• Need help-openVPN Buffalo-pfSense

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    F
    Hi, finally I solved my problem with site-to-site openVPN Buffalo-pfSense. It was just :) a routing problem!!!
    1. On pfSense, under openVPN Server - Advanced configuration, I had to put:
       route 192.168.79.0 255.255.255.0; (Buffalo LAN)
       route 192.168.76.0 255.255.255.0; (pfSense LAN)
       push "route 192.168.76.0 255.255.255.0"; (pfSense LAN)
       push "route 192.168.79.0 255.255.255.0"; (Buffalo LAN)
       and on pfSense under Client Specific Override:
       ifconfig-push 172.30.96.5 172.30.96.6; (openVPN-Network)
       push "route 192.168.76.0 255.255.255.0"; (pfSense LAN)
       push "route 192.168.79.0 255.255.255.0"; (Buffalo LAN)
       iroute 192.168.79.0 255.255.255.0 (Buffalo LAN)
    2. On the Buffalo side, Additional Config:
       push "route 192.168.79.0 255.255.255.0" (Buffalo LAN)
       push "route 192.168.76.0 255.255.255.0" (pfSense LAN)
    Now I have all my routes and it works!! http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing was very helpful! frosch
  • 0 Votes
    6 Posts
    2k Views
    M
    My bad, my bad, my bad, I'm sorry, I'm sorry, problem solved, human error. What happened was that the IT person at the location added another PC with the same static IP address as the pfSense box. Whenever this guy turned on that PC, my pfSense lost connectivity. Sorry if I made anybody waste his time.
  • [SOLVED]openospf on one end / quagga ospf on the other

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    H
    I've tried it and it appears to work, but there is at least one "issue". When adding interfaces to the OSPF, you can set a password. Between OpenOspf servers this works flawlessly in my setup. If I specify a password on the interface between a quagga host and openOspf, then no neighbours are found. Without a password it works without any issues. I guess this is not that much of a problem in my case, as I use it for routing over openvpn lines that should be pretty secure on their own. When routing public IP networks it might pose a risk that anyone can join?
  • SSTP?

    Locked
    8
    0 Votes
    8 Posts
    13k Views
    D
    @johnpoz: "over TCP Port 443 is slow as hell" Curious about what you consider slow as hell, I run my openvpn over tcp 443 for pretty much same type of reason. This is normally open no matter where you at. And can even bounce the openvpn connection off the proxy here. I am not having any performance issues that I can tell, I can do everything I need to do over the vpn and performance seems fine. What are you doing exactly that the performance is not up to your expectations?
    May have been my upload speed, I will try it again on 443. Thanks Jimp, may try that out!
  • Avahi, multiwan and more

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OpenVPN DR Testing

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    M
    Bump - I've had the same thoughts and have basically the same setup. Is there a way to have the same subnet on either side of an oVPN link and have clients transparently use the DR server if the on-site server were to fail? How have other people solved this issue?
  • TLS key error on openvpn

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ
    The exact error message would be more useful. Sometimes it says there's a TLS error when in fact it's just failing to negotiate because the traffic is blocked by firewall rules…
  • 0 Votes
    2 Posts
    1k Views
    jimpJ
    There is no way (yet) http://redmine.pfsense.org/issues/34
  • VPN Bridge Works in windows but not in Linux!

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OpenVPN Client with Perfect-privacy

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • OpenVPN - performance issues under VMware

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    K
    I have been dealing with a similar problem.. and ip fast forwarding did not help much. Essentially, I have BGP setup, 6 pfSense boxes connected in a full mesh with some backend MPLS as the primary connectivity, but OpenVPN tunnels from everything to everything as a backup. 6 OpenVPN tunnels all TCP (BGP doesn't seem to want to play nice with UDP tunnels) and one of them, but only one, exhibits this problem. It is in fact a general problem with that pfSense box, as all OpenVPN tunnels out/in are slow, even though it is very new hardware. I have pored over it extensively, and I can't see anything that would alter its network behavior. I am on 2.0.1-release, and I am really not sure where to go from where I am now… I have done everything except look at frame sizes and packet traces. If anyone can give me a pointer in the right direction it would be sincerely appreciated! EDIT- This has included taking all encryption off the tunnel, so it is definitely not to do with encryption load. I am getting 140ms transit times and low bandwidth (4 +/- .5 MBps) when I am getting 94ms WAN to WAN
  • Only able to ping router/openvpn gateway

