I'm not sure that this is a pfSense problem, but probably more of a general VPN VoLTE problem. I have my VPN configured to not route all traffic through the VPN, it only sends the traffic on my work network through the VPN. Public internet still goes out on the regular public gateway. I've got AT&T and called them today to try to troubleshoot the issue. The lady was surprising knowledgeable and actually reached out to their Tier 3 when she was on the phone with me. He did a call trace and said it looked like a device issue not a network issue so they referred me to Samsung. They offered to conference the call with them, but I had to jump on a conference call. If you have any success or further input on what you found out about this I'd love to hear it. My guess is that the call signaling still goes out over the regular voice network and they just reroute the audio payload over the data network. My phone will initiate the call, but it usually drops before the other side ever even rings; at most I get 1 unanswerable ring.

Actually it was a misconfiguration on one of the clients, it was missing the remote subnet option. I did not need to add the client-to-client option on the server side, it looks like when selecting peer to peer it's already there by default. Everything seems to be working now, thanks

192.168.101.101 is the server address in your case. You cannot push it to a client.

This works perfectly as what I want. Thank you viragomann

The wizard is pretty much IDIOT proof, yet seems like every other day we have someone trying to use a user cert for the server… [image: wizardservercert.png] [image: wizardservercert.png_thumb]

I'm really late here but i can tell you expressvpn would be great tool for you solution :) its mos tsecure vpn service provider list on mostsecurevpn.com

Hi, ref 1), advice on how would I do the correct routes? Thanks.

Tunnelblick works perfect with with config  exported via Inline Configurations: Others

Well i solved the problem. Rebuild the VPN using http://blog.stefcho.eu/building-site-to-site-connection-with-openvpn-on-pfsense-2-0-rc1-with-pki/ that Rebooted Both Firewall…. Than to redirect the internet throught the vpn just chect the related boxes and and create the nat routes...

Glad you go it sorted… and happy I could point out how simple it was ;)

Hi again, thanks for your comments. I have tried saving the server config again with no luck. I am not using subnet 192.168.80.X por any other purpose. I think the problem might have anything to do with the fact that the client gets assigned ip address 255.255.255.255 instead of 192.168.80.X (see the image). Any other suggestions?  

Found the problem, I'm also using "User Auth", and I had "auth-nocache", apparently after one hour I have to renter the user and password! I removed "auth-nocache" and the problem is solved. Is this a security hole? Allowing the cache of the user credentials? Thank you all Best Regards

@skaaptjop: Could you describe what you meant by "single OpenVPN configuration file"? Sure. All my users are using the exact same OpenVPN configuration file(s), but every user can login with his own Active Directory login. The files are OpenVPN Configuration file Security certificate Key file Each user has to import those three files in his […]OpenVPN/config/ directory to be able to connect to pfSense VPN. If they connect with this connection/settings, they will see a login prompt for username and password and there they can use their Active Directory login credentials. :) Well… At the end I just had to create one single OpenVPN configuration package and user and don't have to create always a OpenVPN configuration for each user. Also I don't have to delete all those users after they may have left the company or just don't need the access anymore. To manage the access to pfSense, I've created a security group in our Active Directory, which has members like me and other users, which should have access to pfSense VPN. If somebody shouldn't have access anymore, I just have to remove his membership of this group. Very easy. :)

yes, I did that. After I switched to automatic, all other rules got disabled. After that I checked that all network applications are still running as intended and it turned out they were obsolete anyway :-D