• 0 Votes
    2 Posts
    683 Views
    V

    Hello,

    the client must be pingable otherwise you will be missing rules to permit that.

    If you get no response from hosts behind the client while your rules allow the access, check these two points:

    Does the default route at the host you try to reach point to VPN client?
    If it doesn't you need a route at the host to direct the traffic to the VPN client or you activate NAT for VPN traffic at the client.

    Ensure that the host's software firewall allows access. E.g. Windows firewall drops packets from unknown private networks.

  • Tls-verify failed to fork?

    2
    0 Votes
    2 Posts
    1k Views
    D

    Plot thickens:

    For some reason it seems to tls-verify successfully, but only for the first connection after making a change (which reloads the server config I'm guessing), subsequent connections fail as above:

    openvpn[56619]: x.x.x.x:59134 VERIFY SCRIPT OK: depth=1, C=xx, ST=xx, L=xxxxx, O=xxxxx, CN=vpn.example.com, emailAddress=xxxxx
  • MOVED: Problem with OpenVPN, only shows half of the network

    Locked
    1
    0 Votes
    1 Posts
    493 Views
    No one has replied
  • OpenVPN failing to push local LAN network onto clients [SOLVED]

    3
    0 Votes
    3 Posts
    1k Views
    J

    After looking at it for several hours, it's the little things you miss.

    Cheers!

    As to the net30 crap, I wasn't getting routes pushed, so I'll fix that up now, not that it's causing too many dramas, but you are right, I doubt I need it.

    Thanks again.

  • No Subnet to Subnet routing when Openvpn client is configured

    3
    0 Votes
    3 Posts
    968 Views
    L

    @Derelict:

    https://doc.pfsense.org/index.php/What_is_policy_routing

    And, in particular:

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

    I had made an attempt at this previously and failed, following the instructions I used an alias to include 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8 this is now working perfectly. Thanks Derelict!

    Would you be able to use this method to solve this, https://forum.pfsense.org/index.php?topic=104090.0, problem?

  • Can connect pfsense LAN IP but not the whole intranet

    3
    0 Votes
    3 Posts
    860 Views
    J

    Hi,

    thanks for suggestions.
    Tested and introduced.

    Regards
    JMat

  • OpenVPN connects, can't get to lan network

    14
    0 Votes
    14 Posts
    6k Views
    B

    So I got this working finally.
    Turns out, for my DNS servers, I needed to put my DHCP server there.
    This allowed the DNS to get resolved.
    Thanks for your help folks.

  • Configuring openvpn server and client

    43
    0 Votes
    43 Posts
    10k Views
    J

    Yeah good, I have upgraded to 2.2.5 8) 8)

    still same problem

    Site1:192.168.114.0
    site2:192.168.116.0
    site3:192.168.140.0

    can't access site2 from site3
    can't access site3 from site2
    remaining all success.

    can you please check the screenshots

    site1.jpg
    site2.jpg
    site3.jpg
    status-openvpn.jpg

  • Confusing behavior - push "route network subnet"?

    10
    0 Votes
    10 Posts
    3k Views
    C

    Well, I don't know how to explain this but it's working now. I manually re-keyed the "IPv4 Local Network/s" on the OpenVPN server setup screen and after saving it started working. The 7.0/24 subnet is on the other end of the OpenVPN client tunnel, so perhaps that was the commonality between tunnels causing them to interact? And my previous note about it working with split tunneling disabled also touches this since that field disappears when the "redirect gateway" option is checked.

    It makes no sense to me at all, but so it is. After manually re-keying the subnets into that field everything is now working.

  • [Solved] Can connect from LAN but not from outside

    6
    0 Votes
    6 Posts
    1k Views
    D

    @Derelict:

    You are natting your OpenVPN port to your Wii.

    Yes I was! Everything works after I disabled the Wii rules.

    Thank you for the help!

  • OpenVPN works but no access to LAN

    8
    0 Votes
    8 Posts
    18k Views
    P

    That's it! I was assuming that the gateway for this interface was set to the pfSense box since I use DHCP server on pfSense, with the default route set, to service the LAN addresses. But, I checked and the default route, although set in DHCP, was not set. After adding the default route to this interface manually the OpenVPN works! Now I only have to figure out why the gateway is not set by DHCP.

