I see.

Only problem is I want (well, need) local PC's (on local LAN) to be able to access remote LAN with NAT address of server there.
I do have full access to that machine.

So, if I understand correctly, I should make route on remote server for local IP's with iroute, and push "route" commands, while setting NAT on remote server, where OpenVPN server is located?

Well, will try to fiddle with this later tonight.

Edit
Well, found temporary workaround in other post that makes it work:
Adding in /tmp/rules.debug line:
nat on tun0 from 192.168.0.0/24 to any -> (tun0)

.. and doing:
/sbin/pfctl -f /tmp/rules.debug

But, AFAIK, this won't work after reboots.. any way to automatize this?

I agree that in situations where you control both sides, this isn't an issue at all, and after giving it a bit of thought, I imagine that this is probably the vast majority of cases with OpenVPN.

Sorry to ask what is probably a dumb question but where can I find that utility?

The custom options are there for ppl who want to use custom functions (like a balanced server) ;).
Using this field is the right way :)

@GruensFroeschli:

Take a look at the openVPN-MAN-pages. Look for the "route" command.
You can add on the server config an entry that when the tunnel comes up automatically adds the necessary route to the servers routingtable.
When the tunnel drops openVPN automatically remoces the entries and adds them again if the tunnel comes back up.
You cannot do this on the client side but on the server side.

thanks very much. i knew there had to be something to do this.

Its not a problem, just something different.  The only annoying one is the P2P page on the traffic shaper as the check could be read as either disable or enable.

You can use the revocation list.
No need for recreating all the key's :)
Take a look at the how-to of the easy-RSA on how to creat a CRL.

also there is a sticky in the openVPN-forum about your question:
http://forum.pfsense.org/index.php/topic,4105.0.html

I will give this a try again. I followed the guide at the top of the forums for setting up site to site but was unable to get some pings going across. Everything was connected but i don't understand it completely. Thanks!

Thanks for such a prompt answer GruensFroeschli,
I was aware that Relakks requires PPTP but I thought I could forward all the traffic that goes in my pfSense box directly to Relakks' PPTP server.

Thank you for clearing that up

Yes, I understand the static route problem. It is kind of acceptable for now.

Yes, I use PSK. Thanks for the hint about PKI. I hope to have time to look into it some time next week.

/Roger

so now here is what is weird… when a client connects to the wireless access point.... and then connects to the VPN server... the same thing happens, it locks up when I put some heavy work on the VPN....

what is going on with openvpn???

I'd generally advise that you set up authentication servers at each site.  That way you only have to cope with the authentication syncs (password changes, new users), which can be handled even over a dialup.  More importantly, it means people can continue working when they can't connect to the main site (such as when your power goes out, or somebody puts a digging machine through your Internet connection).

That's very good point. I will consider this kind of setup when I actually setup the site to site vpn. Thank you very much

after reseting the firewall config and reseting the modem, now site-to-site vpn is work smoothly.
thanks…

Doing a traceroute from de XP client i see it goes through the PFsense's end of the VPN connection. XP has not firewall, nor the local linux host.

XP
LAN: 10.129.4.X
TUN: 10.1.8.6
ping LINUXBOX: works
ssh LINUXBOX: doesn't work
http LINUXBOX: doesn't work

PFSENSE
LAN: 10.1.1.X
TUN: 10.1.8.1

LINUXBOX
LAN: 10.1.1.X
ping XP: works
rdp XP: works

it will work fine, i run mine like this as well.

192.168.125.0/25 LAN
192.168.125.128/27 VPN

as far as how to access the other non-LAN subnets, youll just need to tinker with it… but it doesnt sound unresonable.

did u put ur Local Network in Local network place openvpn server configuration ?

ahhh finaly!! thanks GruensFroeschli and mihai, i love you <3

just fixed… thank you !

do your remote client know a the route to your local subnet?