Thanks a lot for the fast reply!
You need to add some custom options.
You need to push the new DNS your client will be using, and you need to use the command to redirect all traffic.
You need to push a DNS entry that's reachable through the tunnel because after the tunnel is established, DNS requests will be redirected too.
"your client" - I guess you refer to the PCs and other equipment on the branch office LAN. They are not affected by any change of dns-server. Their primary dns server is on their local LAN and the secondary is on our central location, that is within the tunnel already.
By "your client" I mean your pfSense box (as OpenVPN client) in your branch office.
I assume the rest of your PCs in your branch office get routed through your remote pfSense.
So if the routing table of the pfSense gets changed in a way that everything goes through the tunnel, all your other PCs get redirected through the tunnel.
If your primary DNS server gets routed through your remote pfSense, you will have to set up some kind of policy-based routing so that this DNS server still has direct access to the internet.
(Set up a firewall rule for the IP of the server and select as gateway not * --> pfSense's routing table, but the gateway you want the traffic to go out.)
After the redirect is in place this server would be routed through the tunnel too. (Or do you want that?)
As a side note: You say you added static routes. Don't do that. Use the custom options of OpenVPN. If you enter in the field "remote network" 10.0.4.0/24, then that does nothing else than add the line:
"route 10.0.4.0 255.255.255.0"
to the config. You can add many more "route" lines in the custom options.
When the tunnel comes up the OpenVPN-process automatically adds these routes to the routing table and if the tunnel goes down removes them.
The static routes are for my internal networks - several hundreds. I cannot see how the pfSense OpenVPN server box otherwise would know the address of my backbone router. My theory of operation in this case is to lead all traffic from the branch office into the tunnel, which terminates in the pfSense box. Internal traffic is then forwarded to the backbone router and Internet traffic makes a U-turn in the pfSense box, and leaves through the corporate firewall.
I don't really follow you here.
Could you provide a small picture?
What I tried to tell before: if you want to specify what lies on the other end of the tunnel, don't use static routes, since the "route" command (and iroute) from OpenVPN dynamically adds and removes the necessary routes in the table.
Or do you mean that your remote box wouldn't even know where your main office is without these entries?
If you use OpenVPN you don't really need to add any manual static route since everything (adding and removing static routes) is handled by the OpenVPN process.
Thanks for the info. I'll dig into that. Sometimes it takes some extra energy to map that kind of information to the setup in the pfSense GUI.
After all that said, I have tested your suggestion. Still I'm unsure what to put in the "Remote network" box in the pfSense client box. I tried leaving it blank, as that was an option too. No success. Perhaps the solution is to make two tunnels. One for 0.0.0.0/1 and one for 128.0.0.0/1. But that's an ugly one...
The remote network box is here to add the routes to the remote network. But since you created static routes, that's no longer necessary. This box is why I meant not to use static routes.

If you fill in the info here you don't need the static route.
If you want to add more than one route through the tunnel you just need to add the commands under "custom options" (since you can specify only one network in this box).
The 0.0.0.0/1 and 128.0.0.0/1 is not meant to be done manually.
This is just what the OpenVPN process does behind the scenes to redirect all traffic.
I think this link is more about what you want to do:
http://openvpn.net/howto.html#scope
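
Why the 0.0.0.0/1 and 128.0.0.0/1 routes mentioned in the thread redirect all traffic without replacing the default route, shown as an added example that is not part of any post in this thread. The addresses, the gateway names `wan_gw` and `tunnel`, and the VPN server IP are constructed; the host route to the VPN server is the one OpenVPN adds so the tunnel's own packets still leave via the original gateway.

```python
import ipaddress

# Constructed routing table of the branch-office OpenVPN client while the
# tunnel is up: (prefix, gateway, added_by_openvpn). All values are assumptions.
ROUTES = [
    ("0.0.0.0/0",       "wan_gw", False),  # original default route, untouched
    ("0.0.0.0/1",       "tunnel", True),   # lower half of IPv4 space
    ("128.0.0.0/1",     "tunnel", True),   # upper half of IPv4 space
    ("203.0.113.10/32", "wan_gw", True),   # VPN server itself, kept off the tunnel
    ("10.0.4.0/24",     "tunnel", True),   # from "route 10.0.4.0 255.255.255.0"
]

def lookup(dst, routes=ROUTES):
    """Return (prefix, gateway) chosen by longest-prefix match for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, _ in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1]

def tunnel_down(routes=ROUTES):
    """Table after the OpenVPN process removes the routes it added."""
    return [r for r in routes if not r[2]]

if __name__ == "__main__":
    # Any /1 is more specific than /0, so Internet traffic enters the tunnel.
    for dst in ("8.8.8.8", "198.51.100.7", "10.0.4.20", "203.0.113.10"):
        print(f"{dst:15} -> {lookup(dst)}")
    # With the tunnel down the untouched default route takes over again.
    print("tunnel down   ->", lookup("8.8.8.8", tunnel_down()))
```

A manually added static route would show up here as an entry with `added_by_openvpn` set to `False`, so it would stay in the table after the tunnel goes down.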