Can not access local resources / IOS 11.4 - Asus RT N66U

Official client software for OpenVPN Access Server and OpenVPN Cloud.
bedo02
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 30, 2018 12:21 pm


Post by bedo02 » Thu Aug 30, 2018 12:32 pm

Hello,

For some time now I cannot access local IP addresses, only external ones, when connected via OpenVPN.

It works if I am connected via WiFi (external, e.g. at McDonald's), but not if I am on 3G / LTE.
It works for my Win10 laptop.

A ping on the local IP from iOS works.

Any idea what might be wrong?

Router Config:
https://photos.app.goo.gl/aPP7sVDV4QMPmCfH8

Code:

client
dev tun
proto udp
remote my.remote.server.org 1194
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
resolv-retry infinite
nobind

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by TinCanTech » Thu Aug 30, 2018 4:06 pm

See your log files.

bedo02
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 30, 2018 12:21 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by bedo02 » Thu Sep 13, 2018 2:33 pm

Sorry for the late reply, I was abroad.

Log from the Mobile:

Code:

2018-09-13 15:18:12 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Sep 4 2018 09:41:09

2018-09-13 15:18:12 Frame=512/2048/512 mssfix-ctrl=1250

2018-09-13 15:18:12 UNUSED OPTIONS
12 [resolv-retry] [infinite] 
13 [nobind] 

2018-09-13 15:18:12 EVENT: RESOLVE

2018-09-13 15:18:12 Contacting [178.113.107.76]:1194/UDP via UDP

2018-09-13 15:18:12 EVENT: WAIT

2018-09-13 15:18:12 Connecting to [atlantia.zapto.org]:1194 (178.113.107.76) via UDPv4

2018-09-13 15:18:13 EVENT: CONNECTING

2018-09-13 15:18:13 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client

2018-09-13 15:18:13 Creds: Username/Password

2018-09-13 15:18:13 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.1-770
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_BS64DL=1


2018-09-13 15:18:15 VERIFY OK : depth=0
cert. version : 3
serial number : 01
issuer name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U, 
subject name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U, 
issued on : 2015-06-27 13:49:38
expires on : 2025-06-24 13:49:38
signed using : RSA with SHA1
RSA key size : 1024 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication


2018-09-13 15:18:19 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

2018-09-13 15:18:19 Session is ACTIVE

2018-09-13 15:18:19 EVENT: GET_CONFIG

2018-09-13 15:18:19 Sending PUSH_REQUEST to server...

2018-09-13 15:18:20 OPTIONS:
0 [route] [192.168.8.0] [255.255.255.0] [vpn_gateway] [500] 
1 [dhcp-option] [DNS] [192.168.8.1] 
2 [route] [192.168.6.1] 
3 [topology] [net30] 
4 [ping] [15] 
5 [ping-restart] [60] 
6 [ifconfig] [192.168.6.6] [192.168.6.5] 


2018-09-13 15:18:20 PROTOCOL OPTIONS:
cipher: BF-CBC
digest: SHA1
compress: LZO
peer ID: -1

2018-09-13 15:18:20 EVENT: ASSIGN_IP

2018-09-13 15:18:20 NIP: preparing TUN network settings

2018-09-13 15:18:20 NIP: init TUN network settings with endpoint: 178.113.107.76

2018-09-13 15:18:20 NIP: adding IPv4 address to network settings 192.168.6.6/255.255.255.252

2018-09-13 15:18:20 NIP: adding (included) IPv4 route 192.168.6.4/30

2018-09-13 15:18:20 NIP: adding (included) IPv4 route 192.168.8.0/24

2018-09-13 15:18:20 NIP: adding (included) IPv4 route 192.168.6.1/32

2018-09-13 15:18:20 NIP: adding DNS 192.168.8.1

2018-09-13 15:18:20 NIP: adding match domain ALL

2018-09-13 15:18:20 NIP: adding DNS specific routes:

2018-09-13 15:18:20 NIP: adding (included) IPv4 route 192.168.8.1/32

2018-09-13 15:18:20 Connected via NetworkExtensionTUN

2018-09-13 15:18:20 Per-Key Data Limit: 48000000/48000000

2018-09-13 15:18:20 LZO-ASYM init swap=0 asym=0

2018-09-13 15:18:20 EVENT: CONNECTED atlantia.zapto.org:1194 (178.113.107.76) via /UDPv4 on NetworkExtensionTUN/192.168.6.6/ gw=[/

and from the Router:

Code:

Sep 13 15:18:13 openvpn[28792]: 89.144.208.221:19292 TLS: Initial packet from [AF_INET]89.144.208.221:19292 (via [AF_INET]192.168.10.2%eth0), sid=b846f650 2472b1b4
Sep 13 15:18:17 openvpn[28792]: 89.144.208.221:19292 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U, 
Sep 13 15:18:17 openvpn[28792]: 89.144.208.221:19292 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, 
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 TLS: Username/Password authentication succeeded for username 'xxx' 
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 [client] Peer Connection Initiated with [AF_INET]89.144.208.221:19292 (via [AF_INET]192.168.10.2%eth0)
Sep 13 15:18:19 openvpn[28792]: client/89.144.208.221:19292 MULTI_sva: pool returned IPv4=192.168.6.6, IPv6=(Not enabled)
Sep 13 15:18:19 openvpn[28792]: client/89.144.208.221:19292 MULTI: Learn: 192.168.6.6 -> client/89.144.208.221:19292
Sep 13 15:18:19 openvpn[28792]: client/89.144.208.221:19292 MULTI: primary virtual IP for client/89.144.208.221:19292: 192.168.6.6
Sep 13 15:18:19 openvpn[28792]: client/89.144.208.221:19292 PUSH: Received control message: 'PUSH_REQUEST'
Sep 13 15:18:19 openvpn[28792]: client/89.144.208.221:19292 send_push_reply(): safe_cap=940
Sep 13 15:18:19 openvpn[28792]: client/89.144.208.221:19292 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.8.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.8.1,route 192.168.6.1,topology net30,ping 15,ping-restart 60,ifconfig 192.168.6.6 192.168.6.5' (status=1)

What shall I look for? If I type any 192.168.8.xxx address (e.g. the NAS), this routing does not show up in these log files.
I am getting authorized but cannot access local IPs.

Thank you.
Last edited by bedo02 on Fri Sep 14, 2018 9:34 am, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by TinCanTech » Thu Sep 13, 2018 2:59 pm

Your server log may also be of some use.

But your client log suggests everything is OK. What IP can you not ping?

As for this:
bedo02 wrote:
Thu Aug 30, 2018 12:32 pm
It works if I am connected via WIFI (external, for ex at mc donalds), but not if I am on 3G / LTE
I do not know ..

bedo02
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 30, 2018 12:21 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by bedo02 » Fri Sep 14, 2018 9:09 am

and from the Router:

Code:

Sep 13 15:18:13 openvpn[28792]: 89.144.208.221:19292 TLS: Initial packet from [AF_INET]89.144.208.221:19292 (via [AF_INET]192.168.10.2%eth0), sid=b846f650 2472b1b4
Sep 13 15:18:17 openvpn[28792]: 89.144.208.221:19292 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U, 
Sep 13 15:18:17 openvpn[28792]: 89.144.208.221:19292 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, 
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 TLS: Username/Password authentication succeeded for username 'xxx' 
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
Sep 13 15:18:19 openvpn[28792]: 89.144.208.221:19292 [client] Peer Connection Initiated with [AF_INET]89.144.208.221:19292 (via [AF_INET]192.168.10.2%eth0)
Sep 13 15:18:19 openvpn[28792]: client/89.144.208.221:19292 MULTI_sva: pool returned IPv4=192.168.6.6, IPv6=(Not enabled)
Sep 13 15:18:19 openvpn[28792]: client/89.144.208.221:19292 MULTI: Learn: 192.168.6.6 -> client/89.144.208.221:19292
Sep 13 15:18:19 openvpn[28792]: client/89.144.208.221:19292 MULTI: primary virtual IP for client/89.144.208.221:19292: 192.168.6.6
Sep 13 15:18:19 openvpn[28792]: client/89.144.208.221:19292 PUSH: Received control message: 'PUSH_REQUEST'
Sep 13 15:18:19 openvpn[28792]: client/89.144.208.221:19292 send_push_reply(): safe_cap=940
Sep 13 15:18:19 openvpn[28792]: client/89.144.208.221:19292 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.8.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.8.1,route 192.168.6.1,topology net30,ping 15,ping-restart 60,ifconfig 192.168.6.6 192.168.6.5' (status=1)

What shall I look for? If I type any 192.168.8.xxx address (e.g. the NAS), this routing does not show up in these log files.
I am getting authorized but cannot access local IPs.

Thank you.

bedo02
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 30, 2018 12:21 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by bedo02 » Fri Sep 14, 2018 9:13 am

Yes, sorry, I have posted 2 posts because I had some trouble posting it in 1 post, but it was not posted? But I have now posted the router log in the post.

I can ping any internal address. This is the strange part. I do not get the HTML sites. At the IP level I have devices like: Smart Home Server, NAS, network printer, IP cams, which I cannot access via browser. But pinging them works.

bedo02
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 30, 2018 12:21 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by bedo02 » Fri Sep 14, 2018 9:46 am

I just noticed. My client got the address:

2018-09-13 15:18:20 NIP: adding IPv4 address to network settings 192.168.6.6/255.255.255.252

Which by the router settings is:
IP: 192.168.6.xxx - so OK
Netmask: 255.255.255.0 !!! and not 255.255.255.252 -> might this be the issue? And if so, how to fix it?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by TinCanTech » Fri Sep 14, 2018 11:37 am

What IP addresses does the server have configured?

bedo02
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 30, 2018 12:21 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by bedo02 » Fri Sep 14, 2018 7:12 pm

Local network 192.168.8.1
and all the resources 192.168.8.xxx

VPN - 192.168.6.xxx

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by TinCanTech » Fri Sep 14, 2018 8:03 pm

Then the IP address 192.168.6.6 255.255.255.252 is correct.

See --topology in The Manual v24x
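
The netmask point in the reply above, worked through as an added example (not code from the thread or from the OpenVPN project): it parses the PUSH_REPLY shown in the router log, derives the /30 that `topology net30` implies for the `ifconfig` pair, and checks which destinations the pushed settings send into the tunnel. The function names are hypothetical, and the `subnet` branch generalizes beyond the case in the thread.

```python
import ipaddress

# PUSH_REPLY string copied from the router log posted in this thread.
PUSH_REPLY = ("PUSH_REPLY,route 192.168.8.0 255.255.255.0 vpn_gateway 500,"
              "dhcp-option DNS 192.168.8.1,route 192.168.6.1,topology net30,"
              "ping 15,ping-restart 60,ifconfig 192.168.6.6 192.168.6.5")

def parse_push_reply(reply):
    """Collect topology, ifconfig arguments, routes and DNS from a PUSH_REPLY."""
    cfg = {"topology": None, "ifconfig": None, "routes": [], "dns": []}
    for opt in reply.split(",")[1:]:
        words = opt.split()
        if words[0] == "topology":
            cfg["topology"] = words[1]
        elif words[0] == "ifconfig":
            cfg["ifconfig"] = (words[1], words[2])
        elif words[0] == "route":
            # A pushed route without a netmask is a host route (/32).
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            cfg["routes"].append(ipaddress.ip_network(f"{words[1]}/{mask}"))
        elif words[:2] == ["dhcp-option", "DNS"]:
            cfg["dns"].append(ipaddress.ip_address(words[2]))
    return cfg

def tunnel_interface(cfg):
    """Client tun address with the prefix length that the topology implies."""
    local, second = cfg["ifconfig"]
    if cfg["topology"] == "net30":
        # net30: the second ifconfig argument is the remote endpoint, and
        # both endpoints must be the two usable hosts of a single /30.
        iface = ipaddress.ip_interface(f"{local}/30")
        if ipaddress.ip_address(second) not in iface.network.hosts():
            raise ValueError("ifconfig pair does not share one /30")
        return iface
    if cfg["topology"] == "subnet":
        # subnet: the second ifconfig argument is the netmask itself.
        return ipaddress.ip_interface(f"{local}/{second}")
    raise ValueError(f"unhandled topology: {cfg['topology']}")

def via_tunnel(cfg, dest):
    """True if the pushed settings send traffic for dest into the tunnel."""
    addr = ipaddress.ip_address(dest)
    nets = cfg["routes"] + [tunnel_interface(cfg).network]
    return any(addr in net for net in nets)

if __name__ == "__main__":
    cfg = parse_push_reply(PUSH_REPLY)
    print(tunnel_interface(cfg), [str(r) for r in cfg["routes"]])
    print(via_tunnel(cfg, "192.168.8.1"), via_tunnel(cfg, "192.168.6.20"))
```

The derived interface and routes match the `NIP:` lines in the client log: address 192.168.6.6/255.255.255.252, plus routes 192.168.6.4/30, 192.168.8.0/24 and 192.168.6.1/32.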

bedo02
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 30, 2018 12:21 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by bedo02 » Sun Sep 23, 2018 4:33 am

Any idea what might be wrong?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by TinCanTech » Sun Sep 23, 2018 11:16 am

bedo02 wrote:
Fri Sep 14, 2018 9:13 am
I can ping any internal address. This is the strange part. I do not get the html sites. I have on the IP level my devices like : Smart Home Server, NAS, Network Printer, IP Cams, which I can not access via Browser. But Pinging them works.
If you can ping them then your VPN is working.

If you mean "browser" as in http then make sure your devices support http.

If you mean "browser" as in "network browser" (Windows networking) then that does not work over a tunnel because a tunnel does not support broadcast packets.

See:
https://community.openvpn.net/openvpn/w ... wsBrowsing

bedo02
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 30, 2018 12:21 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by bedo02 » Sun Sep 23, 2018 4:21 pm

These devices have an integrated HTTP server, so yes, they can be accessed via an internet browser (like Chrome).

I can ping those devices on 3G when connected via VPN, but these devices are not accessible via an internet browser (like Chrome).

If I am connected via WiFi in a foreign network outside my house and I connect via VPN, then these devices also respond via web browser - meaning I can call each individual HTTP web interface by calling the IP, like 193.168.8.111.

And also I have no problems when I am at home - so in the “intranet”.

The difference is in the 3G / WiFi connection.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can not access local resources / IOS 11.4 - Asus RT N66U

Post by TinCanTech » Sun Sep 23, 2018 5:18 pm

bedo02 wrote:
Sun Sep 23, 2018 4:21 pm
the difference is in the 3g / wifi connection
TinCanTech wrote:
Thu Sep 13, 2018 2:59 pm
As for this:
bedo02 wrote:
Thu Aug 30, 2018 12:32 pm
It works if I am connected via WIFI (external, for ex at mc donalds), but not if I am on 3G / LTE
I do not know ..
You can contact me privately if you want to [ tincanteksup <at> gmail ] .. maybe we can work together.
