@MoonKnight Thanks for the feedback. I have since gotten rid of the destination rule inversion on the IPGROUP_ROUTE_VIA_EXPRESSVPN and set it to Any. This gives me better protection to make sure absolutely nothing goes out that is in that group if it does not go out the ExpressVPN gateway.

@viragomann Yes, I think I tracked it down to the VPN instances getting the same virtual IP in pfsense, which is making it conflict. And these are not changeable.... so.... currently looking at setting up a dedicated vpn connection on the linux box for the static route for the mailserver.

@DominikHoffmann Since you can reproduce it I'd create a bug report at redmine.pfsense.org.

edit: Apr 26 11:17:34 openvpn 83673 do_ifconfig, ipv4=1, ipv6=0 Apr 26 11:17:34 openvpn 83673 /sbin/ifconfig ovpns4 172.16.10.1 172.16.10.2 mtu 1500 netmask 255.255.255.255 up Apr 26 11:17:34 openvpn 83673 /usr/local/sbin/ovpn-linkup ovpns4 1500 0 172.16.10.1 172.16.10.2 init Apr 26 11:17:34 openvpn 83673 /sbin/route add -net 10.4.0.0 172.16.10.2 255.255.0.0 Apr 26 11:17:34 openvpn 83673 /sbin/route add -net 172.16.20.0 172.16.10.2 255.255.255.0 Apr 26 11:17:34 openvpn 83673 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1800 tailroom:568 ET:32 ] Apr 26 11:17:34 openvpn 83673 Socket Buffers: R=[42080->524288] S=[57344->524288] Apr 26 11:17:34 openvpn 83673 UDPv4 link local (bound): [AF_INET]175.144.139.191:1120 Apr 26 11:17:34 openvpn 83673 UDPv4 link remote: [AF_UNSPEC] This is log from Server. Is there any indicator showing something wrong or its perfectly fine? VPN has been down for awhile when using openvpn after update on pfsense. anyone care to help?

@James92 It's pretty hard to tell you, what's wrong there, when only seeing two rows extracted from the log. Clear the OpenVPN log. Go into the server settings and set the log verbosity level to 4. Then try to connect from a client. Post the whole OpenVPN log after. You can obscure public IPs of course.

I want to force the client to use its own internet gateway. In my scenario, the client must definitely use its own internet. Some clients can send all traffic over VPN and the internet can be accessed through the VPN server's internet. I prevent this situation with security rules, but this time the internet cannot be accessed in any way. Even if routing is done to access the internet via VPN, my VPN server must not allow this and force it to use its own gateway. How do I do this?

@lifeboy Does the windows client machine have other network adapters such as vmware virtual adapters ?

@guillaume14 I made some tests with 2 pfsense box on the remote site: the first one (192.168.10.254) is the default gateway for the remote site computers (192.168.10.0/24) the second one (192.168.10.129) has only one interface (WAN) with 192.168.10.254 as a the default gateway and the OpenVPN client instance to the OpenVPN HQ instance If i add a route to the HQ site (192.168.14.0/24) on the first pfSense box using 192.168.10.129 as the gateway i cant access devices on the remote site (copier web interface for instance) from a computer in the HQ site but i can do a tracert to the same copier. Any clue ? Thanks

@JonathanLee Thanks this fixed worked for me. My iPhone would not connect without it.

Thanks @viragomann that works perfect

A reboot fixed it, but would be interesting what can cause this issue.

The problem still exists in 2.7. If during the OpenVPN client connection the interface, specified in client's config, is down, the connection happens through another gateway (which could be a metered backup connection for example). This is a major issue in my opinion. UPD: "Do not create rules when gateway is down" option is checked BTW.