• Existing setup/config confusion - NAT hiding while on OpenVPN

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Android Client

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    A

    Interesting - but confused.

    Changed the mobile network to 10.0.8.0 so as to be VERY different to all other networks - and it works! No entries in firewall for blocked packets (as you would expect)

    Only slight funny is on Status/Openvpn - if you click the routing button it shows the connection details but it says that there should be a "C"  if currently connected - there is not - is this a funny from the 2.1 snapshot (using yesterday morning version)

    At this time I have only included details of the local LAN, default domain name and a DNS server together with the push route - is the general advice to include netbios/wins etc or just leave well alone?

    Andrew

  • Openvpn client redirect gateway for 1 network

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    S

    Well… I did get it working, so for anyone wanting to try this out, here's how:

    1/ make sure you get an OpenVPN client connection working
    2/ assign an interface to this connection via Interfaces->Assign->click the + symbol->assign the interface to your OpenVPN client connection (typically ovpnc1)
    3/ configure the interface: click Interfaces-><your_new_interface>->enable it & give it a sensible name (let's call it "MYVPN" for this example), choose "None" for IPv4 & IPv6, leave all other fields blank
    4/ assign another interface to one of your physical ethernet ports (call this one "SECURELAN" for this example, and let's assume the physical interface is called re1)
    5/ configure it again by enabling it and giving it a static IP (192.168.100.1 for this example)
    6/ enable DHCP for this last new interface so your clients can get an IP address: Services->DHCP Server->SECURELAN->enable the interface & specify a DHCP-range (range  192.168.100.2 to 192.168.100.5 for this example)
    7/ click Firewall->NAT->Outbound tab and add a new rule: select "MYVPN" for the interface, source = network 192.168.100.0/24, destination = any, translation = interface address
    8/ choose "Manual Outbound NAT rule generation" (IMPORTANT!) & hit save & apply changes
    9/ click Firewall->Rules, pick the "SECURELAN" tab and hit the + symbol to create a new rule: interface = SECURELAN, protocol = any, source = any, destination = any, gateway = choose MYVPN

    And you're done  8)
    Test that everything is working fine by connecting a client to your re1 interface with a LAN cable and doing a traceroute to a url of your choice.

    I'm going to be fine-tuning this a little more to check for DNS leaks & such, will post again when I've verified this.
    Hope this may help anyone wanting to route some traffic over their OpenVPN client connections. \m/

  • Issues with OpenVPN-Client

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Can I do something like this?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ

    It is possible but the IPsec tunnel needs a Phase 2 entry that covers the path from the OpenVPN client network to the Server network.

  • Routing problem - Newbee question

    Locked
    22
    0 Votes
    22 Posts
    7k Views
    R

    Hi Guys, seems that the problem is solved. The main problem was to have the tunnel network inside the LAN which does not work. Reducing the LAN network and placing the tunnel network outside was the main fix. All other problems were a result of not having consequently changed all netmasks to the reduced LAN network on my guest operating systems. The two name servers had 255.255.0.0 as netmask, that's why they answered ping requests through the tunnel. The other boxes still had 255.0.0.0. All have now 255.128.0.0 and everything works fine.

    So many thanks again to all who helped me! Great work!

    Rumpi

  • Routing issue with multiple OpenVPN connections

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    M

    Post a network map, your server.conf's, your routing table and firewall rules and lets take a look.

  • Site 2 Site (S2S) tunnel up, but no traffic

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    M

    You shouldn't have had to create any rules… especially on the WAN side... the wizard should've taken care of that.  Do this on both sides:

    On the wan tab, pick a protocol, don't add both (unless you have a specific need for TCP, use UDP)... and the destination should be "WAN address":

    UDP|*| *| WAN address | 1194 (OpenVPN)| *

    On the OpenVPN tab, change your protocol to any:

    *| *| *| *| *| *

  • Open VPN TLS Error

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M

    Just out of curiosity, what's with the funky port?

  • Connection errors when AD domain controller is off

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • OpenVPN client does not see IPSEC network

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    M

    Don't know if this is related or not but I was setting up OpenVPN due to my issues with speed with IPsec tunnels, you can read about them here http://forum.pfsense.org/index.php/topic,62457.0.html. Anyway I set up the OpenVPN and I was not getting communication from site to site even though I was absolutely sure I set it up correctly. After further inspection I saw that I still had the IPsec configuration still set up for the remote site. This got me thinking, and I would love some clarification from anyone who knows for sure:

    IPsec has a lower cost than OpenVPN, in other words IPsec routes are preferred over OpenVPN?

    How about other VPN technologies that Pfsense supports, what are the order in which they will be used? Maybe this is your problem? Once you add the OpenVPN interface to your IPsec, you may then need to add a static route to use the IPsec tunnel?

