• UDP VPN - TCP Connection breakup across tunnel

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    What's the size of those disappearing packets? My first suspicion is they're too large to fit across the VPN.
  • Tftp traffic not passing

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M
    To add more juice to the issue. I am currently RDPed into a machine from an OpenVPN session. That same machine is running SolarWinds TFTP server. I have disabled the firewall on that machine, and I am unable to pull TFTP files from that machine through the OpenVPN session. This seems odd since I’m able to pull all other services but TFTP. Please help?
  • Site to site openvpn on 10 branches

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29 covers 2.0
  • 0 Votes
    3 Posts
    2k Views
    I
    @jimp: Easily solved by assigning each instance as its own interface and then applying NAT rules on the interface specific to the connection you want it to work upon.
    Jim, thanks for the tip. It's obvious how to do this in the plain-text files, but not so obvious (to me) how to do it in the PFsense GUI. What I see now is that you must assign an "Interface" via Interfaces->Assign to each OpenVPN client interface (ovpnc1, ovpnc2) and then assign an Outbound NAT to each one. Perhaps a Wiki topic for future users? Thanks again!
    ![Screen Shot 2011-12-07 at 9.37.00 AM.png](/public/imported_attachments/1/Screen Shot 2011-12-07 at 9.37.00 AM.png)
  • Weird vpn problem, connection restarts with long delay.

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • PFSense 2, OpenVPN roadwarrior scenario with PW + Cert ?

    Locked
    8
    0 Votes
    8 Posts
    5k Views
    johnpozJ
    Glad it's working for you, wasn't really a lot of time to be honest - you can see from the timestamps on the different logins it was about 20 minutes or so. Time well spent on working with settings I had not played with before, I personally don't have any need for multiple certs or being worried that the CNs don't match ;) And have not set up password auth either since I have physical control of the device my certs are on – but I can see the desire for these features. And glad my testing somehow got it worked out for you. I was always sure I could always revoke my cert if lost, but now I have verified that it does work. In my case though if I lost the certs I use - I would prob redo the whole CA portion and gen completely different certs. But with multiple users, revoking is clearly a good feature to have working. I do agree I think the export tool should name the certs based upon the username being exported vs use of the generic naming scheme - I would think a minor rewrite of the export tool? Maybe you could write up a post-download script you run on the zip before handing it off to the user. And sure would be up for a beer or two for sure if ever in the Chicago area.
  • Pfsense 2.0 / policy based routing

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • LDAP authentication against Active Directory working

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • [SOLVED] OpenVPN Site to Site >> Can't ping subnet on one side

    Locked
    3
    0 Votes
    3 Posts
    11k Views
    R
    Ok, I figured out the problem. The traceroute tipped me off. Traffic coming from my OpenVPN tunnel to the OPT1 network wasn't being NAT'ed. This is why I wasn't getting a return from the ping. I enabled Advanced Outbound NAT and defined my OpenVPN tunnel as a network to NAT for the OPT1 interface (don't forget to add rules for WAN too in Advanced Outbound NAT, since Advanced Outbound NAT disabled all the automatic outbound NATing).
  • How to configure two net cafe's to connect and play lan games together?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M
    Have you read the HOWto's for OpenVPN site-to-site? http://doc.pfsense.org/index.php/Category:Howto Otherwise, you could make it easy on yourself and just use Hamachi.
  • How can pfSense restore lost OpenVPN connections?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    N
    Try this on client:
    # The keepalive directive causes ping-like
    # messages to be sent back and forth over
    # the link so that each side knows when
    # the other side has gone down.
    # Ping every 10 seconds, assume that remote
    # peer is down if no ping received during
    # a 120 second time period.
    keepalive 10 120
  • Manage openvpn and wan connection

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M
    If you changed the only rule to use specific gateway, then you should be ok with this scenario.
  • Open VPN and routing

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    R
    What about the gateway? So here is the network:
    Site A                  Tunnel                        site B
    Lan                                                   lan 192.168.20.0/24
    192.168.0.0/24          ON SERVER SITE
                            10.0.20.0/24
                            server ip is 10.0.20.1        client ip 10.0.20.2
    Vlan 23                                               roadwarrior
    192.168.23.0/24                                       10.0.23.0/24
                                                          push route here is 192.168.23.0/24
    How to add the route on A for 10.0.23.0 which is the network for B roadwarrior. Also do you add it from System => Routing => 10.0.23.0/23 Gateway is the wan nic. Cheers, Raj
  • How create vlan on openvpn tap interface?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Create openvpn connection

    Locked
    18
    0 Votes
    18 Posts
    8k Views
    H
    Okay, it's working now, I changed the client machine. Thanks to all of you. One other thing: can I make it connect automatically when Windows starts, I mean on startup in Windows XP?
  • Tunnel (Routing ?) problem

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    P
    Hello, Rules are ok for me, i've also to create a temporary "Any" but no effect. In summary A computer 10.10.10.45 connected to firewall 10.10.10.1 can ping firewall, OpenVPN Interface 10.10.30.1 On other side a computer 192.168.2.8 can ping firewall 192.168.2.1 With a ssh shell session on 10.10.10.1 i can ping 192.168.2.1 and .8 Same on 192.168.2.1 i can ping 10.10.10.1 and .45 But not possible from pfsense gui / diag / ping, i try lan, wan… timeout, same from computers.... ... :'(
  • [ASK] How to add route from server to VPN client

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M
    Bad English aside, we need more info.  Start with the basics…what does your set up look like... simple road warrior, site-to-site? Give us your LAN scope, Tunnel Network, PFsense version, OpenVPN firewall rule, also a network map would help. Did you actually add a static route or try to add a route to your custom config?
  • OpenVPN clients cannot ping virtual machines addresses

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    T
    No there isn't, anyway i have rebooted pfsense and all is working perfectly now. Thank you very much. ;D
  • Idle disconnect client

    Locked
    11
    0 Votes
    11 Posts
    13k Views
    jimpJ
    Then put ping-exit in the client config and make sure they have no keepalive or ping-restart in the client config. The only thing you can do on the server side is specify the inactive parameter I showed earlier.
  • [SOLVED]Is there a way to have the same local and remote subnet?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    johnpozJ
    I wouldn't really mark your workaround as solved - because you have not solved the root of the problem. The root of the problem is you have the same network segment. So you force traffic down the tunnel - now clients can not access resources on their own segment ;) And still have issue with dupes, maybe client wants to access 192.168.1.14 on his segment, and he ends up trying to access 192.168.1.14 on your segment. Maybe his address is .14, and needs to access .14 on other end ;) Your solution may have allowed you to accomplish a portion of what you're wanting to do - but it in no way is an actual solution. Now natting would actually be a solution since remote clients would be able to access any IP on the vpn local side, no matter what IP even if matches up with their own.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.