• 2 quite different VPN configs, can they be combined on one machine?

    1
    0 Votes
    1 Posts
    546 Views
    No one has replied
  • MOVED: Transfer certificates to another server

    Locked
    1
    0 Votes
    1 Posts
    474 Views
    No one has replied
  • Override remote directive?

    2
    0 Votes
    2 Posts
    699 Views
    D

    Disregard... totally missed the Host Name Resolution section in the export utility dialog!

  • Openvpn not re-connecting on error - why?

    1
    0 Votes
    1 Posts
    935 Views
    No one has replied
  • OpenVPN and WINs refuse to play together

    15
    0 Votes
    15 Posts
    3k Views
    K

    If this is an Active Directory, just change group policy to the FQDN and the problem does not matter: 5 min of work for you, and on their next login they have the new settings.

  • Prevent Certain LAN ips from accessing WAN when OpenVPN goes down

    52
    0 Votes
    52 Posts
    28k Views
    DerelictD

    Again, it's post-NAT so you can't match on the source address. See the other thread, which is the same solution.

  • Open VPN Site to Multi Site Only works to 1 of the 2 sites

    6
    0 Votes
    6 Posts
    1k Views
    DerelictD

    You need to make sure a route for 192.168.0.0/24 is being pushed out to the remote client.
    You need to make sure a route for 192.168.1.0/24 is being pushed to the other remote client.

    You need to make sure that OpenVPN firewall rules on the main site and the 192.168.1.1 site pass the traffic.

  • Cannot get openvpn to work, traffic is not routed/flowing

    5
    0 Votes
    5 Posts
    2k Views
    K

    Changed back to TAP, left the advanced options out.

    If it helps, here are the OpenVPN settings from PureVPN's .ovpn file

    client
    dev tun
    proto udp
    remote hk1-ovpn-udp.purevpn.net 53
    persist-key
    persist-tun
    ca ca.crt
    tls-auth Wdc.key 1
    cipher AES-256-CBC
    comp-lzo
    verb 1
    mute 20
    route-method exe
    route-delay 2
    route 0.0.0.0 0.0.0.0
    auth-user-pass
    auth-retry interact
    explicit-exit-notify 2
    ifconfig-nowarn
    auth-nocache
  • OpenVPN client routing to site to site vpn

    3
    0 Votes
    3 Posts
    2k Views
    P

    On the LAN site "road warrior" OpenVPN server, in Local Network/s you need to list all the networks that are available to the road warrior clients through the OpenVPN server - the local LAN and the LAN subnet at the remote site.

    On the LAN end of the site-to-site OpenVPN, put the LAN subnet and the road warrior tunnel subnet in Local Network/s. Put the remote subnet in Remote Network/s.

    On the remote end of the site-to-site OpenVPN, put Local and Remote the other way around.
    (On some ends there will only be a local or remote box available - fill in what is there.)

    Make sure you have pass rules for traffic arriving at every interface, like Derelict says.

    Use traceroute and packet capture to find out where the traffic reaches, stops or deviates from the expected path.

  • What route to add ?

    7
    0 Votes
    7 Posts
    1k Views
    N

    I thought of this idea, but it's crappy, no? :-\

    I've followed this howto which fits my needs perfectly, but same problem.

    Site B can't access site A.

    I think it's an OpenVPN server firewall/forwarding issue…

    Any idea?

    Thanks

    EDIT: To be precise, the OVPN server situated in site A pings site B fine.
    I set the OVPN server as the gateway on clients in site A.

  • Unusable Password - Bad Characters?

    4
    0 Votes
    4 Posts
    2k Views
    J

    I'm not sure where to post this, but bug 4177 is marked "Resolved" but it isn't.

    The line in ovpn_auth_verify doesn't handle the base64 encoding properly. It should be:

    password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's/=/%3D/g' | sed -e 's/+/%2B/g' | sed -e 's_/_%2F_g')

    Or if you want the sed all on one line:
    sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g'

    Try the password: "00>00?0" to test.

    Thanks

  • Vpn and android webpage freezes

    1
    0 Votes
    1 Posts
    595 Views
    No one has replied
  • OpenVPN and Android 4.4 Drops Cellular Connection

    13
    0 Votes
    13 Posts
    3k Views
    A

    As an experienced cellular site service tech I can say that almost all the carriers block ports for SSL, VoIP and VPN if you are on a "pre-paid" phone, especially AT&T. They (the carriers) claim that it consumes too much traffic, so they only allow those ports for their "Contract" customers. Even at that, they throttle the bandwidth, which makes using VPN or VoIP sometimes extremely difficult. Depending on how big your account is with the carrier you can force the issue with tech support, and they will for the most part correct any issues you have. I have found that sometimes changing the port numbers will help, other times not, as the carrier will a lot of times only allow port 80 to pass. This problem is true also with "free wifi" at most places that use AT&T for their WiFi hotspots (can we say McD's), and if you ask the store managers why they don't allow the ports to pass, well, you just have to ask one of them to fully understand their answers... I have several AT&T pre-paid phones, and several Waliworld phones in use in my family and one Verizon portable hotspot. The Verizon hotspot does VPN great, the other phones are just worthless except for telephone calls and texting, and half of the time one of them doesn't even get coverage (I bet I don't have to name which one that is) and it costs more to use than the others do... go figure.

  • Issues with OpenVPN Configuration

    73
    0 Votes
    73 Posts
    19k Views
    DerelictD

    Do the training course at hurricane: https://ipv6.he.net/certification/

    Now that they have free DNS and tunnels, all you will really need to do to get through it is get a tunnel up (ezpz on pfSense) and get a web server running on IPv6.

  • CARP + OpenVPN bridged to LAN = System freeze after a couple of minutes

    2
    0 Votes
    2 Posts
    753 Views
    S

    Hi Matt,

    I have the same configuration

    Two hardware boxes WAN, LAN, DMZ interface with CARP

    … and the same problem. Did you find any workaround or clues?

    Sacha

  • Windows XP Roadwarrior not working pfSense 2.2

    3
    0 Votes
    3 Posts
    973 Views
    P

    Just to let everyone know, I think I've solved this (with some help from the OpenVPN support forums).

    Looks to have been an MTU size problem, fixed by adding:

    fragment 1300
    mssfix

    to the server and client configs. Will know for certain tomorrow morning when I roll it out to the live environment (rather than my test lab).

  • OpenVPN benchmark in pfSense 2.2

    3
    0 Votes
    3 Posts
    1k Views
    B

    You can select the "BSD cryptodev engine" for OpenVPN in pfSense, which should support AES-128-CBC with AES-NI, or not?

    Edit: OpenVPN is probably only using a single core/thread per process, though.

  • Openvpn from pfsense DSL to pfsense LTE

    1
    0 Votes
    1 Posts
    686 Views
    No one has replied
  • OpenVPN Server on pfSense with one interface in private subnet

    6
    0 Votes
    6 Posts
    2k Views
    T

    I installed pfSense on a VM with two interfaces, WAN and LAN (maybe I only need one interface, WAN?).
    TAP mode is optimal for me because clients connecting via VPN must have access to the network.
    I have not found a tutorial on how to perform this configuration. Please help!

  • Duplicate IP assigned by Remote Access server

    14
    0 Votes
    14 Posts
    3k Views
    B

    If it is the same cert, try using the "duplicate-cn" option on the server. It is not recommended, though; better to use a different cert for each client.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.