• OpenVPN - iOS 6 - VPN on demand with Custom SSL and IPCU

    Locked
    0 Votes
    4 Posts
    5k Views
    Hi again, I found some posts on the internet on which they say that Apple disabled "VPN on demand" on newer versions of iOS or newly shipped devices. I found out that there is an iPhone Configuration Utility (IPCU) which can be downloaded directly from the Apple web page and which allows you to create and set profiles on an iPhone. Setting such a profile works, but I had problems getting "Custom SSL with VPN on demand" working with my pfSense OpenVPN server. The intention is that I set up the domains from my intranet as the e-mail server, and when the e-mail app tries to connect to this URL the VPN connection will start. Instead of using "Push Mail" I would try to use automatic checking by the mail app every 15 min - hopefully the VPN will start when "VPN on demand" is configured correctly. Perhaps someone can help me to configure this with the help of the following tutorial: http://simonguest.com/2013/03/22/on-demand-vpn-using-openvpn-for-ios/

    This is my iOS inline config from the pfSense export utility:

        persist-tun
        persist-key
        cipher AES-256-CBC
        tls-client
        client
        remote xx.yy.xx.yy 443 tcp
        comp-lzo
        nobind
        keepalive 5 30
        <ca>
        -----BEGIN CERTIFICATE-----
        .....
        -----END CERTIFICATE-----
        </ca>
        <key>
        -----BEGIN RSA PRIVATE KEY-----
        .....
        -----END RSA PRIVATE KEY-----
        </key>
        <tls-auth>
        #
        # 2048 bit OpenVPN static key
        #
        -----BEGIN OpenVPN Static key V1-----
        ....
        -----END OpenVPN Static key V1-----
        </tls-auth>
        key-direction 1

    Thank you for your help!

    ---- edit ----

    I got it. My iPhone starts the OpenVPN connection to my pfSense OpenVPN server. The config I posted above is the one the OpenVPN Export utility created. Follow the instructions on the URL I posted above - they are correct. I just had to modify some parameters in the config to get it working (Custom options with "Key" and "Value"):

    Export the CA.crt to your computer and replace every newline with \n to make it one line (as described on the URL above). You need a password protected .p12 of the client certificate which contains the .key and .crt. pfSense itself cannot do that from the GUI. I exported the .crt and .key to pfSense /tmp. Then I ran the command from the web page ( openssl pkcs12 -export -in client1.crt -inkey client1.key -out client1.p12 ) and set a password. I imported that new password protected .p12 into the IPCU. In the .ovpn config I exported from pfSense there is a part "tls-auth". I created this key in the custom options of IPCU and as value I did the same as for the "ca": everything in one line and every newline as \n.

        ca             -----BEGIN CERTIFICATE-----\nABCDEF112312.........\n-----END CERTIFICATE-----
        tls-auth       -----BEGIN OpenVPN Static key V1-----\nABCDEF112312.........\n-----END OpenVPN Static key V1-----
        comp-lzo       value
        persist-tun    value
        persist-key    value
        cipher         AES-256-CBC
        tls-client     value
        client         value
        key-direction  1

    Push-Mail seems not to work with OpenVPN - probably because the VPN connection is in standby and will only be established if the iPhone app starts to check the e-mails every 15 min and so is using "VPN on demand". Will do some more tests with bigger delays to make sure the iPhone wakes from sleep with VPN, and hopefully the same will happen when disconnecting the iPhone from the USB data cable, which I still have connected to view what is happening on my iPhone in the IPCU console.
  • PfSense as OpenVPN-AS Client

    Locked
    0 Votes
    2 Posts
    2k Views
    Well, I've done quite a bit of searching and I feel that I am getting closer. I am receiving this in my logs when trying to connect. Looks like an issue with the passwords, I've already checked that those are correct…

