• Default Gateway changes to OpenVPN

    6
    0 Votes
    6 Posts
    1k Views
    D

    I figured it out! So it looks like I do need to have that manual outbound NAT after all, it's just a bummer that I can't use aliases for that either. So I looked in my openvpn logs and saw there were a bunch of encryption/decryption errors. So I changed my cipher from AES-256 to BF and now I am up and running! Now to test for any leaking. Thanks for all the help guys, you were all very helpful and friendly.

  • Can't get openvpn exceptions in the routing

    4
    0 Votes
    4 Posts
    2k Views
    C

    edit: solution https://forum.pfsense.org/index.php?topic=74743.0

  • Persistent VPN with whitelist

    2
    0 Votes
    2 Posts
    894 Views
    D

    I am doing basically the reverse of what you are doing. Check this out for an idea on what needs to happen: https://forum.pfsense.org/index.php/topic,29944.0.html

    You can create rules that are based on Aliases, hosts, network range, etc. That can re-route your traffic however you define. You just have to set up the interface and gateway correctly.

  • Gateway offline- OpenVPN problems

    2
    0 Votes
    2 Posts
    889 Views
    C

    Try changing the monitor ip address in system->routing

  • Odd openVPN speed difference

    3
    0 Votes
    3 Posts
    2k Views
    S

    Using the current 2.1.1, originally set up on 2.1.0. Both connect ok.

    Try following the tutorial I linked above.

    I am having an issue with speeds and also an odd time out fail to reconnect issue.

  • 2 openvpns to hidemyass on one wn

    8
    0 Votes
    8 Posts
    2k Views
    G

    Hi Phil,
    all working now. I was expecting it to load balance across both openvpn no matter what I was doing, but it works per session, which is fine with me.
    I do get what I would call true load balancing when I use a download manager.
    I have now moved VPN providers to PrivateInternetaccess and have 3 openvpns working in the group.
    Thanks for your help

  • OpenVPN clients can't reach LAN computers not using pfSense as gateway

    6
    0 Votes
    6 Posts
    3k Views
    R

    Thank you all!!!  I really appreciate the help!

  • 0 Votes
    2 Posts
    1k Views
    P

    Should be no problem with pfSense behind your ISP router. As long as the PIA VPN link is up you are good.
    Feels like deja vu - sure I have typed this stuff before.
    Make sure PIA VPN client has an interface assigned.
    Make rules on LAN that policy-route traffic to PIA VPN GW.
    Firewall->NAT, Outbound, switch to Manual.
    On 2.1 you will get some rules generated for NATing out the PIA VPN. They should help, press save.
    On 2.1.1 and later, those rules are no longer generated (they were an inconsistent behavior). Add rules yourself to NAT out the PIA VPN GW.

  • Openvpn automatic login before use logs on vista

    9
    0 Votes
    9 Posts
    6k Views
    R

    Ok, maybe openvpn can't do the whole but this is how I was able to get around and get my solution.

    Make an OpenVPN Server with SSL/TLS only (thus no username password needed) on pfSense
    Export a client, with OpenVPN Manager
    Install openvpn manager on a workstation. Leave it with its default settings.

    Now I created a bat file and with the following line only :
    "C:\Program Files\OpenVPN\OpenVPNManager\OpenVPNManager.exe" -connect "xx-xxx-xxxx-xxxxx-config (service)"

    Named that file Openvpn start

    Now go to schedule tasks in windows and created a task to run as someone with administrator access, hidden, with highest privileges. Selected to run during startup and that's it.

    It might not be the best way to do it but it does work and I am able to authenticate with AD no problem.

    Hope this might help someone else.

    Thanks to phil.davis for his input but unfortunately that did not work for me even though I would love his way to work as that would have removed the bit of running that file with administrator access.

    If anyone else has any other way, let me know.

    I did not test this with wireless connection.  Might not work on wireless.

    Cheers,

    Raj

  • Remote sites getting same address

    2
    0 Votes
    2 Posts
    770 Views
    A

    Well, I have ended up just assigning static IPs to the different clients, this will work for me.  Still curious why it wasn't working before.

  • OpenVPN Server SIGSEGV on client connect

    1
    0 Votes
    1 Posts
    764 Views
    No one has replied
  • 0 Votes
    3 Posts
    860 Views
    H

    ok I think I got it working, I had the above settings - as recommended by phil - and
    it turns out you need some NAT rules (firewall-nat-(manual)outbound) and add an entry:
    select 'openvpn' as interface and 'from all' 'to all'

    or in my case I narrowed it down to
    from 10.0.7.0/24 to 192.168.2.0/24 and another entry 10.0.8.0/24 to 192.168.1.0/24 respectively (openvpn interface)

    I did a traceroute from sat1 to sat2 and it timed out at 10.0.7.1 so tested with the nat rule,

    I might have swapped the .7. and .8. but you get the idea…

    now in a perfect world: how to route all internet traffic out of the main office's connection...

  • Openvpn to main site to IPSEC tunnels to remote sites- HELP

    8
    0 Votes
    8 Posts
    2k Views
    T

    Hello,

    I have the same situation. I tried to solve it following the instructions but I cannot make it work.

    Can you give more detailed instructions please?

  • Multiple Client Tunnels Service not Running?

    3
    0 Votes
    3 Posts
    882 Views
    jimpJ

    Do they show running on Status > Services?

    Any errors in the OpenVPN log?

  • Disable VPN while gaming

    2
    0 Votes
    2 Posts
    788 Views
    D

    Yes, so disable it?

  • All traffic from separate interface, via OpenVPN client.

    5
    0 Votes
    5 Posts
    1k Views
    P

    Manual Outbound NAT needs a rule on interface VPN. Outbound NAT is applied on the way out, the rules go on the interface/s where the traffic exits.
    Also, the Outbound NAT rule on TESLAN is not needed - it won't break anything, but it will never match anything.

  • Site to site VPN for four remote locations

    5
    0 Votes
    5 Posts
    2k Views
    P

    @TC10284:

    Thanks for the quick response!

    I've been doing some more Googling…
    Is Tinc an easier/better solution or would you prefer OpenVPN?

    I have not tried Tinc, so I can't give a comparison. I use OpenVPN for site-to-site and Road Warrior "dialin" from Windows laptops. It works, so I use it - what more to say?

  • Pushing routes

    10
    0 Votes
    10 Posts
    2k Views
    T

    Ah! I'm on 2.1 but didn't know about the multiple route possibility. Will try that later

  • Force a group to use OpenVPN for Internet

    4
    0 Votes
    4 Posts
    1k Views
    C

    @phil.davis:

    System: Advanced: Miscellaneous
    Skip rules when gateway is down - By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down

    Check that box - pfSense is too nice, and when the target gateway is down it changes the rule to just pass the traffic to the default routing table (= out the default WAN in most cases). This box disables that "niceness".

    That fixed it. It seemed like it was some type of failover because it wasn't immediate. I looked and looked but was in the wrong area. Thanks for the help!

  • Openvpn site to site and remote hostname

    13
    0 Votes
    13 Posts
    4k Views
    R

    Well, I didn't find out how to make it work so I used the hard way. Creating a list of all PCs, create a batch to update lmhost and run it over each network. It's far from neat and clean but it works.

    Thanks to everyone!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.