• Site to Site VPN Max 900kb/s (AES-128-CBC, and with none)

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Android clients and remote DNS settings

    7
    0 Votes
    7 Posts
    2k Views

    Giving this a little more thought, I checked the log files for my OpenVPN client on Android, just to be sure that it wasn't an issue with the config file being exported from PFsense.  It's not.
    Using PFsense, the DNS is being pushed just fine using Openvpn Connect, so the PFsense end is working fine.
    It really must be your Android Client's issue.

  • Does OpenVPN always become default route? Is there a way to avoid that?

    5
    0 Votes
    5 Posts
    2k Views

    The OpenVPN client settings GUI page, Advanced Options box - that can take anything that is valid to add to an OpenVPN conf file - like route-nopull
    Just type it without quotes - it will be appended directly to the client conf file.

  • Pfsense - OpenVPN - Pfsense - no traffic

    15
    0 Votes
    15 Posts
    5k Views

    Well….I got it.

    I started poking around the routing tables after the last msg.  I needed to put a static route to the DMZ using the openvpn IP as the gateway.  Once I did that and added the vendor static routes that exist on the primary firewall to the remote firewall it all worked.

    Thanks marvosa for pushing me in the right direction.

  • Which is the 64-bit client?

    9
    0 Votes
    9 Posts
    3k Views
    jimp

    The binaries for the 64-bit OpenVPN client are there, but hidden in the GUI, because the last time I tried them, they did not function correctly. It produced a broken installation. It could be the config bundling parts to blame, but I'm not sure.

    Using the 32-bit OpenVPN client on 64-bit Windows is fine, as others have pointed out. Probably not a huge difference either way, but if you really want to, you could install the 32-bit client + config, then uninstall it, and then download and install the 64-bit community client from OpenVPN. That way your config would be in place already.

    Or just install the 64-bit client and copy an exported inline config into the config dir and do it that way. More manual, but less uninstall/reinstall song and dance.

  • TLS Error: incoming packet authentication failed from

    25
    0 Votes
    25 Posts
    20k Views

    I wouldn't need to fly there.  I can take a walk there…  Or ride a bicycle.  But the Metro is quicker.
    Now, the real question is why the heck would I want to spend more time there than absolutely necessary?
    I do like Dupont Circle from time to time, but it's hardly Gangnam.  DC is boring.
    (I was being FORCED to parade around museums AGAIN by yet ANOTHER visiting friend or I wouldn't have been there.)
    It just hit me when I checked my logs to compare notes with Honeybadger that the only time I've seen that error I was in DC.
    If someone did manage to overheat a mainframe and chew through that particular VPN they would be rewarded with a tunnel that just goes back to the internet and nowhere else.  Quite an accomplishment. I will be turning it on again next time I go to see if it happens again though.

  • OpenVPN asymmetric bandwidth with iperf

    5
    0 Votes
    5 Posts
    3k Views

    Odd thing is that with an IPsec tunnel, the asymmetry is reversed, faster when the client is on my side of the house.

  • OpenVPN Automatic Rule Generation?

    11
    0 Votes
    11 Posts
    2k Views

    That is correct, I didn't use the wizard to make the site to site. I will do some further testing to make sure there is leakage of ports. For the record, I'm not saying that PfSense is leaky, I'm just noting that in my situation I was getting a flaky connection with my remote site. If I didn't have the port opened up I would expect no connection. I will document the steps if anyone wants to try to duplicate the steps.

  • Exact same config not working today - was yesterday! - Resolved!

    3
    0 Votes
    3 Posts
    2k Views

    I have resolved this now!

    I have my pfSense running on an ESXI host.

    I was messing around with the vsphere switches last night and disabled promiscuous mode for the Firewall switch - this was causing it to not allow certain traffic through!

  • OpenVPN up but no traffic passing

    23
    0 Votes
    23 Posts
    18k Views

    Hi Guys,

    I'm having similar issues with pfsense 2.0.3.

    I'm using the OpenVPN Client software to setup a remote connection to my pfsense box and the VPN connection itself is up, some routes are being pushed to my client and I can ping the IP-address of the pfsense box itself.
    But all traffic going through the VPN to the internal systems (like RDP, ICMP etc.) are not passing through. When doing a Wireshark on the RDP-server and tcpdump on the pfsense box I see that the traffic is coming in via the VPN to the firewall, but not going out of the firewall to the RDP-server. Wireshark is not showing any incoming packets from the VPN client.
    So it seems that there may be a routing issue or that all VPN traffic is being blocked somehow.

    What I found out is that when configuring a clean pfsense 2.0.3 box the VPN connection is working and traffic is passing through to my RDP-server. But after rebooting the pfsense box, it does not work anymore.
    So something changes after rebooting the box.

    To answer Kejianshi, I'm using automatic Outbound NAT Rule generation.

    Regards,
    Cedric.

  • Internet Access issue using OpenVPN and Multi-wan

    24
    0 Votes
    24 Posts
    7k Views

    There is a limit of a couple of days for editing posts. So you can only do what you have already done - add an entry indicating the problem is solved.

  • Where can I see the changelog of OpenVPN Client Export Utility

    5
    0 Votes
    5 Posts
    2k Views
    jimp

    There isn't really an official changelog. Some package maintainers do put one up but I've been doing most of the maintenance on that package and haven't really done much in that regard.

