• OpenVPN tunnel seems to break transparent proxy rule

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Connection info email notification

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Site-to-Site OpenVPN with multiple LANs at each site.

    4
    0 Votes
    4 Posts
    8k Views

    @Nachtfalke:

    Hi,

    I would suggest you to read this how-to:
    http://forum.pfsense.org/index.php/topic,12888.0.html

    This will explain you how to make a site-to-site VPN which only needs one OpenVPN server and PKI infrastructure instead of PSK.

    Further you have the ability to use "Client specific overrides" so that you can push routes from the OpenVPN server to the clients and so you can push only the routes you want to allow. So one strategy could be to push only the routes you want to allow or you push all routes to all sites and then do it like twaters wrote with firewall rules.

    I probably would go the way with firewall rules because configuring firewall rules to make a temporary connection for some IPs or a subnet would be easier than with adding/removing routes.

    In general we can say what you want to do is possible, there are different possibilities to setup the VPN (PKI or PSK) and to use routes or firewall rules to limit traffic.

    Not to mention, but if you ever need to have Site 1 Subnet A talk to Remote Site 1 Subnet B, the route is already established and confirmed. All that is needed is a change in the Firewall Status.

  • How to generate Windows client certificate from Ubuntu OpenVPN server?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimp

    This is not a general-purpose OpenVPN forum, it is specific to OpenVPN on pfSense. If you post your question on an OpenVPN forum or an Ubuntu forum you are more likely to get a relevant answer.

  • OpenVPN and Static IPs

    1
    0 Votes
    1 Posts
    998 Views
    No one has replied
  • VPN + DNS

    3
    0 Votes
    3 Posts
    1k Views

    I did a routing on the router 192.168.4.1

    Any destination 192.168.0.0/23, redirects to the IP 192.168.4.117

    entire network 192.168.4.0/24 can ping the pfsense.

  • Site to Site VPN with dd-wrt

    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Android 4.4 access to both LAN and WAN through OpenVPN

    3
    0 Votes
    3 Posts
    2k Views

    So…  Apparently I'm an idiot, and when I downloaded the config, I downloaded the iOS version, and never realized.  I re-downloaded the ANDROID config, and it worked first shot.

    Sorry for the trouble, but I was starting to go crazy wondering what I could be doing wrong.

    I'm a m0n0wall convert and I'm really loving pfSense!!  I'm running it on a little VIA C7 1GHz fanless unit...  I might have to upgrade to a full PC...

  • Multi VPN GW - Massive problems since 2.1

    1
    0 Votes
    1 Posts
    851 Views
    No one has replied
  • Multiple VPN 'Roadwarrior' Clients with same external IP, no traffic

    2
    0 Votes
    2 Posts
    925 Views

    Oops, I can't delete this topic, but I figured it out.

    I had the second client set with a static IP, but I dyslexia'd the IP, so it was not in the correct subnet.

    Delete this post if needed.

  • Site to site no routes

    5
    0 Votes
    5 Posts
    1k Views

    Are both sides pfSense?  Post your server1.conf and client1.conf.

    Nachtfalke already said it, but you're using a routed setup, you should be using TUN (not TAP).

    A couple things:

    1.  Remove those client-specific override options, they are not needed.  (iroute is only used when the remote side is on a software client and that tunnel statement is redundant)
    2.  Your advanced rules are redundant.  Those rules are already generated from the "IPv4 Remote Network/s" line.
    3.  Remove the source restrictions from your firewall rules until you get it working…. i.e. on the OpenVPN tab, add an any/any rule to both sides (server and client)

  • [2.1] site2site vpn stops to work after Multi VPN server firmware upgrade

    27
    0 Votes
    27 Posts
    6k Views

    [SOLVED]
    Fix will be available on 2.1.1

  • PFSense 2.1 OpenVPN VYPRVPN

    2
    0 Votes
    2 Posts
    3k Views

    Hi All,

    I am now able to connect to the VPN, but the network through the VPN works for only 10 seconds, then I can see the gateway goes down, changing to red. Not sure what is happening here?

    Thanks,

    Dan

  • OpenVPN Client Export and verify-x509-name vs tls-remote

    2
    0 Votes
    2 Posts
    2k Views
    jimp

    Missed a file in the last commit, it's 1.2.2 now, should be OK to try.

  • Connect from LAN to OpenVPN client — help please?

    24
    0 Votes
    24 Posts
    11k Views

    @kyreservoirdog:

    jg3, did you ever get this figured out?

    I did — apologies for not reporting back (bad form!).  I'm glad that you solved it but for the record:

    I have a 1:1 NAT for a host using an additional public IP (not the IP of the firewall).  There's a corner case or two where VPN'd clients would want to reach the internal host via the public IP.  So I had created another public-private 1:1 NAT rule and applied it to the OpenVPN interface.  This worked to solve the aforementioned problem, but caused the host the NAT applied to not to be able to connect to VPN clients (other hosts on the internal network could still connect to VPN clients).

    So, if you've come here looking for help … about all I can tell you is:  don't do that.

    --jg3

  • Openvpn strange problem, was ok but now its not

    12
    0 Votes
    12 Posts
    3k Views

    Found a fix at last, and would like to share it with you.
    It turns out that the ISP has changed some of their backbone routers, and I ended up doing this.
    1. Add the mtu-test command in the advanced box of the main OVPN server.
    2. Check the logs of OVPN.
    3. Verify what the local/remote MTU value is.
    4. Add the following to both local and remote (in the advanced box):

    fragment 1400;
    mssfix;

  • OpenVPN disconnects after provider IP-address changes (AUTH_FAILED)

    2
    0 Votes
    2 Posts
    1k Views

    Has anybody a similar configuration that works?

  • Anymore steps needed to allow OpenVPN?

    4
    0 Votes
    4 Posts
    1k Views

    For anyone looking at this, I found the best guide to use here:

    http://hardforum.com/showthread.php?t=1663797

  • Minor issue with client export config commands?

    9
    0 Votes
    9 Posts
    4k Views

    Yep that was my issue. Thanks!

  • Multiple Peer Certificate Authorities

    3
    0 Votes
    3 Posts
    2k Views

    Too easy  ;)

    Tested and fine.

    Could this be documented in the Wiki?
