@jimp: Sure that works fine. OpenVPN doesn't check the source IP of the traffic, only that the keys and/or certificates match. You can restrict access to the VPN process with firewall rules if you wish. Most limitations of dynamic IPs can be sidestepped with Dynamic DNS if you want to still be somewhat strict. any place to find some documentation to do this? I cant get the clients behinde the home pfsense to get ip from the DHCP server on office.

Okay, logging is turned on and everything is passed. logs: pass Oct 6 14:47:32 LAN 10.0.11.107 10.0.0.2 ICMP the routes look way better now on the pfsense: IPv4 Destination Gateway Flags Refs Use Mtu Netif Expire default 85.126.29.201 UGS 0 38 1500 em1 10.0.0.0/24 10.0.1.5 UGS 0 36 1500 ovpnc1 10.0.1.0/24 10.0.1.5 UGS 0 0 1500 ovpnc1 10.0.1.5 link#10 UH 0 0 1500 ovpnc1 10.0.1.6 link#10 UHS 0 0 16384 lo0 10.0.10.0/24 link#3 U 0 0 1500 em2 10.0.10.11 link#3 UHS 0 0 16384 lo0 10.0.11.0/24 link#1 U 0 3994 1500 em0 10.0.11.11 link#1 UHS 0 0 16384 lo0 85.126.29.200/29 link#2 U 0 174 1500 em1 85.126.29.203 link#2 UHS 0 0 16384 lo0 127.0.0.1 link#7 UH 0 33 16384 lo0 but I still have no connection to 10.0.0.0/24; though pinging 10.0.1.6 works

Ah…yeah, so I see that one firewall I'm using RADIUS for OpenVPN on doesn't work with client-connect defined. This seems like a bug - is there a workaround? Is it a known issue? Edit - I could just call my script from the attributes script...though I'm looking for something clean. Meaning, I get all the environment variables, etc.

Use a /30 for your tunnel instead of a /24. I had this same problem initially. For some reason, your client and server are not picking the same set of IPs for their tunnel endpoints. Your client thinks the server is at 10.1.2.9 when it's actually at 10.1.2.1. Your server thinks the client is at 10.1.2.2 when it's actually at 10.1.2.10. If you set the mask to /30 they will have no other choice than for the server to be at 10.1.2.1 and client to be 10.1.2.2.

Hey everyone, Here's a little update.  First of all, I have seen this issue on numerous Win7 64-bit clients.  I have seen it on at least 2-3 PC's at my work, and even my PC's at home.  OpenVPN acts very strange when you try to remove it sometimes.  What I ended up doing was downloading the client from another source and just using my own config file.  That seemed to do the trick. Thanks for your suggestions.

Hi jimp, I have tried this VPN connection on both internal and external networks and receive the same error message.  We have multiple WAN lines, each with a different WAN IP address, as well as some hotspots that are completely unrelated to our infrastructure. 1. I changed the clocks on my boxes to reflect accurate times. 2. How do I verify that I have a mismatched key or not?  I'm almost positive I created the keys properly through the cert manager and downloading the corresponding Client Export. 3. See first part of my response. Thanks for your assistance.

I'm beginning to think the OpenVpn rules are auto-created as a "catch all" approach and are not user configurable, at least not through the WebConfigurator.

Yeah I did thanks. I've posted a new thread here with a YouTube video of my question. :) http://forum.pfsense.org/index.php/topic,67352.0.html

The ones under Hosts should be the public key from the other Hosts you are connecting too, not the same as the public key you configured on that box. (for security all hosts should use different public/private keys)

I use OpenVPN Client Export Utility package, and check the box for "Management Interface OpenVPNManager". You have to then install it from a Win7 admin account, but then mere mortals can use OpenVPN Manager to make their connections. So that is also an option that works for me.

Thanks phill Adding the route as per your suggestion worked perfectly Thanks again

You must use a different tunnel network for every OpenVPN instance. Post more details of your shared-key client and road-warrior server and we can try and spot the conflict.

Never mind all, turned out to be some weird problem updating between my server and my DDNS service. All solved now and thanks!

@kejianshi: Guess you didn't like the OpenvpnAS idea? I'm glad its working well for you. kejianshi, Thanks for recommendation. I will try it eventually. I just couldn't see my self changing existing infrastructure. Again thank you!

Yo, I did a test with 2.1-RELEASE  (amd64) and Windows Server 2012(Not R2) set up as AD,DNS and NAP. I followed the instructions on this site: https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory I followed all the topics in the guide up to "Change the cryptoapicert SUBJ " I did not do this step or any step following it(if you dont cound connecting the client to the server). I used my own names and IP adresses etc and I ignored any setting that was new for version 2.1. I shared a folder on my Windows Server 2012 and was able to access it with my testaccount from a Windows 7 Enterprise 64-bit using the exported OpenVPN client. Do you know if radius still only support unencrypted(PAP) communication with the NAP server? Using Captive Portal and NAP you can select at least MS-CHAPv2. I know this isnt entierly secure ether but hey, better than nothing I think. Im new to using OpenVPN and I tried this in a virtual test environment. Im gonna play around with the settings to see what happens and see if Im able to do this without having to manually create certs for each user in pfsense. Anyway, hope this  helps and let me know of your progress!  :) /erik

I stopped using netbios over TCP - I realized its just not needed for me, but my VPNs support it and WINs supports it for the one subnet I wanted to use it for.  For it to work on one subnet and not multiple subnet, you don't need to do all that much.  Just Set up SAMBA on a system somethere in the LAN on a static IP, set it to be master, set WINs option to yes, set OS level high, like 35 or higher.  It should sync up with everything on the network without any fuss.  I also set mine to not require passwords because passwords on shares can be a pain.

Probably the biggest obstacle I see to really simple VPN is that not all OSs honour "push" from openvpn.  When they don't, you need to enter the command on the client side rather than "pushing" to client from the server.  PITA.

So apparently for what I needed I was able to install the avahi package and set it up using both the remote site search domain and the local search domain and now everything shows up with bonjour! Anyone know how to pass on the NetBIOS stuff through the tunnel to the other end?  For example I don't see windows boxes on my mac from the client network… I only the bonjour devices like the macs and printers... Thanks anyone in advance! Matt