• Route only Viber traffic

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pfsense as OpenVPN client, routing issue

    3
    0 Votes
    3 Posts
    1k Views
    J

    Hi kpa,

    thanks for your fast response.
    The VPN is a TAP/bridged one, as far as I understand there is no tunnel on this kind of vpn, or am I missing something?

    Thanks,
    Jakommo

  • MOVED: Openvpn (IPSEC)

    Locked
    1
    0 Votes
    1 Posts
    553 Views
    No one has replied
  • OpenVPN TCP port 443 bad performance

    15
    0 Votes
    15 Posts
    8k Views
    G

    OK, I confirm the workaround.

    For an OpenVPN in TCP 443 on pfsense 2.1.3 I have to disable TCP Inflight Mode.

    If not, I have only 1.3 Mbit, without, I have 12 Mbit!

  • Psk setup works no problems, pki setup not so much

    6
    0 Votes
    6 Posts
    1k Views
    D

    Yah, been there ::)

    Sometimes the magic works…...
    Sometimes you just have to get all the details just right.....

    Glad it's up and running  :)

  • Pkg_add won't fetch openvpn-2.3.2

    5
    0 Votes
    5 Posts
    2k Views
    A

    I got panicked while I run

    pkg_add openvpn

    anyway I did

    pkg_delete openvpn-2.2.2
    pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/All/openvpn-2.3.2.tbz

    and now I got openvpn version 2.3.2 and also the shared object :

    /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so

    thank you very much… I'll make my tests now...  :)
  • OpenVPN connection random disconnects

    5
    0 Votes
    5 Posts
    5k Views
    A

    My reply is after adding that option and testing for however many days since your post. At first, it seemed to have done the trick but then I realized the same problem exists.

    Here is my config

    auth-user-pass xxxx;
    #route-gateway x.x.x.x;
    #dhcp-option DNS x.x.x.x;
    #dhcp-option DISABLE-NBT;
    route-noexec;
    #dhcp-option DNS 8.8.8.8;
    #verb 6;
    reneg-sec 0;
    keepalive 10 60

  • Vpn VS ssh

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ

    "But I use this vm for business use and this request is for my personal use"

    So you want to route your personal traffic through your business box?  And you don't want to even reboot it, etc.  Why don't you just get a lowend vps, install the simple openvpn access server package on it and be done?

    https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html  You say this is personal use, it comes with 2 connection license for free. I have started a doc/howto in connecting to this and using policy routing, etc.  But have gotten side tracked and have not finished it yet, etc.

    I have multiple lowend vps for play, they are $15 a YEAR ;)  route your personal vpn traffic through one of those - my plan has 500GB a month, etc.

    If you want I could post a link to the plan I am using.. But there are plenty of low end vps to play with out there..  Why you would even think of touching a business box for personal use, not sure thinking would be the word I would use ;)  Be it over or under.. Unless not was the term you were looking for..

  • StrongVPN Client alternatives to pfSense?

    3
    0 Votes
    3 Posts
    1k Views
    D

    Thanks for the reply macboy6.  I do already have Tomato on an Asus router to do this, but I want to route the VPN through a computer with a faster processor to get better download speeds.  And I do like having pfSense on an old desktop.  It has worked great for several weeks now for the local network.

    May I ask how you were able to get it to work with pfSense?  I've followed the tutorials in the sticky link on this, but I can't seem to make it work.

    Thanks for any words of wisdom you may have!

  • Openvpn s2s automatic reconnection after link loss?

    6
    0 Votes
    6 Posts
    2k Views
    K

    ok. thanks, now I understand, /32 has to be put in the list.

    I have one more concern:

    currently we are using  2.1.2-RELEASE of pfsense.
    and quagga we are using: 0.99.22.3 v0.6.1.

    With my previous setup where I turned on accept filter in OSPF interface config on openvpn interfaces and setup /28 filter subnets in quagga OSPF main page we had the problem when a link went down and ospf neighbour has gone the Quagga Zebra service stopped. So all routes via OSPF have gone. I was not able to manually start Quagga Zebra daemon, till I remove the accept filter setting on openvpn interface in Quagga interface configuration section.

    Did you experience something similar? I can reproduce this error anytime.

    Thanks for help,

    klajosh2

  • Wan ICMP not reaching Inside LAn

    1
    0 Votes
    1 Posts
    673 Views
    No one has replied
  • All tap-windows adapters on this system are currently in use

    3
    0 Votes
    3 Posts
    4k Views
    T

    I used the client export utility on pfsense's web management page, and yeah I think it installed the adapter.  I uninstalled OpenVPN and reinstalled it and its working, for now.  Not sure what happened.  I installed it exactly the same way the first time around.  Hopefully it continues to work.

  • Unable to access LAN machines over OpenVPN

    13
    0 Votes
    13 Posts
    4k Views
    P

    Marvosa, you're right I very well may be using the wrong solution.  If there is a better way to go about it I am completely open to it, and in fact if there's a way to have anything that connects to my VPN just be directly on the same subnet that's what I want but haven't found a way to do so yet.  Thanks again, and here is the server1.conf. (I removed my public IP, but everything else is untouched.)

