@dhel:

I'd suggest a few things to try-

Add "tun-mtu 1500;" and "mssfix 1400;" to the OpenVPN "Advanced Configuration"

Move off port 1194… it might be shaped on the provider's end.

Wow, this did cause a dramatic difference once applied to both ends. I max out his upload receiving on my end perfectly fine testing with both SMB and HTTP, and he can now get around 1 to 1.1MB/sec from me, which is great in comparison to before. I technically can push out 5MB/sec with the fluff on the upload from FiOS and he should be able to receive that since he has 45Mbps down, but I guess it's better than nothing!

Re: OpenVPN - Ping LAN resources which has a different default gateway

That did the trick ….Thank you .

Any help  on this please???

Hm…
I can however add a few rules to the NAT.

OpenVPN TCP/UDP * * 192.168.186.0/24 22 (SSH) 192.168.1.10 22

And this works... so I'll go this way ...
If someone has any other solution ... please post it anyway

thanks,
p.

Hi,

1:1 NAT is only the incoming side…
you also need outbound NAT.

=> Manual Outbound NAT generation
==> normally you can delete safely the autogenerated rules if you don't use IPSec but perhaps you want some of them modified.

=> add a new rule which is bound to your outgoing OpenVPN Interface the reverse NAT mapping rule... finished ;)
(you don't have forgotten to open incoming firewall rules to needed services ?)

your log is not very helpful… Because of

kernel: ifa_add_loopback_route:insertion failed

I guess you also run into this problem/bug: http://forum.pfsense.org/index.php/topic,60231.0.html
where this fix could help - if he is made correctly… actually he has problems on server side (but you can test it on client side)
http://forum.pfsense.org/index.php/topic,60231.msg330670.html#msg330670

I'm going bonkers.  When I go to edit vars.bat, I get the message that "edit" is not recognised as a command.  WHAT???  I'm using Vista.

IIRC it's for the native windows OpenVPN GUI's 64-bit version and underlying binaries, not for the drivers.

Thank You. That worked.

I bought the book OpenVPN 2 Cookbook and was able to figure it out.

I've solved it, it was a stupid mistake…. on the machine I was trying to reach!!!!  >:(
192.168.129.253 it's the linux machine that I was trying to reach, it has a second eth interface with address 10.0.0.1 and (wrong!!!!) netmask of 255.0.0.0
So I was reaching the machine, but packets got forwarded to the wrong interface instead of going back, hence the timeout!!
Putting the right netmask solved the problem, now everything works fine.
Lesson learned!

So I figured it out. I made a couple of rules to set the traffic from the open VPN interface to the VLAN.

Give us a network map with IP info.

Remove #2 and #3 from the client side.

You also have to enable IP routing on the client side… has this been done?

@hugolia:

Is it possible to have User/password for some users but not for all?
I am using OpenVPN for RoadWarriors users (mostly notebooks). But now I need to setup a connection to a site where I will have a server with a daemon client to establish the VPN between sites.

Yes, but they would need to use separate server instances. You can have one server that does user/pass, one that does not, and others for site-to-site VPNs.

Any more detail than that belongs in its own thread specific to your implementation, though, so if you need more help than that, feel free to start a fresh thread and ask.

Not easily possible on pfSense 2.0.x

Easy on pfSense 2.1:

pfSsh.php playback svc stop openvpn server 2
pfSsh.php playback svc start openvpn server 2
pfSsh.php playback svc restart openvpn server 2

The # is the actual VPN ID, the one you'll see in the links to the service controls on the service status page.

"Its ok" meaning you resolved the issue?