@bkcberry i was able to fix the asymmetric route with a policy based route on my router. Thanks everyone!!

Damn. So I made a typo in the IPv4 Remote network(s) on the server-side. Now everything works. Thank you so much for you help @Derelict

@gtrdriver said in Problem with Openvpn on IOS - Android is working fine: Does anyone have a starting point or a idea ? What is the exact version of the client? What is the connection of the client, some hotspot, their LTE cell connection? What does the log say on the client, what does the server log say? This info would be needed to "start" any sort of troubleshooting.

@Gertjan I am planning to setup the OpenVPN server as the central VPN gateway and expand the network if needed. If I fix this , I am pretty sure I can.

@sgw said in lock client hardware: My customer wants to make sure that his employees only use the openvpn-configs on company devices. As long as he doesn't lock the company devices down to almost "dumb" mode, a user can always run its own OVPN configuration as they could simply run the OVPN exe with their config. That won't work. Right now we set up authentication against Samba-ADS, so there is basically one overall ovpn-file for all the allowed users. If we can deploy that via group policy objects or so and let openvpn-client run as a service this should do the trick, right? Yes every client can/will get the configuration via the group policy. But that won't stop the user from making manual changes (OK could be depending on where you deploy the ovpn configuration and if they have local admin rights) or using their own ovpn config. Is the way to deploy/install the provided windows installer exe from the client export tab maybe? If you wanna roll out that config via group policy I wouldn't use the windows installer exe. AFAIK you'd need an MSI anyways. Simply install OpenVPN on the clients (either manually or per group policy and with the official installer from the website - I think they even have an MSI there anywhere) and just deploy the configuration to the necessary directory. It can either be in %programm_path%\config (C:\Program Files\OpenVPN\config or sth.) or in %user%\OpenVPN (C:\Users\%Username%\OpenVPN\config). But as it is I certainly doubt you can lock up the config in a way that a user couldn't just take it and copy it to another device if they want to. Only thing you can enforce is that one user could only login once with the same certificate/username combination so noone can use both at the same time.

nevermind. I think i fixed my problem. After setting a firewall rule for LAN. I had to reboot PFsense once and everything is woriing now.

Hi @JKnott, Our telco company here in country is so greedy

great tutorial, thank you! are these instructions still valid for the current version of pfSense?

The road warrior VPN clients need routes to the subnets at site 2. At site 2 you need a route tor the road warrior tunnel subnet. That is all done in the OpenVPN settings. So at site 1 in the access server settings add the subnets of site 2 to the "Local networks". That pushes the routes to the client. At site 2 in the site-to-site settings add the road warrior tunnel subnet to the "Remote Networks". So OpenVPN sets a route for it pointing to the remote endpoint when the connection is established. Also ensure that your firewall rules allow the intended access.

I intend to activate the firewall part in a second time. For now it's open door.

Perfect, that explains very well the use cases of the two options. Thank you

Problem has been resolved, I created a new Interface for VPN and made a Rule on Manual Outbound NAT and some Firewall Rules.

@Sparty thanks for your input. sorry for replying late. Yes . I was trying trying to access the remote client PC via the tunnel .

you can just use the export package.. And you can download an exe that has the client and the config already in it. If you want an msi, you could convert that exe to one.

@viragomann it's just for me and about 3 other people i think the long term plan (this is replacing a cisco vpn), will be to add an IP on the other firewall, (or a secondary IP at least) since it is still bridged on that vlan. then i can just add it to the firewall as a secondary ip, and add that subnet to the same policies and address book entries allowed to get to everything. depending on how many static routes there are elsewhere however, the masq/nat option works easier at least for now.