• Unable to Run two OVPN servers

    Locked
    0 Votes
    7 Posts
    3k Views
    X
    I am using Quagga and the dual vpn connection works fine initially. It's only when one of the connections drops that the error appears. It looks like a potential bug when the loopback interface is trying to use a route already in use by the other VPN instance?
  • Openvpn Crashes

    Locked
    0 Votes
    5 Posts
    3k Views
    L
    Hi! It works, thank you. What happened? I know that the server and client didn't match. Do you know why?
  • Trying to get LAN access, can only ping myself

    Locked
    0 Votes
    28 Posts
    11k Views
    M
    Hi, I just rebooted my pfsense and my VPN works now…. Thanks for the help.
  • Multi site 2 site VPN to multi LANs with one box?

    Locked
    0 Votes
    2 Posts
    2k Views
    H
    can be done on 1 appliance. in fact it would be more of a hassle to do the same on multiple appliances
  • Export Utility File Contents

    Locked
    0 Votes
    17 Posts
    6k Views
    N
    I am trying this from at home behind my home router. When I connect to the VPN server the connection will be established - the systray icon turns into green. But "netstat -rn" does not show me additional routes - just the route for the tunnel network. When I run the OpenVPN client with admin rights the routes will be added. But when I run it with admin rights I got a similar error message:
    Wed Oct 03 21:17:58 2012 Successful ARP Flush on interface [50] {FBDB3111-D2E3-4899-A765-87EAFB843546}
    Wed Oct 03 21:18:03 2012 ROUTE: route addition failed using CreateIpForwardEntry: The object still exists.  [status=5010 if_index=50]
    Wed Oct 03 21:18:03 2012 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    Wed Oct 03 21:18:03 2012 Initialization Sequence Completed
    But then I can connect to the pfsense server and to the LAN clients behind pfsense.
  • VPN

    Locked
    0 Votes
    3 Posts
    2k Views
    N
    No need to create three OpenVPN server instances. Just connect all sites to one server. The most difficult thing to do is to set up the correct routes on the OpenVPN server and OpenVPN client to connect to the LANs behind each pfsense. I think this forum post will explain it: http://forum.pfsense.org/index.php/topic,12888.0.html You probably need these 3 commands as custom OpenVPN options: push "route IP.IP.IP.IP SM.SM.SM.SM"; route IP.IP.IP.IP SM.SM.SM.SM; iroute IP.IP.IP.IP SM.SM.SM.SM;
  • OpenVPN cannot browse lan

    Locked
    0 Votes
    5 Posts
    4k Views
    M
    Here's one issue:
    Tunnel Settings
    tunnel 10.0.8.0/24
    Bridge(none)
    local 10.0.0.0/8
    Compress tunnel packets using the LZO algorithm.
    Your tunnel needs to be outside of your LAN.
  • Watching US Netflix & BBC at the same time

    Locked
    0 Votes
    2 Posts
    1k Views
    jimpJ
    Not by domain name, no. You'd have to somehow identify them based on IP address (or block of IP addresses).
  • Using 2nd pfsense box for openvpn behind pfsense gw

    Locked
    0 Votes
    4 Posts
    2k Views
    H
    Following cmb's remark: we put the vpn on the primary pfsense box (and upgrading its hardware a bit)
  • Routing all traffic through OpenVPN - n00b question

    Locked
    0 Votes
    2 Posts
    2k Views
    D
    I know next to nothing about pfSense specifically, so don't take this as gospel: I think you need to set a floating rule at both b and c to use A as the gateway for matched traffic (either by port, classification, subnet or something else). Have you solved your issue yet? – Dennis
  • OpenVPN as a backup link

    Locked
    0 Votes
    6 Posts
    3k Views
    C
    Windows won't do OSPF so that's not an option. You need a proper router to do failover, you'll really have to move the OpenVPN off the Windows server to do that properly.
  • 0 Votes
    3 Posts
    2k Views
    H
    @cmb: You need manual outbound NAT and to NAT traffic leaving your OpenVPN connection. The StrongVPN guide here has that documented if I recall, it's the same process regardless of VPN provider. Many thanks for your help. I tried that guide, several times actually, but it didn't work for me (same no web browsing after connecting). So I'm guessing maybe my pfSense version is different. (I have the latest x86 version).
  • OpenVPN Site-to-Site Issues