    1.0.10 also further fixed space issues. The person that added that code to put in common names in the filename didn't test it very well. It's been broken for a few months but for some reason nobody hit it until the last week or so and then several people complained about it. (Then again, not many people put spaces in their CNs either… spaces in CNs are a bad idea, but not forbidden, unfortunately...)

  • Connect to 2 openvpn servers with the same IP

    6
    0 Votes
    6 Posts
    2k Views

    As they said, the same thing in different ways, it won't work then.

    I'd suggest getting on the admin's case and making him fix it.

  • Firewall blocks connections from external (openVPN)-IP

    11
    0 Votes
    11 Posts
    5k Views

    @phil.davis:

    What I have also tried right now is:

    I have only static IP's in my LAN (need that for rsync backups). I have added my PFS (192.168.1.1), my switch and my NAS-systems to an alias 'holiday'. I have created a firewall rule on the OpenVPN-tab to block everything from 192.168.19.0/24 to that alias 'holiday'.

    Yep, that is the way to go. You are obviously not stupid and are understanding about IP addresses and rules. Now traffic to the important resources you want to protect on LAN is blocked, but connections from across the OpenVPN to your "ordinary" LAN client systems (your laptop…) are allowed. Hopefully your communication and marriage now remains intact for a long time to come  ;)

    And, of course, you have a backup on an external device of all that is important on the NAS. With the external device physically disconnected, you simply can't have it all deleted by a remote intruder and lost forever.

    Thank you for your kind words, Phil  ;D

    Yes, indeed I have a backup, the NAS-ses are duplicated, since there is about 20TB of data on each of them. The problem is: NAS1 automatically rsyncs to NAS2 during the night to make sure NAS2 is always a complete mirror of NAS1 (well, almost always). That of course poses a risk: if a hacker can access NAS1 anywhere before the nightly rsync, rsync will happily delete NAS2 also. I haven't really found a solution to this problem, and I don't know how big companies do this.

    It turns out, btw, that I am now wasting all my savings on calling her majesty (my wife  ;D) on the old-fashioned phone anyway, as the hotel (and this is my area, economics) is being run by morons, I have no other word for it. Because: the 'free, high speed, internet' my wife receives is 1kb/sec, wireless, and no way to get wired internet in that hotel. I tried talking Skype into doing its thing anyway, but it refuses  ??? 'Stupid Microsoft' ( :D). So either it is congested, in which case you set up more access points (like the UAP-PRO recommended to me here in this fine forum), or you implement traffic control per room (perhaps her neighbor is saturating the connection with 24/7 torrent), or you provide fixed internet in every room (her previous hotel had that). I cannot understand that hotels in 2013 don't understand that (free) broadband internet is no longer a 'fancy feature', but a core benefit, as core as a bed and a shower.

    Thanks again Phil, & bye,

  • 0 Votes
    2 Posts
    2k Views

    Does server B end up with a route back to LAN A 192.168.0.0/24? ( "route print" in Windows, I think)

    You could also run pfSense in a VM on server B, as a "one-armed router" with an IP like 192.168.1.11 providing the OpenVPN site-to-site link to LAN A. Then you can add a static route on server B, telling it that LAN A 192.168.0.0/24 is reached via 192.168.1.11 (or a route on your LAN B basic router). That would remove any messing about with how Windows Server copes with being an OpenVPN client.

    Or even better, replace LAN B basic router with pfSense :)

  • [RESOLV] 2 vpn and Management Daemon Unreachable

    4
    0 Votes
    4 Posts
    2k Views

    The problem is the identical IP address for all the VPNs.

    Thanks.

  • OpenVPN Bridge Site-to-Site

    2
    0 Votes
    2 Posts
    2k Views

    Openvpn will work fine there, but you will need to put the sites on separate subnets and run DHCP at both locations.  Separate subnets will not break communication between the two sides.  That's my opinion anyway.

  • Server refusing connection:TLS Error: TLS handshake failed

    2
    0 Votes
    2 Posts
    37k Views

    Check this out.  Read down to "This indeed was the issue! I have had my old certs from a previous attempt (that also failed) on my laptop. I've regenerated this clients certs, and ta da"

    This thread might help you.

    https://forums.openvpn.net/topic12623.html

    Basically, he ended up regenerating his server CA and certs as well as client certs.

  • OpenVPN doesn't return subnet mask correctly

    27
    0 Votes
    27 Posts
    18k Views

    Sorry, from your diagram it looks like you have DMZ's on both firewalls.

    Yes, adding push "route 10.10.8.0 255.255.255.0" to your advanced config when it's already in your Local Network field is redundant and can be removed.  If you look at your config, you'll see the duplicate entry.

  • OpenVPN: Route traffic via Remote client

    8
    0 Votes
    8 Posts
    3k Views

    Yep - I'm not sure how much bandwidth you need, but a cheap ($10 or so used) E1000 with a DDWRT VPN load can act as server or client.
    I've had excellent results with them so long as I'm only pulling 5 Mbps or less through it.  You can max out their CPUs pretty fast after that and be sure to put it somewhere where it can breathe.  They get warm because openvpn is a cpu user.

    I would probably use pfsense as a client on your end to the ddwrt router you send to their end acting as server.
    There would just have to be a little cutting and pasting of certs and CA between the two before you sent it.

    For dynamic dns, I have had good luck with dyndns.com but there are MANY that work.

    freedns.afraid.org also works.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.