• [PfSENSE-2.0.1] openVPN Site to Site, with multi client

    Locked
    8
    0 Votes
    8 Posts
    11k Views
    _
    Hi, after a lot of tests, I couldn't find my solution. So I decided to burn everything and start again… And… surprise! Everything works... :) I think that I had problems with my certificate. Now it's all good.
  • OpenVPN Client Export with OpenVPN MI

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    We currently use a custom build of the Windows OpenVPN client that fully supports IPv6. If/when that client is based on a version of OpenVPN (2.3 I think?) that also fully supports IPv6, we could consider changing.
  • PfSense 2.0.1 - OpenVPN tap/bridging mode issues

    Locked
    2
    0 Votes
    2 Posts
    7k Views
    jimpJ
    Can you show your client config file? Also from the pfSense side, the output of "ifconfig -a" and perhaps the config from /var/etc/openvpn/ for this server. The code is better on 2.1 for tap bridging (though bridging in general is broken there at the moment) but I made the tap fix package to backport most of the good bits. I've installed it several times and had it working. Also, if you are not giving DHCP from the OpenVPN instance on pfSense (your server bridge start/end boxes are blank) it will try to get DHCP from the DHCP server on your LAN1 interface. Trying to pass DNS servers and a default domain may be conflicting with that. Either fill in a Server Bridge DHCP Start/End box, or clear out the search domain and DNS server.
  • OpenVPN provider - redirect gateway

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    W
    I believe this is your problem. http://forum.pfsense.org/index.php/topic,8773.0.html You need to use Advanced Outbound NAT (Manual NAT), and make an entry under Firewall > NAT > Outbound which lists your OpenVPN client subnet as the source, to destinations that you specify, for example any destination. If it's not AON, then check the OpenVPN tab under Firewall -> Rules and make sure that the source OpenVPN network in question can talk to, for example, anything, or ! Local Subnet (not the local subnet but anything else). An example of a firewall rule for the OpenVPN tab:

    Proto      Source    Port  Dest.  Port  GW    Queue
    openvpn net * * * * none

    @wanie: Hi, I am trying to route all my LAN traffic through an OpenVPN provider like perfect-privacy. To me it looks like there is something blocking the traffic through this tunnel. If I connect with the OpenVPN client I can't open any website. Anyway, I can't ping any public domain or IP, but DNS works. If I ping google.com I see the resolved IP but get no ping answer. I already tried to play around with the AON settings but no luck.

    Here is the OpenVPN log:

