• Need some help with openvpn client connections

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    J
    Yes, this can be done. You can realize that with the "Client Specific Override". Enter the certificate's Common Name of the RoadWarrior and set up a /30 subnet within the OpenVPN server tunnel network for that client. This will always assign the client the same IP address. Every OpenVPN connection has its own /30 subnet. 10.10.10.8/30 has these IPs:
    10.10.10.4: Net address
    10.10.10.5: OpenVPN Server
    10.10.10.6: OpenVPN Client/RoadWarrior
    10.10.10.7: Broadcast address

    Okay, thanks. This is fine, but how do I do this? – Nevermind. Wow. This is humbling. There's a tab for that?! Never even saw it until you mentioned it. OK, I'm going to try it out now, but I suspect I should delete the client config sub-directory I created and restart OpenVPN. Much thanks for enlightening me, Jits.
  • Newbie Question

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pfsense 2.01 + OpenVPN: How to add fixed IPs from Windows?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Can't get it working after Squid

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    M
    I work in a call center, so I must wait until the agents stop working. After the change to 172.20.100.0/24 I can connect only one time and the client doesn't get any gateway address. I can't access servers on 172.20.x.x, and my external address is not the one of the OpenVPN server; my client keeps the address of the internet provider. Very strange?!?!
  • Clients getting same IP even with Duplicate Connections checked

    Locked
    11
    0 Votes
    11 Posts
    5k Views
    C
    You don't want tap either; that's only very, very rarely desirable, and pretty much never for site-to-site. Take out the hard-coded tunnel network, add iroute as needed, and you're set.
  • Proper way to implement Split Tunneling

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Concurrent sessions won't work..

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    V
    Thank you, I'll try that :) It works! Thank you! :)
  • OpenVPN (SSL/TLS + UserAuth) + FreeRadius with OTP

    Locked
    4
    0 Votes
    4 Posts
    6k Views
    N
    If I read this correctly, then you must configure this parameter on both sides. If you do not, the lowest value takes effect. But you can disable it on one side so that you can configure it individually on the other side (different clients with different times if disabled on the server side). http://openvpn.net/archive/openvpn-users/2006-12/msg00189.html PS: Do you use the freeradius2 package with mOTP?
  • Attempt to setup site2site openvpn shared key

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    F
    From office 2 I can ping the LAN port on the office 1 pfSense LAN card, which has an IP of 10.1.2.43:

    ```
    C:\Users\Administrator>ping 10.1.2.43

    Pinging 10.1.2.43 with 32 bytes of data:
    Reply from 10.1.2.43: bytes=32 time<1ms TTL=63
    Reply from 10.1.2.43: bytes=32 time<1ms TTL=63
    Reply from 10.1.2.43: bytes=32 time<1ms TTL=63
    Reply from 10.1.2.43: bytes=32 time<1ms TTL=63

    Ping statistics for 10.1.2.43:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    ```

    Ugh, so I can not reach anyone on that network. Note that the network on the LAN is connected to a whole office using a different router. The WAN is on its own static IP, a separate net connection. So what I want to know how to do is route traffic from office 2 through the OpenVPN to the 10.1.2.0 network. I don't even know where to start or what to read up on.
  • OpenVPN on carrier p2p connection

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimp
    Though I must ask - if it's a point-to-point interface, why use OpenVPN? Just add some static routes for the networks reachable via the opposing router. Unless you don't trust the carrier of the p2p circuit, then encrypt all you want.
  • PfSense using a Road warrior certificate

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    6 Posts
    12k Views
    N
    Thank you for this guide; with your help I got things working on pfSense 2.0.1 with a few minor alterations, some of which are cryptodev/security/regulatory requirements based, some of which are specifically to require all OPT1 (wifi) traffic to flow over AES/SHA256 VPN (no exceptions), DNS included, and I deliberately use a ta_auth.key to increase security.

    Setting up your pfSense firewall - match the parms in the config files (*.ovpn):
    *** DO ENTER the interface for OpenVPN to LISTEN on
    *** DO NOT UNCHECK "Enable authentication of TLS packets."
    *** DO UNCHECK "Automatically generate a shared TLS authentication key" and instead paste in the contents of the file that build-ta.bat created
    *** DO CHECK "Redirect Gateway"
    *** DO LEAVE "Remote Network" blank - we're not doing a site-to-site VPN
    *** DO ENTER the maximum number of Concurrent Connections, if known
    *** DO NOT CHECK "Compression" unless you know you're going to be sending compressible data. Note that remote desktop use is typically encrypted in and of itself, and is thus not compressible.
    *** ADD 'auth SHA256;push "redirect-gateway def1";push "dhcp-option DNS <openvpn listening ip addr>"' without the outer single quotes to the Advanced configuration, Advanced section at the bottom.
    ??? the redirect gateway may not be required if the checkbox is checked.

