Seems ok, certainly not worlds apart from my own config which does work fine.

It would be good to check:

Is it only this person Is it only that remote location

as it's probably either networking related or a problem with that individual client.

http://openvpn.net/howto.html#redirect

for embedded this should work…

fetch -o /etc/inc/openvpn.inc http://pfsense.trendchiller.com/patches/openvpn/_etc_inc/openvpn.inc
fetch -o /usr/local/pkg/openvpn.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn.xml
fetch -o /usr/local/pkg/openvpn_cli.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn_cli.xml
fetch -o /usr/local/pkg/openvpn_csc.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn_csc.xml

Well i can confirm Debian box as OpenVPN client to pfsense server has been up solid for over 24 hours now no problem. Link is still solid. This is probably something to do with the client, i will post the client configs tomorrow.

I appreciate what you say about bugs and reporting, i am sure it would have been reported also and maybe this is something i have done wrong but one things for sure i have seen weird stuff like this before like with OpenWRT and netfilter working ok with NAT redirects for 24 hours and then randomly remapping to a different port for no reason!

Thanks for the time really appreciate it.

Regards,

Chris

http://openvpn.net/
http://openvpn.net/index.php/community/mailing-lists.html

You might be interrested in this:
http://openvpn.net/index.php/documentation/install.html?start=1

Notes – Firewall on the Windows client

In general, it's a good idea to always protect a VPN client or server with a firewall.

The important points for setting up firewalling on a Windows system running OpenVPN are:

1. Make sure that your connection to the internet is always firewalled, especially when you are running a VPN. VPNs create trusted relationships between geographically disparate networks, and if any network on the VPN is compromised by a virus or worm, the exploit has the potential of jumping across the VPN and infecting other machines.
  2. You can enable firewalling on a given network adapter by going to Control Panel -> Network Connections, right-click on the icon that represents your link to the internet, select "Properties", go the the "Advanced" tab, and enable "Internet Connection Firewall".
  3. If you are running OpenVPN as a server on a Windows machine, you will need to configure your firewall to allow incoming clients to connect to OpenVPN's port number which is "UDP 1194" by default.
  4. In general, running OpenVPN as a client doesn't require any special firewall configuration, provided you use the --ping option to preserve the state of the OpenVPN connection in the firewall.
  5. In general, you don't need to enable firewalling on the TAP-Win32 adapter. Once an IP packet appears to be "coming in" on the TAP-Win32 adapter, it has already been decrypted and authenticated by OpenVPN, even though the connection between OpenVPN peers might transit an untrusted network such as the internet.
  6. One case where you might want to firewall the TAP-Win32 adapter is if you are connecting to an untrusted machine, or a machine which will route or bridge your connection with an untrusted network.

Make sure you are using unique users for each client. If you login with the same user from another location the old session will be disconnected. It's the same for PPTP for example.

Umm, this is about running OpenVPN on pfSense - if you want to ask general OpenVPN questions you're best on the OpenVPN list ;)

That said, yes - or you can just tell the OpenVPN server to listen on all interfaces.

@chazers18:

Thank you Guys you are all great.

i will work with some of the scripting that i know how to do and post the results also.

Again THANK YOU!! :)

now from a window pc couldnt i just create a static key and with winscp ssh in to the ddwrt thing and place the static key in there under one of the permanet files. and then just run this command?

echo "dev tap
link-mtu 1492
remote public IP
resolv-retry infinite

ifconfig 192.168.1.0 255.255.255.252
client
–---BEGIN OpenVPN Static key V1-----
  ...INSERT YOUR OWN CONTENT HERE...
  -----END OpenVPN Static key V1-----
" > /tmp/static.key

#ca /tmp/openvpn/ca.crt
#cert /tmp/openvpn/client.crt
#key /tmp/openvpn/client.key
#comp-lzo
persist-tun
persist-key
verb 3
cipher AES-256-CBC" > /tmp/openvpn/openvpn.conf

killall openvpn
openvpn --config /tmp/openvpn/openvpn.conf

i would jus t set up a server that can be reached via internet and then password protect it.