    Feb 5 18:55:04 openvpn[25458]: real_hash_size = 256
    Feb 5 18:55:04 openvpn[25458]: virtual_hash_size = 256
    Feb 5 18:55:04 openvpn[25458]: client_connect_script = '[UNDEF]'
    Feb 5 18:55:04 openvpn[25458]: learn_address_script = '[UNDEF]'
    Feb 5 18:55:04 openvpn[25458]: client_disconnect_script = '[UNDEF]'
    Feb 5 18:55:04 openvpn[25458]: client_config_dir = '[UNDEF]'
    Feb 5 18:55:04 openvpn[25458]: ccd_exclusive = DISABLED
    Feb 5 18:55:04 openvpn[25458]: tmp_dir = '/tmp'
    Feb 5 18:55:04 openvpn[25458]: push_ifconfig_defined = DISABLED
    Feb 5 18:55:04 openvpn[25458]: push_ifconfig_local = 0.0.0.0
    Feb 5 18:55:04 openvpn[25458]: push_ifconfig_remote_netmask = 0.0.0.0
    Feb 5 18:55:04 openvpn[25458]: push_ifconfig_ipv6_defined = DISABLED
    Feb 5 18:55:04 openvpn[25458]: push_ifconfig_ipv6_local = ::/0
    Feb 5 18:55:04 openvpn[25458]: push_ifconfig_ipv6_remote = ::
    Feb 5 18:55:04 openvpn[25458]: enable_c2c = DISABLED
    Feb 5 18:55:04 openvpn[25458]: duplicate_cn = DISABLED
    Feb 5 18:55:04 openvpn[25458]: cf_max = 0
    Feb 5 18:55:04 openvpn[25458]: cf_per = 0
    Feb 5 18:55:04 openvpn[25458]: max_clients = 1024
    Feb 5 18:55:04 openvpn[25458]: max_routes_per_client = 256
    Feb 5 18:55:04 openvpn[25458]: auth_user_pass_verify_script = '[UNDEF]'
    Feb 5 18:55:04 openvpn[25458]: auth_user_pass_verify_script_via_file = DISABLED
    Feb 5 18:55:04 openvpn[25458]: ssl_flags = 0
    Feb 5 18:55:04 openvpn[25458]: port_share_host = '[UNDEF]'
    Feb 5 18:55:04 openvpn[25458]: port_share_port = 0
    Feb 5 18:55:04 openvpn[25458]: client = ENABLED
    Feb 5 18:55:04 openvpn[25458]: pull = ENABLED
    Feb 5 18:55:04 openvpn[25458]: auth_user_pass_file = '/conf/perfect-privacy.pas'
    Feb 5 18:55:04 openvpn[25458]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
    Feb 5 18:55:04 openvpn[25458]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client3.sock
    Feb 5 18:55:04 openvpn[25458]: WARNING: file '/conf/perfect-privacy.pas' is group or others accessible
    Feb 5 18:55:04 openvpn[25458]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Feb 5 18:55:04 openvpn[25458]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 5 18:55:04 openvpn[25458]: Control Channel Authentication: using '/var/etc/openvpn/client3.tls-auth' as a OpenVPN static key file
    Feb 5 18:55:04 openvpn[25458]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 5 18:55:04 openvpn[25458]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 5 18:55:04 openvpn[25458]: Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Feb 5 18:55:04 openvpn[25458]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Feb 5 18:55:04 openvpn[25458]: RESOLVE: NOTE: moscow.perfect-privacy.com resolves to 3 addresses
    Feb 5 18:55:04 openvpn[25458]: Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
    Feb 5 18:55:04 openvpn[25458]: Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
    Feb 5 18:55:04 openvpn[25458]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
    Feb 5 18:55:04 openvpn[25458]: Local Options hash (VER=V4): 'ed844052'
    Feb 5 18:55:04 openvpn[25458]: Expected Remote Options hash (VER=V4): '8a244582'
    Feb 5 18:55:04 openvpn[25739]: UDPv4 link local (bound): [AF_INET]192.168.178.22:50013
    Feb 5 18:55:04 openvpn[25739]: UDPv4 link remote: [AF_INET]192.162.100.209:1149
    Feb 5 18:55:05 openvpn[25739]: TLS: Initial packet from [AF_INET]192.162.100.209:1149, sid=0dffcb99 ea51437a
    Feb 5 18:55:05 openvpn[25739]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Feb 5 18:55:06 openvpn[25739]: VERIFY OK: depth=1, /C=NZ/ST=Glenside/L=Wellington/O=PP_Internet_Services/OU=PP_Security_Department/CN=ppca/emailAddress=admin@perfect-privacy.com
    Feb 5 18:55:06 openvpn[25739]: VERIFY OK: depth=0, /C=NZ/ST=Glenside/O=PP_Internet_Services/OU=PP_Security_Department/CN=ppserver/emailAddress=admin@perfect-privacy.com
    Feb 5 18:55:18 openvpn[25739]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1562'
    Feb 5 18:55:18 openvpn[25739]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Feb 5 18:55:18 openvpn[25739]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
    Feb 5 18:55:18 openvpn[25739]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Feb 5 18:55:18 openvpn[25739]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 5 18:55:18 openvpn[25739]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Feb 5 18:55:18 openvpn[25739]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Feb 5 18:55:18 openvpn[25739]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
    Feb 5 18:55:18 openvpn[25739]: [ppserver] Peer Connection Initiated with [AF_INET]192.162.100.209:1149
    Feb 5 18:55:20 openvpn[25739]: SENT CONTROL [ppserver]: 'PUSH_REQUEST' (status=1)
    Feb 5 18:55:21 openvpn[25739]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 4.2.2.4,route 10.0.16.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.16.14 10.0.16.13'
    Feb 5 18:55:21 openvpn[25739]: OPTIONS IMPORT: timers and/or timeouts modified
    Feb 5 18:55:21 openvpn[25739]: OPTIONS IMPORT: --ifconfig/up options modified
    Feb 5 18:55:21 openvpn[25739]: OPTIONS IMPORT: route options modified
    Feb 5 18:55:21 openvpn[25739]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Feb 5 18:55:21 openvpn[25739]: ROUTE default_gateway=192.168.178.1
    Feb 5 18:55:21 openvpn[25739]: TUN/TAP device /dev/tun3 opened
    Feb 5 18:55:21 openvpn[25739]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Feb 5 18:55:21 openvpn[25739]: /sbin/ifconfig ovpnc3 10.0.16.14 10.0.16.13 mtu 1500 netmask 255.255.255.255 up
    Feb 5 18:55:21 openvpn[25739]: /usr/local/sbin/ovpn-linkup ovpnc3 1500 1557 10.0.16.14 10.0.16.13 init
    Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 192.162.100.209 192.168.178.1 255.255.255.255
    Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 0.0.0.0 10.0.16.13 128.0.0.0
    Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 128.0.0.0 10.0.16.13 128.0.0.0
    Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 10.0.16.1 10.0.16.13 255.255.255.255
    Feb 5 18:55:21 openvpn[25739]: Initialization Sequence Completed

