@GruensFroeschli:
Take a look at the openVPN-MAN-pages. Look for the "route" command.
You can add on the server config an entry that when the tunnel comes up automatically adds the necessary route to the servers routingtable.
When the tunnel drops openVPN automatically remoces the entries and adds them again if the tunnel comes back up.
You cannot do this on the client side but on the server side.
thanks very much. i knew there had to be something to do this.
Its not a problem, just something different. The only annoying one is the P2P page on the traffic shaper as the check could be read as either disable or enable.
You can use the revocation list.
No need for recreating all the key's :)
Take a look at the how-to of the easy-RSA on how to creat a CRL.
also there is a sticky in the openVPN-forum about your question:
http://forum.pfsense.org/index.php/topic,4105.0.html
I will give this a try again. I followed the guide at the top of the forums for setting up site to site but was unable to get some pings going across. Everything was connected but i don't understand it completely. Thanks!
Thanks for such a prompt answer GruensFroeschli,
I was aware that Relakks requires PPTP but I thought I could forward all the traffic that goes in my pfSense box directly to Relakks' PPTP server.
Thank you for clearing that up
Yes, I understand the static route problem. It is kind of acceptable for now.
Yes, I use PSK. Thanks for the hint about PKI. I hope to have time to look into it some time next week.
/Roger
so now here is what is weird… when a client connects to the wireless access point.... and then connects to the VPN server... the same thing happens, it locks up when I put some heavy work on the VPN....
what is going on with openvpn???
I'd generally advise that you set up authentication servers at each site. That way you only have to cope with the authentication syncs (password changes, new users), which can be handled even over a dialup. More importantly, it means people can continue working when they can't connect to the main site (such as when your power goes out, or somebody puts a digging machine through your Internet connection).
That's very good point. I will consider this kind of setup when I actually setup the site to site vpn. Thank you very much
Doing a traceroute from de XP client i see it goes through the PFsense's end of the VPN connection. XP has not firewall, nor the local linux host.
XP
LAN: 10.129.4.X
TUN: 10.1.8.6
ping LINUXBOX: works
ssh LINUXBOX: doesn't work
http LINUXBOX: doesn't work
PFSENSE
LAN: 10.1.1.X
TUN: 10.1.8.1
LINUXBOX
LAN: 10.1.1.X
ping XP: works
rdp XP: works
it will work fine, i run mine like this as well.
192.168.125.0/25 LAN
192.168.125.128/27 VPN
as far as how to access the other non-LAN subnets, youll just need to tinker with it… but it doesnt sound unresonable.
It is a PKI what i get from the IPCOP, but the pki does have a password
When i use it on windows with the client from openvpn.se it is asking me for a password. (Client to Net)
and on the setup on the IPCop i had to enter a Password even in PKI
pfsense is setup as client and it took my CA, Client certificate and Client Key just fine.
Pfsense is always coming up with this
Aug 2 20:39:04 openvpn[43938]: Exiting
Aug 2 20:39:04 openvpn[43938]: Error: private key password verification failed
Aug 2 20:39:04 openvpn[43938]: Cannot load private key file /var/etc/openvpn_client0.key: error:0906A068:PEM routines:PEM_do_header:bad password read: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
Aug 2 20:39:04 openvpn[43938]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 2 20:39:04 openvpn[43938]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
I'm a noob on OpenVPN … :-)
I've had a friend help figure this one out. What we had to do was use iroute in conjunction with the route command. We now have a working PKI VPN infrastructure where all remote locations and the local office are fully connected. (Can ping from anywhere to anything).
If you're having issues, try looking at using the ccd directory and the iroute/route directives.
is this pertaining to the challenge password i setup in my keys? I can still connect to my VPN and i don't need to enter any password. Is this secure without having a challenge password? I'm a little concerned about the man in the middle type attack
ive been working on getting a CRL generated, but each time i do, i get errors.
(hesitant to post all my output, as it has lots of information pertaining to one of my clients).
has anyone else sucessfully revoked a cert, and if so, how did you do it?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
