@jimp: A /30 makes no sense for remote access. OpenVPN's internal behavior changes significantly when using a /30 tunnel network, it's intended only for site-to-site VPNs. When using a /30 the server cannot push settings and it has several other limitations. Understood.  Thanks for the clarification.  I'll just use a /29.

https://doc.pfsense.org/index.php/Why_can%27t_I_ping_some_OpenVPN_adapter_addresses

Common Name - Interface Name -        Network    -        IP         LAN        -      PCILAN      - 192.168.1.0/24 - 192.168.1.1     VPN Clients  -        Dorm        - 192.168.0.0/24 - 192.168.0.1         WAN        -  OnboardWAN  -  10.90.13.0/24  - 10.90.13.224 (assigned to me not by choice)       PIA VPN    -          PIA          -  10.38.12.0/24? -  10.38.12.6    (assigned to me not by choice) Now that I typed that out I tried what you said and changed all the outbound OpenVPN rules to PIA and that fixed it. Thanks

anyone have a solution for this? I've got the same problem but I'm using Asus Merlin router instead of dd-wrt. I do have the IPv4 remote network setup right (include local and remote LAN IP).

@johnpoz: "UDP link remote: [AF_INET]10.10.2.1:1194" How and the F could you connect to a rfc1918 address?  Is your pfsense behind a NAT?  If so you can create firewall rules on its wan til doomsday and nothing will happen..  Is that your lan IP.. Why would you have pfsense openvpn listen on the lan interface? Current client of openvpn is 24.1 – what client are you using that is 11.5 ??? thank you John, i dont know what happens but after i rebooted the firewall and everything starts working. Thank you so much for your support

I think I already tried that… Oh well, I'll try it again. Actually, I've found an easier way. I've just moved something else to the IP I was trying to get the  VPN to work on, and moved the VPN back to the primary, all works now. :) Told you it was a blonde moment!

Much better. I am online now. Thank you. I removed the port forwarding and add the suggested IP monitor of 8.8.8.8 and 8.8.4.4 I did the the hybrid nat. See below. In firewall/nat/outbound, do I still need those four OpenVpn interfaces? [image: pf4.JPG] [image: pf4.JPG_thumb] [image: pf5.JPG] [image: pf5.JPG_thumb] [image: pf6.JPG] [image: pf6.JPG_thumb]

Well you can certainly try the VPN solution and see if it helps. There's probably a VPN provider out there with a free trial. I wouldn't consider upgrading your hardware unless you confirm a VPN to help you out and even then only if you aren't satisfied with the performance you're getting out of your current setup.

Had this same problem today. In testing a new pfsense install on my home network, the WAN address is being assigned a 192.168 address. The resolution ended up being to turn off "Block private networks and loopback addresses" and "Block bogon networks" in the Interfaces->WAN configuration. After i turned these off, i could connect to the WAN:1194 UDP port. I will turn these back on when i deploy this device and the WAN is assigned a public address.

Derelict, I think you nailed it with the CARP interface specified in the gateway group.  I had one of them set and the other was using the interface, not the CARP.  Must have been through my tinkering I must have adjusted and the several layers of disconnection between the vpn client and that config never had me check again.  Going to test during a maintenance window or if we lose ISP, whichever happens first. Thanks Peter

jimp and johnpoz - thank you both very kindly for your great help! I manually modified the installers for a couple quickly-needed deployments, but I'll upgrade shortly.

@jimp: With /30 topology the server address in the /30 is completely virtual and often cannot be pinged. You have to set your own monitor IP address for that case, it can't be automatically determined in a reliable way. I can't set the gateway manually because the gateway change at each connexion. Again, it's usefull to ping local IP address, it could be nice if user sould be able to choose dynamic remote address. @jimp: For the status, that is pulled directly from OpenVPN's management interface. If it's wrong, it's a bug or quirk in OpenVPN's behavior, so you'll have to raise the issue upstream with OpenVPN directly. You're right, I confirm the IP address is wrong in OpenVPN interface, I'll check with openvpn project. For that moment, do you know if it's possible to push the new gateway IP address manually to pinger with a script (without pfSense GUI) ? Thank you,

Can u please specify the changes you made? i have the same problem.

Yeah you are correct to turn that off. All that does is allow your DHCP server to  override your settings. Check these articles out: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

Yeah sure, but in your OP you specified that you didn't want to route by specifying ports. Any firewall rule can be made to use a VPN gateway, you just select your VPN as the gateway in the advanced rule settings.