    These are my routes before the OpenVPN connection is active:

    Destination        Gateway            Flags  Refs  Use      Mtu    Netif  Expire
    default            192.168.178.1      UGS    0     537611   1500   vr1
    127.0.0.1          link#5             UH     0     1009     16384  lo0
    192.168.1.0/24     link#1             U      0     8769280  1500   vr0
    192.168.1.1        link#1             UHS    0     0        16384  lo0
    192.168.178.0/24   link#2             U      0     1        1500   vr1
    192.168.178.1      00:0d:b9:23:01:1d  UHS    0     88556    1500   vr1
    192.168.178.22     link#2             UHS    0     0        16384  lo0

    Here are the routes after initializing the tunnel:

    Destination        Gateway            Flags  Refs  Use      Mtu    Netif   Expire
    0.0.0.0/1          10.0.16.73         UGS    0     177      1500   ovpnc3  =>
    default            192.168.178.1      UGS    0     538564   1500   vr1
    10.0.16.1/32       10.0.16.73         UGS    0     0        1500   ovpnc3
    10.0.16.73         link#11            UH     0     0        1500   ovpnc3
    10.0.16.74         link#11            UHS    0     0        16384  lo0
    95.128.242.224/32  192.168.178.1      UGS    0     59       1500   vr1
    127.0.0.1          link#5             UH     0     1027     16384  lo0
    128.0.0.0/1        10.0.16.73         UGS    0     154      1500   ovpnc3
    192.168.1.0/24     link#1             U      0     8770408  1500   vr0
    192.168.1.1        link#1             UHS    0     0        16384  lo0
    192.168.178.0/24   link#2             U      0     1        1500   vr1
    192.168.178.1      00:0d:b9:23:01:1d  UHS    0     88678    1500   vr1
    192.168.178.22     link#2             UHS    0     0        16384  lo0

    Has anybody experience with problems like this? I am thankful for every hint in the right direction!
  • Need some help!

