... or take the OpenVPN using the horrible TAP out of the equitation.

@bcruze shows me the access point of my vpn connection.

Double posting anyway 👿
https://forum.netgate.com/topic/146813/unable-to-on-outlook-after-connecting-open-vpn

-Rico

@viktor_g Here it is with some of the names redacted.

a16d73d2-ab19-4554-b15d-077947174fce-image.png

@JeGr said in OpenVPN auth via Samba4-ADS / LDAP:

@sgw said in OpenVPN auth via Samba4-ADS / LDAP:

the "CA(-chain)" ...?

Yeah but your ca.crt should have that. You can always check whats inside the PEMs but from the file size I would guess those are both 2k certs. And if there would be an intermediate to chain, it possible would be inside the ca.pem as well - or all certs (the whole chain including the host cert) would be in cert.pem. That's what's normally done with certain services. all in one or ca-chain in a separate file.

I am not quite sure what to do or check now ;-)
From the fact that it works sometimes it should be ok mostly, right?
What I did today: added the two DC-IPs as NTP-servers to pfsense ... to make sure there is no time drift.

Forgot to attach some logs. These are from the server, log level 4:

Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ] Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> SENT CONTROL [ripdog]: 'PUSH_REPLY,route 192.168.178.0 255.255.255.0,route-ipv6 <snip>::/64,tun-ipv6,route-gateway 10.1.0.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fe80::1000/64 fe80::1,ifconfig 10.1.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1) Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> PUSH: Received control message: 'PUSH_REQUEST' Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> MULTI: primary virtual IPv6 for ripdog/<android IP>: fe80::1000 Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> MULTI: Learn: fe80::1000 -> ripdog/<android IP> Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> MULTI: primary virtual IP for ripdog/<android IP>: 10.1.0.2 Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> MULTI: Learn: 10.1.0.2 -> ripdog/<android IP> Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4a096a81963c2dc7629027cfc8e3c7ca.tmp Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> MULTI_sva: pool returned IPv4=10.1.0.2, IPv6=fe80::1000 Sep 25 16:59:54 openvpn user 'ripdog' authenticated Sep 25 16:59:54 openvpn 66643 <android IP> [ripdog] Peer Connection Initiated with [AF_INET6]::ffff:<android IP>:4730 (via ::ffff:<pfsense IP>%pppoe0) Sep 25 16:59:54 openvpn 66643 <android IP> Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA Sep 25 16:59:54 openvpn 66643 <android IP> TLS: Username/Password authentication deferred for username 'ripdog' [CN SET] Sep 25 16:59:54 openvpn 66643 <android IP> PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2 Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8 Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_TCPNL=1 Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_COMP_STUBv2=1 Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_COMP_STUB=1 Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_LZO=1 Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_LZ4v2=1 Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_LZ4=1 Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_NCP=2 Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_PROTO=2 Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_PLAT=android Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_VER=2.5_master <snip TLS> Sep 25 16:59:54 openvpn 66643 <android IP> TLS: Initial packet from [AF_INET6]::ffff:<android IP>:4730 (via ::ffff:<pfsense IP>%pppoe0), sid=91b4984b ce8c5424 Sep 25 16:59:54 openvpn 66643 <android IP> Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client' Sep 25 16:59:54 openvpn 66643 <android IP> Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server' Sep 25 16:59:54 openvpn 66643 <android IP> Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ] Sep 25 16:59:54 openvpn 66643 <android IP> Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ] Sep 25 16:59:54 openvpn 66643 <android IP> Re-using SSL/TLS context Sep 25 16:59:54 openvpn 66643 MULTI: multi_create_instance called

There's nothing interesting on the client logs, they're very short.

I could solve the problem. Seems that is an issue between opnsense and pfsense. I installed an pfsense box on the other site and now it works.

Thank you for your time!

@Rico

1.JPG 2.jpg 3.JPG 4.JPG

So uh... I totally disabled the VPN in order to be able to actually upload anything. Screenshot fail! Should be a little more enlightening here...
IMG_2374.jpg

That does sound similar. However, that bug report is 18 months old and hasn't had any replies or movement at all.

@Derelict I was able to resolve this issue by deleting the OpenVPN Server that was created by the wizard and creating a new VPN Server and assigning it to an interface. Once that was completed, I then created rules for that interface by adding the rules on it's tab and a rule on the WAN1 tab. Then I created a NAT outbound rule for that interface and everything is working correctly now.

I have this setup working. The IPsec tunnel connects my home & remote office, which are “some distance” apart. I connect via OpenVPN to whichever is closer when I travel, I then have access to my servers at both sites.

Step 1: make sure you have a working IPsec tunnel and you can browse the network(s) at the remote end.
Step 2: add your remote networks to “IPv4 Local network(s)” on your OpenVPN Server (your.pfsense.ip/vpn_openvpn_server.php?act=edit&id=0)
Step 3: configure appropriate firewall rule to allow OpenVPN clients to access the remote network destination.

Good luck.

@bkcberry i was able to fix the asymmetric route with a policy based route on my router. Thanks everyone!!

Damn.

So I made a typo in the IPv4 Remote network(s) on the server-side.

Now everything works.

Thank you so much for you help @Derelict

@gtrdriver said in Problem with Openvpn on IOS - Android is working fine:

Does anyone have a starting point or a idea ?

What is the exact version of the client? What is the connection of the client, some hotspot, their LTE cell connection? What does the log say on the client, what does the server log say?

This info would be needed to "start" any sort of troubleshooting.