I recently installed a PIA VPN using OpenVPN and ran into issues that have been resolved, so I thought I’d share my experience with whoever might benefit.
Context: I have several VLANs and want to run some of the devices in some of the VLANs through the VPN. I don’t need a “kill” rule, because if the VPN fails, I want the devices to have access through the WAN. I added an interface for OpenVPN named PIA, and in Firewall/NAT/Outbound added the PIA interface only for the VLANs for which I wanted to direct traffic to the VPN. (I believe I could have left the added interfaces as OpenVPN and this would have worked as well.) In the OpenVPN client definition, I did not enable the “Don’t pull routes” option. (That is not suggested in this forum that I’ve seen, but I experimented with it because it was suggested in the forums for pfSense and/or PIA.)
The most important learning was to add a firewall rule in my main network to permit access to other VLANs (e.g., 192.168.0.0/16). Absent the VPN rule, the “Default allow LAN to any rule” (which does not use the Advanced settings) did permit unrestricted access to other VLANs. However, when I added a similar rule for VPN (“anys” all the way across but with the advanced setting under Gateway for the PIA interface) above the Default rule, I wasn’t able to access other VLANs. To solve that problem, I had to add the extra rule above the VPN rule to permit access to the other networks.
The other important learning was to modify the “Default allow LAN to any rule” for all of my subnets. I needed to get into the advanced settings and specify the WAN interface under Gateway. That is normally set to default, but I had already set WAN as the default interface under System/Routing/Gateways, so that wasn’t enough. Without doing that, the traffic from all devices on all of the VLANs is routed to the VPN, even from the VLANs for which I had not added the PIA interface under Firewall/NAT/Outbound.
I’m relatively new to pfSense, so I don’t understand why these things are needed. I’m just reporting what worked for me. If someone with more experience has more elegant solutions, I’d be interested in learning the “why’s”.
One other learning not specifically related to VPN policy routing is that it’s important to increase Firewall Maximum Table Entries (System/Advanced/Firewall & NAT) to something greater than one million. I kept getting errors about the firewall not being able to access or save to the bogons IPv6 table, which apparently has grown very large. The errors sometimes prevented rules from being saved correctly and might have interfered with reboots.
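The rule ordering described in the post follows from how pf evaluates a ruleset: rules are checked top-down and the first match wins, so a rule that matches "any" destination and carries a Gateway setting captures everything below it, inter-VLAN traffic included. A rule whose Gateway is left at default follows the system routing table, while an explicit Gateway pins the exit path regardless of what that table currently says. The toy evaluator below is an added illustration, not pfSense code or the poster's configuration; the interface names PIA and WAN and the 192.168.0.0/16 summary come from the post, and the VLAN subnets, host addresses and the 203.0.113.10 destination are constructed for the example.

```python
"""Toy first-match evaluator for pfSense-style interface rules (constructed example).

Models two things that matter for VPN policy routing:
  * rules are evaluated top-down and the first matching rule wins;
  * a rule with gateway=None ("default") follows the system routing table,
    whereas a rule with an explicit gateway pins the egress path.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    gateway: Optional[str] = None  # None == "default" in the Advanced settings


def _matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def first_match(rules, src: str, dst: str) -> Optional[Rule]:
    """Return the first rule matching src/dst, or None for the implicit deny."""
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule
    return None


def egress(rules, src: str, dst: str, routing_table_default: str) -> str:
    """Gateway the packet actually leaves through ("DROP" if no rule passes it)."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "DROP"
    # Explicit Gateway pins the path; default falls back to the routing table.
    return rule.gateway or routing_table_default


# Constructed subnets: VLAN 10 is routed through the VPN, VLAN 20 is another VLAN.
VPN_VLAN = "192.168.10.0/24"

# First attempt from the post: VPN rule placed directly above the default rule.
BROKEN = [
    Rule("VPN any->any via PIA", VPN_VLAN, "any", gateway="PIA"),
    Rule("Default allow LAN to any", VPN_VLAN, "any"),
]

# Working order from the post: inter-VLAN pass rule above the VPN rule, and the
# default rule pinned to WAN instead of relying on the routing table.
FIXED = [
    Rule("Allow other VLANs", VPN_VLAN, "192.168.0.0/16"),
    Rule("VPN any->any via PIA", VPN_VLAN, "any", gateway="PIA"),
    Rule("Default allow LAN to any", VPN_VLAN, "any", gateway="WAN"),
]


def compare(src="192.168.10.5", other_vlan="192.168.20.7", internet="203.0.113.10"):
    """Egress chosen by each ruleset for inter-VLAN and Internet destinations."""
    return {
        "broken_inter_vlan": egress(BROKEN, src, other_vlan, "WAN"),
        "fixed_inter_vlan": egress(FIXED, src, other_vlan, "WAN"),
        "fixed_internet": egress(FIXED, src, internet, "WAN"),
    }


if __name__ == "__main__":
    for label, gw in compare().items():
        print(f"{label:20s} -> {gw}")
```

Running the script shows the first ruleset sending traffic for 192.168.20.7 out through PIA, because the "any" VPN rule matches it before anything else can, while the second ruleset routes the same packet via the routing table and still sends Internet-bound traffic through PIA. Swapping `routing_table_default` between "WAN" and "PIA" when calling `egress` also shows the difference between a default-gateway rule and one pinned to WAN.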