Answering my own question.
I had 2 OVPN servers, each with different port config's running.

This didn't work for me.  Disabling one of the server config's allowed 443/udp to work very well on an iPhone over a cell connection.
I haven't tried this yet from a wifi connection outside of my home.

Definitely a client error. Completely uninstall OpenVPN and the tap adapter from the client and then download the most recent release from the OpenVPN site and try that.

Off course this is possible. pfSense is a firewall, that's its primary job.

How to do depends on whether you want to restrict access to a particular user or to all vpn users.
If all users should be restricted modify the default allow any to any rule on OpenVPN interface (assuming you have used the wizard for setup) and change the destination to "single host or alias" and enter the host you want to permit access to the vpn users.

If you want to restrict only certain users you have to configure client specific overrides at first to assign static IPs to these users and then use these IPs as source in the firewall rules.

Nevermind. Found it. DHCP Service on that Interface lets you specify all that.

My point was how you would access your machine would be via your normal wan IP from the public internet.

I would not go through some vpn tunnel you have already set up with some vpn provider.. I would go direct to your wan IP.  But would just vpn in via a vpn server you run on pfsense not some client to some vpn service.

I ran into the same issue a while back and solved it using the instructions from the user Efonne in this post:
https://forum.pfsense.org/index.php?topic=43507.msg225465#msg225465

@iorx:

By using NAT on the the routed OpenVPN connection, all client OpenVPN clients will originate from the the same, accepted IP, address. It's a solution, but I would like to see that each client poses with a unique IP (They've got some medical software which backtracks the clients IP and connects back to the client)

You can use outbound NAT to translate a whole subnet. So you can get a unique IP for each client as well.
E.g. the VPN tunnel network is 10.10.10.224/27, outbound NAT can translate it to 1.1.1.224/27. To wit 10.10.10.228 will be translated to 1.1.1.228 , 10.10.10.229 to 1.1.1.229 and so on.
What's the problem with this???

Yeah because those instructions are no longer valid.. Put in your username and password..  The username and password can be put in the gui now.

I was just showing them because you have a username and password to auth with, etc. When you were saying you didn't have any..

PM me your username and password for torguard and I will walk through a setup giving you pictures, etc.  I would do this on my own if they had a free trail, but don't really feel like giving them my cc.. To be honest not really a big fan of any of these vpn sites.  I just run my own off vps I have all over the place.    Once I am done you can change your username and password, etc.

Been here a long time, don't think I am going to try and do anything or steal your vpn account ;)  Just trying to help.. And sure clear instructions for 2.3.2 will be useful for the other users here as well.

no you can listen on port X on ipv4 and port X on ipv6..

I would assume as soon as openvpn 2.4 comes out of beta they will move to it..

In the OpenVPN server settings "inter-client communication" have to be checked to enable it.
The GW-client should have a static IP. Use client specific overrides on server to set this up.

On the GW-client you need a firewall rule on OpenVPN interface which allows Internet access.
Also there is an outbound NAT rule necessary on WAN interface which translates the addresses from source = VPN tunnel subnet to the WAN address.

There is no reason to push more routes to the client with redirect gateway set. That option pushes a default route.

2.3.2_p1 on Firefox hides local networks when redirect gateway is set on both new and edit. What specific version and browser are you using.

You could renumber your 192.168.1.0/24 network
They could renumber their 192.168.1.0/24 network
They could exchange traffic with your 192.168.16.0/24 if they implement 1:1 NAT on the VPN but that would have to be done at their end.

The best solution is for one of you to renumber off 192.168.1.0/24

What interests me is the OpenVPN connection site-to-site. In fact I attach firewall configurations of both the server (192.168.10.1) that the client (192.168.8.1).


So this server accessing your friend is an access server?
If it is check "Redirect gateway" in the server settings to direct any client traffic over vpn and add an outbound NAT rule for the vpn tunnel subnet. Firwall > NAT > Outbound.
The outbound NAT has to be set to automatic or hybrid mode.
In the NAT rule select WAN at interface, at source enter the vpn tunnel subnet and at translation "interface address".

Yes, I find it wierd behavior. But the device is otherwise good - and this has to be a one device environment. Asus AC-55U. It's got proper syslogging, good wifi and good 4G with antenna support. Compared to others, this is enterprisey. And comes with a OpenVPN -client built in. The specs with just one device is pretty unbeatable.

I hate the NATtin though, and hope to find some obvious misconfiguration being the reason.