I've been meaning to try it out through the DD-WRT GUI since it supports OpenVPN Server and Client. You may have to add routes to it if you use the GUI.
That's a good idea and I've messed with it a little bit. What setup in pfSense would be analogous to the roadwarrior setup in IPCop? I guess my issue is that the terminology is different in the two firewalls and so I can't just make an identical setup with my current knowledge.
Well it's rare that you need to use OpenVPN via an http/https proxy ^^"
For roadwarriors who have to go regularly into environments where security is very tight, I have a second instance of our normal OpenVPN server (UDP 1194) with the same keys/certs providing access on TCP 443.
This usually allows them to reach our main-office.
But this is more of a failover if the normal server isn't reachable.
This is what happens when you set up broken routing, where your client gets a route to the server IP where it's connecting, within the VPN, and tries to access the server IP by using the tunnel. It has to be able to reach the server outside the tunnel, not within it, and basically loops traffic and causes chaos. Don't push or set up routes on your client inside the tunnel for the IP it has to reach outside the tunnel.
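A check for the routing loop described in the post above, as an added example that is not part of the original thread: it flags any `route` or pushed `route` whose network contains the address in the client's `remote` line. The sample configs and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import shlex

# Constructed sample configs (documentation address ranges, not from the thread).
CLIENT_CONF = """
client
remote 203.0.113.10 1194 udp
route 10.8.0.0 255.255.255.0
"""
SERVER_CONF = """
push "route 192.168.10.0 255.255.255.0"   # LAN behind the server: fine
push "route 203.0.113.0 255.255.255.0"    # covers the public IP of the server: loop
"""

def _directives(conf):
    """Yield tokenized directives, skipping '#' and ';' comments."""
    for line in conf.splitlines():
        if not line.lstrip().startswith(";"):
            tok = shlex.split(line, comments=True)
            if tok:
                yield tok

def find_looping_routes(client_conf, server_conf=""):
    """Return (origin, network, remote_ip) for tunnel routes covering a 'remote' IP."""
    remotes, routes = [], []
    for tok in _directives(client_conf):
        if tok[0] == "remote" and len(tok) > 1:
            try:
                remotes.append(ipaddress.ip_address(tok[1]))
            except ValueError:
                pass  # hostname: resolve it yourself before checking
        elif tok[0] == "route" and len(tok) > 1:
            routes.append(("client route", tok[1:]))
    for tok in _directives(server_conf):
        inner = tok[1].split() if tok[0] == "push" and len(tok) > 1 else []
        if inner[:1] == ["route"] and len(inner) > 1:
            routes.append(("pushed route", inner[1:]))
    hits = []
    for origin, args in routes:
        mask = args[1] if len(args) > 1 else "255.255.255.255"
        try:
            net = ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)
        except ValueError:
            continue  # keyword or hostname target such as vpn_gateway
        hits += [(origin, str(net), str(ip)) for ip in remotes if ip in net]
    return hits

if __name__ == "__main__":
    for hit in find_looping_routes(CLIENT_CONF, SERVER_CONF):
        print("route swallows server address:", hit)
```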
No, his later method is probably best - though when making the separate server setups, make sure they each use a unique CA, otherwise the clients could connect to either server and jump into another subnet.
(Though I suppose having a unique TLS key alone would be enough, it never hurts to err on the side of caution)
Thanks so much for the information. I'm not sure where I was looking before, but now I've definitely seen how to have multiple servers.
Your response led me in the right direction.
Thanks again!
Check the OpenVPN FAQs to create an OpenVPN server; you may not need certificate authentication or anything that fancy.
Create an OpenVPN interface and allow traffic to the LAN, or describe the local network in the OpenVPN server settings, or push a route.
I am a newbie at establishing a VPN using OpenVPN and pfSense. I use a CA cert. The client can connect to the pfSense firewall. However, the IP address cannot ping after the firewall. I have tried using route X.X.X.X Y.Y.Y.Y or push "route X.X.X.X Y.Y.Y.Y". It does not work. Can anyone help? Thx
Ming
Show us your network infrastructure
Add an allow rule on the firewall tab for the OpenVPN interface