• Could not locate the CA reference for the server certificate

    6
    0 Votes
    6 Posts
    34k Views
    R
    You may need to install one or more intermediate CAs so that your firewall can follow a chain all the way back to a trusted root CA.  You can verify this by checking /etc/ssl/cert.pem, which contains the list of CA root certificates that are trusted by your device.  If the issuer on your certificate isn't in that file, then you'll need to install intermediate CA certificate(s). For example, we use RapidSSL certificates here.  Since RapidSSL isn't a trusted root CA, we have to install their intermediate CA certificate, which bridges back to GeoTrust, which is a trusted root CA.  (Screenshots attached.)
  • How to use OVPN only on Steam?

    3
    0 Votes
    3 Posts
    1k Views
    R
    You can do this with the Rules section under the firewall settings: set up an Alias list for all the Steam servers (*.steam.com), then under the LAN rules use source LAN net, dest ALIAS NAME, all ports, and then under the advanced section pick the OPT (OpenVPN) as the gateway.
  • Client install packages missing

    3
    0 Votes
    3 Posts
    1k Views
    D
    There doesn't seem to be an option to just restore the certificates, but then as the machine name has changed I don't think the certificates from our live system would work anyway. Since my first post I had a brain wave: create a new OpenVPN server through the wizard, and that seems to have done the trick. Just need to test the VPNs work now. Cheers, Dean
  • IPv6 tunnel using SLAAC?

    3
    0 Votes
    3 Posts
    1k Views
    G
    Thanks for the answer. Meanwhile I found the following in the OpenVPN manual, which describes the address assignment pretty well: "Specify an IPv6 address pool for dynamic assignment to clients. The pool starts at ipv6addr and increments by +1 for every new client (linear mode)." I believe that the linear mode is the only option for address assignment using a tun interface, and only tun is supported by my iOS devices. I'm going to request a feature like "Simulate IPv6 Privacy Extension" from OpenVPN, but I don't see a straightforward solution for that.
  • Vpn gateway shows as offline – but works fine ?

    3
    0 Votes
    3 Posts
    3k Views
    G
    Thanks, you were right, the provider's server will not reply to a ping. I fixed it by monitoring another IP address only accessible via the VPN. Thanks
  • DD-WRT Client to pfSense

    8
    0 Votes
    8 Posts
    3k Views
    D
    I've managed to set up a few DD-WRT to pfSense OpenVPN links over the years and the experience has definitely improved. My earliest attempts (still working after 8+ years!) with Linksys routers involved scripting and other kludges to survive a reboot. My latest was with a pair of ASUS N66RT's allowing access to the owner's office server(s) from two remote locations. The latest DD-WRT made it feasible to implement the whole thing through the GUI - no scripts required. That said, it's always an experience to find the most reliable firmware version to match the device you've got. I've tended to go for units with more Flash/RAM to avoid the feature "squeeze" of smaller units. All in all the setups have been very reliable. I would still rather find a small box to run pfSense, but where that doesn't work DD-WRT keeps things at least reasonably sane...
  • OpenVPN Client Selective Startup

    3
    0 Votes
    3 Posts
    1k Views
    L
    @doktornotor: Have you noticed the "Disable this client" checkbox? I have noticed it. I could also shutdown my PIA interface but I was looking for more of a solution that leaves the service/interface enabled but just doesn't start on boot. Worst case I'll just use the disable client option as you pointed out.
  • Extended LAN with multiple LANs on the same network 10.25.6.0/24

    5
    0 Votes
    5 Posts
    1k Views
    D
    I already linked what you need to do above so that everyone can talk to everyone.
  • OpenVPN Bridge to VLAN Containing Windows 2012 R2 DHCP/DNS Server - Setup

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Added a new client and routing doesn't work from my LAN

    5
    0 Votes
    5 Posts
    1k Views
    L
    Attached the photos. Two more that I couldn't get on the previous post.
  • RDP over VPN

    2
    0 Votes
    2 Posts
    1k Views
    L
    Most likely this is the firewall on the destination machine. Have you tried turning Windows Firewall off?
  • VPN with non-default gateway

    4
    0 Votes
    4 Posts
    1k Views
    D
    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
  • Status OpenVPN: Peer to Peer - I don't see connected client

    1
    0 Votes
    1 Posts
    689 Views
    No one has replied
  • MOVED: OPEN VPN FOR ANDROID-IPHONE-BAM (configuration help)

    Locked
    1
    0 Votes
    1 Posts
    482 Views
    No one has replied
  • Script call at OpenVPN dial

    1
    0 Votes
    1 Posts
    505 Views
    No one has replied
  • Can connect with OpenVPN on LAN but not WAN (TLS handshake failed)

    3
    0 Votes
    3 Posts
    2k Views
    G
    Thanks for your suggestions. I now understand the problem. It turns out that the main location where I have been attempting to use the OpenVPN client is a network behind a NAT firewall that blocks the default OpenVPN port (1194). I am able to connect as a client from other public locations. I am going to try reconfiguring pfSense to serve OpenVPN on an alternate port. Hopefully, that will solve the problem.
  • OpenVPN routing issues

    3
    0 Votes
    3 Posts
    750 Views
    M
    Post a network map. Post the OpenVPN config (server1.conf, client1.conf) from both sides.
  • OpenVPN Routing to ENTIRE network.

    22
    0 Votes
    22 Posts
    4k Views
    M
    That's what I figured, but couldn't post 'til now. Since 2.x, you can enter multiple subnets into the GUI and the routing directives will be generated automatically.
  • 0 Votes
    3 Posts
    961 Views
    O
    @Derelict: There is really no reason to use different IP addresses for that. One IP address can have multiple outbound OpenVPN client connections. You would then use policy routing to send traffic from, say, 192.168.1.2 out the correct OpenVPN client connection. But if you really want to, I believe you would create VIPs on WAN for the IP addresses, then select that VIP as the Interface in your OpenVPN client config. Thanks for the prompt response. I tried that initially, but every time I have an OpenVPN client established, I lose WAN traffic even at the default gateway (non-OpenVPN directed) level. I saw a guide for Private Internet Access where they used one of the available interfaces to dedicate OpenVPN traffic. I gathered the point of doing so was to reinforce the requirement to use the OpenVPN and maybe not to have an imperfect, messy NAT chain of rules. I have tried both ways. I don't mind utilizing OpenVPN client connections on the same IP; however, right now I haven't filled all that's paid for, so I thought to dedicate two IPs for use of pftop viewing at a glance and maybe some analyzing down the road.
  • 0 Votes
    11 Posts
    2k Views
    DerelictD
    Don't know, dude. It works every time I do it.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.