• Cannot ping road warriors

    Locked
    0 Votes
    3 Posts
    2k Views
    Useful thread, but I need a little more help. What exactly is "route-metric 512" for? It doesn't seem needed; pushing the route alone fixes the "unidentified network". Also, the Win 7 firewall allows inbound echoes only on its own subnet, i.e. if the Win 7 road warrior IP is 10.0.8.6 and the VPN "home LAN" is 192.168.1.1, Win 7 will block the ICMP coming from the "home LAN". Is there an elegant solution to this? Changing firewall rules on each Win 7 road warrior is far from ideal.
  • Howto: RoadWarrior + Tap (ip same local or far) v2.0.1 w/bug workarounds

    Locked
    0 Votes
    3 Posts
    4k Views
    You're welcome! I think there is something that remains unhappy when a CARP virtual IP (VIP) (a setup with a live failover PF box waiting) is used as the gateway on the LAN side while the same PF box is used as the OpenVPN server via bridge and tap. It all appears to work, but there are lots of unexpected log entries. Still trying to track it down. Also remember that all the traffic goes through the tunnel, so a slow 'upload' link on the OpenVPN server will be felt by the road warriors… Clearly the whole 'tap' interface idea has the clean aspect of road warriors having the same IP whether on the local wifi (not via OpenVPN) or remotely via OpenVPN. The biggest weakness the current OpenVPN tun mode has is that, at least, I haven't found a way to assign fixed static IP addresses to each of my road warriors --- short of creating a whole separate server instance for each of them, or just dropping the DHCP mechanism altogether and resorting to static IPs -- a pain to keep track of across the client boxes as they come and go. A good upgrade for pfSense would be to store the XML in the OpenVPN client exporter, particularly the options and other details, so that later uses of the same certificate would recall the advanced options used the first time that cert was the source of an export activity.
  • Basic site-to-site not working.

    Locked
    0 Votes
    3 Posts
    2k Views
    Eh. After having gone through a few working examples, the VPN is set up properly, the rules are set up properly, the problem is just "somewhere else." So I'm just going to set up a couple of Linux VMs on either side and do OpenVPN that way until reinstall time rolls around for the pfSense boxen.
  • OpenVPN over Port 53 (DNS)??? Best ports to use?

    Locked
    0 Votes
    6 Posts
    18k Views
    jimp
    Nothing stopping you from having two servers running with the same certs+auth setup, just one TCP and one UDP. Using the port forward method you can forward in as many ports as you want to one server, too, so you can cover TCP, UDP, and many ports without issue…
  • Cannot ping one way on openvpn

    Locked
    0 Votes
    7 Posts
    5k Views
    Hi ScOrian, did you find your problem? I encounter almost exactly the same and I find no solution! For me, like you, from pf all is OK, but pcA cannot ping pcB and vice versa!
  • OpenVPN interface selection - LAN and any

    Locked
    0 Votes
    5 Posts
    3k Views
    Just wanted to add to this: in the latest snapshots, when you set a gateway group and one of the gateways goes down, it seems this bug appears: http://redmine.pfsense.org/issues/2582 The OpenVPN session is unable to assign the new address and the service exits. This completely destroys failover, as even when the original gateway comes back up the OpenVPN service is stopped.
  • 0 Votes
    5 Posts
    2k Views
    Thanks. Will configure a routing setup instead.
  • Android OpenVPN Setup

    Locked
    0 Votes
    12 Posts
    15k Views
    Hi All, Just want to share how I configure my Samsung Galaxy Y to connect to my pfSense 2.0.1 Firewall.
    ========================
    Apps used: OpenVPN Installer (by Fredricj Shauffelhut), OpenVPN Settings, BusyBox.
    I don't need to install tun.ko since the Galaxy Y already has it built in.
    Note: Tested using Galaxy Y (rooted), Model: GT-S5360, Kernel: 2.6.35.7, Build number: Gingerbread.dxkl2.
    Just create a folder for the config on sdcard/openvpn.
    1. First install BusyBox. If you encounter an error saying it is not compatible, just select a lower version from the list.
    2. Install OpenVPN Installer. When you see "Binary not installed" (make sure your BusyBox is installed successfully), click Install. You will see "Binary Installed". Just tap on Exit.
    3. Install the OpenVPN Settings app from Google Play (same author).
    4. Create a folder for the config on sdcard/openvpn and copy your OpenVPN config files in there.
    5. Now you will see the config you just saved on the list.
    6. Just put a check mark on the VPN connection you would like to connect and wait for it to connect. It won't prompt for a password; I just have to click on the notifications area to display the user/password prompt.
    That's it…. Regards, Rocel
  • Run script when openvpn is disabled

