• CRL not saved for a client connection (2.4.1)

    0 Votes
    3 Posts
    482 Views
    Thank you for the quick reaction, Jim
  • Possible to Run OpenVPN Server and a PIA OpenVPN Client at same time?

    0 Votes
    16 Posts
    6k Views
    gtjG
    @Murrayd222: Greetings, I'm curious if it is possible to run an OpenVPN server to permit remote connections to my network, via iPad and such, while also taking advantage of the benefits offered by Private Internet Access. I finally got my OpenVPN server up and running and remote connects now work flawlessly. However, when I installed PIA as instructed in the PIA pfsense router setup, the status shows as "down." The only step I skipped was deleting the various certificates required to make the OpenVPN server work. I'd like the benefits of remote access to my network as well as the benefits provided by PIA. Any suggestions or guides that I've missed? My experience with pfSense consists of about a month, with MANY failures trying to get the OpenVPN server up and running.
    EDIT: Ok, after more tweaking, factory resetting, and more tweaking… I have everything working except one thing. I can connect to my network via the OpenVPN server, I have the PIA VPN Client pushed to the network IP addresses I want going through the VPN. I can remotely access both Plex and my Blue Iris surveillance server. However, there is one thing I cannot figure out and I'm sure it has to do with Firewall Rules or NAT Outbound rules. When remotely connecting to my OpenVPN server, I want those connections to be able to access the Internet as well. Currently, any remotely connected client to my OpenVPN server can access network IPs only and any attempts to connect to the Internet are being blocked. The OpenVPN Server is assigned its own openvpn interface and the PIA Client is assigned its own unique PIA Interface. If I disable the PIA client, then my OpenVPN Server connections are able to access the Internet. Once I restart the PIA client, the Internet access of the OpenVPN Server connected clients stops. Anyone have a suggestion or guide on how to set up the needed rules?
    EDIT 2: Well, the recently changed NAT Outbound (posted below) granted my OpenVPN Server remotely connected clients to access the Internet, but it broke their ability to access LAN clients. How can I get both Internet and LAN access for clients remotely connected to the OpenVPN Server?
    EDIT 3: Never mind, all is working correctly, but for some reason the remote desktop client on my iPad isn't connecting this morning whereas the RD app on my iPhone is.
    Current NAT Outbound Rules: [image]
    Current Firewall Rules for WAN: [image]
    Current Firewall Rules for LAN: [image]
    Are these above your working settings? Can you please please share your current working settings? I can't get them to work together no matter what I tried. I've spent the better part of the past 3 days experimenting with all possible combinations. I did factory resets, installed the server first and then the client and vice versa. Played with all the possible rules I could think of. Duplicated the existing outbound NAT with values both for OpenVPN and PIAVPN. I would be grateful if you could share the server's and client's config as well as the rules in WAN, LAN (or anywhere else) and also your NAT/outbound tab.
    I have created separate interfaces for the PIA Client and the OpenVPN server, while the "don't pull routes" option suggested by @viragomann completely disables the PIA client and then magically the OpenVPN server will accept the connection from my Android client. I have already asked in several topics but failed to draw any attention so I'm hoping you could help me out. Otherwise I'll have to open a new thread. I just did not want to do that as there are many like us who had the same issue and the forum is full of similar threads…
  • Openvpn address of remote resources

    0 Votes
    1 Posts
    330 Views
    No one has replied
  • OpenVPN client able to connect but no LAN access?

    0 Votes
    22 Posts
    25k Views
    gtjG
    @pfsensory: What I decided to do was revert my pfSense box to a backup (before I started messing around with this), and redo everything again. Now everything is working great. One question though - I am using a tun connection, which is working fine for my purposes except for one issue. I use Syncthing, and I would like to be able to have it sync files when I am connected to the network via VPN. However, because Syncthing accesses devices by IP addresses, and the VPN client device now shows up under a different subnet (10. for the VPN client, 192.168. for the main LAN), the syncing devices do not see each other. Is there some way I can get these to connect? And one more question - this time when I set things up (using the VPN wizard), no interfaces got assigned to ovpns1 or ovpns2, and there are no corresponding tabs under the Firewall rules (although rules were set up for me at the end of the wizard), unlike when I did everything manually last time. Everything seems to be working fine, but should there be something there?
    Hello. We have a similar setup running both OpenVPN Server and a PIA client and I was hoping you could share your settings as I can't get them to work together… That would be greatly appreciated as it seems I'm not getting any support from anywhere for such a common thing.
  • [SOLVED] OpenVPN Site to Site still Ping / RDP not working

