• OpenVPN and Dual Wan

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    G

    Hi! Thanks for replying. I have pfSense 1.2-BETA-1, and with the OpenVPN package I'm already capable of doing these three things:

    - Listen on multiple ports
    - Listen on multiple protos (tcp & udp)
    - Listen on multiple IPs (multi-WAN)

    I just put this line in the "custom options" of my two OpenVPN tunnel configurations:

    local 85.35.218.x;remote 85.35.219.x # for tunnel A

    local 85.35.219.x;remote 85.35.220.x # for tunnel A

    and doing a netstat -an it shows:

    udp4      0      0  85.35.218.138.1194    .
    udp4      0      0  85.35.219.219.1195    .

    So the OpenVPN daemon is listening correctly on both WANs for incoming connections (I've tested it with tcpdump). And changing the protocol tab of the config should also do the trick to listen on a different protocol (tcp/udp).

    But my question referred to the possibility of doing policy routing for the two VPNs, for the hosts inside the LAN subnet of both sites. If I create a firewall rule, the tun0 and tun1 interfaces should appear in the gateway tab, so that I could choose the tunnel to use for a particular host/subnet to host/subnet communication. Is there another way to do this, while waiting for the possibility to also choose the tun interfaces in the gateway tab of the firewall rules option?

    Thanks again.

    PS. For failover over VPNs I can wait, but the policy routing would be the deciding factor in whether or not to switch to this great product.

  • RE: Open VPN No Routes

    Locked
    13
    0 Votes
    13 Posts
    6k Views
    C

    @fumes87:

    Is there a way I can connect to all elements on my LAN without changing their gateway to the PFSENSE machine?

    Appropriate routing configured on whatever device is their default gateway.

  • Migration from Monowall to PFSense

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    GruensFroeschli

    http://doc.pfsense.org/index.php/Setting_up_OpenVPN_with_pfSense

    part at the bottom: "advanced hackery"

  • Pinging remote clients from Local side

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • OpenVPN Client Cannot Access LAN OpenVPN

    Locked
    15
    0 Votes
    15 Posts
    33k Views
    D

    Hi all,

    Just wanna update with the current issue… I'm currently running the 1.2-BETA-1 version...

    I just got the solution for this problem... I changed the user configuration from "route-delay 2" to "route-delay 10" and OpenVPN can successfully access the OpenVPN server and can also ping the LAN.

    float
    port 81
    dev-node vpn
    proto udp
    remote 10.10.100.223 81
    ping 30
    persist-tun
    persist-key
    tls-client
    ca ca.crt
    cert 21.crt
    key 21.key
    ns-cert-type server
    cipher BF-CBC
    route-method exe
    route-delay 10
    pull
    verb 4

    Any info regarding this issue: why can some clients connect successfully without any problem while some clients need the configuration changed as above? Need feedback from the experts.

    Thanks…

  • Server side access to Clients

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • DHCP over OpenVPN

    Locked
    10
    0 Votes
    10 Posts
    15k Views
    D

    @sbarreros:

    I found what my problem was: when I was creating my client certificates, in the common name I was entering the same name myserver.mydomain.com, thinking this was referring to the OpenVPN server name.
    I created my certificates with different common names and now it works.

    Thank you gentlemen. ;D

    Hi sbarreros,

    I also have the same problem as yours. What did you actually change? I also did as you did above, giving a different name for the Common Name (for client certificates), but it's still the same. Both clients, when they access the OpenVPN server, get the same IP address.

    This gives this kind of error:

    "
    NOTE: FlushIpNetTable failed on interface [65539] {3890476B-0667-4DE4-832E-0FB996C0862A} (status=1413) : Invalid index.
    "

    If somebody can help me with this.

    Here is my OpenVPN and user setting:

    OpenVPN Server
    --------------

    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    server 10.20.2.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 10.20.20.0 255.255.255.0"
    lport 81
    ca /var/etc/openvpn_server2.ca
    cert /var/etc/openvpn_server2.cert
    key /var/etc/openvpn_server2.key
    dh /var/etc/openvpn_server2.dh
    persist-remote-ip
    float

    Client1 and Client2 Setting

    float
    port 81
    dev tun
    dev-node ovpn
    proto udp
    remote 10.10.100.223 81
    ping 30
    persist-key
    persist-tun
    tls-client
    ca ca.crt
    cert aslahuddin.crt
    key aslahuddin.key
    ns-cert-type server
    cipher BF-CBC
    pull
    verb 4

    Hope there is somebody who can help me with this.

  • New options in OpenVPN settings - Problem?

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    T

    the diff is on its way to scott by mail…

    wait till it's applied and a new snapshot is built...

  • OpenVPN site to site without Shared Key

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • OpenVPN "Custom options"

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    T

    have a look at the DHCP server options in further snapshots…

  • Options sent via DHCP to OpenVPN Clients

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    T

    in the next snapshot DHCP-Options are enabled…

  • What do I need to let my OpenVPN clients access OpenVPN Server Clients?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    periko

    Hi GruensFroeschli.

    Yes the option:

    push "route 10.8.0.0 255.255.255.0"

    Did the trick.

    I will check my settings, right now we are testing, thanks for your right answer  ;D!!!

  • Help Needed

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    GruensFroeschli

    Might it be possible to firewall on the LAN interface?
    That you add a block rule on the LAN tab which blocks all IPs of the VPN subnet as destination?
    So the VPN clients can talk to the LAN, but LAN never answers.

  • Refresh of OpenVPN

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    M

    Figured it out.
    1. Killed the process based on pid in /var/run
    2. Built the conf file using openvpn.inc
    3. Called openvpn command with conf file as argument.

    Bingo… went on well.

  • Unrecognized command or option in openvpn_server0.conf

    Locked
    3
    0 Votes
    3 Posts
    6k Views
    R

    Or this…

    http://forum.pfsense.org/index.php/topic,4594.0.html

  • VPN client, pleeeese help

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    T

    So, finally I have learnt what is a setting.
    Current situation is like this:

    1. VPN client does not connect, with a message like this: "cannot reach gateway"
    2. Later it should connect to remote desktop: of course this does not work correctly if the VPN is not established - connected.

    I have bypassed pfSense and plugged directly into a modem-router, disabled the firewall and it works.
    So there must be some trouble with pfSense.

    It works on 192.168.4.x - LAN, I used the same IP mask with pfSense and it does not work.
    I suppose 10.0.0.x will not help.
    Any other ideas?

    Thanks much for any help.

  • Restore OpenVPN

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    U

    Hi Sullrich ! please reply!
    Thanks!

  • VPN Status

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    L

    @sullrich:

    #2 - http://wiki.pfsense.com/wikka.php?wakka=SubmittingPatches

    Thanks, but maybe I'm a little bit retarded  :)
    Is there (I didn't find it) a simple guide like "What to do, from the beginning to the end, to put a new page into the project"?
    Also I need to cooperate with the person who manages the OpenVPN config page.
    Bye

  • Can't ping my machines by name

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli

    the DNS entry you make on the main page is for the pfSense itself. NOT for the clients.
    to push DNS entries to the clients you need to add the following to the "Custom options" field:

    push "dhcp-option DNS xxx.xxx.xxx.xxx"

    if you want more than one entry you have to separate the different entries with a ";"

  • Advice for OpenVPN w/ Outgoing NAT

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    H

    Hello Helix26404,

    After 2 weeks of forum searches and config changes, I found your post and made the change and all works fine.

    Thank you very much Helix26404, maybe your post must be introduced into the main pfsense-openvpn tutorials.

    HICHAMB

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.