PFSenseDevWiki : OpenVPNasWAN

Using a custom OpenVPN interface as WAN

Problem: You want to connect to a tunnel provider (like prq.se) with OpenVPN, but you can't set it up through the web interface because the tunnel uses no encryption, login or certificate.

Solution: In this example I’m connecting to prq.se.
Configure your machine the way you want it, then make a backup of the configuration. Open the backup in a text editor and insert these two lines at the end of the <system> section, just before the closing </system> tag.
<shellcmd>openvpn --ifconfig xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy --route rrr.rrr.rrr.rrr yyy.yyy.yyy.yyy --remote sss.sss.sss.sss --port pppp --dev tap --comp-lzo --ping 15 --verb 3 --daemon</shellcmd>
<shellcmd>/etc/rc.filter_configure_sync</shellcmd>

xxx.xxx.xxx.xxx is your IP at the end of the tunnel
yyy.yyy.yyy.yyy is the net mask
rrr.rrr.rrr.rrr is the network
sss.sss.sss.sss is the IP of the OpenVPN server
pppp is the port on the OpenVPN server

The shellcmd lines will be loaded after the firewall rules get loaded. Therefore you have to reload the rules after the tunnel is created. That’s what the second line does.
Save your changes and use the restore function in the web interface to load the file. The machine will reboot.
Assign the new interface using Interfaces -> Assign in the web interface. Enter the IP and the gateway in the settings for the new interface, then reboot the machine. PF will then be enabled on the tunnel interface (when the tap interface has a gateway, it is treated as a second WAN interface).
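
Before restoring the edited backup, it can be checked that the openvpn line sits inside <system> and that the filter reload follows it. The script below is an added example, not part of the original wiki page; the function names and the sample addresses are constructed. It also warns when the openvpn command carries no key or certificate option, as is the case here, since OpenVPN then tunnels traffic as cleartext.

```shell
#!/bin/sh
# Added example: sanity-check an edited pfSense config backup before restoring it.

# Print the body of every <shellcmd> found inside <system>, one per line.
system_shellcmds() {
    awk '
        /<system>/ { in_sys = 1 }
        in_sys {
            line = $0
            while (match(line, /<shellcmd>[^<]*<\/shellcmd>/)) {
                print substr(line, RSTART + 10, RLENGTH - 21)
                line = substr(line, RSTART + RLENGTH)
            }
        }
        /<\/system>/ { in_sys = 0 }
    ' "$1"
}

# Return 0 if an openvpn shellcmd exists and a filter reload comes after it.
check_backup() {
    cmds=$(system_shellcmds "$1")
    vpn=$(printf '%s\n' "$cmds" | awk '/^openvpn /{print NR; exit}')
    reload=$(printf '%s\n' "$cmds" | awk '/^\/etc\/rc\.filter_configure_sync/{n=NR} END{print n}')
    rc=0
    if [ -z "$vpn" ]; then
        echo "FAIL: no openvpn shellcmd inside <system>"; rc=1
    elif [ -z "$reload" ] || [ "$reload" -lt "$vpn" ]; then
        echo "FAIL: no filter reload after the openvpn shellcmd"; rc=1
    fi
    # Without a static key or TLS options OpenVPN tunnels everything as cleartext.
    if printf '%s\n' "$cmds" | awk '/^openvpn / && !/--(secret|tls-client|tls-server|ca|cert|key|pkcs12)( |$)/ {bad=1} END{exit !bad}'; then
        echo "WARN: openvpn has no key material; treat the tunnel as untrusted WAN"
    fi
    return $rc
}

# Constructed sample backup (documentation addresses, not taken from the page).
write_sample() {
    cat > "$1" <<'EOF'
<pfsense>
  <system>
    <hostname>fw</hostname>
    <shellcmd>openvpn --ifconfig 192.0.2.10 255.255.255.0 --route 198.51.100.0 255.255.255.0 --remote 203.0.113.5 --port 1194 --dev tap --comp-lzo --ping 15 --verb 3 --daemon</shellcmd>
    <shellcmd>/etc/rc.filter_configure_sync</shellcmd>
  </system>
</pfsense>
EOF
}
```

Run check_backup with the path of the edited backup file; a WARN line is expected for the tunnel described on this page, a FAIL line means the two shellcmd lines are missing or in the wrong order.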

Known problems
Every time the machine reboots you will get this error message:
[filter_load]There were error(s) loading the rulesrules: pfctl: DIOCSETSTATUSIF The line in question reads [ DIOCSETSTATUSIF]:
That’s because the rules get loaded before the tunnel is created, but don’t worry. The second shellcmd line reloads the rules after the tunnel is created and it will work.
