  • 0 Votes | 10 Posts | 3k Views

    Anyway, this is resolved. I needed "route 192.168.25.0 255.255.255.0 10.9.0.2" (IP address of the OVPN interface where the subnet is located).

    Yes, the routing issue was fairly evident once you posted the configs.

  • Can't surf

    0 Votes | 20 Posts | 3k Views

    So this does not morph into a VPS thread, please start a new post to discuss VPSs.

    Thanks

  • Auth and User Certificates

    0 Votes | 4 Posts | 2k Views

    You need to select this option on the VPN server: "When authenticating users, enforce a match between the common name of the client certificate and the username given at login."

    User A will only be able to log in with his certificate.
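
What that pfSense option enforces, written out as an added example (this is not code from the thread or from pfSense): an OpenVPN auth-user-pass-verify hook in Python that accepts a login only when the password is right and the client certificate's common name equals the username. OpenVPN passes username, password and common_name in the hook's environment when the directive is written as "auth-user-pass-verify /path/hook.py via-env" (which needs script-security 3 on the server); exit status 0 accepts, anything else rejects. The USERS table, the sample accounts and the exact-match rule are assumptions made here to keep the example self-contained; pfSense would consult its own user database, LDAP or RADIUS.

```python
"""
Added example (not from the pfSense thread): an OpenVPN auth-user-pass-verify
hook that rejects a login whose certificate CN does not match the username,
in addition to checking the password.
"""
import hashlib
import hmac
import os
import sys


def _digest(salt: bytes, password: str) -> bytes:
    # PBKDF2 keeps the example self-contained; a real deployment would ask
    # its backend (local DB, LDAP, RADIUS) instead of hashing here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample accounts (assumption): username -> (salt, digest).
USERS = {
    "alice": (b"salt-alice", _digest(b"salt-alice", "alice-pass")),
    "bob":   (b"salt-bob",   _digest(b"salt-bob",   "bob-pass")),
}


def password_ok(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Burn the same work for unknown users so timing does not reveal them.
        _digest(b"no-such-user", password)
        return False
    salt, expected = rec
    return hmac.compare_digest(_digest(salt, password), expected)


def cn_matches(common_name: str, username: str) -> bool:
    # Exact, case-sensitive comparison (assumption: this mirrors pfSense's
    # strict user/CN matching; confirm against your version).
    return common_name == username


def verify(env) -> int:
    """Return 0 (accept) or 1 (reject) for an OpenVPN hook environment."""
    username = env.get("username", "")
    password = env.get("password", "")
    common_name = env.get("common_name", "")
    if not password_ok(username, password):
        return 1
    if not cn_matches(common_name, username):
        # User A presenting user B's certificate is rejected here even
        # though A's password was correct: this is the case the option closes.
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(verify(os.environ))
```

The CN check runs only after the password check, so a stolen certificate alone still needs the matching user's password, and a correct password with somebody else's certificate is refused.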

  • PSK vs. PKI

    0 Votes | 4 Posts | 2k Views

    @rand4505:

    Stop using PSK; use 2048-bit+ RSA/DSA keys, with group 14 or higher DH and PFS.

    See: http://cdn.media.ccc.de/congress/2014/h264-sd/31c3-6258-en-Reconstructing_narratives_sd.mp4

    Thank you for the video !
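
The "group 14 or higher DH, PFS" part of that advice, as an added example that is not from the thread: an ephemeral Diffie-Hellman exchange over the 2048-bit MODP group IKE calls group 14 (RFC 3526). Each side draws a fresh private exponent for every session, so no long-term credential ever determines the session key, which is what perfect forward secrecy means. The prime is transcribed from RFC 3526 and is checked to be a safe prime before use, so a transcription slip is caught rather than silently weakening the group. Peer authentication (the RSA certificates in IKE) is out of scope; only the key agreement and the public-value sanity checks are shown, and the SHA-256 key derivation is a stand-in for IKE's PRF.

```python
"""
Added example (not from the thread): ephemeral DH over RFC 3526 group 14,
with safe-prime verification and public-value checks.
"""
import hashlib
import secrets

# RFC 3526, section 3: 2048-bit MODP group, generator 2 (transcribed; verified below).
GROUP14_P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(GROUP14_P_HEX.split()), 16)
G = 2
Q = (P - 1) // 2                     # order of <G> in a safe-prime group
KEY_BYTES = (P.bit_length() + 7) // 8


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sane() -> bool:
    """2048 bits, p prime and (p-1)/2 prime, i.e. a safe prime as RFC 3526 specifies."""
    return P.bit_length() == 2048 and is_probable_prime(P) and is_probable_prime(Q)


def public_value_ok(y: int) -> bool:
    """Reject 0, 1, p-1, out-of-range values and anything outside the order-q subgroup.
    With p = 7 mod 8, 2 is a quadratic residue, so every honest value satisfies y^q = 1."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


class Peer:
    """One side of the exchange; the private exponent lives only for this session."""

    def __init__(self):
        self._x = 1 + secrets.randbelow(Q - 1)   # ephemeral exponent in [1, q-1]
        self.public = pow(G, self._x, P)

    def shared_key(self, peer_public: int) -> bytes:
        if not public_value_ok(peer_public):
            raise ValueError("peer public value rejected")
        z = pow(peer_public, self._x, P)
        # Fixed-length session key from the shared secret (stand-in for IKE's PRF).
        return hashlib.sha256(z.to_bytes(KEY_BYTES, "big")).digest()


def run_session() -> bytes:
    """One complete exchange; both sides must derive the same key."""
    a, b = Peer(), Peer()
    key_a = a.shared_key(b.public)
    key_b = b.shared_key(a.public)
    if key_a != key_b:
        raise RuntimeError("key agreement failed")
    return key_a


if __name__ == "__main__":
    assert group_is_sane()
    print("keys differ per session:", run_session() != run_session())
```

Two sessions produce unrelated keys because the exponents are discarded after use; with a PSK-only design the long-term secret is the thing an attacker who records traffic wants, and with static keys a later compromise exposes every recorded session.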

  • OpenVPN client: pfSense states for VPN not killed on reconnect?

    0 Votes | 3 Posts | 1k Views

    Hi,

    thanks for the quick reply. I tried this setting without effect (in fact, the box WAS checked, so I unchecked it; from the description, state killing takes place when it is unchecked).

    In my understanding, it only does something if a gateway fails. So it would kill the "normal" states of connections on my WAN gateway. However, the states of connections through my VPN are not affected and still stay in place...

  • OpenVPN on Hyper-V

    0 Votes | 2 Posts | 1k Views

    Hey,
    Check this thread: https://forum.pfsense.org/index.php/topic,56565.msg364122.html
    However, IMHO, always get an Alix box or use the OpenVPN AS Hyper-V VM (2 free users), or (I don't know your Hyper-V edition) use a Linux VM with an OpenVPN server.

    Best regards

    Kostas

  • pfSense to Witopia

    0 Votes | 4 Posts | 2k Views

    Jingles, I think adding two servers will allow the client to use the second one if the first one isn't working.

    Dmitriy,

    I am reviewing their client config file; they don't specify a digest algorithm. They provide the following:

    client
    dev tun
    proto udp
    remote [REPLACE WITH SERVER NAME] 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ns-cert-type server
    cipher bf-cbc
    comp-lzo
    verb 3
    mute 20
    ca ca.crt
    mssfix 1300
    key CN1.key
    cert CN2.crt
    #tls-auth ta.key 1

    Since I am using pfSense, I don't need to specify the path for the files, since pfSense allows me to put the certs in the certificate authority and load the TLS key in the GUI. Right?

    I changed the verbosity to 4 and got this:
    Jan 20 18:19:21 openvpn[84390]: real_hash_size = 256
    Jan 20 18:19:21 openvpn[84390]: virtual_hash_size = 256
    Jan 20 18:19:21 openvpn[84390]: client_connect_script = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: learn_address_script = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: client_disconnect_script = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: client_config_dir = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: ccd_exclusive = DISABLED
    Jan 20 18:19:21 openvpn[84390]: tmp_dir = '/tmp'
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_defined = DISABLED
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_local = 0.0.0.0
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_remote_netmask = 0.0.0.0
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_defined = DISABLED
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_local = ::/0
    Jan 20 18:19:21 openvpn[84390]: push_ifconfig_ipv6_remote = ::
    Jan 20 18:19:21 openvpn[84390]: enable_c2c = DISABLED
    Jan 20 18:19:21 openvpn[84390]: duplicate_cn = DISABLED
    Jan 20 18:19:21 openvpn[84390]: cf_max = 0
    Jan 20 18:19:21 openvpn[84390]: cf_per = 0
    Jan 20 18:19:21 openvpn[84390]: max_clients = 1024
    Jan 20 18:19:21 openvpn[84390]: max_routes_per_client = 256
    Jan 20 18:19:21 openvpn[84390]: auth_user_pass_verify_script = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: auth_user_pass_verify_script_via_file = DISABLED
    Jan 20 18:19:21 openvpn[84390]: port_share_host = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: port_share_port = 0
    Jan 20 18:19:21 openvpn[84390]: client = ENABLED
    Jan 20 18:19:21 openvpn[84390]: pull = ENABLED
    Jan 20 18:19:21 openvpn[84390]: auth_user_pass_file = '[UNDEF]'
    Jan 20 18:19:21 openvpn[84390]: OpenVPN 2.3.3 amd64-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 15 2014
    Jan 20 18:19:21 openvpn[84390]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Jan 20 18:19:21 openvpn[84390]: WARNING: using --pull/--client and --ifconfig together is probably not what you want
    Jan 20 18:19:21 openvpn[84390]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 20 18:19:21 openvpn[84390]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
    Jan 20 18:19:21 openvpn[84390]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 20 18:19:21 openvpn[84390]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jan 20 18:19:21 openvpn[84390]: LZO compression initialized
    Jan 20 18:19:21 openvpn[84390]: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Jan 20 18:19:21 openvpn[84390]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Jan 20 18:19:21 openvpn[84390]: Data Channel MTU parms [ L:1542 D:1300 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Jan 20 18:19:21 openvpn[84390]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Jan 20 18:19:21 openvpn[84390]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Jan 20 18:19:21 openvpn[84390]: Local Options hash (VER=V4): '504e774e'
    Jan 20 18:19:21 openvpn[84390]: Expected Remote Options hash (VER=V4): '14168603'
    Jan 20 18:19:21 openvpn[84425]: UDPv4 link local (bound): [AF_INET]XXX.XXX.1.222
    Jan 20 18:19:21 openvpn[84425]: UDPv4 link remote: [AF_INET]XXX.XXX.111.111:1194
    Jan 20 18:19:21 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
    Jan 20 18:19:21 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
    Jan 20 18:19:23 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
    Jan 20 18:19:23 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194
    Jan 20 18:19:27 openvpn[84425]: TLS: Initial packet from [AF_INET]XXX.XXX.111.111:1194, sid=2dbd86cf 06dd0388
    Jan 20 18:19:27 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194

    The only places I think may be wrong are the bolded.

    Thanks for any help. Also, when posting what info should I take out or clean. Just the IP addresses?
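
A way to read that log against the provider's config, as an added example (not code from the post, from Witopia or from pfSense): a small Python checker that parses the client config into active and commented-out directives, pulls the negotiated option strings and the tls-auth errors out of a verb 4 log, and reports the mismatches a reviewer would look for. The config and the log lines embedded below are copied from the post above (with the provider's tls-auth line commented out exactly as supplied); the findings text and the checks are mine. Two facts it encodes: "TLS Error: cannot locate HMAC in incoming packet" is what OpenVPN logs when tls-auth is enabled locally but the peer's packets do not carry a matching HMAC, and the Local Options String shows what the running client actually has, which on pfSense includes tls-auth as soon as a TLS key is entered in the GUI, whatever the provider's file says.

```python
"""
Added example (not from the post): compare an OpenVPN client config with the
client's verb 4 log and report likely causes of a failing handshake.
"""
import re

# Copied from the post: the provider's client config.
PROVIDER_CONF = """\
client
dev tun
proto udp
remote [REPLACE WITH SERVER NAME] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher bf-cbc
comp-lzo
verb 3
mute 20
ca ca.crt
mssfix 1300
key CN1.key
cert CN2.crt
#tls-auth ta.key 1
"""

# Copied from the post: the relevant lines of the pfSense client log.
LOG_LINES = [
    "Jan 20 18:19:21 openvpn[84390]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file",
    "Jan 20 18:19:21 openvpn[84390]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'",
    "Jan 20 18:19:21 openvpn[84390]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'",
    "Jan 20 18:19:21 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194",
    "Jan 20 18:19:23 openvpn[84425]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]XXX.XXX.111.111:1194",
]

OPTS_RE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")
HMAC_RE = re.compile(r"TLS Error: cannot locate HMAC in incoming packet")


def parse_client_conf(text):
    """Split an OpenVPN config into active and commented-out directives."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = active
        if line[0] in "#;":
            target = commented
            line = line.lstrip("#; ")
        parts = line.split()
        if parts:
            target[parts[0]] = parts[1:]
    return active, commented


def parse_log(lines):
    """Collect the negotiated option strings and count tls-auth HMAC failures."""
    opts, hmac_errors = {}, 0
    for line in lines:
        m = OPTS_RE.search(line)
        if m:
            opts[m.group(1)] = set(m.group(2).split(","))
        if HMAC_RE.search(line):
            hmac_errors += 1
    return opts, hmac_errors


def diagnose(conf_text, log_lines):
    """Return a list of findings; empty when nothing looks wrong."""
    active, commented = parse_client_conf(conf_text)
    opts, hmac_errors = parse_log(log_lines)
    local = opts.get("Local", set())
    findings = []
    if "tls-auth" in local and "tls-auth" not in active:
        where = "commented out" if "tls-auth" in commented else "absent"
        findings.append("tls-auth is active in the running client (Local Options String) "
                        f"but {where} in the provider config; on pfSense a TLS key in the GUI adds it")
    if hmac_errors:
        findings.append(f"{hmac_errors} 'cannot locate HMAC' errors: the server's packets fail the "
                        "local tls-auth check, so the server is not using tls-auth, or uses a "
                        "different key or key direction")
    if active.get("cipher", [""])[0].lower() == "bf-cbc":
        findings.append("cipher bf-cbc: Blowfish has a 64-bit block; prefer an AES cipher if the server offers one")
    if "ns-cert-type" in active:
        findings.append("ns-cert-type is deprecated; remote-cert-tls server is the replacement")
    return findings


if __name__ == "__main__":
    for finding in diagnose(PROVIDER_CONF, LOG_LINES):
        print("-", finding)
```

On this input the first two findings are the ones that explain the failed handshake: the client is sending and expecting tls-auth HMACs while the provider's own config has the directive disabled. Either clear the TLS key on the pfSense client or confirm with the provider that the server really uses the key and that the direction bit is the one they expect.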

  • OpenVPN dual LDAP not working

    0 Votes | 3 Posts | 1k Views

    Thanks, But How?

  • Couple of questions

    0 Votes | 3 Posts | 837 Views

    Thanks mate, sorted it.

  • No port 80, 443 access via OpenVPN

    0 Votes | 3 Posts | 994 Views

    The only rule I have is the auto generated one, Allow all from all.

    I am not using Squid as a proxy. However, your asking the question made me start thinking in a different direction. I have a content filter between pfSense and my network. I bet something is happening there. That would explain why it's just HTTP/HTTPS.

    Thanks. If I figure it out I'll update.

  • How to resolve local and remote hosts

    0 Votes | 4 Posts | 2k Views

    So I am at company X, and my company has servers, let's call them serverA.companyX.com for example.

    How does 10.0.8.1 as your home DNS know about serverA.companyX.com when it is only resolvable by computers on the companyX network - it is not open to the public NET.. For example the Active Directory servers.

    While you can hand out multiple DNS servers to your pfSense clients, just because you have multiple DNS servers, depending on what the DNS returns when asked for serverA.companyX.com it's just going to stop.. And if I ask say the companyX DNS for something at home, pfsense.localdomain.net - it sure as hell does not know..

    The best solution to this sort of problem is to say run BIND on your box.. Point to it for DNS.. And in it have a forwarder for localdomain.net to ask your DNS on your home network, and everything else go to your corp DNS.

    That way you can resolve both your company stuff and your home stuff when you have a VPN connection. It does not have to be BIND, could be dnsmasq, tinydns, unbound, anything that can make the call..
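
The forwarding rule described in that post, as an added example that is not johnpoz's code: the zone-to-upstream decision written out in Python so the label-boundary edge case is explicit, plus the unbound.conf forward-zone stanzas that implement the same table. Queries for the home zone go to the home resolver; everything else goes to the corporate DNS that is reachable over the VPN. The zone name, addresses and the choice of unbound are constructed for the example, not taken from the thread.

```python
"""
Added example (not from the post): split forwarding for a local resolver,
home zone to the home DNS, everything else to corporate DNS over the VPN.
"""


def _labels(name: str):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def choose_upstream(qname: str, forward_zones: dict, default: list) -> list:
    """Longest-suffix match on whole labels.

    'host.localdomain.net' matches zone 'localdomain.net'; 'host.notlocaldomain.net'
    does not, because the comparison is label-wise rather than a string suffix.
    """
    q = _labels(qname)
    best, best_len = default, -1
    for zone, servers in forward_zones.items():
        z = _labels(zone)
        if len(z) <= len(q) and q[len(q) - len(z):] == z and len(z) > best_len:
            best, best_len = servers, len(z)
    return best


def render_unbound(forward_zones: dict, default: list) -> str:
    """Emit forward-zone stanzas for unbound.conf from the same table."""
    lines = []
    for zone, servers in forward_zones.items():
        lines.append("forward-zone:")
        lines.append('    name: "%s."' % zone.rstrip("."))
        lines.extend("    forward-addr: %s" % s for s in servers)
    lines.append("forward-zone:")
    lines.append('    name: "."')
    lines.extend("    forward-addr: %s" % s for s in default)
    return "\n".join(lines) + "\n"


# Constructed example (assumption): home zone to the home resolver, rest to corp DNS.
HOME_ZONES = {"localdomain.net": ["192.168.1.1"]}
CORP_DNS = ["10.20.0.53"]

if __name__ == "__main__":
    print(render_unbound(HOME_ZONES, CORP_DNS))
    for name in ("pfsense.localdomain.net", "serverA.companyX.com", "host.notlocaldomain.net"):
        print(name, "->", choose_upstream(name, HOME_ZONES, CORP_DNS))
```

Two unbound-specific things to add for an unsigned internal zone that answers with RFC 1918 addresses: `domain-insecure: "localdomain.net."` so DNSSEC validation does not reject it, and `private-domain: "localdomain.net."` so unbound's private-address filtering does not strip the answers. Swap the default stanza for the corporate resolver only while the VPN is up, otherwise every lookup stalls when the tunnel is down.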

  • pfSense as VPN tunnel concentrator for LAN gaming

    0 Votes | 9 Posts | 3k Views

    @Derelict:

    I think most of what you need is here: https://forum.pfsense.org/index.php?topic=46984.0

    I don't think you need the fix package any more.  That post is a couple years old.  I don't see it listed in available packages.

    Thanks !! I will try the guide!

  • Problems with roadwarrior OpenVPN to an alias IP

    0 Votes | 1 Post | 596 Views
    No one has replied

  • OpenVPN client for access via IP Alias network

    0 Votes | 1 Post | 548 Views
    No one has replied

  • OpenVPN with certificates + LDAP

    0 Votes | 5 Posts | 5k Views

    Derp. Thank you. I don't know how I missed that option during the setup wizard, but I did. I edited the server entry under OpenVPN for my LDAP server, changed it to Remote Access (SSL/TLS + User Auth), and the client export wizard now shows a client build for the certificate I cut for my test user. Now I just need to install it someplace and verify it's all working :D Thanks a ton!

  • Routing issue: mobile clients can't reach remote site

    0 Votes | 8 Posts | 1k Views

    you need to add the network so the traffic can return

    Absolutely, you need a return route for the road warrior tunnel network on PFsense02, so the return traffic gets routed down the tunnel... but if you notice, the road warrior tunnel network is 10.0.7.0/24, not 10.123.45.0/24.

    I'm guessing he was working on multiple documents and posted the wrong subnet by mistake, because 10.123.45.0/24 is nowhere in his diagram.

    Someone please point it out if it's right in front of my face and I'm missing it, but going strictly off the diagram... I don't see any reason for routing 10.123.45.0/24 down the tunnel.

  • Install / Upgrade OpenVPN/OpenSSL on pfSense 2.1.5 box (VMware VM)

    0 Votes | 2 Posts | 1k Views

    After some testing, I have installed a new VM acting as a VPN server with pfSense 2.2 beta.

    pfSense 2.2 has OpenVPN version 2.3.6 and OpenSSL 1.0.1i by default, therefore it finally utilizes the AES-NI feature, which reduces the CPU load by 45% on average, while I keep the 15 MByte/s download bandwidth over VPN.

  • OpenVPN connection to work - "dial on demand" setup?

    0 Votes | 1 Post | 1k Views
    No one has replied

  • Seemingly random CPU spikes (causes high pings and VPN + WAN to go down)

    0 Votes | 1 Post | 575 Views
    No one has replied

  • Does OpenVPN take up space on a hard drive?

    0 Votes | 4 Posts | 880 Views

    Nope.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.