Well you can certainly try the VPN solution and see if it helps. There's probably a VPN provider out there with a free trial. I wouldn't consider upgrading your hardware unless you confirm a VPN to help you out and even then only if you aren't satisfied with the performance you're getting out of your current setup.

Had this same problem today. In testing a new pfsense install on my home network, the WAN address is being assigned a 192.168 address. The resolution ended up being to turn off "Block private networks and loopback addresses" and "Block bogon networks" in the Interfaces->WAN configuration. After i turned these off, i could connect to the WAN:1194 UDP port. I will turn these back on when i deploy this device and the WAN is assigned a public address.

Derelict, I think you nailed it with the CARP interface specified in the gateway group.  I had one of them set and the other was using the interface, not the CARP.  Must have been through my tinkering I must have adjusted and the several layers of disconnection between the vpn client and that config never had me check again.  Going to test during a maintenance window or if we lose ISP, whichever happens first. Thanks Peter

jimp and johnpoz - thank you both very kindly for your great help! I manually modified the installers for a couple quickly-needed deployments, but I'll upgrade shortly.

@jimp: With /30 topology the server address in the /30 is completely virtual and often cannot be pinged. You have to set your own monitor IP address for that case, it can't be automatically determined in a reliable way. I can't set the gateway manually because the gateway change at each connexion. Again, it's usefull to ping local IP address, it could be nice if user sould be able to choose dynamic remote address. @jimp: For the status, that is pulled directly from OpenVPN's management interface. If it's wrong, it's a bug or quirk in OpenVPN's behavior, so you'll have to raise the issue upstream with OpenVPN directly. You're right, I confirm the IP address is wrong in OpenVPN interface, I'll check with openvpn project. For that moment, do you know if it's possible to push the new gateway IP address manually to pinger with a script (without pfSense GUI) ? Thank you,

Can u please specify the changes you made? i have the same problem.

Yeah you are correct to turn that off. All that does is allow your DHCP server to  override your settings. Check these articles out: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

Yeah sure, but in your OP you specified that you didn't want to route by specifying ports. Any firewall rule can be made to use a VPN gateway, you just select your VPN as the gateway in the advanced rule settings.

Is there a different default gateway set on this Windows server, another than the Vyatta?

