I didn't look hard at your pfSense version - 1.2.3. I updated one of those a few weeks ago, but I really have no useful memory of what the menus looked like - and certainly not how VPN was done! Someone else who knows the 1.2.3 menus and VPN please feel free to advise.

Thanks! It works

I created the certs but independent from the wizard. Maybe there went something wrong…
I will try it the next few days again and notify about the result.

mhab, I think this is a similar issue i am having which I believe is related to this bug:

http://redmine.pfsense.org/issues/2582

Post your smb.conf.

Useful thread, but I need a little more help.

What exactly is "route-metric 512" for?
It doesn't seem needed, pushing the route alone fixes the "unidentified network".

Also,
Win 7 firewall allows inbound echo's only on its subnet.
i.e. if Win 7 road warrior IP is 10.0.8.6 and VPN "home LAN" is 192.168.1.1
Win 7 will block the ICMP coming from the "home LAN".

Is there an elegant solution to this?
Changing firewall rules on each Win7 road warrior is far from ideal.

You're welcome!

I think there is something that remains unhappy when a carp virtual IP (VIP) (a setup with a live failover PF box waiting)  is used as the gateway on the lan side when the same PF box is used as the openvpn server via bridge and tap.   It all appears to work, but there are lots of unexpected log entries.    Still trying to track it down.  Also remember that all the traffic goes through the tunnel, so a slow 'upload' link on the openvpn server will be felt by the road warriors…

Clearly the whole 'tap' interface idea has the clean aspect of road warriors having the same ip whether on the local wifi not via openvpn or remotely via openvpn.   The biggest weakness the current openvpn tun mode has is that at least I haven't found a way to assign fixed static ip addresses to each of my road warriors--- short of creating a whole separate server instance for each of them, or just resorting to dropping the dhcp mechanism altogether and resorting to static IP's -- a pain to keep track of across the client boxes as they come and go.

A good upgrade for PFSense would be to store the XML in the openvpn client exporter, particularly the options and other details, so that later uses of the same certificate would recall the advanced options used the first time that cert was the source of an export activity.

Eh. After having gone through a few working examples, the VPN is set up properly, the rulse are set up properly, the problem is just "somewhere else." So I'm just going to set up a couple of Linux VMs on either side and do OpenVPN that way until reinstall time rolls around for the pfSense boxen.

Nothing stopping you from having two servers running with the same certs+auth setup just one tcp and one udp
Using the port forward method you can forward in as many ports as you want to one server, too, so you can cover tcp, udp, and many ports without issue…

Hi ScOrian, did you find your problem, because I encounter almost exactly the same and I find no solution !

For me, like you, from pf all is ok but pcA cannot ping pcB and vice-versa !

Just wanted to add to this, in the latest snapshots when you set a gateway group and one of the gateways go down, it seems this bug appears

http://redmine.pfsense.org/issues/2582

The ovpn session is unable to assign the new address and the service exits. This completely destroys failover, as even when the original gateway comes back up the ovpn service is stopped.

Thanks.
Will configure  routing setup instead.

Hi All,

Just want to share how I configure my Samsung Galaxy Y to connect to my PFsense 2.0.1 Firewall

========================
OpenVPN Installer By: Fredricj Shauffelhut
OpenVPN Settings
Busy Box

I don't to install tun.ko since galaxy y has already built-in

Note: Tested using Galaxy Y (rooted)
Model: GT-S5360
Kernel: 2.6.35.7
Build number: Gingerbread.dxkl2

just create folder for config on sdcard/openvpn

1. First Install busybox if encounter error saying not compatible just select lower version from the list
2. install Openvpn Installer
when you see Binary not installed (make sure you busybox is installed succcessfully)

Click install

You will see "Binary Installed"

Just tap on exit

2. Install OpenVPn Settings App from google play same author
3. Create folder for config on sdcard/openvpn and copy your openvn config files in there.
4. now you will see the config you just save on the list.
5. Just put a check mark on the list of vpn connection you would like to connect wait for it to connect. it won't prompt for password I just have to click on the notifications area to display the user/password prompt.

That's it….

Regards,
Rocel

I don't really know why you had problems. I never really needed up/down scripts on a pfSense yet.
On linux i once had similar problems but they were actual bugs in OpenVPN itself which i solved by using a different version of OpenVPN.

My setup is similar to yours (TAP, etc) except I  needed to rely on pfsense's DHCP server running on the LAN to provide the ip whether the box was using openvpn to connect remotely or was plugged in locally.  As I needed all the traffic other than Openvpn related to pass through the tunnel (no security holes on the client going to the general lan) this was okay.

In either case the issue I had (and finally solved) was that the arp table on the client side was geting 00 00 00 00 00 (invalid) mac address for the gateway.  I had to manually put an 'up' script in the client to forcibly add the lan's MAC address to the client's arp table – and then it all worked.  Anyhow maybe you can get some hints from a known working setup TAP described here:

http://forum.pfsense.org/index.php/topic,54701.msg292497.html#msg292497

With openvpn server and client configs listed here:

http://community.openvpn.net/openvpn/ticket/233

End of the day, your gateway was "wrong"