;D Will check that out - thanks

all right, that sounds great - thank you guys!

Thanks for the info. We arnt using multi-WAN link via PFSence, we another method for multi-WAN. The three hosts are on 2.0.1 rather than 2.1 as a test system i did an upgrade to 2.1 on ended up breaking half the packages and needed a reinstall! :( 2.0.1 is working for now, "if it aint broke dont fix it" :p

@tomelgato: Feedback: Works perfectly, thanks a lot! Good to know it works for others - thanks for the feedback.

The selection of WAN1 or WAN2 in priority order is done in pfSense by making a gateway group with the required WANs listed in priority order, then telling the OpenVPN server/client to use that gateway group as its "interface". pfSense does the rest underneath to bind the OpenVPN to the "best" WANin the gateway group as conditions change. So you don't need OSPF for that. What you say about ISPs and reach-ability is true, and that is a failure mode that could benefit from having OSPF. I have had times when SiteA cannot reach SiteB, but SiteA can reach SiteC and SiteC can reach SiteB, so there is a possible path. So yes, OSPF should learn and route around that.

@phil.davis: Would it be possible to make the defaults configurable? Especially Host Name Resolution is critical. I forgot a couple of times to change it before exporting… I have this brain trouble also - I added a feature request to RedMine - https://redmine.pfsense.org/issues/3478 If the computer can remember for me, that is much better than relying on my memory or a separate doc. It may be possible but it would be quite a significant effort, development-wise. If someone does the work and submits a pull request, we'll consider it, but I don't see it happening unless the code shows up.

Yes, Firewall->NAT, Outbound. Select Manual Outbound NAT and Save. Then delete all the rules that are automatically put there for you. Then no NAT will happen - you will have just a plain firewall-router - still with load of extra features of course  ;)

Look under the Advanced box ;) Enter any additional options you would like to add to the OpenVPN client configuration here, separated by a semicolon EXAMPLE: remote server.mysite.com 1194; or remote 1.2.3.4 1194;

Oh woops… they weren't kidding the leave the encryption to bf-cbc, don't use aes

so.. outbound routing is the problem forwarding only works when VPNclient is pfsense's default gateway, doesn't work when WAN is default gateway, or when VPNclient is set as the gateway (via firewall rule )for the network where the port is being forwarded what can i do to fix this?

Not sure if you still have a problem? Maybe the firewall rule on Colo OpenVPN tab is only allowing traffic to destination LANaddress, and it should be LANnet? Maybe the target servers at Colo have their default gateway something else? so they don't know how to reply back to you through pfSense? or ?

site 1 Server (IPv4 Local Network): 192.168.59.0/30 Surprised your local LAN would be "/30" - perhaps you mean 192.168.59.0/24 ? IPv4 Tunnel Network: 192.168.50.0/31 You need to use "/30" mask - that gives 4 IP addresses, top and bottom unused, OpenVPN gives .1 to server and .2 to client. Every peer-to-peer tunnel network server-client pair must use a different subnet. The local LAN at every office must use a different subnet.

Not following entirely with your description… a drawing could help a lot here. pfSense usually just does what you configure it should do. What rules did you configure? (hint: for policy based routing & OpenVPN, use the floating rules)

You need a tap bridge, but that only works properly on 2.1.x. IIRC there are howtos here on the forum … somewhere, I wrote one of them somewhere. You can do it on 2.0.x with the tap bridge fix package that fixes a few things in 2.0.x for tap VPNs that didn't make it into a 2.0.x release. Basically you setup the VPN in tap mode, no tunnel network, set it to bridge to LAN, set the DHCP options you want, and then you have to assign the VPN interface under Interfaces > (assign), enable that, then setup an actual bridge between the LAN and that new interface.

You would connect in from OpenVPN client on your laptop, from anywhere on the internet to the OpenVPN server running on pfSense at home. The traffic from your laptop back home to your home network would not be going through PIA. You can set your laptop-to-home OpenVPN connection to "redirect all traffic through the VPN". Then when you browse the internet from your laptop, that traffic will go from laptop to home pfense, then out of home pfSense to the internet by whatever way the rest of your home LAN gets out to the internet. For that, you can have an OpenVPN client on pfSense connected to the OpenVPN server on PIA. And you can send all traffic through that. So you pfSense would have an OpenVPN listening for connects from your remote laptop, and an OpenVPN client connecting out to PIA.

OK, I just exported the config again and and has in fact no tls-auth  now. Sorry, my fault. I got confused after all that testing.