        May 18 20:30:32 openvpn[58267]: OpenVPN 2.2.2 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] built on Apr 2 2013
        May 18 20:30:32 openvpn[58267]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
        May 18 20:30:32 openvpn[58267]: WARNING: file '/conf/openvpn-server2.pas' is group or others accessible
        May 18 20:30:32 openvpn[58267]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        May 18 20:30:32 openvpn[58267]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
        May 18 20:30:32 openvpn[58267]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        May 18 20:30:32 openvpn[58267]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        May 18 20:30:32 openvpn[58267]: Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
        May 18 20:30:32 openvpn[58267]: Socket Buffers: R=[42080->65536] S=[57344->65536]
        May 18 20:30:32 openvpn[58267]: Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
        May 18 20:30:32 openvpn[58267]: Local Options hash (VER=V4): '0f816d6e'
        May 18 20:30:32 openvpn[58267]: Expected Remote Options hash (VER=V4): '2f3e190a'
        May 18 20:30:32 openvpn[58379]: UDPv4 link local (bound): 192.168.1.175
        May 18 20:30:32 openvpn[58379]: UDPv4 link remote: My.IP.Address.123:1194
        May 18 20:30:33 openvpn[58379]: TLS: Initial packet from My.IP.Address.123:1194, sid=a388832d cb9b06e6
        May 18 20:30:33 openvpn[58379]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
        May 18 20:30:33 openvpn[58379]: VERIFY OK: depth=1, /CN=OpenVPN_CA
        May 18 20:30:33 openvpn[58379]: VERIFY OK: nsCertType=SERVER
        May 18 20:30:33 openvpn[58379]: VERIFY OK: depth=0, /CN=OpenVPN_Server
        May 18 20:30:34 openvpn[58379]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1542'
        May 18 20:30:34 openvpn[58379]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
        May 18 20:30:34 openvpn[58379]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
        May 18 20:30:34 openvpn[58379]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
        May 18 20:30:34 openvpn[58379]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        May 18 20:30:34 openvpn[58379]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
        May 18 20:30:34 openvpn[58379]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        May 18 20:30:34 openvpn[58379]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
        May 18 20:30:34 openvpn[58379]: [OpenVPN_Server] Peer Connection Initiated with My.IP.Address.123:1194
        May 18 20:30:36 openvpn[58379]: SENT CONTROL [OpenVPN_Server]: 'PUSH_REQUEST' (status=1)
        May 18 20:30:36 openvpn[58379]: AUTH: Received AUTH_FAILED control message
        May 18 20:30:36 openvpn[58379]: SIGTERM received, sending exit notification to peer
        May 18 20:30:38 openvpn[58379]: TCP/UDP: Closing socket
        May 18 20:30:38 openvpn[58379]: SIGTERM[soft,exit-with-notification] received, process exiting
  • Need help setting up VPN for my laptop

    Locked
    0 Votes
    9 Posts
    3k Views
    As long as you're using an OpenVPN that supports it. Some clients (on phones/tablets?) might not support it.
  • Openvpn tunnel between openwrt and pfsense

    Locked
    0 Votes
    5 Posts
    9k Views
    Hi, good to hear you got it working… I was struggling with the same thing a couple of months ago.... I think your problem was in the routes (if openwrt didn't route your request back from pfsense when pinging from behind openwrt to pfsense). Did you set the remote LAN 192.168.4/24 (openvpn settings "route 192.168.4/24")? What does the pfsense routing table show? Does it know the 192.168.4/24 network? Did you use peer-to-peer or remote access? Set pfsense "Manual outbound NAT" -> WAN interface, NAT all outbound traffic to its public interface IP (that's the way I always do it: 1 NAT in the network, everything else is fully routed between routers..). Make sure DNS requests also go through the tunnel (DNS queries coming from openwrt / openwrt connected networks (LAN)). If you use your own DNS resolver (at the endpoint pfsense) you need to set openwrt to allow DNS queries coming from the private network (from pfsense). br. .k

    @cgu29: it's solved. The problem came from the NAT rules on the pfsense server; I had to enable manual NAT and add a mapping between the remote LAN and the NATted IP (pfSense WAN interface). Hope it helps. Now time to quit and go to the pub (in France).
  • Need help setting up firewall rule for VPN

