• WoL half broken after setting pfSense up as an OpenVPN client

    1
    0 Votes
    1 Posts
    598 Views
    No one has replied
  • Unable to get Selective routing to OpenVPN(PIA) to work for single IP

    3
    0 Votes
    3 Posts
    549 Views
    C
    amazing..such a simple fix! thank you so much!
  • OpenVPN Status indicator -> service not running?

    7
    0 Votes
    7 Posts
    11k Views
    P
    Awesome! I'm glad it worked for you. I don't know why the system gets out of sync but it's happened to me a few times and you can find threads back in 2013 with people having the same problem. I don't know if anyone's ever looked into fixing it?
  • 0 Votes
    2 Posts
    1k Views
    P
    There are a few possibilities. You might try switching to a different PIA server; they are not all created equal. Here's their list: https://www.privateinternetaccess.com/pages/network/ Another potential issue: is your Nighthawk router running as an AP only (all services DHCP, DNS, QoS, NTP, etc. turned off at the Nighthawk's WebGUI)? If it's trying to do a bunch of stuff it may be working against pfSense and causing issues. My guess is that you've already done this but I thought I'd ask. Last option, if neither of the above two work, is that your CPU is probably the limiting factor at 1.6GHz. If this is the case then you have two options. One, obviously, buy a new CPU. The ASRock Apollo Lake SoCs are cheap, have the latest AES-NI, and have higher clock speeds while remaining low power and fanless. Unless you need 4 cores for something else CPU intensive you are doing, I would recommend the J3355 for its high clock speeds and low cost. The other option is to keep your existing hardware and create two OpenVPN client processes. All you do is create a new OpenVPN client, just mirror the one you already have, then go to System > Routing > Gateway Groups and create a new group, select both of your VPN clients and set them both to tier 1. Finally, go to your firewall rules and for everything you want to use the VPN, select your gateway group as their gateway in advanced settings. What you are doing here is splitting your VPN into two streams; since OpenVPN is purely single-threaded, this lets your CPU use two of its cores to process your traffic. By setting both of the clients to tier 1 your computer will balance the load between the two processes. This isn't a magic bullet: your per-instance VPN total speed will not double. If your CPU maxes at 50Mbps and you do this, then if only one computer is using the VPN, it will still only get 50Mbps. But if you have two computers each trying to use 50Mbps at the same time, they will now each get the full 50Mbps.
So even though it isn't a perfect solution, I still recommend you do it for another reason(s). PIA servers sometimes (rarely) go down completely and more often suffer from decreased performance during peak hours. If you configure two or more clients in this method and select a different PIA server for each, you can mitigate this shortcoming by spreading your traffic over multiple servers. Here's the thread where I learned of this, which links to another thread with more instructions if you're interested. https://forum.pfsense.org/index.php?topic=123927.msg690987#msg690987
  • OpenVPN idle timeout

    3
    0 Votes
    3 Posts
    11k Views
    F
    Thank you! I'll definitely try it.
  • Dynamic IPs in IPv4 Local network(s)?

    3
    0 Votes
    3 Posts
    690 Views
    B
    Thanks for the response.  I'm not looking to get the list of IPs… I'm looking to set it, and update the settings on a schedule based on DNS lookups.
  • Lost route to remote subnet after random number of days

    2
    0 Votes
    2 Posts
    533 Views
    M
    Stop gap measure, check for missing route every hour, reinstate if missing. Ugly, but reduces stress until root cause found. Improvement suggestions welcome.

        #!/bin/sh
        #
        # check if 10.4.52.0 route has gone missing
        if [ "$(/usr/bin/netstat -r4 | grep 10.4.52)" ]
        then
          echo 'Found 52, no further action'
        else
          logger -p local3.warn 'Route 10.4.52.0 not found in route table'
          echo 'Route 10.4.52.0 not found in routing table, added'
          route add -net 10.4.52.0/24 10.4.9.2
        fi
  • Multipurpose openvpn server with /30 client specific override

    2
    0 Votes
    2 Posts
    972 Views
    M
    Under Windows some route is missing From VPN / OpenVPN / Client Export Utility (when the client export package is installed) Management Interface Use the OpenVPNManager Management Interface. This will activate management interface in the generated .ovpn configuration and include the OpenVPNManager program in the Windows Installers. With this management interface, OpenVPN can be used by non-administrator users. This is also useful for Windows Vista/7/8/10 systems where elevated permissions are needed to add routes to the OS. NOTE: This is not currently compatible with the 64-bit OpenVPN installer. It will work with the 32-bit installer on a 64-bit system. What I've found strange No, no you don't get to commingle two questions in one with insufficient detail. You said previously everything works great. Cannot ping is not great, it's broken. It may not be allowing icmp on Firewall / Rules / OpenVPN.
  • Forwarding openvpn traffic

    2
    0 Votes
    2 Posts
    907 Views
    M
    You can browse direct to the pfSense in tunnel ip address, it is listening. You will need a Firewall / Rules / OpenVPN allow access to self (same as anti-lockout rule on wan). From the example you list it would be https://192.168.204.1 You should also be able to browse to the pfSense inside LAN address https://192.168.20.1 from example. The server side router knows how to get to all of those addresses, as seen in Diagnostic / Routes.
  • OpenVPN, NAT redirect WAN site how ?