    Thanks all!!!

  • Server to server openvpn.

    10
    0 Votes
    10 Posts
    2k Views
    D

    As I said before, the concept of "Server" and "Client" in OpenVPN is more about terminology than the roles of a traditional server and client you may be used to.

    Specifically the OpenVPN Server is the end of the connection that listens on a port for the start of a connection, the Client is the end that initially makes the call from the outside.

    Once the two have negotiated a valid connection, routing information is passed between them and the routing really can be from either end.

    I'm not really sure what you're getting hung up on as far as who's the Server and the Client.

    If you really want to have both ends to be Server and Client, there's nothing stopping you from creating two OpenVPN instances on each end, one a Server and Client the other a Client and Server. If you go with that type of design, you'll need to use distinct ports and certificates as well as figure out which end will route what information.

  • 0 Votes
    4 Posts
    1k Views
    D

    Glad you're up and running :)

    You might want to update the subject of your first message to include "(SOLVED)".
    It's helpful for people checking in the future.

  • Remote Access SSL TLS with same IP address in client sides

    16
    0 Votes
    16 Posts
    2k Views
    V

    At server configuration tab there is a section called "Client Settings".

  • Allowing OpenVPN Clients to See Site-to-Site Devices

    12
    0 Votes
    12 Posts
    2k Views
    chpalmerC

    :)

    No problem!

  • OpenVPN Client with dualwan

    3
    0 Votes
    3 Posts
    891 Views
    jimpJ

    Use a gateway group configured for failover as the interface. That or enable default gateway switching.

  • Split traffic between OpenVPN and 'clear net'

    2
    0 Votes
    2 Posts
    1k Views
    T

    I've just bought this for the ML110: http://www.ebay.co.uk/itm/272073960382 (HP NC360T 412646-001 412651-001 PCI Express Dual Port Gigabit Server Adapter)

    …which I'm hoping is going to make the whole exercise easier now.

    would still appreciate comments though please, thanks.

  • Routing internet traffic through a client-to-site OpenVPN-connection

    2
    0 Votes
    2 Posts
    2k Views
    V

    It depends on the particular client if routes can be pushed. Mostly this works.

    If so, check "redirect gateway" in server configuration and put a firewall rule to OpenVPN interface that allows access to any if it isn't already done by OpenVPN wizard.
    Ensure that there is an automatic NAT rule in Firewall > NAT > Outbound with your vpn tunnel network as source and WAN address as NAT address, otherwise add it yourself after checking "hybrid outbound nat rule generation".

  • DMVPN Equivalent in pfsense

    3
    0 Votes
    3 Posts
    5k Views
    chpalmerC

    OpenVPN will do what you're asking easily.

    I have multiple sites connected to my primary in this very way. If you're a Gold Subscriber then go in to the portal and look at the recent "hangout" about OpenVPN doing this.

    OpenVPN tunnels can be set up in a hub and spoke configuration or a mesh configuration. Hub and spoke requires that your hub be live in order for branch offices to contact each other through the VPN. Mesh config does not.

  • Optional tunnel all for mobile clients

    6
    0 Votes
    6 Posts
    1k Views
    S

    @Trel:

    Is there any way I can have it that mobile clients by default do not tunnel all, but the client can enable it if necessary?
    (PFSense is the server, various machines (Windows, Linux, Android) are the clients)

    Are you talking of split tunneling?

    I tested with openvpn in pfsense  with Android and it was working.

    In openvpn android client you can check or uncheck these options.

    Not sure if Linux Mac or Windows.

    I will test it on those gadgets and let you know.

    I did a temporary setup where I put pfsense behind cisco 1841 router and applied qos to restrict bandwidth. When I was connected via vpn to it I was getting that pathetic speed in browsing and site to site data transfer. And what is my ip would show that all my traffic is routed via my open vpn server.

    However when I enabled split tunneling in client on Android browsing speed became normal. But site to site was still slow.

    And what is my ip would show me Wan address of the local network.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.