    I know that it's not a good idea to have multiple tunnels going to the same site, but this is just good to know in the future for trouble shooting purposes.

  • OpenVPN - iOS 6 - VPN on demand with Custom SSL and IPCU

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    N

    Hi again,

    I found some posts on the internet on which they say that apple disabled "VPN on demand" on newer versions of iOS or newly shipped devices.
    I found out that there is an iPhone Configuration Utility (IPCU) which can be directly downloaded on the apple webpage which allows you to create and set profiles on an iPhone.

    Setting such a profile works but I had problems getting "Custom SSL with VPN on demand" to work with my pfsense OpenVPN server. The intention is that I set up the domains from my intranet as the e-mail server and when the e-mail app tries to connect to this URL the VPN connection will start. Instead of using "Push Mail" I would try to use automatic check by the mail app every 15min - hopefully the VPN will start when "VPN on demand" is configured correctly.

    Perhaps someone can help me to configure this with the help of the following tutorial:
    http://simonguest.com/2013/03/22/on-demand-vpn-using-openvpn-for-ios/

    This is my iOS inline config from the pfsense export utility:

    persist-tun
    persist-key
    cipher AES-256-CBC
    tls-client
    client
    remote xx.yy.xx.yy 443 tcp
    comp-lzo
    nobind
    keepalive 5 30
    <ca>
    -----BEGIN CERTIFICATE-----
    .....
    -----END CERTIFICATE-----
    </ca>
    <key>
    -----BEGIN RSA PRIVATE KEY-----
    .....
    -----END RSA PRIVATE KEY-----
    </key>
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    ....
    -----END OpenVPN Static key V1-----
    </tls-auth>
    key-direction 1

    Thank you for your help!

    ---- edit ----
    I got it. My iPhone starts the OpenVPN connection to my pfsense OpenVPN server. The config I posted above is the one the OpenVPN Export utility created. Follow the instructions on the URL I posted above - they are correct. I just had to modify some parameters on the config to get it working (Custom options with "key" and "Value"):

    Export the CA.crt to your computer and replace every newline with  \n  to make it one line. (As described on the URL above)

    You need a password protected .p12 of the client certificate which contains .key and .crt. pfsense itself cannot do that from GUI. I exported the .crt and .key to pfsense /tmp. Then I ran the command on the webpage ( openssl pkcs12 -export -in client1.crt -inkey client1.key -out client1.p12 ) and set a password. I imported that new password protected .p12 into the IPCU.

    On the .ovpn config I exported from pfsense there is a part "tls-auth". I created this key in the custom options of IPCU and as value I did the same as for the "ca". everything in one line and every newline as   \n

    ca     -----BEGIN CERTIFICATE-----\nABCDEF112312.........\n-----END CERTIFICATE-----

    tls-auth     -----BEGIN OpenVPN Static key V1-----\nABCDEF112312.........\n-----END OpenVPN Static key V1-----

    comp-lzo     value

    persist-tun     value

    persist-key     value

    cipher     AES-256-CBC

    tls-client     value

    client     value

    key-direction     1

    Push-Mail seems not to work with OpenVPN - probably because the VPN connection is in standby and will only be established if the iPhone app starts to check the E-Mails every 15min and so is using "VPN on demand".

    Will do some more tests with bigger delays to make sure the iPhone awakes from sleep with VPN and hopefully the same will happen when disconnecting the iPhone from the USB data cable which I still have connected to view what is happening on my iPhone in the IPCU console.

  • PfSense as OpenVPN-AS Client

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    V

    Well, I've done quite a bit of searching and I feel that I am getting closer.

    I am receiving this in my logs when trying to connect. Looks like an issue with the passwords, I've already checked that those are correct…

