@joako: I had tried something similar but it seemed the routes pushed from the vpn were conflicting with the local routing table. I'm sure there's a workaround. I basically copied a working config from the OpenVPN client (Viscosity,) it was pretty straightforward. I did the same, but the tunnel didnt came up. I just took a look into the client config and changed the tls seeting in /var/etc/openvpn/client1.conf from tls-auth /var/etc/openvpn/client1.tls-auth 1 to tls-auth /var/etc/openvpn/client1.tls-auth restarted the service and the tunnel came up Now i have the same issue like joako.

@kilthro: The local network is the network you want the vpn clients to have access to. If you do not enable that the connected users will not be able to access the network. Are you pushing DNS as well? Local network will not be available if you redirect all traffic through OpenVPN. Local network is only available if you want that the client should rout all traffic from network "172.16.1.0/24" through VPN and all other traffic through the internet connection on the VPN client site. @manolios On pfsense where the OpenVPN server is running, there you have to go to Firewall and on the "OpenVPN" tab. There you have to allow the traffic from the OpenVPN network (10.0.8.0) to any.

Yup, I did do that.

Not sure if you can access your computers at home through "network manager" when using OpenVPN in tun mode. But you should enable "Enable NetBIOS over TCP/IP" with "h-node" on your OpenVPN server. If you cannot connect to your computers through network manager just use the UNS path: \\home_computer_IP\Share

podilarius, thanks man, i feel so stupid. I thought it was a routing problem. That didn't even cross my mind. I got it working once i disabled the firewall. Thanks again.

Just tested in my own config, the "ifconfig-push clientip mask" works with TAP (windows 7 client). You have placed it under client-specific-overrides > advanced right?  And completely disconected the client so its gone from the status screen.? And rebuild the connection from 'nothing'. Do you get any error? Does the openvpn-client logs mention anything worth mentioning?

You could change the server mode to "Remote Access (SSL/TLS + User-Auth)" and re-export.

Not "now" – it's always been that way.

Create an interface and route it out that interface.  Or you can modify the routing tables manually (not suggested).

It didn't finish establishing the connection.  I'd need to see more if you still haven't fixed the solution, you can always contact me. Cheers. -Percy

Excellent!! thanks for reply!!

When you set up the VPN configuration, make sure you're using the right certificate authority and client certificate in your config.  Otherwise, delete the CA cert and client cert and redo those.  It'll almost definitely solve your problem.  Sounds like a problem with your cut and paste. -Percy Kwong http://swimminginthought.com

The issue with the GFW is that they interfere with the authentication mechanism (TLS).  There are ways around it, although it is not considered secure.  There would be nothing to stop them from killing the connection once it's up.  A shared key configuration would work, although, it isn't exactly secure.

Sorry guys checked my config and realised that I forgot to add the route back from the client site to site to the roadwarrior. Cheers, Raj

Hi TooMeek, Unfortunately the "Tunnel Network" field cannot be left blank and will always result in the server directive. This directive expands into: **mode server tls-server push "topology [topology]" if dev tun AND (topology == net30 OR topology == p2p):   ifconfig 10.8.0.1 10.8.0.2   if !nopool:     ifconfig-pool 10.8.0.4 10.8.0.251   route 10.8.0.0 255.255.255.0   if client-to-client:     push "route 10.8.0.0 255.255.255.0"   else if topology == net30:     push "route 10.8.0.1" if dev tap OR (dev tun AND topology == subnet):   ifconfig 10.8.0.1 255.255.255.0   if !nopool:     ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0   push "route-gateway 10.8.0.1"** Given your setup that would result in an ifconfig directive that wronly sets the ip address. As a workaround for p2p mode I have found the following solution: -Add the ifconfig-noexec directive to the advanced settings. -Assign your OpenVPN interface. -Manually give it the correct static configuration. Now, whenever OpenVPN starts, the wrongly generated ifconfig directive will no longer override your static settings. Et voila, you can configure it however you want. I do the same for routes. I remove any routes in OpenVPN itself, and just manually add routes to gateways set on the other side of my links. This also has the nice side effect of detecting a downed VPN by looking at the remote subnet's gateway status in the dashboard. However, what I have not tackled yet is how to get this working in Remote Access mode. Apparently OpenVPN wrongly routes the .1 of my "Tunnel Network" despite my configured interface values. My guess is this happens because, although the OS is set correctly, OpenVPN itself doesn't know that the automatically assigned .1 server address is no longer in use. In p2p (site2site) setups this is no problem. It just always sends everything to the other side. However, in Remote Access mode (in OpenVPN it's called "server mode") OpenVPN itself needs to know to which client to route what data. Hence all the new iroute directives. Obviously, overriding the server interface does not override OpenVPN its internal routing and thus keeps believing it's the .1 in the Tunnel Network. As the config file gets overridden on every reboot, I cannot see how we can currently use "topology mode" in combination with an alternative Tunnel Network server IP. Maybe someone knows how to use the field for extra directives to inhibit automatically configured directives? Or maybe we can prevent pfsense from overwriting a custom server1.conf file? If not, a nice feature request would be another OpenVPN server mode called "custom". With no fields other than the "Advanced config" field. This way we would be able to do any complex setup while interface adjustments (precious dev-time) remain minimal. Devs? Anyways, I hope this will help you. And let me know if you find other workarounds. Jori Huisman

Still an issue for us. This is a UDP connection as well. I may try swapping to TCP to see if it persists any better.

I think that Amachi is not p2p as OpenVPN but you can pass all traffic throught their server..

uncheck Redirect Gateway "Force all client generated traffic through the tunnel. "