• Multi Site-to-Site Configuration

    0 Votes
    2 Posts
    460 Views
    With VyOS you have to go IPsec, not OpenVPN.
  • Remote access traffic through Openvpn Site2site

    0 Votes
    2 Posts
    476 Views
    Site B default gateway will need a route to the network you assign to ovpn clients. Have you configured it?
  • Open vpn connected but can't ping remote clients

    0 Votes
    2 Posts
    464 Views
    What is the default gateway of clients on both sides? Is it the pfsenses?
  • VPN Routing Not on Edge

    0 Votes
    9 Posts
    924 Views
    Well I managed to figure it out. Turns out I am an idiot. When I moved the machine off my edge, I had disabled the firewall under advanced settings. I had forgotten about this, and it turns out, as the helpful text points out, this also disables any NAT functionality. So after enabling the firewall, everything works as expected! Thanks for the help! And sorry for the confusion.
  • FTP over OpenVPN

    0 Votes
    4 Posts
    1k Views
    Hi Derelict, thanks for replying. It's a very basic setup really. My satellite box vu+ solose has FTP, telnet etc. and I would like to have access to FTP; I can't see a way to change port settings. So a simple setup of pfSense working fine, set up port forwarding and got the FTP working fine too. Set up my PIA VPN and both FTP and PIA VPN working. Tried to add a kill switch using the floating rules and my FTP stops dead. If I follow the https://www.privateinternetaccess.com/forum/discussion/29231/tutorial-setup-pia-on-pfsense-2-4-2 and use https://www.privateinternetaccess.com/forum/uploads/editor/92/w00wmc2lq7yt.png then I get no FTP anyway.
    On the bottom of the post I read:
    Disabling NAT'ing for the WAN is AN ABSOLUTE HORRIBLE IDEA and DOES NOT STOP TRAFFIC ROUTING. Disabling NAT address translation rules does not stop traffic from being routed out an interface if the VPN is down. It only prevents the IP addressing from being translated when traffic is routed out that interface, which can result in routing RFC1918 addressing onto the WAN. The only way this blocks traffic is that an upstream router is most likely blocking non-internet routable RFC1918 addresses, but at that point your traffic has already been leaked onto the WAN interface.
    The better solution is to make sure unintended traffic never leaves the WAN by creating pfSense float rules that allow only DNS and OpenVPN traffic out the WAN and block everything else going out the WAN. Such rules would only have effect when the VPN link is down and the WAN is the default route, to allow DNS lookup of the PIA host, and creating the VPN link; all other outbound traffic out the WAN should be blocked or rejected. Once the VPN link is up and becomes the default route, traffic will route unblocked over the VPN link.
    Thanks
  • 0 Votes
    1 Posts
    270 Views
    No one has replied
  • OpenVPN clients flip status each 120 seconds

    0 Votes
    3 Posts
    654 Views
    You were probably right!
  • How to connect to OpenVPN, but disable internet access going to there?

    0 Votes
    2 Posts
    506 Views
    @dims: In order machines from his LAN respond to my pings, I was to configure NAT.
    By default, Windows machines do not respond to packets that come from networks other than the LAN. Allowing such access can be set in the Windows firewall. If all your traffic goes through the VPN, the "Redirect gateway" option will be set in the server settings. If your brother doesn't need this for other purposes, he should remove the check and enter his LAN network in the "Local Network/s" box. If he needs that option, you can prevent that by adding the no-pull option and a route to the remote LAN to your client config.
  • OpenVPN, connected but can not access local network.

    0 Votes
    10 Posts
    1k Views
    Still get no luck. Somebody can give me more advice, please.
  • PfSense and NordVPN

