The attached indicates he has no concept of what the firewall rules on an OpenVPN interface actually do. What he is telling you to do is pass any connection that ARRIVES into that OpenVPN circuit into your firewall. The exact opposite should be done. An OpenVPN client to a provider such as PIA should be treated as a WAN, with only specific traffic passed inbound. If you can receive port-forwarded connections at all. Nice of him to promote my NO_WAN_EGRESS technique, though. It's the only way to be sure.  

I got it sorted. I setup the wrong vpn type (SSL instead of shared key). Now it works fine

Looks like several balls were dropped during the setup. This is helpful, guys. I appreciate your responses. The customer is obviously due for a pfSense/OpenVPN upgrade so I can get it set up correctly while I'm in there. Thanks again for your help!

The VPN tunnel network must not be a part of another network assigned to pfSense. Yours is a part of LAN! So change your tunnel subnet to an unused network.

Here's the problem I'm trying to solve.  The WiFi network is connected to a pfSense box which sends its traffic out over VPN.  The same pfSense box acts as a OpenVPN server allowing access to the LAN remotely.  The problem is that because the configuration are set to redirect-gateway, the IOS OpenVPN app setting that allows you to select which network to use OpenVPN doesn't work properly.  What happens when you select "Cellular Only" is that IOS won't automatically switch back to the WiFi network.  If I take away the redirect-gateway, this problem goes away but now the IOS traffic goes out via 4G without passing through the VPN.  Anyone encounter this?

You have to add the interface addresses with /32 to the main page of OSPF settings, and mark them as do not redistribute and accept filter. I've made that quite a bit better in frr but it's not out for 2.3.4 users just yet. Soon, though.

@Derelict: If enabling the server has any effect on existing traffic, it sounds like you have chosen a subnet for the tunnel network that conflicts with something. Usually that means the server won't install the route because it already exists. Maybe you did something different. What did you use for the tunnel network? I used 192.168.3.0/24 for my tunnel network.  It's all working now after setting up the interface and adjusting NAT rules.  Thanks for that.  Now I just need to figure out if it's possible to use a different route when I'm on my home WiFi network.  I can't use the OpenVPN setting that says "Cellular Only" as I'm using redirect-gateway and that doesn't allow the iPhone to switch back to WiFi when it's available.

@Derelict: You will have to make the username and password match what PIA is expecting. Might need to talk to them about it. They are the ones you are paying cash, after all. Else port more logs surrounding that. there might be something else in-play. Reenter the username/password and re-save. I guess I'll try a third time setting it up.  /sigh

;D

No, I do not see they need a TLS key. Create a CA in pfSense using the blob contained within<ca></ca> Create a certificate in pfSense using the blobs contained in the and In the OpenVPN client: Server Mode: Peer-to-Peer (SSL/TLS) Protocol: TCP Device Mode: tun Interface: WAN Server host or address: vpn.trust.zone Server port: 443 Place the correct username and password Be sure TLS authentication is unchecked Be sure the CA you created is selected in the Peer Certificate authority Be sure the certificate you created is chosen in the Client Certificate. Encryption Algorithm: AES-256-CBC Auth Digest algorithm: SHA512 (eyeroll) Be sure Don't pull routes is unchecked

On 2.4-RC i'm using the "Service watchdog" package, for some other tasks. Maybe it can restart OVPN too. /Bingo

I ended up switching to using ipsec, which I wanted to use anyway but didn't feel like working out the NAT translation. Ended up working out well. Though for some reason PFSense reports that VyOS didn't send the MODP for the ESP group even though I have it configured. Not the worst thing since the key is runs PFS, but still not ideal. Still would love to figure out why PFSense is having this routing issue. I suppose if it gets real bad I will have to convince my boss to pay for official support. Considering the thousands that we saved from not using Cisco….

Didnt realize it was that simple haha. Thanks a lot!

That would kind of be up to PIA. Then it would be up to you how you route traffic over both circuits if allowed by them.