• Filter on LAN

    Locked
    0 Votes
    7 Posts
    4k Views

    @GruensFroeschli:

    The problem is that the traffic seen from the Firewall is not entering the LAN interface in point 3.
    The Firewall filters against the outside.
    Not against the inside.

    I guess you mean that the filters are applied with "out" instead of "in" from the GUI.
    And surely there is a good reason, so I will browse the filtering section.
    I'm just curious, because I'm used to putting the major part of custom rules in "in" policies.

    @GruensFroeschli:

    I'm sorry yes you are right.
    I don't know what I was thinking when I suggested that ^^"
    This only prevents access from the LAN to the clients.

    I think what you are trying to do is not possible right now.
    Filtering OpenVPN is on the wishlist.

    Not pushing a route to the client for the rest of the network is so far your only "protection".
    But hey… how many users are out there that know how to add a route ;)

    Good news that this is already in the wishlist. I'm new to OpenVPN, but very happy at the moment ("remote" is a good friend).

    The route solution is acceptable for some (dumb) users, and it's useful in a really temporary way.
    Maybe, to stay a long time, it would be possible to add some pf rules from a script (GUI independent); anyway, I have been doing setups in text mode for a long time before pfSense (and by the way I really miss rdr).

    GruensFroeschli, thanks for your time and help.

  • Assign static pool to road warriors with same user

    Locked
    0 Votes
    5 Posts
    2k Views

    w0w!

    I will try it. If it works I will write RTFM a hundred times.
    Will see if this affects the IP assignment.

    Thanks.

    Josep M.

  • OpenVPN working in bridged mode

    Locked
    0 Votes
    3 Posts
    2k Views

    OpenVPN bridge works like a charm for me.  As mentioned, I am not using CARP on my setup.

  • Management for OpenVPN

    Locked
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli

    please use the search function:

    solution: --> http://forum.pfsense.org/index.php/topic,5282.0.html

  • Openvpn road warrior question

    Locked
    0 Votes
    8 Posts
    4k Views
    Cry Havok

    I'll go with the large neon letters, flames and strobe lights….

    You will not get OpenVPN reliably working if the local and remote subnets are the same (or overlap)

    See the OpenVPN HowTo: http://openvpn.net/howto.html#numbering.  You will have to renumber one network or stop trying to use OpenVPN.

  • Authentication via LDAP for OpenVPN

    Locked
    0 Votes
    1 Post
    3k Views
    No one has replied
  • Windows File/Printer sharing on OpenVPN

    Locked
    0 Votes
    5 Posts
    5k Views

    hmmm… nice suggestion... I think I will shrink the subnet on LAN from /16 to /24 or use a different IP block for OpenVPN.

  • How to use PKI to setup site to site openvpn?

    Locked
    0 Votes
    8 Posts
    5k Views
    GruensFroeschli

    quote from the man page:

    Server Mode
    Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode is supported, and can be enabled with the --mode server option. In server mode, OpenVPN will listen on a single port for incoming client connections. All client connections will be routed through a single tun or tap interface. This mode is designed for scalability and should be able to support hundreds or even thousands of clients on sufficiently fast hardware. SSL/TLS authentication must be used in this mode.

    --server network netmask
        A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the ".1" address of the given network for use as the server-side endpoint of the local TUN/TAP interface.

    For example, --server 10.8.0.0 255.255.255.0 expands as follows:

    mode server
    tls-server

    if dev tun:
        ifconfig 10.8.0.1 10.8.0.2
        ifconfig-pool 10.8.0.4 10.8.0.251
        route 10.8.0.0 255.255.255.0
        if client-to-client:
            push "route 10.8.0.0 255.255.255.0"
        else
            push "route 10.8.0.1"

    if dev tap:
        ifconfig 10.8.0.1 255.255.255.0
        ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
        push "route-gateway 10.8.0.1"

    TLS Mode Options:
    TLS mode is the most powerful crypto mode of OpenVPN in both security and flexibility. TLS mode works by establishing control and data channels which are multiplexed over a single TCP/UDP port. OpenVPN initiates a TLS session over the control channel and uses it to exchange cipher and HMAC keys to protect the data channel. TLS mode uses a robust reliability layer over the UDP connection for all control channel communication, while the data channel, over which encrypted tunnel data passes, is forwarded without any mediation. The result is the best of both worlds: a fast data channel that forwards over UDP with only the overhead of encrypt, decrypt, and HMAC functions, and a control channel that provides all of the security features of TLS, including certificate-based authentication and Diffie Hellman forward secrecy.

    To use TLS mode, each peer that runs OpenVPN should have its own local certificate/key pair (--cert and --key), signed by the root certificate which is specified in --ca.

    When two OpenVPN peers connect, each presents its local certificate to the other. Each peer will then check that its partner peer presented a certificate which was signed by the master root certificate as specified in --ca.

    If that check on both peers succeeds, then the TLS negotiation will succeed, both OpenVPN peers will exchange temporary session keys, and the tunnel will begin passing data.

    The OpenVPN distribution contains a set of scripts for managing RSA certificates & keys, located in the easy-rsa subdirectory.

    The easy-rsa package is also rendered in web form here: http://openvpn.net/easyrsa.html

    --tls-server
        Enable TLS and assume server role during TLS handshake. Note that OpenVPN is designed as a peer-to-peer application. The designation of client or server is only for the purpose of negotiating the TLS control channel.

    So theoretically it shouldn't make a difference if you write it manually.
    Sorry, I don't know why your connection is not working :(
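    The --server expansion quoted above, together with the subnet-numbering problem from the "Openvpn road warrior question" thread (local and remote subnets the same or overlapping) and the /16-to-/24 shrink from the "Windows File/Printer sharing" thread, as an added Python example. This is not code from the original posts, from OpenVPN or from pfSense. expand_server reproduces the man page's 10.8.0.0/24 expansion and applies the same offsets from the network and broadcast addresses to other masks (an assumption, not quoted text); overlapping_subnets is a constructed check run on made-up sample prefixes.

```python
"""Expand OpenVPN's --server helper directive and check for overlapping
subnets. Added example, not OpenVPN or pfSense project code.
"""
from __future__ import annotations

import ipaddress
import itertools


def expand_server(network: str, netmask: str, dev: str = "tun",
                  client_to_client: bool = False) -> list[str]:
    """Return the directives `--server network netmask` expands to.

    Follows the man page quoted above: .1 is the server end of the TUN/TAP
    interface, .2 the virtual peer for tun, and the pool skips the first
    and last few addresses of the block. Offsets match the 10.8.0.0/24
    example exactly; for other masks they are applied relative to the
    network and broadcast addresses (assumption, not quoted text).
    """
    net = ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)
    first = int(net.network_address)
    last = int(net.broadcast_address)

    def addr(value: int) -> str:
        return str(ipaddress.IPv4Address(value))

    lines = ["mode server", "tls-server"]
    if dev == "tun":
        lines += [
            f"ifconfig {addr(first + 1)} {addr(first + 2)}",
            f"ifconfig-pool {addr(first + 4)} {addr(last - 4)}",
            f"route {network} {netmask}",
        ]
        # Without client-to-client only the server address is pushed, so a
        # road warrior does not even learn a route to the other clients.
        if client_to_client:
            lines.append(f'push "route {network} {netmask}"')
        else:
            lines.append(f'push "route {addr(first + 1)}"')
    elif dev == "tap":
        lines += [
            f"ifconfig {addr(first + 1)} {netmask}",
            f"ifconfig-pool {addr(first + 2)} {addr(last - 1)} {netmask}",
            f'push "route-gateway {addr(first + 1)}"',
        ]
    else:
        raise ValueError("dev must be 'tun' or 'tap'")
    return lines


def overlapping_subnets(local_lan: str, remote_lan: str,
                        vpn_pool: str) -> list[tuple[str, str]]:
    """Return the pairs of prefixes that overlap; an empty list means the
    three networks are disjoint and routing through the tunnel can work.

    Identical or overlapping local/remote LANs are the case the HowTo's
    numbering section warns about: the kernel cannot tell which side of the
    tunnel a destination belongs to, so one network has to be renumbered.
    """
    nets = {
        "local": ipaddress.IPv4Network(local_lan, strict=False),
        "remote": ipaddress.IPv4Network(remote_lan, strict=False),
        "vpn": ipaddress.IPv4Network(vpn_pool, strict=False),
    }
    return [(a, b) for (a, na), (b, nb) in itertools.combinations(nets.items(), 2)
            if na.overlaps(nb)]


if __name__ == "__main__":
    print("\n".join(expand_server("10.8.0.0", "255.255.255.0")))
    # Constructed sample: a /16 LAN swallows a remote /24 from the same private
    # block; shrinking it to a /24, as suggested in the file sharing thread,
    # removes the clash.
    print(overlapping_subnets("192.168.0.0/16", "192.168.5.0/24", "10.8.0.0/24"))
    print(overlapping_subnets("192.168.1.0/24", "192.168.5.0/24", "10.8.0.0/24"))
```

    The tun branch also shows why "not pushing a route" is the only protection mentioned in the "Filter on LAN" thread: without client-to-client the client is pushed a host route to the server address only, and anything else it reaches is down to routes the client adds itself.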

  • Little help needed understanding the "VPN Capability OpenVPN" wiki page

    Locked
    0 Votes
    2 Posts
    2k Views
    Cry Havok

    AFAIK OpenVPN listens on all interfaces, it's "just" a matter of routing ;)

    You add something to "Local Network" if you want OpenVPN to push a route to it to the client (in your case it would be 192.168.1.0/24).  If you simply want to have all traffic pushed through the VPN leave it blank and add the following to the "Custom Options":

    push "redirect-gateway"

    The rule - the external IP address(es) of the pfSense host you want OpenVPN to be visible on.

    On the last point, replace n.n.n.n with the external (213.94.182.) address and ensure the device(s) that has/have those IPs forward the relevant ports to pfSense host (if the pfSense host doesn't have them).

  • OpenVPN dual wan

    Locked
    0 Votes
    1 Post
    2k Views
    No one has replied
  • Alix & site to site VPN?

    Locked
    0 Votes
    4 Posts
    3k Views

    @naughtyusmaximus:

    Does anyone know if a 500MHz AMD Geode (LX800) will have enough processing power to handle being an OpenVPN client for three-five people?  I have a satellite office that I want to send an enclosed unit to, but don't want to buy it, configure it, ship it off, only to find out that it doesn't have enough processing power to do the job…

    I just set up my alix.2c3 (LX800) and I'm able to push about 15Mbit over an OpenVPN tunnel.

  • Multi-WAN oVPN Server, single WAN oVPN Client - Server can't ping client

    Locked
    0 Votes
    2 Posts
    3k Views

    Hi,

    If you're interested in pinging across the link, I advise you change your rule to allow Protocol -> ANY, instead of TCP/UDP.  Pinging requires ICMP traffic.

  • [Solved] Dynamic IP client and reconnection problem

    Locked
    0 Votes
    11 Posts
    33k Views

    Wow, I've been struggling with this for a while and actually saw the persist-remote-ip option in the config but couldn't think how to remove it but still maintain float. Thanks!!!

    I'm trying to think though where this combination could be used if you want site-to-site. I presume the diff is that float allows diff machines to connect with diff IPs but persist-remote-ip only allows the same machine to connect with its previous address. So I think it's more suited to multiple remote clients where you wouldn't use the 'remote network' setting.

    But perhaps there should be a setting for this then, e.g. a checkbox for dynamic IP and a checkbox for site-to-site with dynamic client.

    Regards

    Robby

  • [1.2RC3] Site-to-site ping problem

    Locked
    0 Votes
    10 Posts
    7k Views

    @GruensFroeschli:

    http://forum.pfsense.org/index.php/topic,7001.msg39657.html#msg39657

    or do you want just "some" addresses and not all?

    Thanks but I just want some addresses and not all traffic to vpn tunnel ;)

  • Client LAN can ping server-side LAN, not the other way around

    Locked
    0 Votes
    6 Posts
    4k Views

    Hi,

    the LAN rule did the trick!

    Many thanks.

  • Site to site VPN with Multicast forwarding

    Locked
    1
    0 Votes
    1 Post
    4k Views
    No one has replied
  • RoadWarrior OpenVPN

    Locked
    0 Votes
    7 Posts
    4k Views

    Oh I see… I missed that one.  :-[
    Thanks for your info.

  • Site to Site Question

    Locked
    0 Votes
    15 Posts
    12k Views
    GruensFroeschli

    yes.

  • Openvpn disable user.

    Locked
    0 Votes
    5 Posts
    14k Views
    GruensFroeschli

    http://openvpn.net/howto.html#revoke

    On pfSense there is, below the fields to set the server key and certificate, a field to put your CRL in.
    No need to mess around with copying files manually and modify the config files.
    Just use the field which is already in the GUI.

  • Point-to-Point wrong route in server PF 1.0.1

    Locked
    0 Votes
    1 Post
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.