It depends on why it stopped. If it fails because of an auth error at PIA, then OpenVPN considers that fatal and exits. We have a fix for that on 2.4.1 and later (using "auth-retry nointeract") If there is something else causing it to exit, then the fix would be different. Have to see the error in the OpenVPN logs to know for sure. If the process is exiting, then using the Service Watchdog package to monitor it will help treat the symptom, but not cure the original problem.

Ok, so I finally figured it out. OMG. I had created a cert with a type-o in it and the verify-x509-name was erroring when I tried to connect to machines that were on the domain. That's why some worked and some didn't, because some were on the domain and some weren't. Once I got that all fixed up everything else was easy. Thanks so much for taking the time to look at this with me.

I am using UDP, currently I have disabled the vpn and am using the windows client. Would really like to use pfsense as I have more than one machine that I would like to vpn. As I said above if anyone needs any more info just ask.

I'd probably put a route to the server in the openvpn client side and a route to the client subnet on the server side…  However, I'm not super genius, so may not work.

I've got this working, in case someone else stumbles on this and has issues my problem was that the username didn't match the certificate name. Andy

Damn I totally forgot to add rules on the only interface firewall that I had to let users use that OpenVPN like I have done with 53 port from DNS Resolver. Thanks anyway.

Thanks for the info. I have done as suggested & posted to the OpenVPN forum.

I should qualify this, it only happens when I am connected to the web page via OpenVPN. Is his normal? The OpenVPN Connection I am attempting to kill is not my web connection, but a separate router

Yes, I use SSL/TLS (+ user auth) for my OpenVPN instances. Thank you for your advice, that was it. So the lesson learned - you need to have a separate CA for a new OpenVPN instance.  :) I created a new CA, then both server and user certificates, assigned them to the 1195 OpenVPN instance and my user respectively. Then finally in Client Export Utility I could select a new entry in the  Remote Access Server drop-down and my user was under this new server. Yes! Exported files had the correct name (with 1195) and worked as expected on my laptop. I only had to correct a few small bugs in my firewall rules.

PFSense is currently running version 2.3.4 and it says there is the option to upgrade to version 2.4.1 I am a little reluctant to do this as it could potentially lead to other issues (especially after reading through some of the problems others have had after doing the same) and it is only affecting one person. There is an option on the 'Certificate Export' page to use the 'Old Windows Installer' ver 2.3.14, as this is also a 2.3 release (as the server), could trying this potentially 'fix' the issue? I will give this a go. It should be noted that several users have been using the 2.4.1 client, as issued by the Client Export page, with no problems.

error=unsupported certificate purpose Generate a new server certificate and re-export the client configuration.

It restarts the openvpn daemon and adds all the routes again. It is possible that route existed due to something else adding it and when you started the client with that route there it could not add it for itself. Then it was subsequently removed. Or something. Impossible to know without seeing that event actually occur.

Thank you for your answer, we have found the error was on the IP dresses of the WAN thank you

Yes, I bounced the tunnel. Didn’t help at all. Then I manually restarted the vpn client. The changed IP was reflected on the web interface. But the result still the same, no traffic is flowing. For now, no clue at all

Awesome.  Enable SMB on your Linux file server.  You will have it all.  I've never needed something as dedicated as a large NAS.  They seem to be resource hungry. I do all my sharing out of a linux box with only SMB and SSH enabled and a script to mount the drives on boot.  Nothing amazing.  Yours will no doubt be much more feature-rich and many people likely require such beasts.

I wasn't sure if you were saying I needed to modify the Firewall->Rules->WAN rule for that VPN connection or modify the default OpenVPN rule to change the default gateway, I changed the OpenVPN rule and success.  Thanks! I didn't actually want Site 3 to be able to access anything on the Site 2 LAN

Yes, I have created VLAN interfaces for the corresponding subnets and I have created an interface for my VPN. DNS resolver is setup to do all DNS queries through NordVPN's DNS. Everything works correctly except the 10.0.1.0/24 subnet which I've designated to route through the VPN via NAT. It cannot leave my LAN. These are my NAT settings: https://imgur.com/a/LwdD1

Looks like that was it. The box with 10.0.0.118 was provided by out external supplier and when first connecting it to our network, they chose "public network" (for whatever reason). I changed it to "home network" and I can ping it now as well as connect to RDP. I can sure tune the Win 7 firewall in advanced settings but it is good for now. Gateway is okay, the PC got its IP from our DHCP server. Thank you, guys!  :)