I made some additional code changes to check the Framed-Route format to ensure it complies with the RFC. /etc/inc/openvpn.auth-user.php /** *  Convert Framed-Route format to iroute for the CCD file */ function FramedRoute($cidr) {     $baseip = substr($cidr,0,strpos($cidr, '/'));     $prefix = substr($cidr, strpos($cidr, '/') + 1) * 1;     $netmask = str_split(str_pad(str_pad('', $prefix, '1'), 32, '0'), 8);     $ipLong = ip2long($baseip);     if ( ( ($ipLong << $prefix) ^ 0) == true ) {         foreach ($netmask as &$element) $element = bindec($element);         return $baseip.' '.join('.', $netmask);     } } if (isset($attributes['framed_route'])) {         $iroute = FramedRoute($attributes['framed_route']);         if (!empty($iroute)) {             file_put_contents("{$g['varetc_path']}/openvpn-csc/{$username}", "iroute {$iroute}\n");             syslog(LOG_NOTICE, "user '{$username}' iroute '{$iroute}' created\n");         } } I'm creating static openvpn-csc file that could cause issues in the future. Should I be looking at, deleting the created openvpn-csc on client disconnect using the openvpn_resync_csc function

@scurrier: Two thoughts. How can it change your IP so fast while still allowing others to maintain a connection to you? It's pretty common, it wouldn't affect most things. How would someone on AOL Dialup for example maintain a connection? Have you tried disabling IPV6 on your phone?  On Tmobile there is a way to do this by changing your APN settings, I think. I'll give it a look.

As usual, the reason I could not get a pfSense feature working was an oversight on my part. I discovered and fixed the problem and now its working just fine. I had a 1 to 1 NAT on the secondary WAN's primary address that took over after I removed the port forward that was redirecting the OpenVPN port to where it was listening on my LAN. After moving that port forward to another virtual IP, everything works as designed. OpenVPN is now listening on my WAN Group. Failover to tier 2 and recovery to tier 1 now works flawlessly.

Same thing happening in this thread: https://forum.pfsense.org/index.php?topic=77637.0

Yes, others are having this problem.  See here: https://forum.pfsense.org/index.php?topic=77637.0

Yes.  I responded in the thread you linked, OP.

When you say "My DC pfsense is acting oddly", what does the "DC" reference? It's difficult to help troubleshoot without details. 1. Change your FW rule to any/any on the openvpn tab 2. Post your server1.conf.

Add any/any rules to both sides on the openvpn tab. Post the server1.conf from the server end and client1.conf from the client end.

AFAIK you can only have one OpenVPN Server and one OpenVPN Client pair using the shared key method. You can have multiple Server/Client pairs for each remote network though, if that makes sense. The remote computers will just need to use the pfSense fw running the OpenVPN Client as their gateway, that or you would need to setup a static route on each remote PC.

Have you configured a rule to allow access in Firewall > Rules > OpenVPN tab?

My bad…. looks like I looked at the wrong line, when setting the extension to NAT=yes (it didn't want the other subnet to register) the phone was working just fine.

I need to say that the pfsense Router acts as a VPN Client

I noticed that when I ran with that config, that my Windows PC no longer had any routing information in it for the remote networks. I returned it the two simple push statements. I no longer believe that the problem is in the OpenVPN configuration, but rather, is in the lack of static routes in the gateway and router at each of the sites. Your link https://community.openvpn.net/openvpn/wiki/RoutedLans pretty well documents the problem in the section called, "ROUTES TO ADD OUTSIDE OF OPENVPN". Thanks for the links! They were very helpful in my understanding of what iroutes really do.