SUCCESS! I did as you said, added the openvpn server as a separate interface. Then I copied the any/any OpenVPN rule to the new interface, and deactivated it on OpenVPN interface. Both internet and LAN hosts are now reachable through my VPN server, and the VPN providers port forwarding to me works. :)

I do plan to eventually make the SG-1000 my primary router for myself, but currently I have a lot of special configuration on the router that I don't want to replicate and I don't want the "production" network to go down if I screw-up the SG-1000 configs. Also, I want to have the option to use SG-1000 as an "OpenVPN appliance" that I can just "drop-in" to client networks by having it completely pre-configured.  The LAN port would get an address by DHCP, so the only configuration I would have to do is define a DHCP address reservation on the foreign/main router and add one port forward to it and then the SG-1000 would just be a "plug and play" device to add a short-term inbound VPN to the network.  A "keep in the toolkit" and deploy so I could minimize time onsite and do the more advanced network administration (of the other stuff, not the SG-1000) via a secure remote access VPN.  (Theoretically, I might even be able to FedEx it to a client and talk them through the minimal installation without a physical trip.)

Is your work LAN subnet really 192.168.1.0/24? Also, your tunnel network is fairly narrow (/29) which means it can only handle 6 clients max (depending on your topology)… even less if you switch to net30 .. is that what you wanted?  Although, you're not even getting that far, you're having handshake issues... so first... we'll need to see more of the log and second, were the client certs created upon user creation?  If not, that may be your issue.

I found the answer on a commercial vpn guide page. Basically I had to setup outbound nat rules to route the traffic.

i could go back to tomato but wanted to have a more secure setup on one end. thank you for your help anyway. was looking for a more stepbystep idea. i mentioned iptables just as a reference..

Anyone have any kind of feed back? Did I post this in the correct section of the forums?

@viragomann: That should be possible though. However, you have to care, that each client connects through the WAN gateway. So in the client settings of each check "Don't pull routes" to avoid that the server sets the default route. Now you have to control VPN traffic by firewall rules (policy routing) and each client should connect well. Thanks Viragomann!!! That worked.

I just upgraded to advanced tomato version. everything seems fine settings wise but still i need 3 certificates: CA, Client certificate and a Client key… when i do a export from pfsense i get just one certificate... how can i get the other ones?

if your telling the client go down the tunnel for EVERYTHING, there is little reason to have to send routes for your specific networks since EVERYTHING will be coming down the tunnel ;)

@ThePieMonster: haven't been able to find any guides on how to use Windows AD authentication with pfSense's OpenVPN Server. How much time have you spent searching? 0 secs? https://www.google.com/#q=pfsense+openvpn+radius+active+directory

Yes, the problem was, that I haven't created a certificate for the user itself, but used the VPN's CA… After the modifications everything goes well now. Thank you for your help and I wish you a happy new year!

Solution: we have to stop routing service

Got it to work.. The biggest problem I had was determining the correct external IPV6 address to use as I made it more complicated on myself as I did not have my cable modem in bridge mode. But, figured it out. Thanks again for trialing this so that I at least knew that it did work (or didn't have some sort of bug). Then I knew I just had to play around to get the right addressing and port forwarding. Awesome!

I saw this thread from 2013 and wonder if anyone has found a solution to syncing from iOS over OpenVPN to iTunes on the other side of the tunnel. Thanks…

@johnpoz: That really should have zero to do with it.. Is your remote client a member of your AD?  And you want it to register its vpn IP when it comes in via vpn? Yes this is a AD Member, as i say the same Device and Shrewsoft Client with IKE without any Problems only openvpn.

you guys were spot on! much appreciated !

@sos: I've reset my pfSense setup back to factory default, and just re-set up my openVPN server using the wizard, before setting any other services or firewall rules up. Glad to report that all is working, using my android phone and linux clients, via a 3G connection. As I carefully rebuild the rest of my configs, I'll keep checking functionality and may retrospectively be able to figure out what caused the issue in my case. Perhaps there was some stale firewall rule or state. Will report back if I find anything, but in the meantime, thanks for all the suggestions. Yesterday, I did the same: reset to factory defaults -> start new configuration with openvpn-server first and now it works ??? After setting up the ovpn-server, I reconfigured all (nat-)rules, snort, webproxy, vpn-clients, outgoing vpn-failover and wan-failover and did a connection test after every single step, without any errors. Now the configuration is exactly the same as before and openvpn-server is reachable. So I have no idea what the problem might have been.