    Locked
    0 Votes
    4 Posts
    2k Views
    C
    @nadaron: I looked around and found a strange thing in the ifconfig output (server and client): Not strange, that's just how it works when using certificates. My guess is you're missing either a route or an iroute. http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)
  • OpenVPN TAP and STP problem

    Locked
    0 Votes
    3 Posts
    3k Views
    F
    Hello, If I recreate the bridge or change the STP proto (stp/rstp) stp will be enabled on the openVPN interface. However, after a reboot stp is only enabled on the physical nic. For now this isn't a game changer for me as my network is working ok with each connected stack electing itself as the root when stp is disabled. When I have STP on the nic in pfSense the switches elect the pfSense nic as the root (I can change this by adjusting the priority though). Thanks for your time, Fred
  • Trying to configure openVPN and got this error TLS Error

    Locked
    0 Votes
    2 Posts
    3k Views
    jimpJ
    Check the logs on the other side. The 60 second timeout just means it failed to contact the server, so no connectivity. The other side would be more helpful.
  • Dedicated link + OpenVPN backup + Quagga OSPF

    Locked
    0 Votes
    2 Posts
    2k Views
    F
    Hello, I just set up the same config and had it working. The issue I ran into is that I needed some layer2 stuff to cross the network and pf was placing in layer 3, thus breaking my config. Anyhow, I have Cisco switches that were connecting to my pf setup. I have three NICs in my pf boxes (1 for LAN, 1 for WLAN and 1 for Internet). I created openvpn tun sharedkey tunnels between my pf boxes, and assigned the openvpn clients to interfaces. In Quagga OSPF add the three interfaces to area 0.0.0.0. On the switch side I added the pf LAN network to area 0 and my failover was good to go. Just play with the interface cost in quagga to determine when a failover should occur. I think my failover was sub 2 minutes. In pfsense you will want to set up some rules to handle traffic that ospf doesn't know about. I used the gateway groups to handle this so that in a failover my internet traffic would still go out. However, I route all my outgoing internet traffic through my data center so YMMV. BTW if you need to trunk (802.1q) between your switches and they support ospf you can connect the wlan to the switch use pfsense to create a vpn backup there. At least that's what I am trying now…. Fred
  • Best Setup?

    Locked
    0 Votes
    20 Posts
    6k Views
    C
    That blog post is correct as well. No, not everyone who's ever written a site to site OpenVPN guide is conspiring against you. They really do work as illustrated. My guess at this point is you have a general connectivity problem between client and server for some reason. Packet capture, check firewall states, for the outer 1194 or whatever port you picked.
  • No connection through tunnel

    Locked
    0 Votes
    2 Posts
    2k Views
    jimpJ
    The server's raw config would be in /var/etc/openvpn/. If the clients have routes, try doing a traceroute and see how far it gets. See if you can ping/reach the pfSense firewall's LAN IP. If you can reach the LAN IP and no farther, it could be something on the target machine (local firewall/filter), or it may not be using pfSense as its default gateway. If you can't reach the pfSense firewall's LAN IP, then I'd double check the routing, make sure the client is being run as Administrator on Vista/w7/w8/etc.
  • Interface on Site-to-site VPN client cannot reach remote network

    Locked
    0 Votes
    10 Posts
    6k Views
    T
    Oh my god, I feel like an idiot. You guys were correct about the routes. Unfortunately, I made an error while adding the route to the VPN settings. While I added the route under the Server settings, I forgot to add the 10.10.20.0/24 route under the Client Specific Overrides. As soon as the route information was added there, communication worked bi-directionally. Thanks so much for your help! This was a great learning experience.
  • Site-to-site tunnel working, routing not working

    Locked
    0 Votes
    4 Posts
    3k Views
    P
    When you enter Tunnel Network, Local Network and Remote Network it uses these to make a route to Remote Network across Tunnel Network for you. So when there is just 1 LAN subnet at each end, the routing happens "automatically". The extra things you have to do are: open the port you are using at the server end, so the client's incoming connection can get through, and add firewall rule/s on OpenVPN at each end to allow the traffic you want that comes from the other end of the tunnel. Then it all just works in a simple site-to-site config.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.