• Firewall Rule routing over OpenVPN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    afaik you shouldn't use static routes for openvpn! use the local/remote network fields and route/iroute/push route features of the openvpn server/client to get routing working over the vpn.
  • MOVED: openvpn and snort

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Openvpn client for wp 7.5 phone

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Openvpn site-to-site

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    K
    Thanks to both of you for your answers. The trick was to allow traffic in the firewall section. In quagga I added only the openvpn interfaces. But in firewall rules I refer for opt interfaces and there I saw denied traffic and this is what I allowed. So it works fine now. Thanks. I am about to extend this config to other links.
  • OpenVPN client export not finding certificates

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    What mode is your server set to? And what auth source (if any)? If it's SSL/TLS+User Auth and it's set for Local, then the certificates have to be assigned to Users that exist as well.
  • OpenVPN and DNS

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Site-to-Site VPN - can't ping from one side to the other

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    T
    It's working fully now. For some odd reason, I am unable to ping devices behind a ZyXEL HD Powerline networking device from the 192.168.1.0/24 subnet, but I can ping everything else on 192.168.2.0/24 from 192.168.1.0/24. I can ping all devices behind the ZyXEL device on the same subnet just fine. I think I was trying to ping devices behind that ZyXEL and getting confused because it wouldn't ping. Thanks for your efforts!
  • Quick Shared Key site-to-site question

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    D
    Thanks. That's what I figured. I was able to get all my sites VPN up using Shared Key. I just upgraded to 2.0.1 from 1.2.3 at my main site in dramatic fashion (I made some really dumb routes trying to captive portal on OPT1, made webGUI inaccessible, panicked, reinstalled pfsense 2.0.1 and rebuilt). I had SSL/TLS set up previously with 1.2.3 and it worked great. I've got to relearn and translate to the new version. thanks again.
  • AON not working and routing problem

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    4 Posts
    11k Views
    jimpJ
    The only way you get the same address is if:
    1. The tunnel network isn't big enough (but I thought openvpn logged that as an error)
    2. You're trying (incorrectly) to use the same client certificate on more than one client at the same time, and you don't have the box checked to allow duplicate connections (which is a bad idea).
    When configured correctly, according to the wiki doc, that config works fine.
  • Recent OpenSSL vulnerability

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    W
    Thanks! @cmb: It's not available yet. That issue doesn't pose an imminent threat, we're working on testing the update.
  • OpenVPN connection NO access to LAN network

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    H
    as far as i know you don't need to change any NAT rules …. perhaps you should check your firewall rules. could you post some screenshots of openvpn/firewall/nat/routing table? also find out what's in the routing table of the roadwarrior
  • OpenVPN tap device failure (possible bug?)

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    V
    I have managed to fix it by passing "dev tap1" instead of "dev tap" in the advanced configs. (stupid mistake) Now my interface connected to tap1 gets the ip from the vpn provider but it doesn't pass it through to my gateway so I can't connect to the internet. My gateway has the ip-address set to "dynamic" and the interface is set to the one getting the address from tap1. But all it says is "gathering data". Edit: Problem solved. I simply changed back to default gateway and then back to the vpn gateway and it worked. Oh boy, I have learnt a lot today about what could be wrong with this, hopefully I can have it working a while now :) Thanks for a great software PFSENSE team!
  • OpenVPN Daemon stops after loss of internet.

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: OpenVPN with IPv6 over IPv4 / pfSense 2.1

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OpenVPN route deleted when assigning interfaces

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    H
    no clue … i've added tons of vlans while maintaining an openvpn connection without such issues
  • Site to Site - Specific Route Failure

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    N
    Thanks for the help! It has been resolved now, I needed to add outbound nat for 10.12.0.0 and 10.13.0.0 on the master, works like a charm now. Luckily these easy fixes barely cost any time off commercial support.
  • OpenVPN road warrior

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    N
    There are three possibilities for an OpenVPN client to connect to your OpenVPN server:
    - Just a username and password combination (User Auth)
    - Just an OpenVPN client certificate
    - A combination of client certificate and username/password
    So if you just have a client certificate and someone else got this certificate he is able to connect to your VPN. If you know that someone lost his certificate or someone has stolen a certificate you can put this certificate on a so-called "Certificate Revocation List" which means that connections with this cert will be blocked. So the best thing would be that you think about a username/password and certificate combination. A more secure possibility would be a certificate + username and one-time-password combination. This can be done in fewer steps with the freeradius2 package in combination with your OpenVPN Server. http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#Enable_Mobile-One-Time-Password_.28OTP.29_support
  • OpenVPN can't access anything on LAN

    Locked
    3
    0 Votes
    3 Posts
    19k Views
    B
    Hi, thanks. In the end it was a problem with the default GW that was set to a different IP on clients. Regards, Miha