• OpenVPN + pfSense not able to get to LAN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG

    You forgot to write any relevant information like:
    Layout of your setup, OpenVPN configuration client/server, firewall rules, routes, etc.

  • Server can't be client?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C

    @GruensFroeschli:

    Setting the checkbox "Dynamic sourceport" on the client allows the OpenVPN process to dynamically use a different port.

    Taking note…

  • OpenVPN ip question

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Site to Site OpenVPN - 3 pfsense

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    J

    Thanks Havok,

    I've created a route on pfsense2 (OpenVPN server) to route all packets to the remote subnet using the tun0 interface IP on pfsense3 (OpenVPN client) as the gateway.

    All traffic between the server and client is now encapsulated.

    Thanks for your advice

  • Security consideration (blocking internet access)

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    M

    Thanks for the directive.

    Of course a virus will get onto my enterprise network if the client is already infected.
    But if someone has remote control of the client, at least he couldn't use it while the client is connected to the VPN.

  • StrongVPN as part of OpenVPN WAN setup [(partly) SOLVED]

    Locked
    7
    0 Votes
    7 Posts
    7k Views
    0

    Thanks very much for your reply.

    @GruensFroeschli:

    Sorry, I don't have the time to look at the forum as much as I used to ;)
    I use something quite similar to what you want, to connect my workplace with my home.
    I use this to redirect certain traffic I don't want to go over my workplace's network to my home
    (private traffic from my iPhone, for example).

    How I did this:
    Basically the same as you describe, but with some minor differences.
    I don't use a PKI. For site-to-site connections I just prefer pre-shared key setups.

    I use a PKI since that's what I get from the provider (StrongVPN); there's no option to use shared keys. Some other providers have it the other way around, though.

    I redirect traffic not with "redirect def1" but with policy routing.
    I don't think what you are after is even possible while using "redirect def1".

    That was my thought too, and that's why I tried (while testing) to manually remove the entries from the shell (which worked) and then use policy routing, but it didn't work all the way.

    Also, you don't need two entries in the failover pool. A single entry is enough (see screenshot).

    Ok

    Just set the correct IP on the OPT config page, like in the OpenVPN config, and the corresponding gateway. As monitor IP I use the other side of the VPN.
    This is just a workaround from a previous version; with 1.2.3 you can assign the VPN tunnel as an interface and thus select it as gateway directly.

    Hmm, yes, that's what I've done. The VPN is an interface and most of it seems to work; I have incoming NAT and FW rules working through the tunnel from the outside too, and verified. Pretty cool. It means I could place my web server or whatever in Hong Kong :) and since the IP is static I could add that as an A record in DNS too.

    This is actually another reason to use a PSK and not a PKI. With a PSK you can hardcode the IP you use in the config.
    With a PKI you can dynamically get a different IP when you have multiple clients (of course you can use a client-specific configuration).

    I get the same IP etc. every time from StrongVPN; in fact that's part of the service, a static IP for the duration of that specific account.

    In my "custom options" I forced the site-to-site connection to "dev tun10" to ensure I always have the same device when assigning the interface.

    Ah, that may be practical.

    In the example screenshot below I redirect my iPhone on wireless over the VPN to my home.
    The normal policy routing rules apply.

    What i would do in your case:

    Get rid of the PKI and set up a PSK. Get rid of the failover pool and use the gateway directly. Change the firewall rules to redirect traffic however you want.

    Thanks for your input, I will try and compare and do some testing. In this case (with this account) I will have to use the PKI, though.

    There is the problem with dead peers, though: if my tunnel stops working for some reason (it has happened a few times; the tunnel appears up but no traffic goes through) I need to disable/enable it to get it back up, and until that is done the network would be effectively offline if I have entered the VPN gateway instead of 'default' in the FW rule.

    Maybe one could have a cron job running, pinging some VPN exit point IP, and if there is no answer take the tunnel down, bring it back up and then remove those routing entries.

    I'm also a bit concerned about those problems with WAN services like OpenVPN and PPTP; they seem not to work while the tunnel is up, even though port-forwarded services work fine. I'll try to do some more testing on that too.

    Cheers,
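The cron-job idea from the post above (probe the far side of the tunnel, restart it when the probe stops answering) worked out as an added example; this is not pfSense code and not the poster's script. Assumptions are marked in the comments: PEER_IP is the server's tunnel-side address, PID_FILE is where this pfSense build keeps the client's pid, and PING_OPTS uses FreeBSD ping syntax (there -W is milliseconds; on Linux it is seconds). The restart is done with SIGUSR1, which OpenVPN documents as a conditional restart (reconnect and re-add routes without the process exiting), i.e. the same effect as a disable/enable in the GUI, and the miss counter is persisted in a state file so a single lost ping does not bounce the tunnel.

```shell
#!/bin/sh
# Added example (not pfSense code): cron-driven watchdog for an OpenVPN client whose
# tunnel can look "up" while passing no traffic. All paths and addresses below are
# assumptions for the example; adjust them for your install.
PEER_IP=${PEER_IP:-10.0.8.1}                          # assumed server tunnel address
PID_FILE=${PID_FILE:-/var/run/openvpn_client1.pid}    # assumed pfSense pid file
STATE_FILE=${STATE_FILE:-/var/run/vpn_watchdog.fails}
THRESHOLD=${THRESHOLD:-3}                             # consecutive misses before restarting
PING_OPTS=${PING_OPTS:--c 1 -W 2000}                  # FreeBSD ping: -W is milliseconds

# probe_peer <ip>: 0 when one ICMP echo comes back through the tunnel.
probe_peer() { ping $PING_OPTS "$1" >/dev/null 2>&1; }

# next_fail_count <probe-status> <count>: reset on success, otherwise add one miss.
next_fail_count() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( $2 + 1 )); fi
}

# should_restart <count> <threshold>: 0 once enough consecutive misses have piled up.
should_restart() { [ "$1" -ge "$2" ]; }

# restart_tunnel: SIGUSR1 makes OpenVPN do a conditional restart (re-resolve, reconnect,
# re-add routes), which is what a disable/enable in the GUI achieves by hand.
restart_tunnel() {
    [ -r "$PID_FILE" ] || { echo "no pid file $PID_FILE" >&2; return 1; }
    kill -USR1 "$(cat "$PID_FILE")"
}

# run_once: the cron entry point, e.g.  * * * * * /usr/local/bin/vpn_watchdog.sh run
run_once() {
    count=0
    [ -r "$STATE_FILE" ] && count=$(cat "$STATE_FILE")
    case $count in ''|*[!0-9]*) count=0 ;; esac        # tolerate an empty or corrupt state file
    if probe_peer "$PEER_IP"; then status=0; else status=1; fi
    count=$(next_fail_count "$status" "$count")
    if should_restart "$count" "$THRESHOLD"; then
        logger -t vpn_watchdog "peer $PEER_IP missed $count probes, restarting tunnel" 2>/dev/null || true
        restart_tunnel && count=0                     # a failed restart keeps the counter, so the next run retries
    fi
    echo "$count" > "$STATE_FILE"
}

case ${1:-} in run) run_once ;; esac
```

Before scripting around the problem, add `keepalive 10 60` to the client's custom options: it expands to `ping` and `ping-restart` and makes OpenVPN itself detect a silent peer and reconnect, so the cron job only has to catch the cases the daemon misses.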

  • Can only ping and see some clients?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ

    The Road Warrior config should be fine. If you can talk to anything at all on the LAN, it should all work – unless those stations which you cannot reach have something such as:

    1. Local client firewalls on LAN systems which block ping or other services from outside your local subnet
    2. Incorrect/different gateway set on the LAN system.
    3. Some other routing or overlapping subnet issue on the OpenVPN client side.

  • Site to site VPN and port forwarding

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    GruensFroeschliG

    I assume the site the camera is on has its own internet connection?
    The requests TO the camera arrive correctly.
    The problem is that the answer goes directly to the camera's default gateway and not back over the VPN tunnel.

    What you can do is:

    Disable automatically generated rules for the VPN. Assign the VPN interface. Enable advanced outbound NAT and create a NAT rule for the VPN interface.
    --> Set the IP of the camera as destination.

    This way, as seen from the camera, the requests originate from the pfSense on the other side of the VPN tunnel
    --> The answer will go back over the VPN.

  • OpenVPN Question

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG

    I suggest you take another look at the OpenVPN config-page ;)

    Your OpenVPN clients get an IP out of the pool you defined in the "Address pool" field on the OpenVPN config page.
    It's not possible to assign an IP based on the MAC because the OpenVPN interfaces are virtual, not real.

    If you want to use static IPs you can use the option "Use static IPs".
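What "Use static IPs" boils down to on the OpenVPN side is a client-config-dir: one file per certificate CN that pins the client's tunnel address with `ifconfig-push`, and, for a site-to-site client with a LAN behind it (the case in the "Site to Site OpenVPN - 3 pfsense" thread above), an `iroute` so the server knows which client that LAN sits behind. The script below is an added example, not pfSense's own generator: the CNs, the 10.0.8.0/24 tunnel pool and the 192.168.3.0/24 remote LAN are constructed for it, the ccd directory path is an assumption, and it targets `topology subnet` (with the older net30 topology `ifconfig-push` takes a /30 endpoint pair instead). CNs are validated before they become file names, and `ccd-exclusive` is emitted so a certificate without a ccd file cannot connect at all.

```shell
#!/bin/sh
# Added example (not pfSense code): fixed per-client OpenVPN addresses via client-config-dir.
# Addresses, CNs and the ccd path are constructed for the example.
CCD_DIR=${CCD_DIR:-/var/etc/openvpn/ccd}   # assumption; pfSense chooses its own location

# valid_ipv4 <addr>: 0 when <addr> is a well-formed dotted quad (each octet 0..255).
valid_ipv4() {
    old_ifs=$IFS
    IFS=. ; set -f ; set -- $1 ; set +f ; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ccd_entry <ip> <netmask> [<lan-net> <lan-mask>]: print the ccd file body for one CN.
# topology subnet: ifconfig-push takes the client's address and the pool netmask.
# A LAN behind the client needs iroute here AND a matching route in the server config.
ccd_entry() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || { echo "bad address/netmask: $1 $2" >&2; return 1; }
    printf 'ifconfig-push %s %s\n' "$1" "$2"
    if [ $# -ge 4 ]; then
        valid_ipv4 "$3" && valid_ipv4 "$4" || { echo "bad LAN: $3 $4" >&2; return 1; }
        printf 'iroute %s %s\n' "$3" "$4"
    fi
}

# write_ccd <dir>: reads "cn ip mask [lan lanmask]" lines on stdin and writes one file per CN.
# The CN becomes a file name, so anything that could leave the directory is refused.
write_ccd() {
    dir=$1
    mkdir -p "$dir"
    while read -r cn ip mask lan lanmask; do
        case $cn in
            ''|\#*) continue ;;
            */*|.*) echo "refusing CN '$cn' as a file name" >&2; return 1 ;;
        esac
        if [ -n "$lan" ]; then
            ccd_entry "$ip" "$mask" "$lan" "$lanmask" > "$dir/$cn" || { rm -f "$dir/$cn"; return 1; }
        else
            ccd_entry "$ip" "$mask" > "$dir/$cn" || { rm -f "$dir/$cn"; return 1; }
        fi
    done
}

# server_directives [<lan-net> <lan-mask>]...: the server.conf lines that go with the ccd files.
# "route" installs the kernel route into the tun device; iroute then picks the right client.
server_directives() {
    printf 'topology subnet\nclient-config-dir %s\nccd-exclusive\n' "$CCD_DIR"
    while [ $# -ge 2 ]; do
        printf 'route %s %s\n' "$1" "$2"
        shift 2
    done
}

# Demo: a road warrior and a site-to-site client with 192.168.3.0/24 behind it.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    write_ccd "$d" <<'EOF'
alice 10.0.8.10 255.255.255.0
site3 10.0.8.20 255.255.255.0 192.168.3.0 255.255.255.0
EOF
    server_directives 192.168.3.0 255.255.255.0
    for f in "$d"/*; do echo "# $f"; cat "$f"; done
fi
```

Run it with `demo` to see the generated files; in pfSense the same `iroute`/`route` pair is what the GUI produces from the client-specific override and the "Remote network" field, and the `route` line is the piece that is missing when a site-to-site LAN is reachable from the server box but not from hosts behind it.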

  • OPENVPN TAP Interfaces + pfsense 2.0 + blocking dhcp broadcast traffic

    Locked
    9
    0 Votes
    9 Posts
    10k Views
    R

    Will TAP interfaces be supported in pfSense 2.0 ?

  • Some questions about OpenVPN components….

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    X

    @XZed:

    @jimp:

    You're probably better off following this for making keys/certs:

    http://doc.pfsense.org/index.php/Easyrsa_for_pfSense

    Well, I remember having used easy-rsa for pfSense at its beginnings... but it was still in "beta"... but it seems to be OK now ;D

    So, I'll give it a try and will give feedback here ;D !

    Just a question :

    I suppose there isn't any package to back up folders (to back up the easyrsa4pfsense folder)? Well, WinSCP will be sufficient ^^ !

    Thanks

    I replied to this old post in order to give some feedback :

    Indeed, the easyrsa package is very nice! But pfSense 2.x brings many nice changes to OpenVPN management (CRL missing in 2.x?? How to do it?? Perhaps it will be corrected in the final version?) ;D !

    Thank you

  • Viewing Currently Connected Clients

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    jimpJ

    @mazzz86:

    I don't have the System > Packages menu.

    Maybe because I'm just testing it on a LiveCD…

    Packages are not available on LiveCD, so that would explain why you don't see it. You have to install to the HDD first and then you can install packages.

  • Problem accessing LAN from roadwarrior (SOLVED)

    Locked
    12
    0 Votes
    12 Posts
    6k Views
    M

    OK, it works!!!!! :)

    My last problem was an internal routing problem.

    So the solution seems to be:

    For clients running Vista or Seven, add these two lines at the end of your client configuration file:

        route-method exe
        route-delay 2

    Thank you for your help Jimp !!
    See you

  • Site-to-site to openwrt

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    M

    Here are the additional screen captures: pfsense3-tomato1.JPG, pfsense3-tomato2.JPG

  • OpenVPN reconnect delays

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Client tunnel cannot be closed down!

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • I need Help For This Setup

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    C

    God bless and take care
                                –  ll_hellBoy_ll

    Wow. Does this forum support sigs? 'cause that brilliant and seemingly unintended use of irony needs to be remembered  8)

  • OpenVpn server on WAN and OPT1 (site-to-site only) [SOLVED]

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    J

    Hi,

    Do this post and this one say the same thing?
    http://forum.pfsense.org/index.php/topic,21941.msg112804.html#msg112804

    GruensFroeschli, when you say in the other post:
    "With OpenVPN you have the ability to specify multiple servers and how to connect to them (balancing/failover)."
    is this achieved by
    "binding the OpenVPN server to both interfaces and doing the failover in the OpenVPN client config"
    i.e. using the "Custom options"?

    Thanks for your help

  • Pinging Certain Klients / Servers - (SOLVED)

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    G

    If you guys have this problem too and are running Captive Portal, remember that the clients you need to connect to have to be added to Allowed IP Addresses.

  • Bridging Issues: custom option server-bridge not overriding server

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    C

    I've got exactly the same problem! "Options error: --server and --server-bridge cannot be used together"
    Could anyone shed some light on this?
    I triple-checked every setting and my custom option will not override the settings :(

    My custom settings:

    dev tap0;server-bridge 192.168.2.254 255.255.255.0 192.168.2.218 192.168.2.250;tls-auth /etc/openvpn1196.key 0;management 127.0.0.1 1196;
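The error quoted in this thread is OpenVPN itself refusing to start: `server` is a helper directive that already expands to an `ifconfig` plus an address pool, so a `server-bridge` added later does not override it, the daemon rejects the pair. Custom options can only add directives to what the GUI writes, never cancel one. The script below is an added example, not pfSense code: it parses a custom-options string in the semicolon-separated form used in the post and checks it against the directives the GUI is assumed to generate (the GENERATED string is that assumption; the CUSTOM string is the one posted above). The conflict table lists the helper combinations OpenVPN rejects at start-up.

```shell
#!/bin/sh
# Added example (not pfSense code): lint a pfSense "custom options" string (semicolon-separated
# OpenVPN directives) against the directives the GUI itself emits.
GENERATED='server 192.168.2.0 255.255.255.0;dev tap0'   # assumed output of the Address pool field
CUSTOM='dev tap0;server-bridge 192.168.2.254 255.255.255.0 192.168.2.218 192.168.2.250;tls-auth /etc/openvpn1196.key 0;management 127.0.0.1 1196;'

# split_options <string>: one directive per line, whitespace trimmed, empty entries dropped.
split_options() {
    printf '%s\n' "$1" | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' || true
}

# directive_names <string>: just the keyword of each directive.
directive_names() { split_options "$1" | awk '{ print $1 }'; }

# has_directive <string> <name>: 0 when the keyword is present; the match is exact,
# so "server" does not match "server-bridge".
has_directive() { directive_names "$1" | grep -qx -- "$2"; }

# check_conflicts <generated> <custom>: fail on helper combinations OpenVPN refuses.
# --server implies its own ifconfig and ifconfig-pool, so a second source of either
# is rejected with "--server and --X cannot be used together".
check_conflicts() {
    all=$(directive_names "$1"; directive_names "$2")
    rc=0
    for pair in server:server-bridge server:ifconfig-pool server:ifconfig; do
        a=${pair%%:*}; b=${pair#*:}
        if printf '%s\n' "$all" | grep -qx -- "$a" && printf '%s\n' "$all" | grep -qx -- "$b"; then
            echo "conflict: --$a and --$b cannot be used together"
            rc=1
        fi
    done
    return $rc
}

# Demo: the posted custom options are fine on their own; combined with a generated
# "server" line they reproduce the error from the thread.
if [ "${1:-}" = demo ]; then
    echo "custom options, one per line:"; split_options "$CUSTOM"
    check_conflicts "$GENERATED" "$CUSTOM" \
        || echo "the generated config and the custom options cannot both be applied"
fi
```

The practical consequence for a TAP bridge is that the `server` line has to go away on the GUI side; whichever field produces it must be left empty so that `server-bridge` in the custom options is the only helper directive in the final config.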
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.