unable to connect to device

Official client software for OpenVPN Access Server and OpenVPN Cloud.
eelstrebor
OpenVpn Newbie
Posts: 14
Joined: Thu Dec 28, 2017 1:31 am

Post by eelstrebor » Sun Oct 20, 2019 5:32 pm

I'm running openvpn-connect 3.0.7 on a Galaxy S8. For the most part it works OK. But a browser running on the phone can't connect to a device using https when the tunnel is running (error: Forbidden 403.6 IP address rejected). If I turn off the tunnel a connection can be made. This seems to be a quirk with openvpn-connect since openvpn 2.4.4 clients running on desktops and laptops have no problem making the connection. Aside from some config file options being ignored and different client certs/keys, the config files are essentially the same on all devices. They all connect to the same openvpn server running on a router using dd-wrt. So, they're on the same subnet and this shouldn't be a problem. I won't post the config file unless requested but I will post the redacted openvpn-connect log below:

10:22:38.438 -- ----- OpenVPN Start -----

10:22:38.438 -- EVENT: CORE_THREAD_ACTIVE trans=TO_DISCONNECTED

10:22:38.440 -- OpenVPN core 3.git::728733ae:Release android arm64 64-bit PT_PROXY built on Aug 14 2019 14:13:26

10:22:38.442 -- Frame=512/2048/512 mssfix-ctrl=1250

10:22:38.445 -- UNUSED OPTIONS
6 [verify-x509-name] [$$$$] [name]
8 [user] [nobody]
9 [group] [nogroup]
10 [verb] [3]

10:22:38.445 -- EVENT: RESOLVE trans=TO_DISCONNECTED

10:22:38.485 -- Contacting 192.168.xxx.xxx via TCPv4

10:22:38.485 -- EVENT: WAIT trans=TO_DISCONNECTED

10:22:38.517 -- Connecting to [192.168.xxx.xxx] (192.168.xxx.xxx) via TCPv4

10:22:38.521 -- EVENT: CONNECTING trans=TO_DISCONNECTED

10:22:38.524 -- Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client

10:22:38.524 -- Creds: UsernameEmpty/PasswordEmpty

10:22:38.524 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.git::728733ae:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_IPv6=0
IV_AUTO_SESS=1


10:22:38.917 -- VERIFY OK : depth=1
cert. version : 3
serial number : E1:FF:C0:ED:23:70:68:E2
issuer name : C=US, ST=$$$$, L=$$$$, O=$$$$, OU=$$$$, CN=$$$$ CA, ??=EasyRSA, emailAddress=$$$$@$$$$.tech
subject name : C=US, ST=$$$$, L=$$$$, O=$$$$, OU=$$$$, CN=$$$$ CA, ??=EasyRSA, emailAddress=$$$$@$$$$.tech
issued on : 2018-10-24 01:52:24
expires on : 2028-10-21 01:52:24
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true


10:22:38.921 -- VERIFY OK : depth=0
cert. version : 3
serial number : 03
issuer name : C=US, ST=$$$$, L=$$$$, O=$$$$, OU=$$$$, CN=$$$$ CA, ??=EasyRSA, emailAddress=$$$$@$$$$.tech
subject name : C=US, ST=$$$$, L=$$$$, O=$$$$, OU=$$$$, CN=$$$$, ??=EasyRSA, emailAddress=$$$$@$$$$.tech
issued on : 2018-10-24 02:38:03
expires on : 2028-10-21 02:38:03
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : $$$$
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication


10:22:39.958 -- SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

10:22:39.958 -- Session is ACTIVE

10:22:39.959 -- EVENT: GET_CONFIG trans=TO_DISCONNECTED

10:22:39.962 -- Sending PUSH_REQUEST to server...

10:22:39.965 -- OPTIONS:
0 [redirect-gateway] [def1]
1 [dhcp-option] [DNS] [1.1.1.1]
2 [dhcp-option] [DNS] [1.0.0.1]
3 [route-gateway] [192.168.###.###]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [120]
7 [socket-flags] [TCP_NODELAY]
8 [ifconfig] [192.168.###.###] [255.255.255.0]
9 [peer-id] [0]
10 [cipher] [AES-256-GCM]
11 [block-ipv6]


10:22:39.965 -- PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA1
compress: NONE
peer ID: 0

10:22:39.966 -- EVENT: ASSIGN_IP trans=TO_DISCONNECTED

10:22:40.083 -- TunPersist: saving tun context:
Session Name: 192.168.###.###
Layer: OSI_LAYER_3
Remote Address: 192.168.###.###
Tunnel Addresses:
192.168.###.###/24 -> 192.168.###.###
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv6: yes
Add Routes:
Exclude Routes:
DNS Servers:
1.1.1.1
1.0.0.1
Search Domains:


10:22:40.084 -- Connected via tun

10:22:40.121 -- EVENT: CONNECTED info='192.168.###.### (192.168.###.###) via /TCPv4 on tun/192.168.###.###/ gw=[192.168.###.###/]'

eelstrebor
OpenVpn Newbie
Posts: 14
Joined: Thu Dec 28, 2017 1:31 am

Re: unable to connect to device

Post by eelstrebor » Sun Oct 20, 2019 6:02 pm

Problem solved.