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    C
    Either you didn't create a certificate for that client, or the certificate you created is on the wrong CA.
  • OpenVPN and CARP/VIP problem

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    C
    Don't double post.
  • Establish OpenVPN connection temporarily, then disconnect at a given time

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    W
    If I turn the interface off via: ifconfig (vpn interface) down, the PID stays on. The service itself doesn't report any type of error in any of the logs that I can see… (system logs, status). So OpenVPN doesn't seem concerned about the interface status. When I do: ifconfig (vpn interface) up, the connection is back up. This could work well also, it seems, but I can't really see a true status unless I do a ping test, or do an ifconfig to see the "UP" flag on the interface, or no "UP" flag. I feel like it's a toss-up as far as purpose. Maybe one is cleaner than the other. @wm408: Good question. I am not sure if the PID stays open while the interface is off. But I will test it. @jamesc: Couldn't you just bring the OpenVPN interface up/down on a cron job using the ifconfig command?
  • OpenVPN: Hulu and Pandora

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    _Adrian__
    @cmb: You don't use the wizard to connect to someone else's server. You'll have to import their CA cert, the user cert and key they give you, and then configure a client (VPN > OpenVPN, Client) to connect to them with the parameters they provide. I did use the cert issued by PrivateTunnel and set it up according to the instructions given by them. I never set up OpenVPN or used it before. So for me it's like stumbling in the dark… That's why I'm here!
  • Point to Point Packet loss

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    M
    There was a duplex mismatch as well.  Got that corrected too.  Between that and the limiter the loss is much better (max of 1.6% during heavy traffic).
  • Add a gateway outside the current subnet interface ?

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    N
    Perfect, it works like a charm  8)
  • 0 Votes
    6 Posts
    3k Views
    D
    Finally I found an answer for my issue in the following article, which explains how to set up OpenVPN in bridged mode: http://hardforum.com/showthread.php?t=1663797 Unfortunately it is not possible to do that remotely, as the new configuration kicks off my current client connection. But that's a different issue. brgds David
  • OpenVPN software (server) TO pfSense OpenVPN (client)

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    M
    From the pfSense OpenVPN Client config page, this should've given you a clue:

    Tunnel Network: 10.1.0.1/24
    Remote Network: 192.168.202.1/24

    You entered host addresses instead of network addresses. They need to be:

    Tunnel Network: 10.1.0.0 (match the subnet mask to the tunnel network on your server; you have /24, but you typically see a /30 here)
    Remote Network: 192.168.202.0/24
  • Pfsense 2.0 route traffic between two different openvpn subnets

    Locked
    6
    0 Votes
    6 Posts
    10k Views
    H
    Use firewall rules to block or reject traffic in one or the other direction.
  • [SOLVED] Openvpn Server x Multiple Clients

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    Solved. I needed to add the rules in the Float tab, as in the attached image. :)
  • Site to Site unable to connect remote LAN

    Locked
    15
    0 Votes
    15 Posts
    5k Views
    C
    Yeah the default gateway has to know how to reach that remote network.
  • Openvpn pfsense to zero shell

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    R
    Ping from the interface to the internet works fine and the routing is in place. A pfSense to pfSense connection works fine; it just appears to be layer 3 on the VPN connection that is failing (zeroshell <-> pfsense).
  • DHCP lease info when NOT supplied by pfsense

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    You can't. If pfSense doesn't handle the DHCP, there is no way it can know that information.
  • Roadwarrior two subnets the same - Would this cause issues?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ
    Actually, in case #1 you probably wouldn't have a problem. When a road warrior connects and talks on the VPN tunnel, the traffic from the client should be coming from its OpenVPN client IP, not the IP it obtained from the coffee shop network. In case #2 you would have a problem trying to reach anything in that subnet, yes. It would believe it was local. You could set up some 1:1 NAT for another unused subnet that people can use in that case though, like 172.20.11.0/24 that maps on the OpenVPN interface to 172.20.10.0/24 on the inside. Then if you have a conflict, the clients just connect to IPs in the alternate subnet. Though with that odd of a subnet I doubt you'd ever hit a coffee shop or hotel using that.
  • Auto create OpenVPNs?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    There isn't an automated way to make that many users+certificates. Even if you set up RADIUS, unless you did auth-only, you'd still need certificates. Anyhow, I wouldn't consider 50-60 users "small"; RADIUS would work well for that size. There are FreeRADIUS packages for pfSense, though I'm not sure how easy it would be to add users to them in a batch (either the freeradius or the new freeradius2 package).
  • Route one VLAN over VPN, another straight to the WAN?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.