• OPENVPN Client : unable to resolve dns name when trying to reconnect

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    N
    Hi, thanks for your feedback. Please post your results (in a few days).
  • [solved] OpenVPN connects but I can't talk to LAN subnet

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    M
    np, once in a while I share the same boat
  • OpenVPN TAP and Tunnel Network problem

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    F
    Anyone, any idea how to remove the "server 0.0.0.0" parameter? I delete it from /var/etc/openvpn/server1.conf but it always comes back after system restart. Where can I disable the "server" parameter? I need only the "mode server" parameter.
  • Can't communicate with slave/backup pfsense instance via OpenVPN

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp
    Well, the easiest thing to do would be outbound NAT on the LAN interface, source of the openvpn subnet, translated to the LAN IP of the box. Yes, you'd have to switch to manual. You could do 1:1 NAT on LAN from an OpenVPN IP to a VIP (non-CARP!) in the LAN subnet, but that would only work for one client with a static IP.
  • Why doesn't VPN connection re-initiate when dropped?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Site to site routing bug

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    H
    check if the routing is correct on both ends … it can happen that one side is able to send traffic, but that the other side does not know how/where to return the replies
  • Site to Site Can ping from one side but not the other

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    E
    I've had similar issues like this in the past. Some things to look at: As heper said, check your routing table. Make sure there is a route in site A's table that routes traffic to siteB_subnet via the openvpn interface (do the same check for site B). Make sure you have the allow rules on the openvpn tab. Check your LAN rules on A, see which rule gets hit when you're sending traffic from A to B, and double check that it's using the "default" gateway. If there is no such rule, add one that has source->lan_subnet dest->siteb_subnet gateway->default. Run a wireshark on the receiving end (the machine on site B that you're pinging), see if the ping requests are coming in (could be that the responses aren't going from B to A properly). -E
  • Forwarding OpenVPN server ?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • OpenVPN Performance, specifically number of connections

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • OpenVPN User Auth + Static key security?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Set Static Internal IP for OpenVPN Clients

    Locked
    7
    0 Votes
    7 Posts
    9k Views
    I
    @jimp: coughcoughcough :-) OOOOHHH, I was looking in pfSense's FAQ in the OpenVPN sections…  :D Thanks for the link!
  • Possible to have clients receive address from internal lan subnet

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Cry Havok
    There is no tunnel network - when using TAP the client is effectively directly connected to the LAN. It gets a DHCP lease from the LAN DHCP server. I would recommend you read the OpenVPN documentation so you understand the basics of what you're dealing with.
  • Pfsense open vpn client site to site

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry Havok
    If it is just OpenVPN under the hood of Zerina, then yes. The sticky post at the top of this forum for site to site covers the process, the GUI on Smoothwall should be the only difference.
  • Single Client Package, Multiple Users

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    I
    Currently we have a bunch of 'satellite' systems that all serve the same purpose and don't have active users. It was looking to be a bit tedious (as we are constantly sending out new systems and such) to have to create a separate user in pfSense for our fluid usage of the network. However, as you have mentioned, if the certificate is compromised then anyone could have access to the network (which only allows access to one IP but that is beside the point) and we'd have to replace the certificate on all the systems. Is there an easier way to create a user/certificate combination without having to go through so many steps every time? On IPCop, for example, you type in the hostname and one or two other things and it created the user and certificate and everything.
  • OpenVPN - 2 clients with different access rules

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    That is in Client-Specific Overrides in the OpenVPN config. Make an entry for each user's certificate CN, give each of them a hardcoded tunnel network (a /30 inside of your larger tunnel network on the vpn), then set your firewall rules accordingly.
  • OpenVPN Site-to-Site dropped and only comes back after reboot

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    C
    I set both the server and client to "any" and it still doesn't come back up until it gets rebooted. For example, the client machine was down for the weekend.  When I powered it back up the VPN would not come back up until I rebooted the server.
  • OpenVPN connection on unmapped port, UNDEF user, persistent respawning?

    Locked
    5
    0 Votes
    5 Posts
    9k Views
    jimp
    You may be seeing the client's randomized source port, not the server's listening port.
  • OpenVPN Status Page Error

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    Edit the advanced options of each OpenVPN instance and remove any "management xxx xxxx;" declarations you have there. It's handled differently in 2.0.
  • TLS Error: TLS key negotiation failed to occur within

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp
    Yes, it works fine. That error generally means that the openvpn traffic is not making it through the firewall. Make sure you are allowing the traffic into the OpenVPN port on the server.
  • OpenVPN <=> Yealink T26 IP Phone

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied