You need a tap bridge, but that only works properly on 2.1.x. IIRC there are howtos here on the forum … somewhere, I wrote one of them somewhere. You can do it on 2.0.x with the tap bridge fix package that fixes a few things in 2.0.x for tap VPNs that didn't make it into a 2.0.x release. Basically you setup the VPN in tap mode, no tunnel network, set it to bridge to LAN, set the DHCP options you want, and then you have to assign the VPN interface under Interfaces > (assign), enable that, then setup an actual bridge between the LAN and that new interface.

You would connect in from OpenVPN client on your laptop, from anywhere on the internet to the OpenVPN server running on pfSense at home. The traffic from your laptop back home to your home network would not be going through PIA. You can set your laptop-to-home OpenVPN connection to "redirect all traffic through the VPN". Then when you browse the internet from your laptop, that traffic will go from laptop to home pfense, then out of home pfSense to the internet by whatever way the rest of your home LAN gets out to the internet. For that, you can have an OpenVPN client on pfSense connected to the OpenVPN server on PIA. And you can send all traffic through that. So you pfSense would have an OpenVPN listening for connects from your remote laptop, and an OpenVPN client connecting out to PIA.

OK, I just exported the config again and and has in fact no tls-auth  now. Sorry, my fault. I got confused after all that testing.

Sorry, yes they do. The pfsense at the house is virtualized on a hyper-v box. Pfsense at condo is an Alix board.

Were you able to figure this out? I am battling this issue as well

Hi, I think you need to add option 66 to your home DHCP Server. So when your IP Phone boot he can find the PBX IP / hostname via option 66. Regards

Phil, Thanks for the reply. I found something in the meantime that worked. I was able to SFTP in using root for the username, and just copy the 2 files to /etc I needed to get OpenVPN working again.

If you use the HMA software what speed can you achieve ? I am interested in this myself as I will be upgrading to fibre soon and I use HMA myself.

You might want to look at this. https://forum.pfsense.org/index.php?topic=32429.0 Could look at implementing this myself soon. Ricky

Thanks for replying Phil. You where right about the Failover being the problem. I raised a support ticket and Jim advised adding the following rule before the failover. [image: rupo.png] I also changed my Tunnel network to /30 on advice. Ricky

@KOM: You're using the 2.1 release? Yes I am. Here's just a screenshot before I edit the settings (Please note that I can connect, but my traffic doesn't get routed to my LAN and thus I can't browse the web) And a screenshot after I edit it without changing anything. And the screenshots of the actual script, which works when I enter it manually… [image: before.png] [image: before.png_thumb]     [image: after.png] [image: after.png_thumb]

That's a good point.  I left that out.  I am setting up DDNS as well.  =)

You need your LAN rules the other way around. Rules are matched from the top down, first match wins, so all your traffic will be matched by the "Default allow LAN to any rule". None of it will get to "LAN thru ExpressVPN" - put "LAN thru ExpressVPN" above "Default allow LAN to any rule". On WAN and EXPRESSVPN rule tabs you should not need any pass rules - unless you have a public server or similar, you do not want to allow incoming connections from the big wide internet. Traffic initiated from you (on LAN) is passed by your LAN rules and pfSense recognizes and passes the data flowing back in the reverse direction for that.