many thanks :)

Humm, today I gave up and installed IPCOP. OpenVPN works fine on IPCOP and has been solid so far, any ideas on what could be causing this with pfsense? It is obviously not hardware. Thanks Keith

Yes you can do it i have it set and running right now i *think set up a test and let it rip

The WARNING: 'ifconfig' **** "statement means that you have not setup the client in openvpn properly, going off the information you have provided the client machine must have interface Ip = 192.168.252.0/24 and remote network = 192.168.1.0/24

Just for the record. My problem had to do with routing. And I can confirm that the server-side pool addresses are the same as the remote LAN. What I dont understand is how I got everything to work following that documentation if it is fundamentally wrong in that aspect. Thanks again, Pedro

OK, I understand now. Thanks for your help I appreciate it ;D

The only subnet that's created is a "transfer net" between the two OpenVPN nodes. You can use some completely different one (10.x.x.x or 172.16.x.x) and it is only used for communication between the OpenVPN endpoints. In normal use you don't have anything to do with it, you just work as the other sides ip range is a local one. Nothing to get worried about. There's a nice howto explaining the steps setting it up that way. I suggest looking into it. Greets Grey

However, a clean (and common) solution is to simply arrange for the pfSense host to be powered up N minutes after the ADSL router/modem, which is what we're suggesting.  Building a list of services that need restarted, while a fully-featured solution, isn't likely to be trivial (you need to build a full dependency list for a start) and I'd suspect that you'd need to raise a bounty for such work. As for the OpenVPN config, if you SSH onto the pfSense host and look in /var/etc you'll find a file called something like openvpn_client0.conf.  If the connect-retry option is set you'll find it there.  If it isn't then you'll need to provide it in the "Custom options" field of the OpenVPN client config.  Note that this only works for TCP clients (as detailed in the OpenVPN man page).

@IsNoGood: any Idea about midnight commander that will work ? Yes, installed it here and working fine. Add it from a shell: pkg_add -r mc Don't know why but it's not working until you reboot the pfSense.

I must be mis-reading what was questioned at first - I got the impression the original sub-nets would stay the same (including the sub-net masks) but he wanted to use just one gateway… If so then - never mind :) gm...

I see. Only problem is I want (well, need) local PC's (on local LAN) to be able to access remote LAN with NAT address of server there. I do have full access to that machine. So, if I understand correctly, I should make route on remote server for local IP's with iroute, and push "route" commands, while setting NAT on remote server, where OpenVPN server is located? Well, will try to fiddle with this later tonight. Edit Well, found temporary workaround in other post that makes it work: Adding in /tmp/rules.debug line: nat on tun0 from 192.168.0.0/24 to any -> (tun0) .. and doing: /sbin/pfctl -f /tmp/rules.debug But, AFAIK, this won't work after reboots.. any way to automatize this?

I agree that in situations where you control both sides, this isn't an issue at all, and after giving it a bit of thought, I imagine that this is probably the vast majority of cases with OpenVPN.

Sorry to ask what is probably a dumb question but where can I find that utility?

The custom options are there for ppl who want to use custom functions (like a balanced server) ;). Using this field is the right way :)

@GruensFroeschli: Take a look at the openVPN-MAN-pages. Look for the "route" command. You can add on the server config an entry that when the tunnel comes up automatically adds the necessary route to the servers routingtable. When the tunnel drops openVPN automatically remoces the entries and adds them again if the tunnel comes back up. You cannot do this on the client side but on the server side. thanks very much. i knew there had to be something to do this.

Its not a problem, just something different.  The only annoying one is the P2P page on the traffic shaper as the check could be read as either disable or enable.

You can use the revocation list. No need for recreating all the key's :) Take a look at the how-to of the easy-RSA on how to creat a CRL. also there is a sticky in the openVPN-forum about your question: http://forum.pfsense.org/index.php/topic,4105.0.html