    May 18 20:30:32 openvpn[58267]: OpenVPN 2.2.2 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] built on Apr 2 2013
    May 18 20:30:32 openvpn[58267]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    May 18 20:30:32 openvpn[58267]: WARNING: file '/conf/openvpn-server2.pas' is group or others accessible
    May 18 20:30:32 openvpn[58267]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    May 18 20:30:32 openvpn[58267]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
    May 18 20:30:32 openvpn[58267]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    May 18 20:30:32 openvpn[58267]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    May 18 20:30:32 openvpn[58267]: Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
    May 18 20:30:32 openvpn[58267]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    May 18 20:30:32 openvpn[58267]: Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
    May 18 20:30:32 openvpn[58267]: Local Options hash (VER=V4): '0f816d6e'
    May 18 20:30:32 openvpn[58267]: Expected Remote Options hash (VER=V4): '2f3e190a'
    May 18 20:30:32 openvpn[58379]: UDPv4 link local (bound): 192.168.1.175
    May 18 20:30:32 openvpn[58379]: UDPv4 link remote: My.IP.Address.123:1194
    May 18 20:30:33 openvpn[58379]: TLS: Initial packet from My.IP.Address.123:1194, sid=a388832d cb9b06e6
    May 18 20:30:33 openvpn[58379]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    May 18 20:30:33 openvpn[58379]: VERIFY OK: depth=1, /CN=OpenVPN_CA
    May 18 20:30:33 openvpn[58379]: VERIFY OK: nsCertType=SERVER
    May 18 20:30:33 openvpn[58379]: VERIFY OK: depth=0, /CN=OpenVPN_Server
    May 18 20:30:34 openvpn[58379]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1542'
    May 18 20:30:34 openvpn[58379]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
    May 18 20:30:34 openvpn[58379]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    May 18 20:30:34 openvpn[58379]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    May 18 20:30:34 openvpn[58379]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    May 18 20:30:34 openvpn[58379]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    May 18 20:30:34 openvpn[58379]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    May 18 20:30:34 openvpn[58379]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    May 18 20:30:34 openvpn[58379]: [OpenVPN_Server] Peer Connection Initiated with My.IP.Address.123:1194
    May 18 20:30:36 openvpn[58379]: SENT CONTROL [OpenVPN_Server]: 'PUSH_REQUEST' (status=1)
    May 18 20:30:36 openvpn[58379]: AUTH: Received AUTH_FAILED control message
    May 18 20:30:36 openvpn[58379]: SIGTERM received, sending exit notification to peer
    May 18 20:30:38 openvpn[58379]: TCP/UDP: Closing socket
    May 18 20:30:38 openvpn[58379]: SIGTERM[soft,exit-with-notification] received, process exiting

  • Need help setting up VPN for my laptop

    Locked
    9
    0 Votes
    9 Posts
    3k Views
    S

    As long as you're using an OpenVPN that supports it. Some clients (on phones/tablets?) might not support it.

  • Openvpn tunnel between openwrt and pfsense

    Locked
    5
    0 Votes
    5 Posts
    9k Views
    K

    Hi, good to hear you got it working… i was struggling on the same thing a couple of months ago....

    I think your problem was in routes (if openwrt didn't route your request back from pfsense when pinging from behind openwrt to pfsense)

    did you set remote lan 192.168.4/24 (openvpn settings "route 192.168.4/24")? (what does the pfsense routing table show? does it know the 192.168.4/24 network?)

    did you use peer-to-peer or remote access?

    Set pfsense "Manual outbound nat" -> wan interface NATs all outbound traffic to its public interface ip. (that's the way i always do it, 1 NAT in the network, everything else is fully routed between routers..)

    Make sure DNS requests also go to the tunnel (dns queries coming from openwrt / openwrt connected networks (lan))..

    If you use your own dns resolver (at endpoint pfsense) you need to set openwrt to allow dns queries coming from the private network (from pfsense).

    br.
    .k

    @cgu29:

    it's solved

    the problem came from the nat rules on the pfsense server

    i had to enable manual nat and add a mapping between the remote LAN and the natted IP (PFsense wan interface)

    hope it helps

    now time to quit and go to the pub (in France)

  • Need help setting up firewall rule for VPN

    Locked
    11
    0 Votes
    11 Posts
    3k Views
    P

    By doing this, am I telling the computer to use the VPN on everything EXCEPT for when it is in one of those subnets?

    Yes. When the VPN comes up, it sets the default route to itself. All packets for destinations that are not on a directly connected subnet and do not have an explicit route, will go to the VPN.

    Will it still cause DNS leaks?

    I guess the DNS is another issue. When you first connect to the local LAN, pfSense DHCP gives you an IP address and gives itself as the DNS server (that is the default behaviour). So your PC will have DNS pointing to pfSense. Because pfSense is on your local network, your PC will happily send DNS lookups there, and the pfSense DNS forwarder will do the lookup for you out the pfSense WAN. I guess you don't want that to happen - the DNS should go over the VPN also.
    Someone else could give some advice here - how to make the OpenVPN client replace the DNS server?

  • [SOLVED] OpenVPN + Cluster of PfSense

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    D

    It's solved, thanks to cmb

    On my client side, the tunnel was bind to WAN interface instead of CARP Address.

    I did not upgrade.

    Thanks everyone.

  • OpenVPN peer to peer shared key not pushing local network

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    K

    You cannot 'push' settings to a client over a peer-to-peer vpn.

    If you want to have routes over openvpn -> use ospf (more than 1 network which is configured on openvpn settings.. or use 'redirect-gateway def1' to route all traffic via tun)

    br.
    .k

  • Route All Traffic from Client using tap0 Bridge to pfsense.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.