• Revoking user SSL certificate blocks all other users

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    How exactly did you create your certificates? If you generated them all with the same serial number, that would explain why revoking one blocks them all. CRLs work by certificate serial, and if your certificate generation script or system did not give each certificate a unique serial number, then they all will be revoked if you revoke one of them. Look at the full cert details from a few of your certs and compare the serials.
  • OpenVPN: Client Export Utility issue

    3
    0 Votes
    3 Posts
    1k Views
    K
    Problem solved, user certificates were missing.
  • Route all traffic across openvpn tunnel

    2
    0 Votes
    2 Posts
    6k Views
    V
    In the server settings check "Redirect Gateway". This should push the default route to the client. Remember that you run OpenVPN on Windows with admin privileges. On the pfSense server go to Firewall > NAT > Outbound and check if there is a rule for WAN interface, with source = your vpn tunnel network and NAT Address = WAN address. If it isn't there, add it manually.
  • [How to] pfSense Selective Routing via VPN and WAN Interfaces

    14
    0 Votes
    14 Posts
    30k Views
    S
    Success! I accomplished this with two LAN rules, which I forgot to move to the top, duh. One for Hulu/PC routing to WAN, another for Server routing to PIAVPN. Marked the latter one as NO_WAN_EGRESS. Created then a floating rule. Question: PIA has a few US servers. Can I create multiple interfaces and use them for failover? E.g. PIA1 US-EAST, PIA2 US-NY, if PIA1 goes down, pfSense will try to bring up PIA2. Action: Reject Quick: Checked Interface: WAN (you can also select multiple WAN interfaces or an interface group here) Direction: out Protocol: any Source: any Destination: any Description: Reject outbound traffic marked NO_WAN_EGRESS Advanced: You can match packet on a mark placed before on another rule: NO_WAN_EGRESS
  • Some port filtered from client

    2
    0 Votes
    2 Posts
    758 Views
    R
    Replying to myself, I found the solution thanks to this post: https://forum.pfsense.org/index.php?topic=88467.msg504596#msg504596 Go to "System->Advance Networking" and disable: Hardware Checksum Offloading Hardware TCP Segmentation Offloading Hardware Large Receive Offloading and reboot.
  • OpenVPN: only grant access to LAN?

    2
    0 Votes
    2 Posts
    654 Views
    DerelictD
    Don't push a default route and put rules on your OpenVPN tab only allowing access to LAN.
  • Openvpn config is only partially successful

    10
    0 Votes
    10 Posts
    2k Views
    johnpozJ
    Do you allow ping to your wan?  If not then ping would fail. Is the site using a proxy?  If so you have to tell the openvpn client to use a proxy. So you're saying the tcp openvpn works at hotspot location #1 but not at this #2 site?  Or is your tcp vpn not working anywhere?
  • Site-to-Site Tunnel: Moved Office, now can't connect

    4
    0 Votes
    4 Posts
    1k Views
    D
    Glad you worked it out. Perhaps you could update the title of your first post with "[Solved]".
  • OpenVPN with transparent bridge, connects but has routing issues

    8
    0 Votes
    8 Posts
    4k Views
    M
    Everything I've read seems to indicate that my choices are bridged or routed+NAT For a simple remote access setup, you don't need NAT.  There are situations where NAT is a workaround or puts a band-aid on certain issues, but none of them apply to your situation. I've searched and could not find a post or any documentation for running openvpn with an external dhcp server unless you setup a bridged solution.  Even if you could, it might mess with tracking on your dashboard. Configure a road warrior, routed solution where your clients get their IP from the OpenVPN server.  Problem solved…. and you can monitor your connected clients from the dashboard. Pretty straight forward -> https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
  • OpenVPN Bridge

    1
    0 Votes
    1 Posts
    968 Views
    No one has replied
  • Unable to ping backup unit in CARP setup - solved.

    1
    0 Votes
    1 Posts
    514 Views
    No one has replied
  • OpenVPN: Can't access GUIs via browser?