    Locked
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli
    I don't really know why you had problems. I never really needed up/down scripts on a pfSense yet. On Linux I once had similar problems, but they were actual bugs in OpenVPN itself which I solved by using a different version of OpenVPN.
  • Preferred mtu for site-to-site openvpn tunnels

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Connected clients not receiving DHCP address

    Locked
    0 Votes
    17 Posts
    11k Views
    My setup is similar to yours (TAP, etc.) except I needed to rely on pfSense's DHCP server running on the LAN to provide the IP whether the box was using OpenVPN to connect remotely or was plugged in locally. As I needed all the traffic other than OpenVPN-related to pass through the tunnel (no security holes on the client going to the general LAN), this was okay. In either case the issue I had (and finally solved) was that the ARP table on the client side was getting a 00 00 00 00 00 (invalid) MAC address for the gateway. I had to manually put an 'up' script in the client to forcibly add the LAN's MAC address to the client's ARP table – and then it all worked. Anyhow, maybe you can get some hints from a known working TAP setup described here: http://forum.pfsense.org/index.php/topic,54701.msg292497.html#msg292497 With OpenVPN server and client configs listed here: http://community.openvpn.net/openvpn/ticket/233
  • Routing remote LAN w/pfsense as OVPN client?

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    11 Posts
    5k Views
    End of the day, your gateway was "wrong".
  • Configuring Radius Authentication Timeout

    Locked
    0 Votes
    7 Posts
    12k Views
    Hi all, Although this thread is slightly old, I still thought it would be worthwhile to post my solution. In summary, pfSense 2.x on ALIX hardware using OpenVPN with DuoSecurity PUSH authentication is working (for me) and hopefully the following notes will help :D

    The following setup works for the three forms of authentication from DuoSecurity - PUSH, Call and SMS. I used a server, separate from pfSense, to run the DuoSecurity RADIUS proxy, FreeRADIUS and authentication database (UNIX).

    1. Once you have identified the server, follow these instructions on DuoSecurity's website: http://www.duosecurity.com/docs/radius
    2. During the DuoSecurity Generic RADIUS configuration, follow the instructions for RADIUS (not Active Directory) and add the IP address of pfSense (not hostname) as a RADIUS client.
    3. Test the RADIUS installation locally as suggested by DuoSecurity and be certain it is working before continuing.
    4. Add the RADIUS details in pfSense: go to System -> User Manager -> Servers. Add the RADIUS client with the RADIUS secret you set during DuoSecurity proxy configuration. Set "Services offered:" to Authentication. Save.
    5. Test authentication via DuoSecurity SMS only (PUSH won't work yet) by going to Diagnostics -> Authentication. Password is in the format <password>,sms and if you already have the SMS OTPs, the format is e.g. <password>,A123456. Once this is working, you can continue with the final steps.

    To set the RADIUS client timeout and retry limit to the values recommended by DuoSecurity, do the following:

    1. In pfSense, select Diagnostics -> Edit File. Press Browse and select /etc/inc/radius.inc

       NOTE: If the editing window is grey and you can't edit the file, you will have to amend the file via SSH and make the file system writeable by typing
           mount -u -w /dev/ufs/<pfsense_partition>
       To make it read-only after the change, type
           mount -u -r /dev/ufs/<pfsense_partition>

