I've checked this, and its OK.
After some testing, this symptom appears even in 2.0.1 and 2.0.2.
The OpenVPN client regularly tries to reach the server on the wrong interface, and this cause the error message to appear in log….
This is really strange. pfsense is configured with double WAN interface.

Any idea ?
Is this misconfiguration or bug ?

Your OpenVPN server config does not mention what you put for "Local Network" and "Remote Network". On the server, you certainly need to specify "Local Network" - 10.20.0.0/24 - and that will be told to the clients.

RESOLVED.

Second network uses Captive portal. When I add VPN client address which I get from VPN server, to allowed IP's in captive portal, everything works perfectly.

I didn't be redirected to captive portal page when I put AP address in browser.

Presumably if you have the client still there to test that it still worked, you have the certificate there on the client PC.
Just grab the cert from the OpenVPN config dir and import it back into the pfSense GUI.

That is correct for an SSL-based tunnel with a tunnel network larger than /30.

Here is a how-to for doing a multi-site OpenVPN + certificate setup where you have one server process and multiple clients:

http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_%28SSL%29

Pay particular attention to the notes about client-specific overrides and iroutes.

:) lol… Sorry the Pfsense VM is not running under qemu but kvm.

The bare-metal is running on a HP Proliant M115

The host machine for the kvm pfsense running dual xeons (6 Cores each) Westmere. It has 4 cores allotted and  2gb ram.

I disabled encryption to see if the problem was CPU bound...

dns was not the issue.. had to create a trust between the domains, works so i'm up and running.. thanks for the answers and advise.

I only have two items in my bag of tricks:

Shut down and restart
Wipe and reinstall

If you take those away I have nothing  :'(

My guess is that you didn't install the openvpn client package in windows as admin.
When you install the package, you have to right click, run as admin and accept all the following dialogue boxes.
I also make a habit of right click and running the openvpn gui as admin even after install, but its not required.

If you are not sure that you installed as admin, please uninstall openvpn completely and and then reinstall with the right - click run as admin.
I also use TUN usually and not TAP so much.  If you have other VPN solutions installed along side openvpn, those can also cause issue.

(windows firewall or any firewall can also break things - Might want to deactivate those during troubleshooting)

Just wanted to post a follow-up. Not sure why, but this config (NAT through the LAN address with the posted config) is working properly today. Thanks for the replies!

Good news. It's working! It's just our one site that's not connecting properly, and of course that was the one I was using for testing.

Great guides posted by everybody.

all errors resolved.. thanks all

@phil.davis:

What pfSense version?
OpenVPN server or client bound to a gateway group should fail-over and fail-back on pfSense 2.1

pfsense version 2.0.3-RELEASE (amd64)
OpenVPN client running in pfsense. Failover works well, no problems. When the failed WAN interface comes back online, traffic is still routed through secondary OPT1 and does not switch back to faster WAN.
I should switch to 2.1?

What you want in the client config is:

Thx, I'll give it a shot later today…

I think he won't release his "Intranator" 800€ hardware box! But yeah that would definitly make things much easier...

Greetz
Mircsicz

Apologies for the slow reply, I've been on site all day today.

@phil.davis:

I'm impressed - quickly changed all that network stuff and got it to work again in a reasonable time! The network design looks good.

Thanks. Despite the "noob" questions I do actually understand most of the technology and I'm pretty handy . What isn't so clear is the pretty dire explanations of things at times. It's all perfectly fine if you need/want an identical setup but useless to understand whats really going on under the hood. However I digress ;)

Ok.

We have progress. I'm not quite sure why it's working but it is. I did make a tweak to the rule last night which off hand I can't remember now so it might have been that.

I now have to figure out why I still can't access the console of my VMware VM's due to the "MKS" error. I expected that to go away as I'm technically on the same LAN as it but seemingly not :(

Thanks once again

G