    Locked
    0 Votes
    11 Posts
    4k Views
    By doing this, am I telling the computer to use the VPN on everything EXCEPT for when it is in one of those subnets? Yes. When the VPN comes up, it sets the default route to itself. All packets for destinations that are not on a directly connected subnet and do not have an explicit route will go to the VPN. Will it still cause DNS leaks? I guess the DNS is another issue. When you first connect to the local LAN, pfSense DHCP gives you an IP address and gives itself as the DNS server (that is the default behaviour). So your PC will have DNS pointing to pfSense. Because pfSense is on your local network, your PC will happily send DNS lookups there, and the pfSense DNS forwarder will do the lookup for you out the pfSense WAN. I guess you don't want that to happen - the DNS should go over the VPN also. Someone else could give some advice here - how to make the OpenVPN client replace the DNS server?
  • [SOLVED] OpenVPN + Cluster of PfSense

    Locked
    0 Votes
    7 Posts
    5k Views
    It's solved, thanks to cmb. On my client side, the tunnel was bound to the WAN interface instead of the CARP address. I did not upgrade. Thanks everyone.
  • OpenVPN peer to peer shared key not pushing local network

    Locked
    0 Votes
    6 Posts
    2k Views
    You cannot 'push' settings to a client over a peer-to-peer VPN. If you want to have routes over openvpn -> use OSPF (for more than 1 network which is configured in the openvpn settings.. or use 'redirect-gateway def1' to route all traffic via tun). br. .k
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • Route All Traffic from Client using tap0 Bridge to pfsense.

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Site A to Site B to StrongVPN

    Locked
    0 Votes
    4 Posts
    2k Views
    If you do not already have the StrongVPN link out of site A as the default gateway for pfSenseA, then you will need to use policy routing on the OpenVPN rules mentioned by @Reiner30 - in the Advanced section of the rules, select StrongVPN as the gateway for the traffic. Make sure your pass policy-routing rules on incoming OpenVPN specify something like "source <network a|network c> destination (or destination )" - you don't want to route packets from network a to network b straight past and out the StrongVPN.
  • 0 Votes
    3 Posts
    2k Views
    Yes, one of the parallel threads here gives the answer already TODAY (the search function is at the upper right; it always makes sense to use it before posting ;)) http://doc.pfsense.org/index.php/CARP_Secondary_Unreachable_Over_VPN
  • Inactivity timeout PFsense(OVPN Client) <> OVPN-Srv

    Locked
    0 Votes
    10 Posts
    35k Views
    I was just able to solve the problem. My server side config had "ping restart" configured, which I replaced by "keepalive", now the connection is not restarted anymore :)
  • VPN LAN

    Locked
    0 Votes
    5 Posts
    2k Views
    I resolve this by configuring the router?
  • PfSense as OpenVPN client from my VPS

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OpenVPN TAP BRIDGE Broadcast Traffic

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • How to create a password protected user certificate

    Locked
    0 Votes
    2 Posts
    2k Views
    I use the OpenVPN Client Export Utility package and there is an option "Use a password to protect the pkcs12 file contents or key in Viscosity bundle. " under VPN:OpenVPN:Client Export. Does that work for you? (I haven't tried myself)
  • Need Help Open Vpn Client fail to connect.

    Locked
    0 Votes
    6 Posts
    2k Views
    For the configs, just post the text.  For the firewall rules… take screen shots, upload them to photobucket and post using img tags.
  • Slow Client

    Locked
    0 Votes
    2 Posts
    1k Views
    No one can help me?
  • No internet connection when using openVPN

    Locked
    0 Votes
    4 Posts
    3k Views
    What version of pfSense? Post a network map. Post your server1.conf. Post your firewall rules.
  • IPVanish VPN

    Locked
    0 Votes
    3 Posts
    2k Views
    jimp
    There are threads/howtos here for StrongVPN and I think VyprVPN. Anything OpenVPN-based should work similarly.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.