Which end is server and which is client as long as the routing is correct. If you're using SSL/TLS then you may have been passing the routing from the server so switching roles may have corrected something there. Steve

It worked, and you were right it was a user's cert and not the server. Thank you!

@ashima: At the client site how should I configure so that if  WAN1 of headoffice goes down, it should automatically connect through WAN2 of headoffice. I just realised custom option in Advanced Configuration  can have remote WAN2 port udp This will connect to the WAN2 if  WAN1 at headoffice fails. But do I have to redistribute the certificates to the client after making the changes at Server. Thanks, Ashima

@stephenw10: Try using other GCM bit sizes, 128 maybe. Are you running any hardware offloading? Try disabling that. Steve Resolved, the server I was trying to connect did not have openVPN 2.4. After I specified the correct server it worked just fine!

That all looks reasonable. Custom options should be separated by a semicolon as it says on the page so if you've entered them like that, new lines for each, it won't work. The actual options look fine but those set to 1300 they may not right now. If the tunnel is up and you're receiving an IP address it's not an issue with your certs/CA. If it was you would never get that far. What exactly are you seeing happen? Traffic just goes out the WAN directly? What have you done to route that traffic via the VPN? Your screenshots don't show the tunnel settings there. Steve

Change your home network to 172.16.50.xxx or something else in private address range.

Problem solved. There is something buggy with the Android browser. I was able to download the client export via chrome.

@Soyokaze: My quick guess is that something (DPI system, or just ISP with weird hiccups) is messing with your connection. "TLS key negotiation failed to occur within 60 seconds" usually should be read as "No packets was received at all, so no connection at all" I advise you to test with TCP connection, that will at least show you if client from this location can connect to your servers AT ALL. It works!!!!! Finally We got a solution, The problem was related with a rule in the Firewall, It was not related with NAT or port UDP 1194, The problem was a content filtering rule, When They made an exception for OpenVPN, the problem was gone. Thank you for all your comments.

@johnpoz: T-mobile doesn't even give out IPv4 anymore.. Atleast not here in chicagoland on my cellphone. This is true on my iPhone but my hotspot device (one of the two they currently sell) is IPv4 only.

I'd add: push "route 10.0.0.0 255.255.255.0"; to the OVPN RAS server you have on 192.168.1.10 under Advanced Options / Custom Options in the OVPN settings.  You'd "push" that route to the client, thus forcing that network down the tunnel. Cheers!

@Jackish: As far as I know, "Force all client generated traffic through the tunnel" changes nothing on Pfsense side; it only pushes the default gateway directive to the clients. Interesting! Thank you very much for that hint. I guess I will have to set up some virtual machines and reproduce my setup to see what would change for me if I enable the option. I can not do this with my current physical setup.

Not anymore. My predecessor set up the vpn with tap in order to use our central DHCP server, but now we push addresses from the the OpenVPN server instead. I guess I'll have to bite the bullet and restructure the whole setup with multiple networks. I guess it won't need to be that disruptive - I can migrate users to the networks incrementally, leaving the old setup running in parallel until everybody gets on the new setup. Thanks.

Ok, in this case the outside router is my vpn provider and I have port forwarding set up there. I'll poke around some more, thanks.

Hi guys My situation and configuration is same as user angelbit described, but for now i have only one mikrotik client. Pfsense is an openvn server and mikrotik can connect to it with no errors. I have tried your suggestions about assignig new interface (vpn) in pfsenes but still no success. Can not ping from pfsense and pfsenes lan to mikrtoik lan ip and lan clients. Can ping from mikrotik and mikrotik lan to pfsense lan clients. When pinging from pfsense lan to mikrotik lan i can see pacekts on pfsense vpn interface but not seeing on mikrotik vpn interface (tcpdup, packet capture). Have any sugesstions ? Regards