Hello
thanks for explanation
my other site have only one computer so maybe it could consider as roadwarrior connection.

i will test different solution.
i choose PKI cause it look like more secure
dd-wrt config with PKI use gui , shared key use script ;-)
PKI allow client-to-client connection ( i think) but not tested yet !

i hope have not to use IPSEC for firewall rules over vpn !
so maybe i should contribute to the project to stay using openvpn…

What Valhalla1 said :)

If you set up OpenVPN yourself you would have to write these files yourself.
But on pfSense they will get created automatically if you just create a client specific configuration on the respective tab in the GUI.

Hi, drbowen,

Congratulation that you successful make the tunnel and works fine. If u plan long term running pfsense, better build with a best condition hardware.

Ya, you are running the vpn tunnel for files access or bridging? From what i know, you should not able to do bridging if doing shared key method.

Correct me if i m wrong.

kelvin

Hi,
I got found a solution by this idea:

Patch the registry to change the MAC address according IP. Disable the tap adaptor and enable back. The mac address of tap adaptor will changed to new one. Then enable openvpn client GUI. It should work.

Now will start work out the solution… or some Programming expert can help on this?

Thanks
Kelvin

Can you post the output of the openVPN log?
I think i've read somewhere something about OpenVPN only working with TCP with multiple WAN's.

Thank you very much GruensFroeschli,

Now everything much more clear. The topology that has been setup is obviously the problem.

10x again.

1:1 NAT forwards (as the name say) all ports to a server.
Including the port you would use for openVPN.

But why do you use 1:1 NAT?
You could use normal NAT forwardings.

Bridge mode can successful for 2 LAN sites in a "normal" condition. "Normal" mean a normal office or group network. If those client is "cloned" then will meet the problem with MAC address issue. This is because if the PCs are cloned, that mean the MAC address also will duplicated.

Bridge mode i use is form a pfsense as openvpn server and other client pc install openvpn with tap-adaptor. Client can be successful connected but need a different MAC address of TAP-adaptor. I m try to come out a script that can make the TAP-adaptor MAC address can change according to IP address.

But, what i hope that is 2 site PF sense can form bridge mode and no need to do any setting or installation to the client PC.. It is possible.

I know that PFsense routed VPN is not work with what i want.. Anyway i hope that i can make a successful case under GruensFroeschli help :)

or someone interest on it can study together. My network knowledge is level 1 only ^^

So, lets forget about my XP. While trying with my XP I was also trying with a Suse distro using the same settings as in the XP. The Suse is the router of the remote network I would liek to connect.

So to accomplish my mission, I need to:

Switch back to PKI - a road warrior setup.

I had that setup and almost no luck with the VPN. While changing settings, the most i got is to ping the remote VPN gateway, but not the network, so no success with s2s vpn! :(

Could it be from the RFC 1918 networks incompatibility???

10x

PS. I was just wondering, Can I still make ping from Pfsense network to my XP vpn gateway???

okay so everything was up and running yesterday, one of my employees for a reason beyond me rebooted the server side lastnight, after they did this the vpn stopped working agian, it still shows that it connects just fine from the logs but I can't seem to get any traffic to tunnel thru it.

It means that you missconfigured your tunnel.

You probably followed this tutorial: http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdf
which contains a bug as described in the sticky here:
http://forum.pfsense.org/index.php/topic,2228.msg53309.html#msg53309

I decided to go down the IPSec route, after banging by head against the wall and meticulously looking at the configurations to ensure they were the same at both ends I managed to get it working.  I say got it working I really mean I left it and went home and when I came in the next day it magically had connected, probably lost a days worth of effort due to my own impatience.

I never really run into this problem, but as far as i see it, you cannot use the redirect-command in a shared key setup.

You would have to add routes for the remote gateway and 0.0.0.0/1 and 128.0.0.0/1 manually.
But from that thread: http://forum.pfsense.org/index.php/topic,6056.0.html
It doesnt seem to be a problem :)

Let us know if it worked for you.

http://openVPN.net
–> documentation

Sticky: http://forum.pfsense.org/index.php/topic,2228.0.html
My post at the end of the thread.

Also: http://doc.pfsense.org/index.php/Tutorials

@GruensFroeschli:

I dont think a shared key setup is easier to manage with 50+ different tunnels.

In a shared key setup you dont use pushes on the server to add routes to the clients.
You have to add the routes in the client config directly.
Meaning if you ever add a new office you will have to change the configuration of every client.

If you use a PKI you just add a push command on the server and reinitialize the connections.
If you want to use pushes you have to use a PKI.

What about starting 50 instances of openvpn with shared key. Is it considerable load for the system or there is no real way to tell?

I will look into the PKI setup.

hello,

i have the same problematic, so if you have find a solution i am interested.

let me know, thanks