    2
    0 Votes
    2 Posts
    843 Views
    M
    Yes, can be done with NAT, and does work. Setup regular openvpn connection, in your choice of flavour. Additional changes…
    client - change port to alternate chosen 53, 21 etc, ie not 1194
    server - if 53, set DNS Resolver/Forwarder to not listen on WAN, by selecting only LAN, OPT, localhost etc
    server - firewall / NAT / Port forward: interface WAN, protocol UDP, destination WAN address, destination port 53 (or 21 etc), redirect target IP x.x.x.x (WAN actual address, or an alias of it, but not localhost), target port 1194
    vpn then connects, or at least in my lab it does. YMMV. Not sure how it would work with dynamic public IP on server side. Now you can vpn from places that block most outbound ports, but allow common ports like 53, 80 etc, or to make it less obvious you are using vpn.
  • Block webui from static vpn ip

    2
    0 Votes
    2 Posts
    590 Views
    M
    Firewall / Rules / OpenVPN: Add a rule to allow the traffic you want. Below first rule, add another rule to drop everything (else).
  • Client IP in 'REMOTE_ADDR' through OpenVPN

    2
    0 Votes
    2 Posts
    623 Views
    M
    You could use NAT 1:1 on the pfSense box. NAT the VPN clients onto some useful network range, ie hide whatever remote address they're using.
  • Routing Through WAN/VPN Interface Depending on IP Range

    10
    0 Votes
    10 Posts
    2k Views
    V
    You're right, the gateway. I didn't notice.
  • VPN client download from PfSense

    2
    0 Votes
    2 Posts
    4k Views
    M
    It's in a separate pluggable package. System / Package Manager / Available Packages: OpenVPN client export
  • Issues With External VPN Connections – PF Sense Behind Cisco Router

    2
    0 Votes
    2 Posts
    507 Views
    M
    I have your scenario working reliably on a 867. Differences I can see from my config to yours:

        ip virtual-reassembly
        ip virtual-reassembly in
        ip nat inside source static udp 10.20.0.2 1194 x.x.x.170 1194 extendable
        ip nat inside source static udp 10.20.0.2 1194 interface GigabitEthernet0/0/0 1194

    (Assuming 10.20.0.2 is your pfSense box, which it could only be with 252 mask.) Plus you need the access-list or access-group permit udp 1194 stuff.
  • Using pfSense to public IP a 3G network

    2
    0 Votes
    2 Posts
    580 Views
    M
    Cellular ISP does carrier grade NAT within their network. Cell connections are generally not on connectable public IPs. You shouldn't need any NAT on your side to get a site to site connection working. More like:
    a) pfsense VM as OpenVPN server peer-to-peer on a regular fixed connection (fibre/cable/dsl). Can be with public IP (bridge mode), or port 1194 udp forwarded from ISP side router.
    b) pfSense router behind 4G connection, as Open VPN client, peer-to-peer.
    b) connects a), and maintains the connection, over 4G, 3G, whatever. You can access all of b)'s network from a), or even do a NAT port forward on pfsense a) to any b) address.
  • What Now?

    8
    0 Votes
    8 Posts
    1k Views
    P
    No worries, I'm glad it worked out!
  • 0 Votes
    4 Posts
    23k Views
    emammadov
    Thank you very much for your help.
  • I want to communicate pfsense A to pfsense B

    6
    0 Votes
    6 Posts
    1k Views
    Derelict
    - OpenVPN is routed, IPsec traffic selectors are in the kernel.
    - You can policy route into OpenVPN, not so with IPsec.
    - Along those lines you can forward traffic from the internet over OpenVPN to a target host and get the benefit of reply-to for the reply traffic. Not so with IPsec.
    - IPsec generally performs faster than OpenVPN.
    - You generally don't have a lot of interoperability issues with OpenVPN. IPsec, particularly IKEv1, can be, umm, challenging.
    That's my short list of important differences.
  • My phone seems to connect to PFsense ipv6 and won't work

    5
    0 Votes
    5 Posts
    1k Views
    X
    I figured out the problem guys, if anyone is interested. I guess my wireless carrier is utilizing some IPv6.  In the APN settings on my cell phone, it was set to IPv6/IPv4.  As soon as I set it to IPv4 only, my VPN started working as normal over the cell network.  It may be a bandaid solution but at least it is all working now.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.