When configuring any OpenVPN access on a single pfsense as it is described in the documentation it will work fine. The section about the firewall rules

[https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/firewall-rules.htm](link url)l

proposes to add a rule on the WAN tab and set among others Destination: WAN Address. This works fine as long as the WAN address is not virtual. As soon as a CARP VIP is set for the High Availability configuration this firewall rule will block the connection of any external OpenVPN client.

Setting the destination to WAN Net or This Firewall instead allows the OpenVPN clients to pass this firewall rule. As it took me a while to find this I thought it might be helpful to mention it here. It would be nice to add such a note in the pfsense documentation.