
dropped responses on Android, but PC VPN connection is just fine

Posted: Sun Sep 29, 2019 10:15 am
by vpnconnectPro
My vpn client config works just fine on my Mac OSX, but has some issues via Android. I can connect on Android, go to google and query what my IP is and see that it is coming from the VPN server, but anything I try to access on AWS and quite a few other sites gets the response dropped/aborted.

My VPN server is hosted on AWS, and also pushes the subnet for our VPC. Works great on Mac via Tunnelblick, no issues there.

Not only cannot the Android client access the private subnets, it can't even access public networks hosted on AWS.... well it can't receive the response. I can see in the apache logs for services on the private subnet in AWS that the android client connects and receives a success response from the server, but it's timing out on Chrome on Android ... not getting the response there.

I checked the server logs and the exact same config is being pushed to the OSX client and the Android client.

OSX connection:
Sep 29 02:29:21 ip-10-33-90-199 openvpn[7267]: client/xx.xx.xx.xxx:56003 SENT CONTROL [client]: 'PUSH_REPLY,route 10.33.0.0 255.255.0.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.1.9.1,topology net30,ping 10,ping-restart 120,ifconfig 10.1.9.10 10.1.9.9,peer-id 1,cipher AES-256-GCM' (status=1)
Sep 29 02:29:21 ip-10-33-90-199 openvpn[7267]: client/xx.xx.xx.xxx:56003 Data Channel: using negotiated cipher 'AES-256-GCM'
Sep 29 02:29:21 ip-10-33-90-199 openvpn[7267]: client/xx.xx.xx.xxx:56003 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 29 02:29:21 ip-10-33-90-199 openvpn[7267]: client/xx.xx.xx.xxx:56003 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Android:
Sep 29 02:31:29 ip-10-33-90-199 openvpn[7267]: client/xx.xx.xx.xxx:40477 SENT CONTROL [client]: 'PUSH_REPLY,route 10.33.0.0 255.255.0.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.1.9.1,topology net30,ping 10,ping-restart 120,ifconfig 10.1.9.14 10.1.9.13,peer-id 2,cipher AES-256-GCM' (status=1)
Sep 29 02:31:29 ip-10-33-90-199 openvpn[7267]: client/xx.xx.xx.xxx:40477 Data Channel: using negotiated cipher 'AES-256-GCM'
Sep 29 02:31:29 ip-10-33-90-199 openvpn[7267]: client/xx.xx.xx.xxx:40477 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 29 02:31:29 ip-10-33-90-199 openvpn[7267]: client/xx.xx.xx.xxx:40477 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

How can I debug what the difference is in the connection between Android and OSX? They are using the exact same .ovpn config.

Re: dropped responses from AWS on Android, but PC connection is just fine

Posted: Sun Sep 29, 2019 11:15 am
by vpnconnectPro
And also, what's the difference between connecting to https://serverfault.com and https://google.com ? I can access both when connected to VPN on my Mac, but I can't access serverfault on Android OpenVPN ... just times out.

Take this for instance, tried a host without SSL and a DNS just to remove a few variables from the equation.
http://151.101.65.69/

Should respond with "Fastly error: unknown domain: 151.101.65.69. Please check that this domain has been added to a service. Details: cache-sea1042-SEA" and does respond while connected to VPN on my Mac, but there is absolutely no response when connected to VPN on Android .. just hangs.

Re: dropped responses on Android, but PC VPN connection is just fine

Posted: Mon Sep 30, 2019 4:08 am
by vpnconnectPro
SOLUTION: Should anyone else read this. Issue had to do with compression. We were using lz4, which doesn't seem supported on Android or iOS. Disabled compression and everything works fine on Android/iOS/and MacOSX.

Definitely a hard bug to solve, 'cause there's no error message, and accessing some websites works while others don't. If this helps you, please let me know!

Re: dropped responses on Android, but PC VPN connection is just fine

Posted: Tue Oct 08, 2019 9:38 pm
by shakrat
Hello

Can you tell me how you disable the compression?

I tried leaving the parameter empty on the client, but nothing, the log seems to be using it anyway.

This is the client config on the android and apple device

client
keepalive 10 60
remote-cert-tls server
compress
dev tun
proto udp
port 1194
cipher AES-128-CBC

This is part of the log from the openvpn

16:15:04.325 -- Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client

Says comp-lzo

I tried some other configs but I don't know how to check if the compression is present.

Thanks

Re: dropped responses on Android, but PC VPN connection is just fine

Posted: Fri Oct 25, 2019 11:37 pm
by vpnconnectPro
Just comment out the compression options on both the server and the client configs.
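
One way to check whether compression is still active after editing the configs, as an added example that is not part of any post in this thread: it lists every uncommented compress/comp-lzo line (including pushed ones) and pulls compression tokens out of a "Tunnel Options" log line. The function names are hypothetical and the server fragment is constructed; the client config and log line are the ones posted above.

```python
import re

# '#' and ';' start comments in OpenVPN config files. A bare "compress" (no
# algorithm) switches the algorithm off but, per the OpenVPN 2.4 manual, keeps
# the compression packet framing enabled, so it still counts as a hit here.
COMP_RE = re.compile(r'^(?:push\s+"?\s*)?(compress|comp-lzo)\b\s*([\w.-]*)')

# Copied from the client config and log line posted in the thread.
CLIENT_CONF = """client
keepalive 10 60
remote-cert-tls server
compress
dev tun
proto udp
port 1194
cipher AES-128-CBC"""
TUNNEL_LOG = ("16:15:04.325 -- Tunnel Options:V4,dev-type tun,link-mtu 1558,"
              "tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,"
              "keysize 128,key-method 2,tls-client")
# Constructed server fragments (the thread only says lz4 was in use).
SERVER_CONF = 'port 1194\ncompress lz4\npush "compress lz4"'
SERVER_FIXED = 'port 1194\n;compress lz4\n# push "compress lz4"'

def active_compression(config_text):
    """Return (line_no, directive, argument) for each uncommented compression line."""
    hits = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # skip blanks and commented-out lines
            continue
        m = COMP_RE.match(line)
        if m:
            hits.append((no, m.group(1), m.group(2)))
    return hits

def tunnel_option_compression(log_line):
    """Return the compression tokens found in a 'Tunnel Options:' log line."""
    _, sep, opts = log_line.partition("Tunnel Options:")
    if not sep:
        return []
    tokens = (o.strip() for o in opts.split(","))
    return [t for t in tokens if t.startswith(("comp-lzo", "compress"))]

if __name__ == "__main__":
    for name, conf in [("client", CLIENT_CONF), ("server", SERVER_CONF),
                       ("server (fixed)", SERVER_FIXED)]:
        print(name, active_compression(conf))
    print("log", tunnel_option_compression(TUNNEL_LOG))
```

An empty list from both functions, on both the server and the client, is what "compression commented out" looks like.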