• Remote sites getting same address

    2
    0 Votes
    2 Posts
    787 Views
    A
    Well, I have ended up just assigning static IPs to the different clients, this will work for me.  Still curious why it wasn't working before.
  • OpenVPN Server SIGSEGV on client connect

    1
    0 Votes
    1 Posts
    779 Views
    No one has replied
  • 0 Votes
    3 Posts
    881 Views
    H
    ok I think I got it working, I had the above settings - as recommended by phil - and it turns out you need some NAT rules (firewall-nat-(manual)outbound) and add an entry: select 'openvpn' as interface and 'from all' 'to all' or in my case I narrowed it down to from 10.0.7.0/24 to 192.168.2.0/24 and another entry 10.0.8.0/24 to 192.168.1.0/24 respectively (openvpn interface) I did a traceroute from sat1 to sat2 and it timed out at 10.0.7.1 so tested with the nat rule, I might have swapped the .7. and .8. but you get the idea… now in a perfect world: how to route all internet traffic out of the main office's connection...
  • Openvpn to main site to IPSEC tunnels to remote sites- HELP

    8
    0 Votes
    8 Posts
    2k Views
    T
    Hello, I have the same situation. I tried to solve it following the instructions but I cannot make it work. Can you give more detailed instructions please?
  • Multiple Client Tunnels Service not Running?

    3
    0 Votes
    3 Posts
    900 Views
    jimpJ
    Do they show running on Status > Services? Any errors in the OpenVPN log?
  • Disable VPN while gaming

    2
    0 Votes
    2 Posts
    791 Views
    D
    Yes, so disable it?
  • All traffic from separate interface, via OpenVPN client.

    5
    0 Votes
    5 Posts
    1k Views
    P
    Manual Outbound NAT needs a rule on interface VPN. Outbound NAT is applied on the way out, the rules go on the interface/s where the traffic exits. Also, the Outbound NAT rule on TESLAN is not needed - it won't break anything, but it will never match anything.
  • Site to site VPN for four remote locations

    5
    0 Votes
    5 Posts
    2k Views
    P
    @TC10284: Thanks for the quick response! I've been doing some more Googling… Is Tinc an easier/better solution or would you prefer OpenVPN? I have not tried Tinc, so I can't give a comparison. I use OpenVPN for site-to-site and Road Warrior "dialin" from Windows laptops. It works, so I use it - what more to say?
  • Pushing routes

    10
    0 Votes
    10 Posts
    2k Views
    T
    Ah! I'm on 2.1 but didn't know about the multiple route possibility. Will try that later
  • Force a group to use OpenVPN for Internet

    4
    0 Votes
    4 Posts
    1k Views
    C
    @phil.davis: System: Advanced: Miscellaneous Skip rules when gateway is down - By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down Check that box - pfSense is too nice, and when the target gateway is down it changes the rule to just pass the traffic to the default routing table (= out the default WAN in most cases). This box disables that "niceness". That fixed it. It seemed like it was some type of failover because it wasn't immediate. I looked and looked but was in the wrong area. Thanks for the help!
  • Openvpn site to site and remote hostname

    13
    0 Votes
    13 Posts
    4k Views
    R
    Well, I didn't find out how to make it work, so I used the hard way. Creating a list of all PCs, create a batch to update lmhost and run it over each network. It's far from neat and clean but it works. Thanks to everyone!
  • OpenVPN Tap

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OpenVPN Troubleshooting

    3
    0 Votes
    3 Posts
    1k Views
    jimpJ
    Try to get the log off the phone, odds are it will tell you why. Usual suspects: Clock on the phone is wrong/not set, or you're using a cert/key format that the phone does not understand (e.g. you need SHA1 not SHA256)
  • OpenVPN / Cert Backup - Restore issue BUG!

    6
    0 Votes
    6 Posts
    3k Views
    P
    You really just need to type the 3 letters "pen" in the middle of "ovpn" to make "openvpn". I can only guess that you have accidentally deleted or added some syntax character when making the edit. This change is simple enough that I would just do it from Diagnostics->Edit, Load, type the 3 chars in the right place and press "Save". No need to mess with command line.
  • Openvpn client with .p12, how (file included)?

    2
    0 Votes
    2 Posts
    4k Views
    jimpJ
    Bag Attributes friendlyName: ipcolo CA That's the CA certificate Bag Attributes friendlyName: home That's your certificate And the key is your key. Create a new CA, set to import, copy/paste from -----BEGIN CERTIFICATE----- to end of the CA cert, save. Then import your certificate on the Cert Manager tab using the user cert and key from the p12.
  • OpenVPN bridge site-to-site and DD-WRT

    1
    0 Votes
    1 Posts
    673 Views
    No one has replied
  • Generic questions on locking down Open VPN

    3
    0 Votes
    3 Posts
    936 Views
    M
    That may be the case.  VPN is a door inside my network, so I wanted to make sure that if it was compromised, as little as possible would be available. Thanks for the sanity check.
  • Perf issues on OpenVPN(and IPsec) with Site to Site

    1
    0 Votes
    1 Posts
    611 Views
    No one has replied
  • 0 Votes
    10 Posts
    2k Views
    M
    This thread can be considered closed. Believe it or not, I had not cabled to tie the LAN segment to the switch with the other devices I was attempting to connect to. Everything is connecting as expected. :-[
  • PfSense can't ping VPN Client on TUN network

    4
    0 Votes
    4 Posts
    2k Views
    M
    Thank you, I can see that. Another pfsense is working without problems and I can ping the ovpns-Interface ip-address of the tunnel network from the pfsense itself. So it must be a problem with the pfSense-installation I'm testing right now. I will backup the setup and reinstall it this evening.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.