route all traffic over vpn using openvpn connect on android?
Posted: Tue Jan 29, 2013 2:11 pm
Hi. I would like to use openvpn connect on an unrooted Samsung Galaxy Note in order to connect over 3G to my home Win XP box (which runs openvpn 2.2.2). My end goal is to be able then to run a remote desktop session on the phone over my vpn to a 3rd party Windows server that sits behind a corporate firewall. That firewall has an exception to allow RDP traffic originating from the static IP address of my home broadband.
I already have this scenario working on an old Nokia N800 smartphone (which gives root without hacking), and I also had it working on my samsung whilst it was rooted using the 'original' openvpn client by friedrich shauffelhut.
In both cases the phones were connecting using TAP and the XP box had an ethernet bridge setup such that the clients got local IP's on the same subnet as my XP box (192.168.222.0/24). My openvpn server script used push "redirect-gateway def1" to force all IP traffic to go over the vpn, and this had the desired effect that, when I had the vpn established and then started an RDP to the 3rd party server on my phone, the IP address presented to their firewall was that of my home broadband's static IP, and therefore my RDP session connected OK.
Unfortunately, I have had to unroot my samsung, and I'm now trying to replicate the above RDP access solution with the new "non-root" openvpn client for android, but I can no longer use the TAP device as it isn't supported on openvpn connect.
So, I set up a second openvpn instance to listen on a separate port on the XP box, and configured it as tun. Other than the tap->tun changes the rest of the server and client config files are the same.
The XP box is at static IP 192.168.222.10, and is connected over powerline ethernet to my netgear modem/router (182.168.222.1). The subnet I used for the vpn is 10.8.0.0/24.
When I connect with 'push "redirect gateway loc1"' in the server config file, I get connected OK to my XP server, and I can ping 10.8.0.1 (vpn endpoint on server) and 192.168.222.10 (server's static IP on my LAN) but I can't ping any external IP's, use the phone browser to surf, or connect to my 3rd party server over RDP. Note - this isn't a DNS problem, it's total lack of routing to external IP's. I've confirmed that by overriding the DNS servers locally on the phone.
If I comment out 'push "redirect-gateway def1"' from the server config file then I can connect, I can ping 10.8.0.1 but NOT 192.168.222.10, and I can browse the internet but with the traffic NOT transiting my vpn. All of which is as I'd expect, but of course I can't RDP to the 3rd party server as I'm presenting the wrong IP.
I know I need to do something with the routing tables on the phone and/or server ends to change the default gateway such that I can force all traffic over the vpn and still have traffic bound for external IP's get to their destination, but I have stumbled around for days making "suck it and see" changes with no joy and I'm now stumped. Can anyone advise?
TIA to any kind soul who can help me!
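As an added illustration (not part of the post above, and not the poster's own configuration), the following Python script models the two routing decisions involved in a tun-mode "redirect-gateway def1" setup: what the phone's table looks like with and without the pushed redirect, and whether the home router can deliver reply packets addressed to the 10.8.0.0/24 tunnel subnet back to the OpenVPN host at 192.168.222.10. The 3G gateway 10.64.0.1, the interface names rmnet0/tun0, the public server address 203.0.113.5 and the phone address 10.8.0.6 are constructed placeholders; the two /1 routes plus the /32 host route are what OpenVPN installs for def1, and the router-side cases (static route for 10.8.0.0/24, or source NAT on the OpenVPN host) are general IP routing facts rather than anything stated in the post.

```python
import ipaddress


class RoutingTable:
    """Minimal longest-prefix-match routing table."""

    def __init__(self):
        self.routes = []  # list of (network, next_hop, interface)

    def add(self, prefix, next_hop, iface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, iface))

    def lookup(self, dst):
        """Return (next_hop, iface) for the most specific matching route, or None."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, next_hop, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return None if best is None else (best[1], best[2])


def phone_table(vpn_server_public, redirect_def1):
    """Phone routing table on 3G, with or without a pushed redirect-gateway def1."""
    t = RoutingTable()
    t.add("0.0.0.0/0", "10.64.0.1", "rmnet0")    # constructed 3G default gateway
    t.add("10.8.0.0/24", "10.8.0.1", "tun0")     # tunnel subnet from the post
    if redirect_def1:
        # def1 keeps the original default route and overrides it with two /1 routes,
        # after pinning the VPN server itself to the original gateway so the tunnel
        # transport does not loop into the tunnel.
        t.add(vpn_server_public + "/32", "10.64.0.1", "rmnet0")
        t.add("0.0.0.0/1", "10.8.0.1", "tun0")
        t.add("128.0.0.0/1", "10.8.0.1", "tun0")
    return t


def router_table(route_for_vpn_subnet):
    """Home router table; optionally with a static route for the tunnel subnet."""
    t = RoutingTable()
    t.add("192.168.222.0/24", "direct", "lan")
    t.add("0.0.0.0/0", "isp-upstream", "wan")
    if route_for_vpn_subnet:
        # static route: 10.8.0.0/24 is reachable via the OpenVPN host on the LAN
        t.add("10.8.0.0/24", "192.168.222.10", "lan")
    return t


def reply_reaches_openvpn_host(router, reply_dst):
    """True if the router forwards a reply for reply_dst back onto the LAN."""
    hop = router.lookup(reply_dst)
    return hop is not None and hop[1] == "lan"


if __name__ == "__main__":
    for def1 in (False, True):
        t = phone_table("203.0.113.5", def1)
        print("def1 pushed:", def1)
        for dst in ("8.8.8.8", "192.168.222.10", "203.0.113.5", "10.8.0.1"):
            print("  ", dst, "->", t.lookup(dst))
    # Reply path from the home router's point of view.
    print("no static route, reply to 10.8.0.6:",
          reply_reaches_openvpn_host(router_table(False), "10.8.0.6"))
    print("no static route, reply to NATed 192.168.222.10:",
          reply_reaches_openvpn_host(router_table(False), "192.168.222.10"))
    print("static route, reply to 10.8.0.6:",
          reply_reaches_openvpn_host(router_table(True), "10.8.0.6"))
```

The phone half reproduces the symptoms described: with def1 both 192.168.222.10 and external addresses resolve to tun0, without it only the tunnel subnet does. The router half shows why outbound packets can leave the tunnel while replies never come back: a reply addressed to a 10.8.0.x source follows the router's default route to the ISP unless either the router has a route for 10.8.0.0/24 via the OpenVPN host or that host rewrites the source to its own LAN address before forwarding. The OpenVPN host must also be forwarding between its tun adapter and the LAN for either case to work.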