:-\ :-\

Ok, I got it to work but not in a way that is useful outside of the lab.  Here are the remaining hurdles:

I need to use tls auth and there is no way I can see yet to make the upload of the ta.key survive a reboot.  Maybe a full install on a microdrive…

When I added the line to nat on the tun0 device to the lan subnet it worked, packets were passed from the lan to the tunnel but I don't know how to add the line into the pf.conf file permanently.  It seems to go away when the tunnel goes down and comes back up too and it of course goes away on reboot.

Thank you for your assistance.

Does your pfsense openvpn server have multiple WAN connections?
What firewall rules do you have on the interface with the stations you're trying to ping?

Ok here it is my network layout
Maybe you guys have some other opinions… all of them will be apreciated :D

ISP [Poll of 5 Pubic IP's]
                                        |
                                        |
                                        |
                                  [16 Ports HUB]
                                        |
                                        |
                                        |
                                        |–--------------------------[router Drytek Site to Site other Office]
                                        |
                                        |
                                        |
                                        |
                                        |
                                        |–--------------------------[PFSENSE - VPN SITE to SITE][Lan-192.168.1.254][Wan-Public IP]
                                        |
                                        |
                                        |
                          [IP NOKIA 330-Firewall-Def. Gateway]–------------------[DMZ - Linux - Trustix - SMTP - PostFix + Squid]
                                        |
                                        |
                                        |
                                        |
                                        |
                                  [192.1168.1.1]
                                        |
                                        |
                                        |
                                        |
                                        |
                                        |
                          –----------------------------------------------------------
                          |                                    |                                            |
            [D.C->192.168.1.17]        [Exchange->192.168.1.30]              [App Server->192.168.1.20]

IP330 NOKIA -> default gateway for servers and pc's with fixed IP's

PFSENSE -> default gateway and Proxys for lan PC's

–--------------------------------------------------------------------------------------------------

Its Pfsense that i want to connect to someother pfsense or cisco etc etc need to be IPSec
But i dont want that the other end of the site to site vpn see / browse my office pc's / Shares etc etc

Thanks

the gateway, I always forget about the gateway.  That was it. Thanks!

Well you should have thought about the expiration time before.
If your Identification Card expires there's no way to extend the current one and you need a new one….

http://openvpn.net/archive/openvpn-users/2002-07/msg00033.html

(there is always google you can ask if you dont beliefe me that you have to redistribute your certificates)

Gruens that is what i would have told him too. ;D

Still would like to know how to do this in Linux but I figured it out in Windows.  I am going to try some more with Linux later tonight.

I downloaded PSKill for windows and was able to accomplish this by using 2 scripts.  Run the Connect_Script then Run Disconnect_And_Backup_Script 10 seconds or so after.

PSKill can be downloaded here http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx

Connect_Script.bat
openvpn –config "C:\path\to\file.ovpn"

Disconnect_And_Backup_Script.bat
FOR /f "tokens=2-4 delims=/ " %%a in ('DATE/T') do SET tmpdt=%%a-%%b-%%c
wget -q --post-data=Submit=download --http-user=username --http-passwd=password --no-check-certificate https://IP:PORT/diag_backup.php -O "C:\path\to\backup%tmpdt%-firewall-config.xml"
pskill openvpn.exe

The log file makes it pretty clear you're not pushing any routes to the client.  As such it doesn't know how to get packets anywhere, so it'll never work ;)

I'd guess you either need to add 192.168.1.0/24 to the "Local network" field or add push "redirect-gateway" to the "Custom Options" field.

In your OpenVPN config (i.e. OpenVPN\config\client.ovpn) on the client machine what do you have set up as "proto"?

If it is set to "proto tcp-client" it needs to be changed to "proto udp"