The full log if it's of any help: Mar 29 09:39:22 openvpn 18498 Initialization Sequence Completed Mar 29 09:39:22 openvpn 18498 ERROR: FreeBSD route add command failed: external program exited with error status: 1 Mar 29 09:39:22 openvpn 18498 ERROR: FreeBSD route add command failed: external program exited with error status: 1 Mar 29 09:39:22 openvpn 17204 Initialization Sequence Completed Mar 29 09:39:22 openvpn 18498 /usr/local/sbin/ovpn-linkup ovpnc2 1500 1558 10.43.10.6 10.43.10.5 init Mar 29 09:39:22 openvpn 18498 /sbin/ifconfig ovpnc2 10.43.10.6 10.43.10.5 mtu 1500 netmask 255.255.255.255 up Mar 29 09:39:22 openvpn 18498 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Mar 29 09:39:22 openvpn 18498 ioctl(TUNSIFMODE): Device busy: Device busy (errno=16) Mar 29 09:39:22 openvpn 18498 TUN/TAP device /dev/tun2 opened Mar 29 09:39:22 openvpn 18498 TUN/TAP device ovpnc2 exists previously, keep at program end Mar 29 09:39:22 openvpn 17204 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1558 10.51.10.6 10.51.10.5 init Mar 29 09:39:21 openvpn 17204 /sbin/ifconfig ovpnc1 10.51.10.6 10.51.10.5 mtu 1500 netmask 255.255.255.255 up Mar 29 09:39:21 openvpn 17204 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Mar 29 09:39:21 openvpn 17204 ioctl(TUNSIFMODE): Device busy: Device busy (errno=16) Mar 29 09:39:21 openvpn 17204 TUN/TAP device /dev/tun1 opened Mar 29 09:39:21 openvpn 17204 TUN/TAP device ovpnc1 exists previously, keep at program end Mar 29 09:39:19 openvpn 18498 [5ad846e5cc1f0de1b191851de6585c8b] Peer Connection Initiated with [AF_INET]209.222.23.62:1198 Mar 29 09:39:19 openvpn 18498 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC' Mar 29 09:39:19 openvpn 18498 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542' Mar 29 09:39:19 openvpn 18498 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Mar 29 09:39:19 openvpn 18498 UDPv4 link remote: [AF_INET]209.222.23.62:1198 Mar 29 09:39:19 openvpn 18498 UDPv4 link local (bound): [AF_INET]82.16.99.44 Mar 29 09:39:19 openvpn 17204 [6c8636367fc1b43d257d7e0b8008e2ad] Peer Connection Initiated with [AF_INET]108.61.122.221:1198 Mar 29 09:39:19 openvpn 17204 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC' Mar 29 09:39:19 openvpn 17204 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542' Mar 29 09:39:19 openvpn 17204 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Mar 29 09:39:18 openvpn 17204 UDPv4 link remote: [AF_INET]108.61.122.221:1198 Mar 29 09:39:18 openvpn 17204 UDPv4 link local (bound): [AF_INET]82.16.99.44 Mar 29 09:39:14 openvpn 18498 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Mar 29 09:39:14 openvpn 18498 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Mar 29 09:39:14 openvpn 18213 WARNING: file '/var/etc/openvpn/client2.up' is group or others accessible Mar 29 09:39:14 openvpn 18213 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09 Mar 29 09:39:14 openvpn 18213 OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017 Mar 29 09:39:13 openvpn 17204 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Mar 29 09:39:13 openvpn 17204 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Mar 29 09:39:13 openvpn 17106 WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible Mar 29 09:39:13 openvpn 17106 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09 Mar 29 09:39:13 openvpn 17106 OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017 Mar 29 09:39:13 openvpn 14626 Initialization Sequence Completed Mar 29 09:39:13 openvpn 14626 UDPv4 link remote: [undef] Mar 29 09:39:13 openvpn 14626 UDPv4 link local (bound): [AF_INET]82.16.99.44:1194 Mar 29 09:39:13 openvpn 14626 /usr/local/sbin/ovpn-linkup ovpns3 1500 1558 10.8.0.1 255.255.255.0 init Mar 29 09:39:12 openvpn 14626 /sbin/ifconfig ovpns3 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.0 up Mar 29 09:39:12 openvpn 14626 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0 Mar 29 09:39:12 openvpn 14626 ioctl(TUNSIFMODE): Device busy: Device busy (errno=16) Mar 29 09:39:12 openvpn 14626 TUN/TAP device /dev/tun3 opened Mar 29 09:39:12 openvpn 14626 TUN/TAP device ovpns3 exists previously, keep at program end Mar 29 09:39:12 openvpn 14626 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Mar 29 09:39:12 openvpn 14313 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.09 Mar 29 09:39:12 openvpn 14313 OpenVPN 2.3.14 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 15 2017

Beside routing, you may want to check firewall rule on both Site A and Site B. It would be easier for comment if you share current configuration.

@johnpoz: "30 seconds of work adds an extra layer of security. " Sorry it doesn't - that is not how security works in IT.. Let me guess you also hide your SSID or don't broadcast it and use mac address filtering.. Since they are added layers of security? ;)  Do you also turn off your dhcp server as another layer? But yeah those keep grandma from hacking your wifi ;) No, I stand by my answer. The snark is irrelevant. Making something a little more difficult is good planning. The real security is not impaired if some nuisance security is tossed into the mix. It just makes brittle snobs all huffy.

You would enter the fully qualified domain name (e.g. hostname.domain.com) - Whatever hostname is in DNS that points to the firewall on the address used by OpenVPN

Hi Old but hey! Seems your VPN Provider has been possibly marked as been known for Fraud or Fraudulent Attempts in the past or current, so they may ear mark it for "Further Authentication" to mitigate these attacks,. Failing that, it could be due to the way your VPN & your Machine handles the Certificate that the site provides. Hope this helped.

Thanks Jim!

Oh that did it..thanks.  I thought that would have broken my policy based routing as well but it seems to still work.