• Forcing all VPN client traffic thru the tunnel

    3
    0 Votes
    3 Posts
    994 Views
    J

    We had exactly the same situation. With a tun OpenVPN network I have not been able to get it working either.

    So I created another OpenVPN connection, this time based on a tap-device (see other posts for that).
    After pushing a route for the client-network in the OpenVPN default setting I now can access files through home-->OpenVPN-->Office-->IPSec-->Customer site.

  • Single client all through tunnel - which IP range?

    1
    0 Votes
    1 Posts
    526 Views
    No one has replied
  • Client showing connected but not able to navigate to servers on network

    2
    0 Votes
    2 Posts
    734 Views
    A

    In this case you can check your firewall logs to see if there is traffic blocked. If it is, just simply create a new rule. System logs can be very helpful.

  • OpenVPN Site to Site - MultiWAN failover

    3
    0 Votes
    3 Posts
    1k Views
    H

    @costasppc:

    Hello,

    Based on this thread: https://forum.pfsense.org/index.php?topic=60201.msg323949#msg323949 in the 2.1.5 in the OpenVPN there is the ability to have gateway groups in the OpenVPN server.
    Can this be used for having Site to Site WAN failover?

    Solutions were given at this thread, but is there something new with the latest edition?

    Best regards

    Kostas

    should be mostly the same.
    2.1 --> 2.1.5 are mostly bug/security fixes, with little major change to how to use it

  • 0 Votes
    2 Posts
    1k Views
    jimpJ

    It sounds like traffic is getting blocked by the default deny rule which means it is not matching any of your pass rules. Without more detail it's tough to say exactly what rules to add, but try making sure your OpenVPN tab rule is passing traffic in for any protocol and with a destination of 'any'. If that doesn't help, you'll have to post screenshots of the firewall log entries and your firewall rules.

  • Running an open vpn tunnel inside another vpn tunnel?

    3
    0 Votes
    3 Posts
    2k Views
    jimpJ

    You'd burn more CPU, be forced to deal with a much lower MTU, and generally have more overhead, but there isn't any technical reason why that wouldn't work if the traffic is allowed across the 'outer' tunnel. Definitely need to use UDP tunnels, I can't imagine the nightmare you'd have from TCP retransmissions and compounded loss using nested TCP VPN tunnels…
    shudder

  • VPN on same subnet as internal network?

    2
    0 Votes
    2 Posts
    805 Views
    B

    In that case you need to set up the adapter to bridge (TAP) instead of route (TUN).
    Hint: it starts by changing "Device Mode" under your OpenVPN server settings.

    https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
    http://en.wikipedia.org/wiki/TUN/TAP

    happy reading  ;)

  • Open VPN with WAN NAT

    2
    0 Votes
    2 Posts
    853 Views
    R

    I'm not exactly an expert on this but when shouldn't you use NAT: Outbound instead of NAT: 1:1?

  • How to use OpenVPN for only some traffic e.g specified by PORT or IP?

    3
    0 Votes
    3 Posts
    917 Views
    R

    Have going through the VPN be the default and make specific firewall rules that route your traffic elsewhere before the rule that gives you internet.  The computers you want to bypass the VPN should be on static DHCP leases so you can specify them in the rule.  Tell me if this response is not detailed enough.

  • Dynamic IP collision

    9
    0 Votes
    9 Posts
    2k Views
    D

    Thanks anyway!

  • OpenVPN not working with own PKI (CA-SubCA)

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • PFsense OpenVPN Site to Site Shared Key

    1
    0 Votes
    1 Posts
    774 Views
    No one has replied
  • OPENVPN LOGIN A.D.

    4
    0 Votes
    4 Posts
    890 Views
    ?

    Hi, thanks. I can access my network from my house, all this is no problem. I installed with a local domain, but when I try to log in to my domain it appears that the domain is not found. Is it necessary to create access with LDAP?

  • How do I use a number generating token

    2
    0 Votes
    2 Posts
    515 Views
    R

    Anyone?

  • Pfsense as commercial VPN client - gateway trouble

    3
    0 Votes
    3 Posts
    1k Views
    R

    This is how you set up multiple VPNs.  Tell me if I need more details.

    1)  Set up all your VPNs

    2)  Choose one as default and restart them until your router uses that.  It may help if your defaults outbound NAT rules for default VPN are on top.

    3)  Assign static DHCP leases for clients using the other VPNs

    4)  Add firewall rules above the rule that gives you internet to your random DHCP leases that specifically port that static DHCP lease through an alternate VPN.  The rule looks something like this.

    Interface: LAN
    Source: <static DHCP lease number> (single host or alias)
    Destination: Any
    Gateway: <alternative VPN>

  • Openvpn routing all traffic through vpn regardless of static routes

    3
    0 Votes
    3 Posts
    888 Views
    H

    openvpn route-nopull will avoid the openvpn-client to force its default route upon pfsense.
    then you can work with gateway(groups) to configure what client must go where.

    the downside is that you'd have to add the necessary routes for the tunnel yourself

  • How to get OpenVPN clients to use specified DNS servers

    2
    0 Votes
    2 Posts
    1k Views
    R

    To specify which DNS server you want used, go to System -> General Setup.  Then add the DNS server you want used.

    You may also find this useful: //www.privateinternetaccess.com/forum/index.php?p=/discussion/2114/ipv6-leak-dns-leak-e-mail-ip-leak/p1

  • 0 Votes
    1 Posts
    647 Views
    No one has replied
  • OpenVPN and PIA - only route one host?

    4
    0 Votes
    4 Posts
    1k Views
    R

    I spent a while figuring this out but eventually found someone that knew how to do it.  From what I understand, you already have the VPNs themselves working so the only thing left for you to do is to have specific clients going through specific VPNs.  To do this you need to have what you consider a default VPN providing internet to everything first.  I usually restart VPNs until this is working correctly and it seems to continue working but it may also have to do with the fact my Outbound NAT has my default VPN rules above the other VPNs (I'm not exactly an expert on this).

    The next thing you need to do is to put a static DHCP address on the clients you don't want to be using the default VPN.  This is done at status -> DHCP leases.

    Finally, you need to create a firewall rule that forces those static addresses through those alternate VPNs and place them above your rule that normally allows clients to get internet.  If your static DHCP address for that client is 188.132.1.3 then the rule looks like:

    Interface: LAN
    Source: 188.132.1.3  (using single host or alias)
    Destination: any
    Gateway: <the name of your selected VPN>

  • LAN Changes causing timeout

    1
    0 Votes
    1 Posts
    557 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.