I've kind of found a way to do this:

1)  Create a client config called DEFAULT.  This is parsed by OpenVPN when a CN is not matched elsewhere.
2)  Click the "Blocked" option in the config.

What I'm not sure of is the downside of doing this… The blocked option specifically says that the option shouldn't be used "due to key or password compromise", which seems to imply that it has weaknesses the a CRL does not.

Any thoughts?

Hi Dave,

For the multiple client connections that you were trying to create, did each client have a different key and cert, or were they using the same client certificate pair to connect to the server?

Great!  I'll be sure to add that fact next time I update the howto.

The WebGUI works fine for configuring OpenVPN.  If you want to create the keys on the pfSense host then there are stickies that you've already been directed to:

http://forum.pfsense.org/index.php/topic,4807.0.html
http://forum.pfsense.org/index.php/topic,2057.0.html

Otherwise, as GruensFroeschli said, if you don't say what you're trying to do it's impossible to help you - crystal balls are still on back order.

I'm not sure what you're trying to do (your choice of white font for the network diagram doesn't help ;) ).  Why don't you just configure the LAN hosts to use the DMZ IP address to access the server?  I can't see why you're using OpenVPN when the network between the hosts appears to be trusted.

Look at the log:
status –> system log --> openvpn

alternative you can enable the managment interface of the openVPN isntance:
http://forum.pfsense.org/index.php/topic,5282.msg31843.html#msg31843

you coudl go ahead and install in.

pfsense runs on freeBSD which is a *nix environment. I havn't look at the requirements however this shoudn't be too hard to implement yourself :)

It will probably break the pfsense GUI openvpn configs though

I've tried both - still the same

thanks

have you set up NetBIOS properly in your pfsense openvpn settings? These should be set to your domain controller

Anyone?

I think these routes are the problem:

192.168.1.1 192.168.1.2 UH 1 0 1500 tun0 192.168.2.0/24 192.168.1.1 UGS 0 190 1500 tun0

First, the gateway for 192.168.2.0/24 should be the other endpoint of the OpenVPN tunnel, 192.168.254.1. Not sure what the other route is about, but it's weird.

I haven't used OpenVPN in pfSense though, so I'm not sure what you'd need to change to fix this.

@Cry:

To confirm:

When you connect between the gateway and pfSense you can connect to OpenVPN using 192.168.123.142?

When outside your network you can't connect using the public IP (WAN) address?

If that is so, then your problem is with your gateway's port forwarding/firewall rules.

That's correct, the strange thing is that some rules do work. For example if I open port 8080 for a webserver, that does work perfectly.

Edit : It looks like it's fixed, I did a firmware upgrade of my gateway and it's working just fine:)

Thanks for the help

Finally i got it to work :D

I tried changing the DNS address to what you suggested but that didn't work. So i added a custom entry to Manual Outbound NAT rule generation (Advanced Outbound NAT (AON)) and that got it to work.

No one that has any idea to what bravo83 and I are doing wrong?

What you're say is only possible if you missconfigured or missmanipulated someting.
Please refer to the openVPN documentation on http://openVPN.net on how to set up a CA correctly and build the files.

I forgot to mention that when I make a PPTP VPN between the two networks it works both ways no problem to access the shared files!  ??? but ofcourse that's different

for thr OpenVPN
I'm pretty sure I have to add some route in the config file or in pfsense gui but I can't figure what exactly. i tried in windows: "route add 192.168.50.0 mask 255.255.255.252 192.168.10.5"        but still no access to \192.168.10.6

my openvpn ip is 192.168.10.6 (and my physical ethernet adapter uses 192.168.50.0) but i saw in the ovpn gui that it pushes the routes to 192.168.10.5 so i guess that is my gateway … or am i wrong? probably...

Cry Havoc , please i'm sure you know the solution. you're the man :)

cheers

AON works as expected, thanks again for your help.