    2. In the editor, find the lines:
           function addServer($servername = 'localhost', $port = 0, $sharedSecret = 'testing123', $timeout = 3, $maxtries = 3)
           function putServer($servername, $port = 0, $sharedsecret = 'testing123', $timeout = 3, $maxtries = 3)
    3. Change the timeout and maxtries values to the DuoSecurity recommended values, e.g.:
           function addServer($servername = 'localhost', $port = 0, $sharedSecret = 'testing123', $timeout = 10, $maxtries = 10)
           function putServer($servername, $port = 0, $sharedsecret = 'testing123', $timeout = 10, $maxtries = 10)
    4. Save the changes.
    5. Test authentication via DuoSecurity PUSH by going to Diagnostics -> Authentication. Password is in the format <password>,push

    Hopefully it works.
  • IPsec iOS clients - want to access other end of OpenVPN LAN-to-LAN

    Locked
    0 Votes
    3 Posts
    2k Views
    Phil, I just wanted to say thank you. It was as simple as you suggested. I've just now had the time/focus to configure and test this properly. I just wish there was a way to get these darn iDevices to automatically reconnect to the IPsec VPN when turning back on. I think that's out of the option because I'm using xauth with a pre-shared key, due to my inability to produce a certificate the iPad will accept. Too bad Apple won't open the API for tunnel management so the OpenVPN project can use it. Anyway, thank you Phil - you helped me implement something that makes my life a little easier :) – Dennis
  • PFSENSE 2.01 with OpenVPN/RoadWarrior setup?

    Locked
    0 Votes
    5 Posts
    3k Views
    Ok :)
  • Openvpn notification

    Locked
    0 Votes
    2 Posts
    2k Views
    The e-mail notification does not report many events so far, but if one of my WANs goes down I get an e-mail notification. If the gateway is up again I will get a notification again. Of course it must be possible for pfSense to send the e-mail to the e-mail server you added on pfSense (System -> Advanced -> Notifications).
  • Backup/failover PF box inaccessible by openvpn clients?

    Locked
    0 Votes
    7 Posts
    4k Views
    Jim: Indeed you're correct about the docs; the guide here http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29#Setting_up_advanced_outbound_NAT is clear about the step of choosing "advanced outbound NAT" and changing to the CARP translation address, which I haven't done. Kindly notice the screen dedicated to configuring virtual IPs on pfSense does not do as you've noted (refer the reader to PF's FAQ on the matter), but instead links to OpenBSD's CARP docs – where the term NAT appears not at all. That's what I was referring to upstream as not catching that I ought to have been using AON, as PF's automatic outbound NAT settings don't pick up on the CARP VIP outbound automatically. I suggest two cosmetic changes: 1: Might PF consider removing the subtitle (AON - Advanced Outbound NAT) on the outbound NAT screen? Generally 'automatic' is held to be more 'advanced' than something with a 'manual' (aka less advanced than automatic) component. I wonder if others weren't foxed into thinking the reference AON meant 'automatic outbound NAT' over against the 'advanced outbound NAT with manually edited entries'. Unfortunate that 'Advanced' and 'Automatic' both begin with 'A.' 2: A link on the VIP screen to PF's own CARP FAQ, and moving the OpenBSD link to PF's FAQ? Also: the outbound NAT rule you suggested worked splendidly to provide the OpenVPN client running on the master access to the backup PF box also running the OpenVPN server. Is the proper approach to create an outbound NAT destination network as a one-box '/32' specific link to the backup if on the master, and another like rule on the backup pointing to the master (while checking the box on each to not replicate the rule)?
  • Openvpn client can't access UDP port of device

    Locked
    0 Votes
    5 Posts
    2k Views
    @Nachtfalke: "Check the firewall on the systems behind pfSense if they allow traffic on UDP ports from the OpenVPN subnet - or disable it for testing"
    pfSense is the only firewall and gateway on our local network involved. The device serving both HTTP (TCP) over port 80 and proprietary UDP over port 1876 has no firewall. Also, as I mentioned, that computer when on the local network can access both resources just fine. It's only when remote and connecting via OpenVPN that UDP/1876 traffic doesn't seem to get through.
  • Add route to a Client OpenVPN

    Locked
    0 Votes
    5 Posts
    47k Views
    Hi, thanks for the help. I have to say that now the client is getting the routes that I added this morning without any changes; I just added this line: push "route 172.16.10.0 255.255.255.0";push "route 172.16.11.0 255.255.255.0". Up until now the route wouldn't work for some reason. Thanks for the help, Daniel :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.