• OpenVPN: only grant access to LAN?

    2
    0 Votes
    2 Posts
    647 Views
    DerelictD

    Don't push a default route and put rules on your OpenVPN tab only allowing access to LAN.

  • Openvpn config is only partially successful

    10
    0 Votes
    10 Posts
    2k Views
    johnpozJ

    Do you allow ping to your WAN?  If not then ping would fail. Is the site using a proxy?  If so you have to tell the openvpn client to use a proxy.

    So you're saying the tcp openvpn works at hotspot location #1 but not at this #2 site?  Or is your tcp vpn not working anywhere?

  • Site-to-Site Tunnel: Moved Office, now can't connect

    4
    0 Votes
    4 Posts
    1k Views
    D

    Glad you worked it out.

    Perhaps you could update the title of your first post with "[Solved]".

  • OpenVPN with transparent bridge, connects but has routing issues

    8
    0 Votes
    8 Posts
    4k Views
    M

    Everything I've read seems to indicate that my choices are bridged or routed+NAT

    For a simple remote access setup, you don't need NAT.  There are situations where NAT is a workaround or puts a band-aid on certain issues, but none of them apply to your situation.

    I've searched and could not find a post or any documentation for running openvpn with an external dhcp server unless you set up a bridged solution.  Even if you could, it might mess with tracking on your dashboard.

    Configure a road warrior, routed solution where your clients get their IP from the OpenVPN server.  Problem solved... and you can monitor your connected clients from the dashboard.

    Pretty straightforward -> https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

  • OpenVPN Bridge

    1
    0 Votes
    1 Posts
    961 Views
    No one has replied
  • Unable to ping backup unit in CARP setup - solved.

    1
    0 Votes
    1 Posts
    508 Views
    No one has replied
  • OpenVPN: Can't access GUIs via browser?

    1
    0 Votes
    1 Posts
    621 Views
    No one has replied
  • OpenVPN: Only Forward Traffic Within VPN

    2
    0 Votes
    2 Posts
    696 Views
    kesawiK

    Have a look at /index.php?topic=105810.0. You may be able to adapt the details there to your requirements.

  • 0 Votes
    2 Posts
    1k Views
    S

    I apologize as I do not have an answer to your question, but am seeking an answer to my own.  I am also using PFSense and OpenVPN and I am attempting to configure the firewall to allow only the VPN traffic and block everything else.  So, if/when the OpenVPN connection drops, so does all other traffic.  I accomplished this on a Linux router previously using the following IPtables rules, but cannot figure out how to conceptually do the same with pfsense, as there is not a "source port" option in the GUI.  Any help would be awesome!

    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -p udp -m udp --sport 53 -j ACCEPT
    -A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
    -A INPUT -j DROP
    -A FORWARD -j DROP
    -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
    -A OUTPUT -j DROP
    COMMIT

    # Completed on Thu Jan 14 11:13:06 2016
    # Generated by iptables-save v1.4.7 on Thu Jan 14 11:13:06 2016

    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -s 192.168.2.2/32 -o tun0 -j MASQUERADE
    COMMIT

  • Port sharing squid reverse proxy & openvpn

    5
    0 Votes
    5 Posts
    3k Views
    U

    Hi stanthewizard,
    thanks for your explanation. I got it up and running as described below.

    Installed OpenVPN with the Wizard to listen on the WAN interface, port 443, TCP, tun mode. In "Advanced" I inserted the following: "port-share 192.168.0.1 4443", and added a NAT Port Forward rule as follows:

    | If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports |
    | --- | --- | --- | --- | --- | --- | --- | --- |
    | WAN | TCP | * | * | WAN address | 443(HTTPS) | 192.168.0.1 | 443(HTTPS) |

    As expected, the firewall rule was created automatically, which is why the following rules are defined for the WAN interface:

    | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | | IPv4 TCP | * | * | WAN address | 443(HTTPS) | * | none | |
    | | IPv4 TCP | * | * | 192.168.0.1 | 443(HTTPS) | * | none | |

    squid3 reverse is listening on the WAN interface, port 4443

    In my case the IP "127.0.0.1" did not work. The problem was that the pfsense is located behind the ISP's router which forwards the port 443 to the pfsense box. Instead, I had to use the WAN interface's IP address "192.168.0.1" of my pfsense box.

    Thanks again.

  • OpenVPN: View clients on the network?

    2
    0 Votes
    2 Posts
    818 Views
    M

    You can either add "OpenVPN" to the dashboard or go to Status -> OpenVPN.

  • OpenVPN: One user per computer or per person?

    3
    0 Votes
    3 Posts
    736 Views
    A

    I usually create a user account for each device - that way, if one gets lost/stolen, you can just revoke the account for that device, rather than having to put new configs on everything else that shared the same profile.

  • Please help me switch from Tomato OpenVPN Server to PFSEnse OpenVPN

    3
    0 Votes
    3 Posts
    1k Views
    O

    @mudmanc4:

    Here is a very good video to setup openvpn server and client on pfsense.
    https://youtu.be/VdAHVSTl1ys

    This will get the VPN server / client up and running.

    +1 to that video. I am a total noobie to VPN and PFsense and I got it up and running on my iOS devices and my Macbook within an hour or so.

  • Struggling to get OpenVPN working

    14
    0 Votes
    14 Posts
    2k Views
    D

    I figured everything out -- the problem was with the OVPN export part. I needed to change the hostname resolution part because it was defaulting to the WAN IP address but because there is a Verizon Router in front of my pfSense box, that WAN IP address is still an internal subnet address. After I changed the host name resolution to use a name, everything worked fine.

    Hope this helps anyone else who runs a pfSense behind a Verizon router.

  • Reinstall OpenVpn Client after computer reboots,

    3
    0 Votes
    3 Posts
    831 Views
    M

    I hate to assume, so I'll just ask... have you verified that they are launching the app as admin every time?  Check the client's routing table when they are connected.

  • Multi-WAN OpenVPN Client Export Fails

    13
    0 Votes
    13 Posts
    3k Views
    jimpJ

    Not currently. There is a redmine ticket out there already for it though. It would require some significant work to pull off.

  • OpenVPN client expires every 24h and does not restart

    1
    0 Votes
    1 Posts
    790 Views
    No one has replied
  • 0 Votes
    2 Posts
    884 Views
    jimpJ

    That would be a question for OpenVPN itself.

    https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

  • OpenVPN - SSH disconnects every 80 seconds

    5
    0 Votes
    5 Posts
    1k Views
    D

    Are these SSH sessions idle during the 80 seconds?
    What happens if you run something that frequently updates like top?

  • No server but still can connect

    6
    0 Votes
    6 Posts
    1k Views
    J

    @cmb:

    What version are you running?

    Deleting OpenVPN instances kills off the PID that OpenVPN writes to its PID file. There were issues with earlier OpenVPN 2.3.x versions where it doesn't correctly write out its PID file's contents, in which case deleting that instance will try to kill a PID that doesn't actually correspond to OpenVPN (and likely doesn't exist at all).

    You'll find the PID file in /var/run/openvpn_server1.pid (assuming it was instance 1). Check the running instance with 'ps auwwx | grep openvpn'. Its PID that's running is 43054 judging by your logs. That PID file likely has some other number in it ('cat /var/run/openvpn_server1.pid' to check).

    After verifying that, just run 'killall openvpn' and it'll be gone.

    Thanks, killall openvpn seemed to clear it out. There was a process running with PID 43054 but I could not find any file in "/var/run/" for openvpn_server.
    Anyhow, I set up a new server and all seems to be working great.

    Thanks

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.