check your config again or paste it here again, there are errors in the logs which need resolving:

Apr 13 14:36:10 openvpn[27464]: OpenVPN ROUTE: failed to parse/resolve route for host/network: no-pull
Apr 13 14:36:10 openvpn[27464]: RESOLVE: Cannot resolve host address: no-pull: [HOST_NOT_FOUND] The specified host is unknown.

That depends on your specific mode of OpenVPN server. In SSL/TLS and SSL/TLS+User Auth mode, it does include the certificate.

Updating this old thread because it comes up in search results. In 2.0.2 release and newer, you just need to bind the OpenVPN client instance to a CARP IP, and the system automatically handles starting/stopping the client instance with the CARP status.

@jimp:

Put your allow rule for OpenVPN above any of the pfblocker rules.

Once the connection is active the firewall state lets it through so it ignores the rules from that point on since it's an active connection.

cant believe it was that simple!  I did not know you could move up the rules, my bad. Thanks!

Worked first time - can't do better than that

Thanks

Andrew

Sure, either by pushing a route to the clients for the IPs you want to go over the VPN, or using the option to force all client traffic through the VPN.

The default automatic outbound NAT config will do NAT for the VPN tunnel network so it should work with minimal effort. If you're using manual outbound NAT you'll need to make sure you have a rule that covers the VPN client subnet.

Beyond that, make sure your OpenVPN tab rules allow the traffic through and it should work fine.

We backed up the config, then did a factory reset on those two machines. With nothing but LAN/WAN IPs and the VPN configured, everything works flawlessly as expected. Will see if we can find out the breaking difference by comparing the configs :-)

Chris,
I want to thank you for all your hard work in furthering pfSense to what it is today.  What an extremely powerful and useful solution.
For a home user like myself,  the support option is pricey to say the least.  My system to date has cost under $400 running an Atom based board and Ubiquiti Unifi AP Pro.  I'm positive someone with the requisite knowledge could solve my issues in a relatively short period of time.  Spending $600 though is out of my budget and the reason why I came to the forum.  I bought The Book of PF, pfSense 2 Cookbook, and your Definitive Guide and still was having difficulty solving my issues on my own.  
My plan was to use either freelancer or elance to try and get someone to solve them then post up the solution here for whomever wanted the same setup.  
I would wholeheartedly trust the world's foremost pfSense experts but unfortunately I just don't have the budget at present to support that option.

I installed pfsense 2.1beta using snaphots. I configured it in "tap" mode. After dealing with windows firewall everything seems to be ok now.
Except, when i try to connect to vpn server from local network, it connects but nothing works. It's not a big issue since nobody needs to use VPN in local network but it was working in v2.0.2 though. I noticed "Backend for authentication" line is missing in openvpn/server page. I thought this is issue or maybe tap mode is causing it. It would be better if i could test vpn from local network though.

I had exactly the opposite problem. I couldn't ping lan computers. Here is what i did.
First I installed pfsense 2.1 beta because 2.0.2 was too messed up by trial and error.
I followed this guide. It tells it for "tap" vpn mode instead of "tun". Tap is more suitable for me. I tried tun mode too.
http://hardforum.com/showthread.php?t=1663797
Again I faced the same exact issue. But later I found it was a windows firewall issue. Just turning it off and on again somewhat solved the problem.
If you want to follow the guide, dont forget to put rules for OpenVPN and bridge interfaces.
And dont try to connect to your vpn from local network. Try from another computer because in 2.1beta they didn't put a backend handler so nothing works if you connect from local network. At least I couldn't do it. It was working in 2.0.2 though

Cheers

You're using shared key mode with tun, which requires that you set an IP with ifconfig.

If you use a server mode (ssl/tls) then it can automatically supply an IP to clients.

This issue is solved.

My ISP at this time claimed the problem wasn't on his side.
Since I wasn't able to find a solution, I changed the ISP.

Now, I don't experience these disconnections anymore :-)

Fixed, Had manual NAT enabled and didn't add the OpenVPN Network NAT Rule

Care to share the root cause and solution?

There isn't a master switch for OpenVPN that would do what you're attempting.

What is it you're really trying to accomplish? Perhaps there is another way to make it happen?

One possible solution might be to "killall -9 openvpn" to stop it, and run /etc/rc.openvpn to start again.

That would only be temporary though and it wouldn't survive any action that would normally cause OpenVPN to start again (e.g. reboot, WAN down/up event, etc)