    Edit:  After looking into what you said, I'm pretty sure I do just want it bridged.  I don't want them to be segregated in any way.  I'm tinkering with it trying to set the "Device Mode" to "tap" without much luck yet.

    dev ovpns1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local <my public ip is here>
    tls-server
    server 192.168.2.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server1.php via-env
    tls-verify /var/etc/openvpn/server1.tls-verify.php
    lport 443
    management /var/etc/openvpn/server1.sock unix
    max-clients 10
    push "route 192.168.1.0 255.255.255.0"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo

  • OpenVPN Range of IPs Assigned

    9
    0 Votes
    9 Posts
    3k Views
    E

    By the way, you mentioned that allow dup connections wasn't that great because if one connection was compromised it would mean re-issuing all….  I would only be using the dups for classroom work then probably deleting and making a new ones after class (a day to two) anyway so it doesn't matter...  The ones that will be persistent will be unique.

    Make sense?

  • 0 Votes
    3 Posts
    900 Views
    V

    What do you mean by "setup route on the box to point to pfsense"? I'll describe the topology better: I have some computers with 192.168.0.x subnet and the DG 192.168.0.254. This DG routes to another subnet inside another LAN so I also cannot touch it. Pfsense has internal interface 192.168.0.253 and the external one connects it outside. I setup VPN in order to access 192.168.0.x subnet but because Pfsense is not their DG I cannot access them. Any ideas how I can do it?
    Thanks.

  • OpenVPN best practices

    4
    0 Votes
    4 Posts
    3k Views
    V

    I'm also running on an Atom D525 with 4GB memory. My Internet connection is only 30mbit down so I am not pushing it by a long shot. Look around on this board or in the hardware section for what other people are running.

    I am however waiting on a supermicro board with a E3-1220v3 to replace it with. Traffic shaping completely kills the Atom processor. Also the Realtek nics cause high interrupts. Time to get a real server. :) So unless you have a 100mbit connection or want to do traffic shaping you'll be fine with the Atom. You already have the hardware so try it for yourself.

    Regarding PIA,  I am extremely satisfied with them. I am using them for over 6 months now and I have always been able to saturate my connection. There is some extra lag because of the VPN but not much.  There is someone in my house playing online shooters and he doesn't know he is playing through a VPN.  :p I'm also streaming Netflix over the VPN and it has never failed on me.  On really busy moments like Friday night it might reduce stream quality but I ask myself if that would happen without a VPN too.

    Please use the latest release of pfsense, there was some bug in versions prior to 2.1.2 where the webgui lost track of the openvpn process. The tunnel was still working it just showed as down in the webconfigurator.

  • Official, Up-to-Date Method for Extending Subnet?

    1
    0 Votes
    1 Posts
    691 Views
    No one has replied
  • Openvpn manager update

    3
    0 Votes
    3 Posts
    1k Views
    R

    so is there a way in the current version that comes with pfsense to run scripts when the tunnel is as map network drives automatically when the connection is live and disconnect them when the connection is disconnected pls?

    I know you can do that with the normal openvpn-gui which works like a charm on xp but I am using Win 7 and do not want to have to click run as every time  :-(

    Cheers,

    Raj

  • Dual VPN - In and Out

    8
    0 Votes
    8 Posts
    1k Views
    B

    @kpa:

    I think that I know what is happening with your problem. When the VPN client is active on your server it overrides the default gateway but does not replace it, this is where the 0.0.0.0/1 and 128.0.0.0/1 entries in your routing table come from. When you try to connect to your own VPN service the packets come in via the WAN interface but the replies are not sent back via the same WAN interface because of the two routes installed by the VPN client connection, the two routes are more specific than the actual default route so they will be selected for all traffic sent out from the system instead of the default route. This means the replies to connection requests to your VPN service are routed via this VPN client connection and don't make it back to the source. I'm not yet sure how to fix it but at least that's what I think is happening.

    Edit: You have the firewall rule on WAN interface that allows the incoming OpenVPN connections to WAN interface, UDP port 11194. Change the gateway option on that rule to be the gateway of the WAN network instead of the system default.

    Thanks, that's pretty much what I thought was going on, I just wasn't sure how to address it.

    @heper:

    try to add this to your ovpn-client advanced field:

    route-nopull

    assign the ovpn-client as an interface, configure the necessary rules. It should automagically create a gateway for it. This gateway could then be used in your firewall rules on LAN/ovpn-server/…

    this should disable the default-gateway override.

    Don't do this remotely … you will probably lock yourself out once or twice ;)

    I think that is exactly what I was missing.  I added that code to the advanced options, disabled my default LAN route, added a new LAN route specifying the VPN as the gateway and now it seems to work as desired.  I'll have to test it out some more, but initially I believe this has done it.  Thank you very much!!

  • 0 Votes
    9 Posts
    2k Views
    S

    nb,

    update. my vpn tunnels have not lost connectivity in over 24 hours. not sure why.

    thanks,
    Sean

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.