If the server pushes the default route to you and you did something wrong that's normal. You may aviod to get the default route pushed by checking "Don't pull routes" in the client settings for testing. Maybe you're missing the outbound NAT rule for the vpn. So enable the interface and set the outbound NAT rule. The outbound NAT must be set to hybrid or manual mode. Then add a new rule: Interface: <the vpn="" client="" interface="">Source: any Dest: any Translation: Interface address</the>

Ah, good info. I'll give that a try, thanks. I'm just doing the prep work at the moment before I add any rules to the firewall. All I've done is Create the CA, for OpenVPN client Create the OpenVPN client (showing as UP) Create the interface OPT1 and set it to port ovpnc1 the problem i have is, as soon as i enable OPT1 interface and reboot, all my internet traffic stops nothing has been configured by me to use OPT1, so why is this?

Which end is server and which is client as long as the routing is correct. If you're using SSL/TLS then you may have been passing the routing from the server so switching roles may have corrected something there. Steve

It worked, and you were right it was a user's cert and not the server. Thank you!

@ashima: At the client site how should I configure so that if  WAN1 of headoffice goes down, it should automatically connect through WAN2 of headoffice. I just realised custom option in Advanced Configuration  can have remote WAN2 port udp This will connect to the WAN2 if  WAN1 at headoffice fails. But do I have to redistribute the certificates to the client after making the changes at Server. Thanks, Ashima

@stephenw10: Try using other GCM bit sizes, 128 maybe. Are you running any hardware offloading? Try disabling that. Steve Resolved, the server I was trying to connect did not have openVPN 2.4. After I specified the correct server it worked just fine!

That all looks reasonable. Custom options should be separated by a semicolon as it says on the page so if you've entered them like that, new lines for each, it won't work. The actual options look fine but those set to 1300 they may not right now. If the tunnel is up and you're receiving an IP address it's not an issue with your certs/CA. If it was you would never get that far. What exactly are you seeing happen? Traffic just goes out the WAN directly? What have you done to route that traffic via the VPN? Your screenshots don't show the tunnel settings there. Steve

Change your home network to 172.16.50.xxx or something else in private address range.

Problem solved. There is something buggy with the Android browser. I was able to download the client export via chrome.

@Soyokaze: My quick guess is that something (DPI system, or just ISP with weird hiccups) is messing with your connection. "TLS key negotiation failed to occur within 60 seconds" usually should be read as "No packets was received at all, so no connection at all" I advise you to test with TCP connection, that will at least show you if client from this location can connect to your servers AT ALL. It works!!!!! Finally We got a solution, The problem was related with a rule in the Firewall, It was not related with NAT or port UDP 1194, The problem was a content filtering rule, When They made an exception for OpenVPN, the problem was gone. Thank you for all your comments.