• Site-to-Site OpenVPN loses connectivity

    2
    0 Votes
    2 Posts
    1k Views
    P
    I'm bumping this topic because I still haven't found a solution. I have done some more troubleshooting and discovered that the problem lies with the home pfsense gateway not forwarding ip traffic from the tunnel (ovpn interface) to the LAN interface. Basically, everything goes just fine for a while, and then suddenly, the pfSense router ceases to forward the traffic to the LAN. This means that the router itself has full access to the work network. It also means that all work network machines have full access to the pfSense home router on the tunnel IP address. But there is zero connectivity between the home LAN and the work LAN. Any ideas?
  • 0 Votes
    8 Posts
    8k Views
    V
    You have to set your real WAN connection as the default gateway and then use a firewall rule to point all your LAN traffic to the VPN tunnel. In the system DNS settings you need to have the IPs of opendns (or your ISP) set. This will get the tunnel working reliably. Now go into your DHCP server LAN settings and enter the opendns IPs into the DNS settings. DHCP clients will now use opendns through the tunnel instead of the DNS forwarder in pfsense. So no more DNS leak. :) The downside is that not using the forwarder might resolve addresses slower and that you will not be able to use local dns names for devices on your lan. If you really need local dns names you could always set up a DNS server and DHCP server on your LAN using another machine. The main point to remember is to not set the VPN as the default gateway for pfsense itself. The pfsense box needs a working internet connection first, THEN you build the vpn tunnel. The reason it works on bootup in your case is because pfsense will skip to the next tier of gateway if the default is down. After openvpn starts running and creates the VPN interface you have the catch-22 problem you describe.
  • I can not reach two subnets in different vlan pfsense openvpn

    1
    0 Votes
    1 Posts
    804 Views
    No one has replied
  • Upgraded to 2.1.2 today Lost Client Export

    2
    0 Votes
    2 Posts
    919 Views
    M
    Known issue at the moment, creator working on a fix. https://forum.pfsense.org/index.php?topic=74948.msg409848#msg409848
  • Firewall issue with OpenVPN

    5
    0 Votes
    5 Posts
    2k Views
    M
    wunderbar! Yeah, I have a few other rules but they were created from NAT, and DMZ rules were created by me guided by the pfsense community. The only rules in the Lan tab are the anti-lockout rule and the default Lan rule. Now all I have to do is update pfsense to 2.1.2 tonight and hopefully no surprises. Thank you so much.
  • 0 Votes
    5 Posts
    5k Views
    ?
    @goodbyte: Dec 22 23:48:23    openvpn[7866]: ERROR: FreeBSD route add command failed: external program exited with error status: 1 I had the exact same issue a bit earlier and it was driving me nuts as it seemed to happen only when I was adding a 2nd VPN connection. The first, configured exactly the same, was working fine. I rebooted pfSense and all worked like a charm
  • Problems in configuring OpenVPN server

    2
    0 Votes
    2 Posts
    858 Views
    D
    You either need to stop using the same certificate for both connections, or check the proper checkbox in OpenVPN configuration to allow this.
  • When does PFSense plan on upgrading OpenSSL >= 1.0.1c

    Locked
    11
    0 Votes
    11 Posts
    7k Views
    M
    Thanks for the quick response, and sorry for the duplicate.
  • Prevent creation of ipv6 gateway on vpn interface?

    1
    0 Votes
    1 Posts
    756 Views
    No one has replied
  • OpenVPN issue post upgrade

    2
    0 Votes
    2 Posts
    849 Views
    jimpJ
    If you are using the exact same certificate on all of those, make sure you checked "Duplicate Connections" on the server config.
  • OpenVPN and route issue - Remote LAN

    5
    0 Votes
    5 Posts
    2k Views
    S
    @phil.davis: You still do not know if 192.168.3.33 can correctly route back to 10.0.8.0/24. From 192.168.3.33 do a "traceroute 10.0.8.1" and see how that goes. The path it takes and where it stops will help you find the device/s that do not know how to route to 10.0.8.0/24. OK, will be next week at the location and will be able to perform the test. Thanks a lot for help, stay in touch for replies next week ;-)
  • 0 Votes
    9 Posts
    3k Views
    jimpJ
    @jimp: Yeah I'm doing that right now actually. Going to move it to 2.3.3. I'll bump the export pkg version when I'm done. Export should be OK now – https://forum.pfsense.org/index.php?topic=74948.0
  • Write TCPv4_CLIENT: Operation not permitted (code=1)

    4
    0 Votes
    4 Posts
    2k Views
    C
    @BradWaite: For others with this issue, be sure to add a pass rule on the OpenVPN interface. The firewall rules for traffic inside the VPN have no relation to the outside of the VPN, that would have been a coincidence or otherwise unrelated.
  • Solved : Two VPN users

    5
    0 Votes
    5 Posts
    1k Views
    J
    @phil.davis: The user certificates for all the users that connect to 1 server must all be under the same CA. Thank you Phil, I just created a RADIUS configuration with my domain controllers and it works really great. Thank you so much. To others who might have the same issue or want to have RADIUS to AD, please follow the link below. https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory
  • 0 Votes
    9 Posts
    2k Views
    P
    That's kind of a major thing to not have a dedicated option for.  I'm thinking the GUI should have an option specifically to enable or disable that.  Is there a way I should officially propose that? Feature requests and bug reports are entered at https://redmine.pfsense.org
  • Using openVPN client on Windows 7 through pfSense

    11
    0 Votes
    11 Posts
    3k Views
    P
    Um, because some people don't like mass surveillance by governments and large corporations? Your data and DNS requests… are encrypted between you and the VPN provider end point. But the VPN provider knows who you are, and your DNS requests go to their DNS server, and your ordinary data to and from the various public internet sites you use goes between the VPN provider and those sites as ordinary data. One has to assume that these agencies are gathering the data they want from VPN providers and matching it to user VPN accounts. So actually I don't see how any of us can really "hide". But it might be fun to try ;)
  • Default Gateway changes to OpenVPN

    6
    0 Votes
    6 Posts
    1k Views
    D
    I figured it out! So it looks like I do need to have that manual outbound NAT after all, it's just a bummer that I can't use aliases for that either. So I looked in my openvpn logs and saw there were a bunch of encryption/decryption errors. So I changed my cipher from AES-256 to BF and now I am up and running! Now to test for any leaking. Thanks for all the help guys, you were all very helpful and friendly.
  • Can't get openvpn exceptions in the routing

    4
    0 Votes
    4 Posts
    2k Views
    C
    edit: solution https://forum.pfsense.org/index.php?topic=74743.0
  • Persistent VPN with whitelist

    2
    0 Votes
    2 Posts
    917 Views
    D
    I am doing basically the reverse of what you are doing. Check this out for an idea on what needs to happen: https://forum.pfsense.org/index.php/topic,29944.0.html You can create rules that are based on Aliases, hosts, network range, etc. That can re-route your traffic however you define. You just have to set up the interface and gateway correctly.
  • Gateway offline- OpenVPN problems

    2
    0 Votes
    2 Posts
    911 Views
    C
    Try changing the monitor ip address in system->routing
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.