Thank you for your help, another user just PM'ed me with another method of fixing the issue. The killswitch now works using the link I just posted above and I'm ready to move on in my network issue 'todo' list. Thanks so much for you help. Also I had already deleted the redundant/useless rules. I had just started making any rule on whim to see if I could stumble on the solution.

You'd have to manually craft the OpenVPN server settings to match your server config. You don't have to import the full CA unless you want to manage the keys on pfSense, but if you do want to import it all, see https://doc.pfsense.org/index.php/Using_EasyRSA_Certificates_in_2.x If you just want to run the server on pfSense, you need only import the CA Cert and server cert.

sorry guys i already fix the image.. Derelict, that what i already did.

Thanks!  I got it working..

Reboot! Doh! Nothing to see here…

hey guys, not that anyone cares but I think I found the solution.  I was using a smart DNS service that was getting around Netflix geoblocking.  Part of that had static routes on my edge router.  One of them was the google dns which I think the VPN client was trying to use for it's own DNS.  As soon as i turned off static routes, my mobile devices can connect through the VPN and access the internet and everything else.

@Pippin: In OpenVPN Server config you can select it under: DH Parameter length (bits) Oh ok I see it. Do you still feel that 2048 is necessary ? I'm worried about a performance hit

@blacklotus: However I can't seem to have communications FROM the firewall WAN interface to use it's real IP address. DDNS from the firewall registers the PIA address IPSEC originates and Identifies as the PIA address Same with GRE or any other type of service I wan't to use port forwarding for certain types of services to/from the WAN IP Heh.  I'm having the exact opposite problem.  I'm trying to get pfsense to send DNS queries out over a PIA tunnel but they keep coming from the WAN interface instead.  Can you post your routing table?  You can get it from the GUI with Diagnostics > Routes or from the command line with "netstat -r" EDIT:  If you do post your routing table you should obfuscate your public IP address.

There isn't, but there is also no point in tuning it. It's a symptom of the root connectivity problem, not the source of any problems. Nothing you change will fix connectivity issues.

What did it for me, at least as far as preventing everyone from going through the VPN by default, was enabling the "Don't pull routes" option under VPN>OpenVPN>Clients>edit your VPN. It's the 2nt option above the  Advanced Configuration header. All I need now is a 'Killswitch' so if the VPN goes down any client routed into the VPN doesn't just go back through the WAN. Hope this helped.

URL is dead - Error establishing a database connection (July 28 and 29, 2016)

thanks viragomann it's all working now!!

where i can put the same parameters in pfsense

"VPN" is your vpn clients gateway? If so it should work, when the client is connected.