    Sample initial client1.ovpn (I'm still working on this - in particular, I'd like to get away from DHE entirely):

    ```
    client
    dev tun
    proto udp
    remote YourListeningInterfaceIPAddr 1194
    # ns-cert-type is a pre-2.0 way of making sure we're not being spoofed by a client acting as a server
    keepalive 5 60
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ns-cert-type server
    ca ca.crt
    cert client1.crt
    key client1.key
    cipher AES-128-CBC
    auth SHA256
    tls-cipher DHE-RSA-AES128-SHA
    tls-auth ta_auth.key 1
    pull
    verb 3
    # run "client.up" to add necessary
    # DNS entries to resolv.conf
    #;up /home/user/openvpnclient/sample-config-files/client.up
    # run "client.down" to remove
    # resolv.conf entries when VPN
    # is disconnected
    #;plugin "/usr/lib/openvpn/openvpn-down-root.so" "/home/user/openvpnclient/sample-config-files/client.down"
    ```

    CopyClientConfigs.bat (select the files each client needs):

    ```
    md keys\client1
    del /q keys\client1\*
    copy keys\ca.crt keys\client1
    copy keys\EyeWearHausta.key keys\client1
    copy keys\client1.crt keys\client1
    copy keys\client1.key keys\client1
    copy OpenVPNConfigFiles\client1.ovpn keys\client1
    ```

    build-ta.bat:

    ```
    openvpn --genkey --secret keys\ta_auth.key
    ```

    build-key-pass.bat:

    ```
    @echo off
    cd %HOME%
    rem build a request for a cert that will be valid for ten years
    openssl req -days 9000 -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
    rem sign the cert request with our ca, creating a cert/key pair
    openssl ca -days 9000 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
    rem delete any .old files created in this process, to avoid future file creation errors
    del /q %KEY_DIR%\*.old
    ```

    And the simple RunAll.bat:

    ```
    call vars.bat
    call build-ca.bat
    call build-key-server.bat server
    call build-key-pass.bat client1
    call build-ta.bat
    call CopyClientConfigs.bat
    ```
  • OPENVPN IS NOT WORKING IN BROADBAND CONNECTION (WITHOUT STATIC IP)

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    M
    Static vs dynamic doesn't have anything to do with connection issues.
    1. Double check your server config and firewall rules.
    2. Verify that the IP you THINK you have… matches what PFsense is pulling from the ISP... it is "dynamic" after all.
    3. Once you've verified which public IP is attached to PFsense, make sure your clients are connecting to the correct IP.
  • Issues with desired setup

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M
    Considering the lack of details, all anyone can do is give you their best guess. So here goes… looking at this line in your log:

    Thu May 03 22:15:48 2012 Warning: address 10.212.20.154 is not a network address in relation to netmask 255.255.255.248

    I'm guessing you either entered a host address instead of a network address or entered the wrong mask. Re-visit your server config.
  • OpenVPN roadwarrior can't access LAN clients

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    OK, I was being an idiot. Pulled my hair out for ages changing OpenVPN settings and firewall rules. Why do I always start with the complicated issues and not go first to the easier, most obvious ones? Turning off Windows Firewall on the PC which I was trying to access. In case anyone stumbles across this with the same problem: I found that with Windows Firewall enabled, XP PCs could be pinged, while Windows 7 PCs could not. Therefore I changed the ICMP settings in the Windows 7 firewall to allow incoming and outgoing packets from the subnet of the OpenVPN tunnel. I also had to do the same for both XP and Win7 for SMB -> allow the OpenVPN tunnel subnet access. Now everything works as expected with Windows Firewall enabled ;D
  • OpenVPN to PIA (provider) without Private Key

    Locked
    8
    0 Votes
    8 Posts
    7k Views
    K
    @elkmoose: As I said, here's my config file for my VPN host. I hope it may help somebody else having difficulty connecting. The file is located under /var/etc/openvpn and should have a name like "clientN.conf". I did a "factory reset" on my box before setting this up, so it shouldn't be related to any other settings. Since pfSense reports the connection as working, I'll consider this solved. Unfortunately, if the VPN connection is active, my computers can't get out to browse the web or anything, neither through the WAN (as they do if I simply disable the OpenVPN rule) nor through the VPN (which as far as I know does nothing other than be connected when not disabled). I don't know if this is intended behavior or not. It would make sense to block outgoing traffic if a VPN connection is active. I know more needs to be done to send traffic through the VPN connection instead of the WAN connection. My goal was first to see if I can connect to the VPN (yes), and then see if my regular network WAN access is still functioning (no). It's easy enough to turn the VPN connection on and off as needed, but I hope this is the correct behavior. This guide seems to work just fine: https://www.privateinternetaccess.com/pages/client-support/#pfsense_openvpn
  • OPENVPN IS NOT WORKING IN BROADBAND CONNECTION (WITHOUT STATIC IP)

    Locked
    2
    0 Votes
    2 Posts
    979 Views
    M
    Static vs. dynamic IPs have nothing to do with your issue. Double check that your clients are connecting to the correct IP… then double check your config and that you're allowing connections in the firewall.
  • 0 Votes
    4 Posts
    2k Views
    D
    I have the same problem?
  • Some users are unable to connect OpenVPN

    Locked
    6
    0 Votes
    6 Posts
    7k Views
    T
    Some internal IT politics do not allow users to have admin rights. OpenVPN needs them to add routes in Windows 7 (doesn't relate to Win XP) or Vista, I think. Some guy wrote to me from Italy; they had to: open the 1194 UDP port in their main company firewall, and add a .BAT script manually adding routes (as temporary) since the user does not have admin rights on his laptop. Then it worked. Some public internet access sites, like airports, also do not allow VPN traffic. Then you have to use port forwarding instead. Remember, you are not limited to a single VPN solution. If you have for example Windows 2008 Server, you can use its internal PPTP VPN solution also with pfSense and both will work.
  • Need to add user to Admin group for OpenVPN to work

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    T
    I can confirm it's not needed. I never assign the admin group to anyone, except IT staff. You can just create a separate certificate for every user.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.