• How to configure Google authenticator on Pfsense 2.3.4.p1

    1
    0 Votes
    1 Posts
    619 Views
    No one has replied
  • Local app not able to access remote hardware

    1
    0 Votes
    1 Posts
    376 Views
    No one has replied
  • [SOLVED] OpenVPN roadwarrior - cannot access home LAN computers

    17
    0 Votes
    17 Posts
    5k Views
    D
    Thanks - solved my problem as well. I would have thought this was a pretty common configuration.  An easier to find guide for newbies would be helpful.
  • PIA - What's the proper way to do gateway monitoring?

    3
    0 Votes
    3 Posts
    2k Views
    A
    pfSense will add a static route for the monitoring IP via the given interface. If an x.x.x.x address is used there, then the router will always send traffic for that IP to PIA, adding latency for non-VPN users and breaking Geo lookup (in DNS case). I'm using one of the Level 3 DNS resolvers there (4.2.2.1 - 4.2.2.6), which I don't need to contact for any other purpose.
  • OpenConnect + split routing

    3
    0 Votes
    3 Posts
    4k Views
    DerelictD
    How is the client supposed to know which DNS server to use? Before it knows the answer to the query it has no idea if the destination is out on the internet or over the VPN. You are probably best off sending the queries to the DNS server over the VPN and letting it return the appropriate answer.
  • OpenVPN daemon/service stops after brief WAN outage - how to automate?

    4
    0 Votes
    4 Posts
    624 Views
    F
    @SpaceBass: out of curiosity, it looks like your screenshot is of the client end. Does the client eventually time out and reconnect? Yeah, it's a client setup to a 3rd party VPN provider.  And nope, the client doesn't time out and reconnect on its own.  The service is completely stopped in pfSense until I manually log in and restart it. I've had success testing the Service_Watchdog package in a VM.  Just enabled it in production.  This may be a decent workaround. I'm still curious what the root cause of the service failing in the first place is.
  • OPENVPN Cannot connect after upgrade 2.3.4

    2
    0 Votes
    2 Posts
    488 Views
    V
    Also upgrade the OpenVPN clients.
  • OpenVPN traffic not routing through Squid

    3
    0 Votes
    3 Posts
    3k Views
    S
    I have the same issue with an IKEv2 VPN. The VPN clients don't route through squid / squidguard. Does anybody have a solution / configuration to get this working together?
  • 0 Votes
    2 Posts
    485 Views
    A
    I have confirmed that the issue is definitely linked to the multiple remote networks in the open vpn config as if I remove the additional remote networks and only have one subnet per vpn server it starts working again. The problem with this is the remote client networks then can't communicate with each other, only the server network.  While this isn't critical, as I can remote desktop into the server lan and access the other subnets from there, it isn't very elegant.
  • OpenVPN Remote Access to local storage-Help Please

    11
    0 Votes
    11 Posts
    1k Views
    W
    Thanks again for pointing me in a useful direction.  I clearly had not done all of my homework.  I am using TUN.  However, after further reading the TAP configuration might better fit my use case. Currently the connection to the VPN is rather fast.  I have no issue navigating documents, pictures things of this nature.  However, when I open my accounting software it takes 3-5 minutes to load the file.  Once it has loaded lag is barely noticeable in most cases.  I do have adaptive compression enabled. You're Awesome!
  • No client Gateway/Internet routing

    7
    0 Votes
    7 Posts
    3k Views
    M
    Yes, that's what I'm trying to do. It always me using different devices..
  • OpenVPN - Radius Proxy - Radius Server

    2
    0 Votes
    2 Posts
    572 Views
    C
    Hate to bump!!!
  • OpenVPN server over PPPOE internet source

    1
    0 Votes
    1 Posts
    780 Views
    No one has replied
  • Giga Router OS question

    6
    0 Votes
    6 Posts
    1k Views
    R
    @jahonix: @Ryu945: Though I think I will be going with this case instead. Oh boy, if the case is one of your major concerns, then take a consumer router and start painting it or so. That could lead to more satisfying results for you personally. It has a shelf it needs to be able to fit onto.
  • Use PIA along with pfSense OpenVPN server?

