You missunderstand how the rules work.
http://forum.pfsense.org/index.php/topic,7001.0.html

Rules:
Rules are processed from top to down.
If a rule catches the rest of the rules is no longer considered.
Per default a "block all" rule is always in place (invisible below your own rules).

Traffic is filtered on the Interface on which traffic comes in.
So traffic comming in on the LAN-Interface will only be processed by the rules you define on the LAN tab.

A couple of reasons, my outside interface is using port 1194 the 12.166.84.3 ip is using 34246.

Each connection has a destination-port and a source-port.
Only the destination is 1194. The source can be something random between 1024+ ~ 65535.

Please give a little more information on your configuration.  Is this firewall to firewall, or a host to your firewall?  Is this PKI or shared key?  What are the networks involved?  How is OpenVPN configured?  It sounds like you're not trying to do anything fancy, so if you can give more details, I might be able to help.

Huh… No one is willing/able to verify?  I'd hate to raise a bug just to find out that it's an existing bug or only in my config.

We can close this issue.

Jimp you are right. The problem why the IP-Address 192.168.11.2 doesn't response my requests was the gateway.
I tried antother IP and I could see all things are working.

The Push command brings up the solution - THANKS !!!

so…yesterday i uppgraded my firewall to 1.2.3 and now the tun interfaces (OpenVPN interfaces) show up in the GUI. I've adde them as optional interfaces. The thing is when i create rules for these interfaces nothing happens so i guess this is not supported? But...when i look in the firewal logs, i can se the occational packet beeing blocked on the tun0 or tun1 interface?

Is there anyone who can bring some light as to why the tun interfaces show up in 1.2.3 and if they can be filtered?

I just ran the command "pfctl -sr" on my pfsense box and it seems that the rules i've created for the tun interfaces are there. I'm no master of pf so i will have to spend some time decoding this printout.

I've kind of found a way to do this:

1)  Create a client config called DEFAULT.  This is parsed by OpenVPN when a CN is not matched elsewhere.
2)  Click the "Blocked" option in the config.

What I'm not sure of is the downside of doing this… The blocked option specifically says that the option shouldn't be used "due to key or password compromise", which seems to imply that it has weaknesses the a CRL does not.

Any thoughts?

Hi Dave,

For the multiple client connections that you were trying to create, did each client have a different key and cert, or were they using the same client certificate pair to connect to the server?

Great!  I'll be sure to add that fact next time I update the howto.

The WebGUI works fine for configuring OpenVPN.  If you want to create the keys on the pfSense host then there are stickies that you've already been directed to:

http://forum.pfsense.org/index.php/topic,4807.0.html
http://forum.pfsense.org/index.php/topic,2057.0.html

Otherwise, as GruensFroeschli said, if you don't say what you're trying to do it's impossible to help you - crystal balls are still on back order.

I'm not sure what you're trying to do (your choice of white font for the network diagram doesn't help ;) ).  Why don't you just configure the LAN hosts to use the DMZ IP address to access the server?  I can't see why you're using OpenVPN when the network between the hosts appears to be trusted.

Look at the log:
status –> system log --> openvpn

alternative you can enable the managment interface of the openVPN isntance:
http://forum.pfsense.org/index.php/topic,5282.msg31843.html#msg31843

you coudl go ahead and install in.

pfsense runs on freeBSD which is a *nix environment. I havn't look at the requirements however this shoudn't be too hard to implement yourself :)

It will probably break the pfsense GUI openvpn configs though

I've tried both - still the same

thanks

have you set up NetBIOS properly in your pfsense openvpn settings? These should be set to your domain controller

Anyone?

I think these routes are the problem:

192.168.1.1 192.168.1.2 UH 1 0 1500 tun0 192.168.2.0/24 192.168.1.1 UGS 0 190 1500 tun0

First, the gateway for 192.168.2.0/24 should be the other endpoint of the OpenVPN tunnel, 192.168.254.1. Not sure what the other route is about, but it's weird.

I haven't used OpenVPN in pfSense though, so I'm not sure what you'd need to change to fix this.

@Cry:

To confirm:

When you connect between the gateway and pfSense you can connect to OpenVPN using 192.168.123.142?

When outside your network you can't connect using the public IP (WAN) address?

If that is so, then your problem is with your gateway's port forwarding/firewall rules.

That's correct, the strange thing is that some rules do work. For example if I open port 8080 for a webserver, that does work perfectly.

Edit : It looks like it's fixed, I did a firmware upgrade of my gateway and it's working just fine:)

Thanks for the help