    Locked
    5
    0 Votes
    5 Posts
    6k Views
    C
    Thanks for the replies. I'll try some of the suggestions out and let you know. For now…
    1. Is the software firewall disabled on any hosts you're trying to ping? Yes
    2. Are clients running openvpn as admin? (win 7 / vista) Is this an issue? They haven't been but they can
    3. Can we see screen shots of your LAN and OPENVPN tabs? They're set to wildcard any, allow all from all
    4. What is the IP of your AD server? 192.168.6.2, LDAP auth is working fine
    5. When you are pinging around, are you pinging by IP or hostname? IP
    6. [image: ygjJO.png]
    Edit: After disabling windows FW (for the second time, likes to re-enable itself) and setting the gateway to the pfsense box I can pass traffic back and forth between pfSense and the OpenVPN client. Thanks a ton guys!
  • OpenVPN Clients can't route to IPSEC

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C
    Don't post duplicate topics. Locking this, other is here: http://forum.pfsense.org/index.php/topic,49632.0.html
  • Please HELP! I am near to go insane!

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How to make OpenVPN failover ?

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    H
    Check this post for info on OSPF: http://forum.pfsense.org/index.php/topic,37084.0.html
  • 0 Votes
    7 Posts
    5k Views
    DonnyD
    If you have two different CA, one for site-to-site VPN and another CA for Road-Warrior VPN then the site-to-site clients can not connect to RoadWarrior VPN but only to site-to-site VPN. The Road-Warrior clients can only connect to Road-Warrior VPN but not to site-to-site VPN.
    Thank you Nachtfalke. I am confused about this, because I have tested with OpenVPN site-to-site and road warrior VPN with separate CAs. Road warrior clients can connect to site-to-site clients, and site-to-site clients can also connect to road warrior clients, when I used the advanced configuration option in the tunnel, and it is working.
    Example: OpenVPN server + road warrior site A, OpenVPN client site B and OpenVPN client site C
    "Road Warrior" on server site, at Advance configuration tunnel I use:
       push "route 10.66.76.0 255.255.255.0"; (OpenVPN Client site B LAN subnet)
    "OpenVPN Client site B", at Advance configuration tunnel I use:
       route 172.31.23.0 255.255.255.0; (Road Warrior tunnel network on server site)
  • Problem tunneling all client traffic through openVPN

    Locked
    12
    0 Votes
    12 Posts
    19k Views
    C
    @wm408: Try leaving concurrent connections blank. Remove your redirect gateway def1 entry in advanced options if it's still there, the checkbox in the GUI will suffice.
    Tried that, didn't fix it.
    @wm408: Are you sure all of the subnets in your firewall/NAT rules are correct to the client pool subnet for the warrior vpn?
    No, most of those NAT were made automatically. Come to think of it I will have to play with the WAN gateways, as one day (after setting up failover) some subnets stopped having internet. I had to change from gateway = * to gateway = WAN for them to get online. I will try the same for OpenVPN.
    EDIT - SUCCESS :) I had to change the OpenVPN firewall rules to use the WAN2 gateway:
       10.0.8.0/24 * * * WAN2_312403 none
    Thanks for all the help!
  • Error On Open VPN Client

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    N
    If you have a new key and a new cert then import these in SYSTEM -> Cert Manager. After that, modify your OpenVPN server to use the new certs. That's all. No reboot needed. ADVICE: Please update your old pfsense version to pfsense 2.0.1. It does not make sense to discuss problems with old versions.
  • OpenVPN site to site PKI partially up?

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    D
    Thanks for the suggestion. Just tried adding in the iroute command… The status under Status->OpenVPN changed to down and I could no longer ping from site B. I already have "route [site B subnet] [subnet mask]" command in server under the advanced options.
  • Clientless VPN?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    Q
    Thanks for your quick response! I figured as much. Cheers!