I was able to finally resolve my issue. After trying to use telnet, ping and tracert commands with no success I finally figured out that I was missing the outbound PIAVPN interface NAT rule for my DMZ source IP range. Even though this did not help to send out mail outbound from my mail server, I was able to use the commands to figure out what worked. Finally I used the mail forwarder in hmailserver to a out.myprovider.com 1025 server from my ISP. Now I happy to say I can send out mail with "don't pull routes" deselected.

Baby steps.

After several months of troubleshooting work with Cisco engineers and even escalating to their Nexus developers the culprit could not be found… However, upgrading the pfSense to the latest 2.3.1 version SOLVED the problem!  :o I hope someone could explain what was changed in the 2.3.1-RELEASE (amd64), built on Tue May 17 18:46:53 CDT 2016 in regards to the OpenVPN code to make it work.

Yep - Very common affliction.  Its a good idea to go with the 192.168.x.x - for both the Xs pick a random number between 2 and 254 or so. The reason I asked about admin rights its because its always a good idea to right click the install icon for openvpn and run as admin - and then always run the program as admin after from then on.  Saves lots of grief. Anyway - Sounds like you already have it worked out.  Enjoy.

Thank You so much!!!1 I did not even know what to search for. And when I finally finish my server rack it will look so much better with out a router just sitting there for my OpenVPN needs.

You can do this in the OpenVPN setup with "Locale Networks" and "Remote Networks" on server and client site. How exactly, depends on which site is the server and which is the client. Just enter the one host you want to access. But if you have also set a route form IPSec for the same destination, I don't know which one has the higher priority. However, you may also be able to direct the traffic to OpenVPN by policy based routing, after assigning an interface to the VPN instance. If you just want get access from site A to B, the simplest solution would be to do NAT for this connection at B (by adding an outbound NAT rule).

Aha! Stupid me, you are indeed correct! Thanks!

There is an existing thread: https://forum.pfsense.org/index.php?topic=112877.0

Kindly bumping. Anyone with any assistance on the firewall rules to allow my OVPN bridge to speak to my LAN? Thanks!

@BeerBelli: Spent hours on google and this forum. A few have tried with the PIA patch that is out, but I can't find anyone who actually has it working. If anybody got the SHA256/AES256 settings working, please post here how you achieved it. Thanks. here my settings https://forum.pfsense.org/index.php?topic=112877.msg633588#msg633588

You can delete them once they're expired or revoked. Might want to only delete the expired certs just in case the CRL gets messed up at some point so it's easy to add them back to the CRL/to a new CRL. Of course could always restore from backup as well in that case.

Might be the difference, I gave up on shared key rather early on in my switch from IpCop to pfSense (early 2000's). As l mentioned, all the site-site connections I've done (including a half-dozen or so DD-WRT) were PKI and worked just fine. Once you get your head wrapped around what you need for certificates (the Certficate Manager makes it pretty easy) it no big deal.

Being in the same local lan is a lot easier for my tasks, which don't require any road warrior worker setup  8)

@alfredo: ad pan_2. Haven't had time to test you Single CPU question on our 'big' server. https://forum.pfsense.org/index.php?topic=113167.0 Why do you find on big server questionable? It is fully configured with all thinkable redundancies. It is still only one server. Need to reboot? No connection. Need to upgrade? No connection. Something broke along the way? No connection. (and to continue - need to update FW on host server? No connection for a hour. ESX PSODed? No connection. And so on..) So I would push for redundant setup anyway, even if you have only one host server - more room to maneveur. And it is simpler to utilize VM Host resources by running multiple instances. More so - I doubt pfsense team ever tested OpenVPN WebGUI with so much VPN server definitions, there could be some hidden rocks in it.