OVPN not working outside from mobile


this is my current setup:
internet - Fritx Box router - RPI3 with IPFire (red on

I created the OpenVPN server, putting in Global Settings - “Local VPN Hostname/IP” field:

  1. I created the new connection as Host-to-Net, and delivered the .P12 / key / ovpn file, into the mobile.
  2. imported p12 and ovpn into “OpenVPN connect” app.

In the end:
VPN is working only when I’m at home using the mobile connected with WIFI of the router FritzBox.
When I’m outside home, OpenVPN Connect is not able to connect to the IPfire OVPN.
What is missing?
Router rule to forward all trafic from External to RED and Port 1194?
Dedicated firewall rule (and which rule)?

I’m lost!
Anyone have experience on this topic,and can give me some hints on how to solve?
Thanks… appreciate your support

Your fritzbox is your border router with the wan. I imagine that you either have a fix IP or you have dynamic dns, therefore I assume that when you are outside and you open your client, those packets find their way to your fritzbox. With this assumption, the question becomes: now what? Does your fritzbox knows what to do with all those incoming packets asking to be delivered to a service on port 1194?

from local provider, I have got a public fixed IP Address… but in this case:
have i to put this public IP address in the global settings “Local VPN Hostname/IP” ?
I think not…
therefore I tried to include a port forwarding rule in Fritz, in order to route trafic to port 1194… but it seems not working.

Question to me: how openVPN connect app, knows that has to use the public IP address?

If you open the .ovpn file with a text editor you will find the remote directive, for example:

remote public_ip 1194
;remote local_ip 1194

This is where the clients gets the info to where to send the traffic.
Here the local IP is commented out, therefore if you try to connect your phone to your OpenVPN server outside your lan, it will work, but when you are inside, it won’t. Vice versa, if you comment out only the directive with your public IP the opposite will happen. If you do not comment any of them, then the client will try first one, then the other (this is called round robin). With this last setting it will work inside and outside your lan, if there are no other problems.

1 Like

It seems running…

So in this case, I can create another connection to be used when I’m at home :slight_smile:

Thanks for your support
Have a nice day

yes, you can have two profiles. But if you put both remote directives in the same .ovpn you do not need to switch profile. It should work seamlessly. At least, it did it for me.

1 Like

good… will give a try and let you know…

WORKS as well!!!

Thanks… SOLVED!

1 Like

Just a suggestion for next time you need to troubleshoot. Look at the logs from both sides (server and client). You would have figured out immediately the problem if you had a look to the OpenVPN Connect logs.

OK will do.

Well that was new to me. Always opportunities to keep learning your whole life. Thanks for the knowledge.

I think this would be good to have somewhere in the Open VPN wiki pages. :+1:

agreed too…
Infact , I was looking at somewhere in wiki before… without success.
Anyway… SOLVED!

I am procrastinating on updating those pages. I would like to put in my tutorial on roadwarrior connections using mobile devices, as the current tutorials are obsolete. I will do that and add this information as well.

1 Like

Below is a link to a small addition to what @cfuso wrote

Best regards

1 Like

Hi guys… VPN seems working… but:

  1. In the log I see the message “TLS Error: incoming packet authentication failed f rom [AF_INET]”
    and “Authenticate/Decrypt packet error: bad packet ID ( may be a replay)”
  2. maybe this is why I can’t enter in ipfire gui port 444, when I’m under VPN.

My Incoming Firewall access rule is set as:
Source - STD network: OpenVPN
Destination - Firewall: green
Protocol - TCP Port: 444

… and the same occur when I try to enter in NAS…
what can I do?

MTU problem, I think. You need to adjust it.

Explanation: If you send a message that is bigger than a packet, it will be broken up in several packets, whose size is based on the Maximum Transmission Unit (variable depending on the network characteristics). Then the message is encrypted and sent to the other side of the tunnel. If even one hop in this trajectory has an MTU smaller than the initial one, the packet will be further broken up, but now this is an encrypted packet that is atomized. When al these fragments arrive finally to the tunnel end, they need to be reassembled and decrypted, which leads to all sorts of bugs and slow down.

The fragmentation has to happen before encryption or you will have a very slow, very buggy connection. Hence, you need to choose the MTU equal or smaller than the smallest hop between the two ends of the tunnel.

ok…in effect… following your documentation, ping with 1500 says too long!
I decreased the ping by 10 each step … and the first occurency with ping success is 1470… this means 1430 as MSS. I will adapt the global settings as 1470 and adding mssfix 1430 to the .ovpn .

and regarding the FW Rule… is it OK from your point of view?

you do not have much choice, unless you decide to use the fritzbox as a glorified cable and set it up in bridge mode (avoiding a double nat would be the positive trade-off).

EDIT: I thought you were talking about the NAT rule in the fritzbox. For accessing the WUI I do not think you need to add a rule to the firewall.

the error is still there… i decrease again.

can you ping the NAS and IPFire machine? Maybe you need to add some push rule.