• Not connecting through Openvpn

    Locked
    0 Votes
    4 Posts
    7k Views
    @fernandotcl:
    @moffl:
    Dec 23 05:38:27 openvpn[371]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 192.168.30.1 192.168.30.2', remote='ifconfig 10.190.115.1 10.190.115.2'
    @jette:
    Jan 19 09:49:40    openvpn[377]: WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.10.1 10.0.10.2', remote='ifconfig 10.0.200.1 10.0.200.2'
    Your address pool must be the same in both client and server.

    Thanks a lot for your reply. The problem is fixed now. But I still have a problem accessing the remote network. I can ping 10.0.200.253 in the firewall (10.0.100.254) but I can't ping 10.0.200.253 in my lan (10.0.100.0/24). Is there anything I missed in the setting? Thanks a lot.
    Regards, Jette
  • ICMP through OpenVPN

    Locked
    0 Votes
    6 Posts
    7k Views
    @sullrich:
    @Helix26404:
    There IS a way to directly configure OpenVPN firewall rules, but it's not widely known nor talked about. It's through the LAN interface. Make a firewall rule on the LAN interface that is specific to this particular situation and put it on top. See if that helps.
    Most likely because that only handles one side of the conversation. We do not talk about it because it's not a real fix. Unless you control both ends of the tunnel you will feel secure but the opposite is true. Therefore we simply say there are no firewall rules possible on 1.0 across OpenVPN and IPSEC tunnels, but we are working on this.

    Gotcha. So this is why anyone in the remote network can access anything in the local network (pfSense-side if we're assuming it's the server) provided the routes are set up correctly on the client-side. I was racking my brain trying to figure out why I could get traffic IN through the tun0 interface, but I couldn't get OUT unless I was using the pfSense box itself. At first I thought it was a route issue, but then realized that the firewall was locking it down. Setting up explicit rules permitting traffic from any source to destination OPVN interface and destination OPVN remote network did the trick. Thanks for the elaboration from the "inside". :)
  • Can someone tell me what this means?

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • OpenVPN executable

    Locked
    0 Votes
    4 Posts
    3k Views
    At the terminal, type: which openvpn
  • 0 Votes
    2 Posts
    12k Views
    Nice, I'll link it from the tutorials site later when I get time. Thanks!
  • OpenVPN not reliable, use VPNCHECK

    Locked
    0 Votes
    5 Posts
    4k Views
    Look in the package area. There is an rc.d thread that is a sticky.
  • Configuration Question

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Questions regarding openvpn

    Locked
    0 Votes
    3 Posts
    3k Views
    Thanks, I read the stickies and searched but didn't come up with those answers. I have an OpenVPN connection running.
  • Problems routing all traffic through tunnel

    Locked
    0 Votes
    15 Posts
    9k Views
    @dairaen:
    Cheers, tpunder, could you please send me or upload a screenshot of your working outbound NAT rules so I can add them to the tutorial? Thanks. Kind regards, dairaen

    No problem, I just sent a PM with a screenshot.
  • Latest snapshot 12-11 and OpenVPN server

    Locked
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Shared Key Invalid?

    Locked
    0 Votes
    2 Posts
    7k Views
    Follow this nice tutorial http://www.uplinksecurity.de/data/pfsense-ovpn.pdf
  • Multiple PFsense openvpn clients connecting to one PFsense openvpn server

    Locked
    0 Votes
    4 Posts
    3k Views
    Me too :) (IPsec is easy) but I want it with OpenVPN
  • Securing WLAN with OpenVPN

    Locked
    0 Votes
    13 Posts
    7k Views
    If I'm understanding what you want... On your WLAN, only create a rule to allow the OVPN connection. Then you'll push DNS, WINS, and GATEWAY via OVPN. Also add a push route to your LAN, if you want a connection there.
  • Pfsense and other firewalls

    Locked
    0 Votes
    2 Posts
    3k Views
    I haven't used OpenVPN yet but I have several locations running IPsec tunnels. The biggest network consists of 12 locations that are all connected to each other through the main office (the only location that has a static IP), which acts as VPN concentrator. This setup is only using pfSense everywhere. I also have another setup where a pfSense CARP cluster has VPN connections to a Cisco PIX, another pfSense and a SonicWall. Everything works smoothly :-) For some examples of how to configure the non-pfSense systems see http://doc.m0n0.ch/handbook-single/#Example.VPN . Before you start to set this up you need to do some subnet calculations. If you use IPSEC for that and need the remote locations to talk to each other through the central location you need to use some bigger subnet masks at the central unit.
  • Connected Users

    Locked
    0 Votes
    2 Posts
    2k Views
    Someone was working on a status page.  Search the forum.
  • Site 2 site vpn question

    Locked
    0 Votes
    8 Posts
    5k Views
    The site 2 site is very simple to set up (with the pdf document)... but is it also possible to connect 3 pfsense client machines to one openvpnserver-pfsensemachine and route the networks behind the 3 pfsense machines? (I don't want to open too many external (firewall) ports.)

    PC1                 PC2
     |                   |
    NETWORK1            NETWORK2            NETWORK3
     |                   |                   |
    OPENVPNCLIENT1      OPENVPNCLIENT2      OPENVPNCLIENT3
     |                   |                   |
    PFSENSE1            PFSENSE2            PFSENSE3
     |                   |                   |
    ---------------------------------------------------
                         |
                    OPENVPNSERVER
                      PFSENSE4
                         |
                        PC3

    So that PC2 can ping PC1 and PC3, and PC3 can ping PC2 and PC1, and PC1 can ping PC2 and PC3
  • OpenVPN with Hifn 7955 support

    Locked
    0 Votes
    10 Posts
    10k Views
    @Numbski:
    billm, I hope you're wrong about this. Here's why: I have a client that needed some serious entropy available to an application. We purchased a hifn card to supplement /dev/random. FreeBSD does not create /dev/hwrandom, and from all appearances, speed of the customer's application went waaay up, and the deployment passed some certification process that I was not involved in. So... hmm. Interesting stuff. Perhaps I should dig into this further? BTW, another option if I recall correctly would be to insert a sound card, get the driver working, get the block device for the mic-in, then take and have that constantly dumping to /dev/random too. (don't hold me to that, never personally tried it!)

    You're probably correct.
    –Bill
  • Installation problem with openvpn

    Locked
    0 Votes
    5 Posts
    4k Views
    Maybe a link in the tutorial to http://www.openvpn.se/mycert/ would be nice too.
  • 1.0.1 possible bug [with openvpn] ?

    Locked
    0 Votes
    3 Posts
    3k Views
    Ok… Thanks... thought so... then I'll test a little more  :P
  • Accessing Windows shares

    Locked
    0 Votes
    11 Posts
    11k Views
    Cheers, I will add all solutions & fallbacks to the tutorial so we can prevent further problems like these. Will be online next week. Kind regards, dairaen
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.