    0 Votes
    19 Posts
    3k Views
    Hi, my Site to Site is now running and I have set it up according to the recommendation; it means that I have no static routes. The final solution was to reset the states and take a /30 tunnel network. Thx and Bye
  • OpenVPN (2.4.x?) fails with pfSense 2.4.0 if CRL is specified

    0 Votes
    6 Posts
    3k Views
    jimpJ
    At least on 2.4.2, I can't find any problems.
    No CRL = Connects
    Empty CRL = Connects
    Cert in CRL = Doesn't connect (and it shouldn't)
    Using a different cert not in the CRL = Still connects.
    Maybe it got fixed along the way with something else, but it doesn't seem to be an issue on 2.4.2.
  • OpenVPN server on CARP WAN

    0 Votes
    1 Posts
    321 Views
    No one has replied
  • Roadwarrior and split tunneling

    0 Votes
    4 Posts
    794 Views
    If you haven't set the default route manually in NetworkManager it must be pushed by the server. So please post the server configuration and the client's routing table.
  • Correct outbound NAT configuration

    0 Votes
    1 Posts
    636 Views
    No one has replied
  • Multiple OpenVPN clients non-functional

    0 Votes
    33 Posts
    12k Views
    Same with me or like I did. Deleting it solved ALL the problems there were with the gateways, the ifconfig problems and everything else. In a second :(
  • OpenVPN TAP interface: gateway options

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Specific ports through VPN client

    0 Votes
    1 Posts
    318 Views
    No one has replied
  • Gnome Network Manager - Pfsense Openvpn Server Client Export

    0 Votes
    4 Posts
    2k Views
    Thanks, this was a really helpful hint as I had exactly the same problem with openSUSE Tumbleweed!
  • Remote access with PIA enabled

    0 Votes
    3 Posts
    572 Views
    gtjG
    @dad311: I've successfully set up OpenVPN remote access and PIA OpenVPN client. Both work, but both don't work at the same time. If I have the PIA client enabled, remote OpenVPN clients will not connect. I believe the issue is remote access traffic is coming in the WAN interface and going out the PIA interface. Anyone know how to force my OpenVPN server to use only the WAN interface?? thx
    Have you by any chance found any solution? I suspect there is a Firewall rule conflicting between the 2 interfaces/instances of OpenVPN - the PIA side (client) and the OpenVPN server which we intend to use to connect to our home network from a remote address.
  • Export OpenVPN certificates without Client Export manager

    0 Votes
    3 Posts
    1k Views
    gtjG
    @viragomann: I don't know about latency issues in 2.4.1 and trouble to install the Client Export package in 2.3.4. However, you can export certs separately if you want. The Client Export tool only bundles config, certs and Windows installer. But why do you want to use WinSCP? Just use the GUI: System > Certificate Manager > Certificates
    Thank you very much for your answer. I ended up updating and installing the Export Tool. I'm just hoping I won't have any issues with speeds now…
  • Help please? Home openvpn, 1 pc needs to go through vpn, others wan

    0 Votes
    5 Posts
    692 Views
    Firewall > Rules > LAN: add the IP of the devices to the list, then under the settings change the gateway to WAN_dhcp. This is how I allow Netflix to play on my TV while the rest of the network is under PIA VPN.
  • [SOLVED] Can't connect to OpenVPN server from LAN, how to fix?

    0 Votes
    3 Posts
    747 Views
    Thanks viragomann!
  • I want to set topology subnet

    0 Votes
    2 Posts
    486 Views
    jimpJ
    Shared key can only have one client per server. You would have to switch to an SSL/TLS setup to have multiple clients on a single server.
  • OpenVPN Auto Restart upon drop

    0 Votes
    2 Posts
    1k Views
    jimpJ
    It depends on why it stopped. If it fails because of an auth error at PIA, then OpenVPN considers that fatal and exits. We have a fix for that on 2.4.1 and later (using "auth-retry nointeract"). If there is something else causing it to exit, then the fix would be different. Have to see the error in the OpenVPN logs to know for sure. If the process is exiting, then using the Service Watchdog package to monitor it will help treat the symptom, but not cure the original problem.
  • OVPN - Connect Success but no connectivity to Private IPs

    0 Votes
    11 Posts
    1k Views
    Ok, so I finally figured it out. OMG. I had created a cert with a typo in it and the verify-x509-name was erroring when I tried to connect to machines that were on the domain. That's why some worked and some didn't, because some were on the domain and some weren't. Once I got that all fixed up everything else was easy. Thanks so much for taking the time to look at this with me.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.