Well one "way" (ugly hack) would be that you set up a second machine and define on it the OpenVPN interface as WAN.
Then i think you can NAT to the WAN.
http://devwiki.pfsense.org/OpenVPNasWAN

But this would require that you have more than one machine.
One as router and another one just for the openVPN tunnel.

(and i'm not even sure if that works….)

Ok now it works. It is due to a bad configuration.

I do stuff similar to this, but instead of having 1 VPN tunnel between the remote box and the pfsense box, instead each client on the LAN has to run openvpn client and connect to the remote box.   then all their traffic is routed over the tunnel.  this takes pfsense out of the openvpn equation

disadvantage - instead of one tunnel, there are many. more to manage,  scalability problems I imagine..

but end goal is the same,  clients on LAN all traffic goes through tunnel

The problem with the route is that when the openvpn tunnel is up, traffic destined to the remote network should be going to tunX interface, not the normal gateway.

This is what I have on my pfsense box that is a client on a site-to-site tunnel, my local LAN is 192.168.13.0/24, remote LAN is 192.168.42.0/24, transfer net is
10.13.42.0/24.

Destination Gateway Flags Refs Use         Mtu Netif Expire
192.168.42 10.13.42.1 UGS 0 32133 1500 tun1
(tun1 because tun0 is used by another site-to-site tunnel)

At the other end (the server):
192.168.13 10.13.42.2 UGS 0 1000282 1500 tun1
(tun1 in this case because the other end also has a server for roadwarriors at tun0)

Wow - I need sleep.  Thanks for pointing that out…

I have the same problem,
I try to use an static route with the server ip connection (openvpn) but when I
go to system logs - openvpn, I see the gw of wan1,
I don´t know how to use the gateway of wan2 with openvpn (client side).
Somebody help?
Sorry for my bad english…...

i know this is not recommended but i am using the same setup for pfsense as a server and the ddwrt as the client.

is there any way that i can just assign an (vpn ip) to the ddwrt and then set a static route of 192.168.1.0/24 and use the vpn ip as the gateway?

i would like to do this because i really like the fact that the ddwrt is a good platform for soho but a real pain in the ass to get the right syntax in for vpn site to site connect.

I already mailed him. No answer.
In the meantime you can find it here:
http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdf

Also note that on page 21 is a typo.
The field "Interface IP" should be 192.168.10.0/24 and NOT 192.168.1.0/24

Your questions have already been answered in the forum before.

To summarize:
Key managment should come in a future version.
Until then you have to do it manually. Read the sticky to that.

You can revoke single clients with the CRL (look at the webinterface for that and read about it on http://openVPN.net )

pfSense is not much else than a GUI to the creation of the server-config-files.
I you really want to use it you wont come around knowing how OpenVPN works.

OpenVPN can run in two "modes".
Shared Key and PKI.

In a shared key setup you connect two computers. Not more.
This is for site-to-site.

In a PKI every client has his own key and vertificate. (you cant have the same key for multiple clients)
This is for a RoadWarrior setup.

Why don't you put all the addresses of your pfSenses (the main and the failover backup) into the configuration of your clients? Then the client would just try to connect one server after the other until it works. You can even tell the client to randomly choose an IP to connect (which would more look like loadbalancing).

Ok I wont…....

Thanks for all your help.

hockey ;D

While I can't speak specifically to running multiple instances of OpenVPN, as someone who runs sshd on 80, 443, and 5190 (AIM; Continental Airlines used to allow 5190 through to any address, not just AOL), I can suggest that you want to move the management interface to another port and run an OpenVPN listener there - places that are big on the walled garden often have cacheing proxies in the middle for http (https is impractical to proxy, so it is more likely to go straight through).

-rob

Then I added a 64.208.129.0/24 route with the OpenVPN link as the gateway.

I wouldnt add routes like these static.
You can just add the -route command to your config.
OpenVPN adds these routes dynamically when the tunnel comes up and removes them when it goes down.

I have discovered that the password is needed for the decryption of the private key(my private key, the file with .key extension).
So i have removed the password with a tool. Now, using OpenVPN it does not request a password to connect.
so, i'm trying to configure pfsense but it does not work !

On the logs of pfsense i see this

any idea ?
thank you

PS:I have noticed that my .key file begin and end with –--BEGIN PRIVATE KEY-----,
instead pfsense need a key with ----BEGIN RSA PRIVATE KEY----.
Trying to copy and paste my key it does not work, so i have added the word RSA.

@Cry:

You should have searched the forum…

Currently there is no way of applying NAT or firewall rules to the OpenVPN traffic.  ISTR that this will change in 1.3, but you should search the forum for details.

I assume I can make openvpn run an "up" script that creates things behind the scene to do this, though I haven't tried yet.

If you dont do anything, the openVPN server will bind to all interfaces to which it can bind.

Can you view the Bindings anywhere?

I'm sorry.
I didnt read right.
kpa describes it a bit better than i did :)

What i mean: in a shared key setup: you have on the server-log something like

openvpn[2560]: /sbin/ifconfig tun0 172.16.40.1 172.16.40.2 mtu 1500 netmask 255.255.255.255 up
and on the client something like
openvpn[2560]: /sbin/ifconfig tun0 172.16.40.2 172.16.40.1 mtu 1500 netmask 255.255.255.255 up

While in a PKI setup the client usually has something like
openvpn[2560]: /sbin/ifconfig tun0 172.16.40.6 172.16.40.5 mtu 1500 netmask 255.255.255.255 up

Yes, making the client use the company dns through the tunnel should usually be enough.

Yes, I saw this today.

I edited the configuration today and made a mistake.
I moved it to the previous configuration but I still had the same problem.

I redid the vpnconfig from source, I reconfigured the Rule and I found a bug in my config (one device used a gateway who wasn't anymore in use).

I managed to get it working. So it was a silly mistake of me.

Thank you anyway for the help.