    1
    0 Votes
    1 Posts
    625 Views
    No one has replied
  • OpenVPN: Only Forward Traffic Within VPN

    2
    0 Votes
    2 Posts
    706 Views
    kesawiK
    Have a look at /index.php?topic=105810.0. You may be able to adapt the details there to your requirements.
  • 0 Votes
    2 Posts
    1k Views
    S
    I apologize as I do not have an answer to your question, but am seeking an answer to my own.  I am also using PFSense and OpenVPN and I am attempting to configure the firewall to allow only the VPN traffic and block everything else.  So, if/when the OpenVPN connection drops, so does all other traffic.  I accomplished this on a linux router previously using the following IPtables rules, but can not how to conceptually do the same with pfsense, as there is not a "source port" option in the GUI.  Any help would be awesome! :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -p udp -m udp --sport 53 -j ACCEPT -A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT -A INPUT -j DROP -A FORWARD -j DROP -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT -A OUTPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT -A OUTPUT -j DROP COMMIT Completed on Thu Jan 14 11:13:06 2016 Generated by iptables-save v1.4.7 on Thu Jan 14 11:13:06 2016 *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A POSTROUTING -s 192.168.2.2/32 -o tun0 -j MASQUERADE COMMIT
  • Port sharing squid reverse proxy & openvpn

    5
    0 Votes
    5 Posts
    3k Views
    U
    Hi stanthewizard, thanks for your explanation. I got it up and running as described below. installed OpenVPN with the Wizard to listen on the WAN interface, port 443, TCP, tun mode in "Advanced" I inserted the following "port-share 192.168.0.1 4443" and added a NAT Port Forward rule as following: | If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | | WAN | TCP | * | * | WAN address | 443(HTTPS) | 192.168.0.1 | 443(HTTPS) | as expected, the firewall rule was created automatically, which is why the following rules are defined for the WAN interface: | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | | IPv4 TCP | * | * | WAN address | 443(HTTPS) | * | none | | | IPv4 TCP | * | * | 192.168.0.1 | 443(HTTPS) | * | none | | squid3 reverse is listening on the WAN interface, port 4443 In my case the IP "127.0.0.1" did not work. The problem was that the pfsense is located behind the ISP's router which forwards the port 443 to the pfsense box. Instead, I had to use the WAN interface's IP address "192.168.0.1" of my pfsense box. Thanks again.
  • OpenVPN: View clients on the network?

    2
    0 Votes
    2 Posts
    836 Views
    M
    You can either add "OpenVPN" to the dashboard or go to Status -> OpenVPN.
  • OpenVPN: One user per computer or per person?

    3
    0 Votes
    3 Posts
    752 Views
    A
    I usually create a user account for each device - that way, if one gets lost/stolen, you can just revoke the account for that device, rather than having to put new configs on everything else that shared the same profile.
  • Please help me switch from Tomato OpenVPN Server to PFSEnse OpenVPN

    3
    0 Votes
    3 Posts
    1k Views
    O
    @mudmanc4: Here is a very good video to setup openvpn server and client on pfsense. https://youtu.be/VdAHVSTl1ys This will get the VPN server / client up and running. +1 to that video. I am a total noobie to VPN and PFsense and I got it up and running on my iOS devices and my Macbook within an hour or so.
  • Struggling to get OpenVPN working

    14
    0 Votes
    14 Posts
    2k Views
    D
    I figured everything out -- the problem was with the OVPN export part. I needed to change the hostname resolution part because it was defaulting to the WAN IP address but because there is a Verizon Router in front of my pfSense box, that WAN IP address is still an internal subnet address. After I changed the host name resolution to use a name, everything worked fine. Hope this helps anyone else who runs a pfSense behind a Verizon router
  • Reinstall OpenVpn Client after computer reboots,

    3
    0 Votes
    3 Posts
    850 Views
    M
    I hate to assume, so I'll just ask…. have you verified that they are launching the app as admin every time?  Check the client's routing table when they are connected.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.