    0 Votes
    2 Posts
    772 Views
    It took me two weeks to get a working connection in my sg 2220 and I literally just deleted my backup files. I tried two different trials of NordVPN and both tries could not get acceptable speeds, so I canceled. If you get this working I'd love to hear it… At 3 different facilities using various devices and operating systems I could not get a 20Mb download on at least a 100Mb internet connection. Totally unacceptable.
  • 0 Votes
    4 Posts
    1k Views
    Thanks, this helped me to understand that the key should be entered in the certificates section along with the client certificate. This means that my problem is different. The OpenVPN log says (from bottom to top):
        Exiting due to fatal error
        FreeBSD ifconfig failed: external program exited with error status: 1
        /sbin/ifconfig ovpnc5 10.11.0.34 netmask 255.255.255.0 mtu 1500 up
        do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
        TUN/TAP device /dev/tap5 opened
        TUN/TAP device ovpnc5 exists previously, keep at program end
        OPTIONS IMPORT: route-related options modified
        OPTIONS IMPORT: --ifconfig/up options modified
        OPTIONS IMPORT: timers and/or timeouts modified
        Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
        PUSH: Received control message: 'PUSH_REPLY,route 10.10.0.0 255.255.255.0,route-gateway 10.11.0.1,ping 10,ping-restart 120,ifconfig 10.11.0.34 255.255.255.0'
        SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
        [server] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:1194
    As far as I understood, the server pushes an ifconfig command, which fails. When I try to execute it manually, it also fails:
        >/sbin/ifconfig ovpnc5 10.11.0.34 netmask 255.255.255.0
        ifconfig: ioctl (SIOCAIFADDR): Destination address required
    Does this mean that the server sends a command with incorrect FreeBSD syntax? Or does this incorrect syntax come from OpenVPN? How to configure the OpenVPN client to ignore such commands?
  • This topic is deleted!

    0 Votes
    2 Posts
    97 Views
    No one has replied
  • HELP: Firewall Settings for Remote Networks over VPN

    0 Votes
    6 Posts
    802 Views
    I found the setting in the Sierra Wireless RV50 OpenVPN Tunnel settings. There is a setting called NAT, which I had to set to disable. After I disabled it, the SNAT was removed and the true source IPs are now visible. Thanks.
  • How to route single client through openvpn tunnel

    0 Votes
    3 Posts
    610 Views
    According to this video https://www.youtube.com/watch?v=ov-xddVpxhc you can use firewall rules to exclude the hosts that you don't want to go through the VPN tunnel. So if you set static IPs for the hosts that use the VPN tunnel and make a firewall alias for the DHCP range and use this alias in a firewall rule which will pass the VPN tunnel and go through the WAN, wouldn't that work?
  • 0 Votes
    4 Posts
    2k Views
    Jimp, can you take a quick look at my other thread? Basically the same issue, but I noticed a change in the routing table that affects my other VLANs. I'm trying to understand what can cause the change in the routing table. The "static" part is removed when OpenVPN dies; after it reconnects it's not replaced. I'm giving up on UDP for the moment, but I made more comments about that in the other thread. https://forum.pfsense.org/index.php?topic=145237.0
    Before OpenVPN connection dies:
        Destination        Gateway            Flags    Netif Expire
        default            10.75.1.2          UGS      pppoe0
        PUBLIC-IP.static   link#13            UHS      lo0
    After OpenVPN connection dies:
        Destination        Gateway            Flags    Netif Expire
        default            10.75.1.2          UGS      pppoe0
        PUBLIC-IP          link#13            UHS      lo0
  • OpenVPN client with kill switch

    0 Votes
    4 Posts
    2k Views
    Derelict
    Not a pfSense problem. You might want to consult your operating system or OpenVPN support/forums for that. (Viscosity tells me when I am disconnected…) Someone else might know. Personally I think you're overthinking it. I would figure out why your home pfSense is crashing. Mine never does.
  • Ping between OpenVPn Peer to Peer doesn’t work

    0 Votes
    1 Posts
    305 Views
    No one has replied
  • OpenVPN Remote Access segment traffic.

    0 Votes
    1 Posts
    374 Views
    No one has replied
  • Certificate Issues

    0 Votes
    7 Posts
    2k Views
    I'm also using OpenVPN Connect 1.2.9 build 0 (iOS 64-bit) and there's no problem like that.
  • [Solved] LAN to LAN not routing

    0 Votes
    15 Posts
    1k Views
    For anyone who stumbles across this thread, the solution was to add the OpenVPN connection as an interface on the client side. After creating the interface, restart the OpenVPN service and add allow firewall rules for the interface. For OSPF to work, you need to add the interface on both ends. It's also advised to remove/disable the default OpenVPN rules as they'll supersede the interface rules if matched first.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.