    18
    0 Votes
    18 Posts
    5k Views
    V
    Kb8wfh, A couple of things that helped me(and continue to help me) are: making sure to look in your firewall logs to see what is being blocked attached are my rules I have on my wifi interface, they are fairly hardened, I sense you are trying to do the same. It might not work for you…FYI - your LAN rules basically allow everything, rule 1 isn't doing anything that rule 2 would do. Try to understand my rules vs just copying them. when writing a rule, go into "Advanced settings" and you can pick a "gateway" i.e. Either WAN or PIA. I use this vs changing my default gateway get to know "easy rules" that can be turned on in your firewall log, it will add what was being blocked, you can modify these easy rules but it helped me understand the flow of data. Make sure to possibly change the order of the rule in your interface if necessary. make an alias for your Apple tv and WAN only devices (notice in my rules I have SEVLAN as a source, these are aliases I set up after setting up fixed dhcp leases), make rules allowing access using the alias as the "source", in advanced setting for those rules use the WAN. Dig into your log(NAT or Firewall), I suspect you'll see what's going on.... (As mentioned by someone else, your dashboard is showing your PIA as offline, dig into your gateway settings for PIA and look for the field for "monitoring IP",  use googles 8.8.8.8 as the monitoring IP...I had that issue as well and was fixed with adding a google monitoring ip)
  • OPENVPN on RADIUS

    9
    0 Votes
    9 Posts
    2k Views
    J
    Thank you for your answer, I managed to get it fixed by using the IP address of the VLAN on the authenticator in the active directory.
  • Change OpenVPN Outgoing IP

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    S
    All sorted, Thank you very much for your time and support, Much appreciated!
  • Struggling with OpenVPN Site-to-Site Routes

    4
    0 Votes
    4 Posts
    5k Views
    DerelictD
    On the client at Remote I assigned the new ovpnc1 port to an interface and enabled it. This created a gateway for the connection. Then on the client at Firewall > Rules > LAN I created a new rule at the top to catch all IPv4 traffic (any protocol, any source, any destination, any port) and route it through the gateway created by the VPN interface. This is completely unnecessary and only serves to introduce policy routing into your environment, causing other effects and complexity that are fine if you understand them, but you do not (yet). I would delete any assigned interfaces to OpenVPN servers/clients, put the pass any any any rules on the OpenVPN tabs, and stop/start OpenVPN on both sides. Another thing that I see is networks are not 10.0.0.1/24 or 10.0.3.1/24. They are 10.0.0.0/24 or 10.0.3.0/24. It looks like the proper routes are being added by OpenVPN but when I look at it I tweak a little. Work one hop at a time. For instance, from host 10.0.0.X can you ping the pfsense interface address on the other side? Presuming 10.0.3.1. If you can, all the routing is in place. After that, can 10.0.0.X ping something on the 10.0.3.0/24 LAN? Be sure the target of the pings:     Has pfSense set as its default gateway     Will actually respond to pings     Does not have some local firewall (think windows firewall) preventing it from accepting traffic from foreign subnets Then do the reverse: Work one hop at a time. For instance, from host 10.0.3.X can you ping the pfsense interface address on the other side? Presuming 10.0.0.1. If you can, all the routing is in place. After that, can 10.0.3.X ping something on the 10.0.0.0/24 LAN? Be sure the target of the pings:     Has pfSense set as its default gateway     Will actually respond to pings     Does not have some local firewall (think windows firewall) preventing it from accepting traffic from foreign subnets ETA: Since it is shared-key the tunnel network will be treated as a /30 anyway….
  • Chromebook OpenVPN client connection?

    11
    0 Votes
    11 Posts
    7k Views
    I
    I had some issues getting this to work, don't forget to add lines for auth, cipher, etc. for your OpenVPN configuration.  Perhaps those are obvious, but it wasn't to me. "Auth": "SHA256", "CompLZO": "adaptive", "Cipher": "AES-256-CBC", Lastly, the template is great, but I used the HTML ONC generator (https://github.com/CharlesErickT/oncgenerator/blob/master/index.html) to help me.
  • OpenVPN routing issues using pFSense client

    10
    0 Votes
    10 Posts
    3k Views
    V
    Okay, so presumably the office router is missing the route to 192.168.2.0/24. You may also do well with NAT. That only results in translating the source address to the client's vpn address, so you're not able to determine the real origin device at the office site. If you don't like this behavior you have to set the routes at the server. Have you already set the CSO on the office pfSense with 192.168.2.0/24 in the remote networks field? If that is done, establish a vpn connection from home and check the routes on the office router.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.