>For each tunnel with different IP ranges it's necessary to use a unique OpenVPN server.

I don't; I have several remote sites that connect to one instance, and each has its own /30 assigned via client configs. There are rules defined with source/dest that control which sites see what on which other sites.

The key here is iroute and 'not' client-to-client; see the man page for openvpn for the important bits on why this works. The important factor that allows filtering (without the use of OpenVPN's internal packet filter, which isn't very configurable) is not to use client-to-client, or the packets never leave the openvpn process and are therefore not subject to the kernel's filtering rules then.

Keep in mind the appearance of connections from each site depending on where they originate. A connection from a remote site's LAN node appears at pfSense with its own IP, whereas a connection initiating from the node instantiating the VPN appears from its defined p-t-p address based on the Client Specific Override parameters you set up.

jlc
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
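
A small audit of the setup described in the message above, as an added example that is not part of the original post: it checks an OpenVPN server config and its per-client files for the conditions the author names (no client-to-client, a distinct /30 per site, an iroute per site). The site names, addresses and the `audit` helper are constructed for illustration; the extra check that every iroute is covered by a server-side `route` follows the OpenVPN man page, which notes that iroute does not touch the kernel routing table.

```python
import ipaddress

# Constructed sample: one server instance, two sites (names and addresses made up).
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.10.0 255.255.255.0
route 192.168.20.0 255.255.255.0
"""
CCD = {
    "site-a": "ifconfig-push 10.8.0.5 10.8.0.6\niroute 192.168.10.0 255.255.255.0\n",
    "site-b": "ifconfig-push 10.8.0.9 10.8.0.10\niroute 192.168.20.0 255.255.255.0\n",
}

def directives(text):
    """Yield (keyword, args) for each active (non-comment) config line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            word, *args = line.split()
            yield word, args

def audit(server_conf, ccd):
    """Return findings that would undermine per-site firewall filtering."""
    findings = []
    server = list(directives(server_conf))
    if any(word == "client-to-client" for word, _ in server):
        findings.append("client-to-client set: site-to-site packets bypass the kernel firewall")
    # Kernel-level routes; each iroute must fall inside one of them.
    routes = [ipaddress.ip_network("/".join(a[:2])) for w, a in server if w == "route" and a]
    seen = {}  # tunnel /30 -> site that owns it
    for name, text in ccd.items():
        for word, args in directives(text):
            if word == "iroute":
                net = ipaddress.ip_network("/".join(args[:2]))
                if not any(net.subnet_of(r) for r in routes):
                    findings.append(f"{name}: iroute {net} has no covering server 'route'")
            elif word == "ifconfig-push":
                # Assumes net30 topology: local and remote share one /30.
                local, remote = (ipaddress.ip_address(a) for a in args[:2])
                net = ipaddress.ip_network(f"{local}/30", strict=False)
                if remote not in net:
                    findings.append(f"{name}: ifconfig-push endpoints are not in one /30")
                if net in seen:
                    findings.append(f"{name}: /30 {net} already used by {seen[net]}")
                seen[net] = name
    return findings

if __name__ == "__main__":
    print(audit(SERVER_CONF, CCD) or "no findings")
```
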