For all who can't figured this out and noone want to answer him.

When you create tap based VPN after you create a bridge go to Firewall > Rules > Bridge interface > creat a rull to allow trafick on that interface with custome optoion "Gateway" internal gateway of your network. After that everything start flying :)

there should be a field in the openvpn server config named: "IPv4 Local Network/s"

all subnets declared there get an automatic "push route' statement added in the underlying config.

The problem is solved for now.
I stopped the apinger service manually and it stops restarting.
Every 5 minutes that service made a "alert" of gateway down, but it isn't true… the gateway was ok all time.
For now, I will keep that service down.
Thank you for your answers :)

Adjusting the threshold seems to have fixed it.  Thank you!

Speaking for a very small segment of the pfsense community (ie. Myself), thank you very much for taking the time to drop in and give us an update.

I've used the OpenVPN Manager and OpenVPN for many projects and it's one of the nicest combinations of work I've used.

Thanks again!

@jimp:

Any errors in the system log when you try to export a .p12?
It must be something in the way the cert was imported. You might try to remove one of the imported certificates and then import it again.

No entries in the system log. Is it possible to raise the loging level or to activate some kind of debug mode?

I've already removed and reimported some of the IPCOP certificates with no success. I've also exported and reimported certificates created by pfsense, which was successfull. It definitely has something to do with the content of the IPCOP certificates…

I also noticed the the distinguished name of the imported certificates is different to the one from the certificates created by pfsense (see attached screenshot).

screenshot.png_thumb
screenshot.png

I'd love to find some of the root causes for this one.  I run a box with about 25 client OpenVPN - PKI connections and when I reboot the box everything shows up fine, but over time I see "lost" connections in the GUI.  The total number and particular connections that are bad fluctuate but are somewhere around 5/25.

I got mad one afternoon and was able to force a GUI restart on the downed instances by finding their PID's in the shell and killing their process.  It seems that the GUI gets out of sync with the PID and then gets lost.  In general OpenVPN has been very stable overall and the GUI thing is really just a nuisance.

I imagine if I get ticked at this enough I'll dig into creating a script to identify the differences between the GUI PID's and the actual running PID's  :o

most of my installations have been update from 2.0-Beta -> 2.0.1 -> 2.0.3 -> 2.1 -> 2.1.1 -> 2.1.2 -> 2.1.3

as far as i can tell, there is nothing wrong with your openvpn configuration.
for testing you could add a firewall rule on top of the openvpn-tab: PASS, PROTO:all, source:any , dest: some-lan-client-address, logging:on

see in logs, if it shows up when you try to ping the client … if it does, then i'd say it's a client issue. If not, then only packet-captures could help to explain what is happening

@Derelict:

Is this on?

Strict CN/User matching: When authenticating users, enforce a match between the common name of the client certificate and the username given at login.

It's in the OpenVPN server settings.

EUREKA!!!

Yes thank you -just tested, and is working as described.

…

In other news, i need to go and have my eyes tested - cant believe that i missed the setting  :o

Thx Derelict / Guys :)

Hi ,

i tried all things ….........no luck !

the only way it worked is , when i used openvpn gui  !!!

i was using openvpn client , but not working !

can you tell me wt the diffeence between them ?  why pfsense dont like both of them ??

also i have another issue with my iphone !

im trying to download the profile but it fail !!!
it give me an error !!!

anyhellp ?

many thanx viragomann, now i try to do it, i hope to have success.

Can i ask you other in future?

For me, this features is very important

Regards

Hi,

I have also added the following rules on the PRV5 interface

you have to put the rule allowing traffic from OpenVPN to OpenVPN interface.

FIXED

I went into the VPN interface, clicked 'Save' and all miraculously started working again.
got the idea from another Thread: https://forum.pfsense.org/index.php?topic=75142.0

Same problem too (vpn tap with certificate + bridge)

The vpn connects correctly (from logs either client and server side), but no traffic passes through it as interface is down.
Going to the interface properties hitting save makes it work

The problem doesn't happen with vpn tun with shared key to another location

Thanks for the help though!

Well that figures, after dealing with it for weeks and finally asking for help, I seem to have fixed it.

I ran 'addtap' and it gave me some dialog about how it was installed and updated?  It's working now.

A couple potential solutions.

Use different networks for the local and VPN.  e.g. local: 192.168.1.x, VPN: 192.168.21.x
Edit: Oh wait a minute, just realized that isn't what you are talking about.  It's the work and local networks that would need to be different also.  I think.

Place the OpenVPN interface at the top of the binding order.
This was pointed out to me by hero member johnpoz in an earlier thread last week:
https://forum.pfsense.org/index.php?topic=77421.0

Good luck.

If you had used EasyRSA on pfSense 1.2.x to make the certificates and imported the CA from there, you have to be careful to get the serial number from EasyRSA when importing. EasyRSA tracked it in a separate text file. See https://doc.pfsense.org/index.php/Using_EasyRSA_Certificates_in_2.x

I'm a little unclear on what's your actual problem.

Does the Tomato router connect, but you simply can't ping it from the pfsense side?

Or does the Tomato connect and then drop off forcing a restart of the OVpn connection?

If it's just a ping issue, you may need to add the "iroute 192.168.1.0 255.255.255.0" to the "OpenVPN->Client Specific Configuration" section for your Tomato connection.