Pushing routes on android

Post by wz2b » Tue Aug 03, 2021 12:45 am

I'm trying to troubleshoot why route pushes don't work on my OpenVPN for Android and this got me wondering: how does pushing routes work if OpenVPN is running unprivileged?

I tried server push, and I see in the log that the client got the route, but it doesn't seem to work. I tried adding it to the client side (the Android .ovpn file) and that didn't seem to work either. I started an unprivileged adb shell and it didn't look like the route got added. The server is OpenVPN for OpenWrt.

Client configuration:

Code:

client
dev tun
proto udp            #only if you use udp protocol
remote frogpond.homeip.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 client1.p12   #this is the p12 client certificate in the same folder
#auth-user-pass      #uncomment this row if you want to use two factor authentication
verb 3
comp-lzo
ns-cert-type server

The server configuration is nearly as simple:

Code:

ca /etc/config/pki/ca.crt
cert /etc/config/pki/certs_by_serial/DAB053BD637C788343FBCF268991EDBD.pem
comp-lzo yes
dev tun
dh /etc/config/pki/dh.pem
keepalive 10 60
key /etc/config/pki/private/server.key
push "route 192.168.0.0 255.255.255.0 10.232.0.1"
server 10.232.0.0 255.255.255.0
verb 3

So my client connects just fine, gets the address 10.232.0.6, but it doesn't _seem_ to get the route; nothing inside can ping the phone (except my router). I have a rule for "allow everything from lan to tun0" and another one in the opposite direction - all protocols.

This should work, right?

Post by TinCanTech » Tue Aug 03, 2021 12:50 am

wz2b wrote (Tue Aug 03, 2021 12:45 am):
push "route 192.168.0.0 255.255.255.0 10.232.0.1"

Should be:

Code:

push "route 192.168.0.0 255.255.255.0"

Also, that is the poorest choice of LAN that you can make .. best to change it.
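
A small check for the two points raised in the reply above, as an added example that is not part of the original thread: it parses `push "route ..."` lines from a server configuration and flags an explicit gateway argument and a pushed network that overlaps ranges many home routers use by default. The sample configuration is constructed from the posted one; the function names, the `COMMON_LANS` list and the reading of "poorest choice of LAN" as an address-collision concern are assumptions.

```python
import ipaddress
import shlex

# Constructed sample: the relevant lines of the server configuration posted above.
SERVER_CONF = '''\
dev tun
push "route 192.168.0.0 255.255.255.0 10.232.0.1"
server 10.232.0.0 255.255.255.0
'''

# Assumption: ranges treated as common home-router defaults; extend as needed.
COMMON_LANS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]


def pushed_routes(conf):
    """Yield (network, gateway_or_None) for every push "route ..." line."""
    for line in conf.splitlines():
        tokens = shlex.split(line, comments=True)  # drops '#' comments, keeps quoted arg whole
        if len(tokens) != 2 or tokens[0] != "push":
            continue
        args = tokens[1].split()
        if len(args) < 2 or args[0] != "route":
            continue
        # OpenVPN syntax: route network [netmask] [gateway]; netmask defaults to a host route.
        mask = args[2] if len(args) > 2 else "255.255.255.255"
        net = ipaddress.ip_network(f"{args[1]}/{mask}", strict=False)
        gateway = args[3] if len(args) > 3 else None
        yield net, gateway


def lint(conf):
    """Return a list of human-readable findings for pushed routes."""
    findings = []
    for net, gateway in pushed_routes(conf):
        if gateway is not None:
            findings.append(f"{net}: explicit gateway {gateway}; push the route without it")
        if any(net.overlaps(lan) for lan in COMMON_LANS):
            findings.append(f"{net}: overlaps a common default LAN range")
    return findings


if __name__ == "__main__":
    for finding in lint(SERVER_CONF):
        print(finding)
```
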
