• Route Metrics in Multiple Site to Site OVPN

    2
    0 Votes
    2 Posts
    1k Views
    S
    Tried with no remote networks in remote site field, tunnel came up but nothing being pushed. Changed mode from TUN to TAP on both ends, that did not work either. Tried multiple entries with the help of the OpenVPN documentation, which causes pfSense to generate an error if metric is entered in remote networks field. Also tried setting metric in Custom Options based on the same documentation. Apparently, from the OVPN docs, you can do what I am trying to achieve, it just seems that pfSense is preventing me from making those settings:

    _--route network/IP [netmask] [gateway] [metric] Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close. This option is intended as a convenience proxy for the route(8) shell command, while at the same time providing portable semantics across OpenVPN's platform space. netmask default -- 255.255.255.255 gateway default -- taken from --route-gateway or the second parameter to --ifconfig when --dev tun is specified. metric default -- taken from --route-metric otherwise 0._
  • Openvpn routing client gateway groups

    1
    0 Votes
    1 Posts
    558 Views
    No one has replied
  • Assign openvpn to opt1 only need help~~

    1
    0 Votes
    1 Posts
    370 Views
    No one has replied
  • TLS Error: TLS handshake failed,

    1
    0 Votes
    1 Posts
    811 Views
    No one has replied
  • Filtering OpenVPN Squid and Squidguard

    1
    0 Votes
    1 Posts
    564 Views
    No one has replied
  • How is this VPN Guide

    2
    0 Votes
    2 Posts
    791 Views
    Derelict
    The attached indicates he has no concept of what the firewall rules on an OpenVPN interface actually do. What he is telling you to do is pass any connection that ARRIVES into that OpenVPN circuit into your firewall. The exact opposite should be done. An OpenVPN client to a provider such as PIA should be treated as a WAN, with only specific traffic passed inbound. If you can receive port-forwarded connections at all. Nice of him to promote my NO_WAN_EGRESS technique, though. It's the only way to be sure. ![Screen Shot 2017-09-10 at 7.11.39 PM.png](/public/imported_attachments/1/Screen Shot 2017-09-10 at 7.11.39 PM.png)
  • Openvpn site to site NAT PORTS

    1
    0 Votes
    1 Posts
    393 Views
    No one has replied
  • Site-to-site VPN not reachable via LAN

    6
    0 Votes
    6 Posts
    916 Views
    S
    I got it sorted. I set up the wrong VPN type (SSL instead of shared key). Now it works fine.
  • Disable remote VPN access without revoking cert

    4
    0 Votes
    4 Posts
    1k Views
    C
    Looks like several balls were dropped during the setup. This is helpful, guys. I appreciate your responses. The customer is obviously due for a pfSense/OpenVPN upgrade so I can get it set up correctly while I'm in there. Thanks again for your help!
  • No access to LAN from connected Clients

    2
    0 Votes
    2 Posts
    616 Views
    V
    The VPN tunnel network must not be a part of another network assigned to pfSense. Yours is a part of LAN! So change your tunnel subnet to an unused network.
  • Different Routes for WiFi and Cellular

    2
    0 Votes
    2 Posts
    460 Views
    R
    Here's the problem I'm trying to solve. The WiFi network is connected to a pfSense box which sends its traffic out over VPN. The same pfSense box acts as an OpenVPN server allowing access to the LAN remotely. The problem is that because the configuration is set to redirect-gateway, the iOS OpenVPN app setting that allows you to select which network to use OpenVPN doesn't work properly. What happens when you select "Cellular Only" is that iOS won't automatically switch back to the WiFi network. If I take away the redirect-gateway, this problem goes away but now the iOS traffic goes out via 4G without passing through the VPN. Anyone encounter this?
  • OpenVPN and ospfd

    2
    0 Votes
    2 Posts
    548 Views
    jimp
    You have to add the interface addresses with /32 to the main page of OSPF settings, and mark them as do not redistribute and accept filter. I've made that quite a bit better in frr but it's not out for 2.3.4 users just yet. Soon, though.
  • OpenVPN Server and Client Simultaneously

    16
    0 Votes
    16 Posts
    3k Views
    R
    @Derelict: If enabling the server has any effect on existing traffic, it sounds like you have chosen a subnet for the tunnel network that conflicts with something. Usually that means the server won't install the route because it already exists. Maybe you did something different. What did you use for the tunnel network?

    I used 192.168.3.0/24 for my tunnel network. It's all working now after setting up the interface and adjusting NAT rules. Thanks for that. Now I just need to figure out if it's possible to use a different route when I'm on my home WiFi network. I can't use the OpenVPN setting that says "Cellular Only" as I'm using redirect-gateway and that doesn't allow the iPhone to switch back to WiFi when it's available.
  • Access web server from OpenVPN client not work

    1
    0 Votes
    1 Posts
    465 Views
    No one has replied
  • Drop VPN after 3 hrs

    1
    0 Votes
    1 Posts
    357 Views
    No one has replied
  • OpenVPN with multiple intermediate certificates

    1
    0 Votes
    1 Posts
    593 Views
    No one has replied
  • PIA setup

    9
    0 Votes
    9 Posts
    1k Views
    F
    @Derelict: You will have to make the username and password match what PIA is expecting. Might need to talk to them about it. They are the ones you are paying cash, after all. Else post more logs surrounding that. There might be something else in play. Reenter the username/password and re-save.

    I guess I'll try a third time setting it up. /sigh
  • OpenVPN TLS Authentication fail

    4
    0 Votes
    4 Posts
    703 Views
    M
    ;D
  • VPN client starts but fails to receive data (images included)

    8
    0 Votes
    8 Posts
    1k Views
    Derelict
    No, I do not see they need a TLS key.
    Create a CA in pfSense using the blob contained within <ca></ca>
    Create a certificate in pfSense using the blobs contained in the and
    In the OpenVPN client:
    Server Mode: Peer-to-Peer (SSL/TLS)
    Protocol: TCP
    Device Mode: tun
    Interface: WAN
    Server host or address: vpn.trust.zone
    Server port: 443
    Place the correct username and password
    Be sure TLS authentication is unchecked
    Be sure the CA you created is selected in the Peer Certificate authority
    Be sure the certificate you created is chosen in the Client Certificate.
    Encryption Algorithm: AES-256-CBC
    Auth Digest algorithm: SHA512 (eyeroll)
    Be sure Don't pull routes is unchecked
  • 0 Votes
    2 Posts
    408 Views
    bingo600
    On 2.4-RC I'm using the "Service watchdog" package, for some other tasks. Maybe it can restart OVPN too. /Bingo
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.