@phil.davis: Would it be possible to make the defaults configurable? Especially Host Name Resolution is critical. I forgot a couple of times to change it before exporting… I have this brain trouble also - I added a feature request to RedMine - https://redmine.pfsense.org/issues/3478 If the computer can remember for me, that is much better than relying on my memory or a separate doc. It may be possible but it would be quite a significant effort, development-wise. If someone does the work and submits a pull request, we'll consider it, but I don't see it happening unless the code shows up.

Yes, Firewall->NAT, Outbound. Select Manual Outbound NAT and Save. Then delete all the rules that are automatically put there for you. Then no NAT will happen - you will have just a plain firewall-router - still with load of extra features of course  ;)

Look under the Advanced box ;) Enter any additional options you would like to add to the OpenVPN client configuration here, separated by a semicolon EXAMPLE: remote server.mysite.com 1194; or remote 1.2.3.4 1194;

Oh woops… they weren't kidding the leave the encryption to bf-cbc, don't use aes

so.. outbound routing is the problem forwarding only works when VPNclient is pfsense's default gateway, doesn't work when WAN is default gateway, or when VPNclient is set as the gateway (via firewall rule )for the network where the port is being forwarded what can i do to fix this?

Not sure if you still have a problem? Maybe the firewall rule on Colo OpenVPN tab is only allowing traffic to destination LANaddress, and it should be LANnet? Maybe the target servers at Colo have their default gateway something else? so they don't know how to reply back to you through pfSense? or ?

site 1 Server (IPv4 Local Network): 192.168.59.0/30 Surprised your local LAN would be "/30" - perhaps you mean 192.168.59.0/24 ? IPv4 Tunnel Network: 192.168.50.0/31 You need to use "/30" mask - that gives 4 IP addresses, top and bottom unused, OpenVPN gives .1 to server and .2 to client. Every peer-to-peer tunnel network server-client pair must use a different subnet. The local LAN at every office must use a different subnet.

Not following entirely with your description… a drawing could help a lot here. pfSense usually just does what you configure it should do. What rules did you configure? (hint: for policy based routing & OpenVPN, use the floating rules)

You need a tap bridge, but that only works properly on 2.1.x. IIRC there are howtos here on the forum … somewhere, I wrote one of them somewhere. You can do it on 2.0.x with the tap bridge fix package that fixes a few things in 2.0.x for tap VPNs that didn't make it into a 2.0.x release. Basically you setup the VPN in tap mode, no tunnel network, set it to bridge to LAN, set the DHCP options you want, and then you have to assign the VPN interface under Interfaces > (assign), enable that, then setup an actual bridge between the LAN and that new interface.

You would connect in from OpenVPN client on your laptop, from anywhere on the internet to the OpenVPN server running on pfSense at home. The traffic from your laptop back home to your home network would not be going through PIA. You can set your laptop-to-home OpenVPN connection to "redirect all traffic through the VPN". Then when you browse the internet from your laptop, that traffic will go from laptop to home pfense, then out of home pfSense to the internet by whatever way the rest of your home LAN gets out to the internet. For that, you can have an OpenVPN client on pfSense connected to the OpenVPN server on PIA. And you can send all traffic through that. So you pfSense would have an OpenVPN listening for connects from your remote laptop, and an OpenVPN client connecting out to PIA.

OK, I just exported the config again and and has in fact no tls-auth  now. Sorry, my fault. I got confused after all that testing.

Sorry, yes they do. The pfsense at the house is virtualized on a hyper-v box. Pfsense at condo is an Alix board.

Were you able to figure this out? I am battling this issue as well