Cannot connect to apache on same server as vpn

admininator
OpenVpn Newbie
Posts: 11
Joined: Mon Jun 07, 2021 4:10 pm

Cannot connect to apache on same server as vpn

Post by admininator » Thu Jun 10, 2021 1:02 am

Hello. I installed OpenVPN on windows 10 and am using it with android OpenVPN client to route all traffic through the win 10 server vpn. Everything works (access to shared folders, internet routes through vpn, etc.) EXCEPT one important thing: I cannot access the websites I'm hosting on apache on the same win 10 machine as the OpenVPN server (from the android client). Of course, the websites work when the android client is not connected to the vpn.

I'm a noob with tcpip. I'm sure it's something as simple as missing a route, but the problem is that I don't even know how to search for this information because I'm not knowledgeable enough on the terminology. My searches have come up with nothing but irrelevant topics. If anyone can point me in the right direction, I'd greatly appreciate it.

Environment: modem -> TP-Link router -> Win 10 box with OpenVPN + xampp

Static route on router: 10.8.8.1 > 255.255.255.0 > 192.168.99.2 (win 10 IP)

server.ovpn - OpenVPN 2.5.2 x86_64-w64-mingw32

port 1194
proto udp4
dev tun
topology subnet
server 10.8.8.0 255.255.255.0
ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\ipp.txt"
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
verb 4
explicit-exit-notify 1
dhcp-renew
auth-nocache
client-config-dir C:\\Users\\android\\OpenVPN\\ccd
ca "C:\\scripts\\easy-rsa\\pki\\ca.crt"
cert "C:\\scripts\\easy-rsa\\pki\\issued\\server.crt"
key "C:\\scripts\\easy-rsa\\pki\\private\\server.key"
dh "C:\\scripts\\easy-rsa\\pki\\dh.pem"


client_android.ovpn - OpenVPN Connect Android 3.2.4-5891

client
dev tun
proto udp4
remote mydomain.tld 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>


client_android (ccd)

push "redirect-gateway def1"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"


Commenting push "dhcp-option DNS..." did not work.

I'm also getting PID_ERR replay-window backtrack occurred errors. I don't know if that's related to my problem or not.

[olog]
2021-06-09 19:54:57 us=711032 MULTI: multi_create_instance called
2021-06-09 19:54:57 us=711032 173.59.201.193:59695 Re-using SSL/TLS context
2021-06-09 19:54:57 us=711032 173.59.201.193:59695 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2021-06-09 19:54:57 us=711032 173.59.201.193:59695 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2021-06-09 19:54:57 us=711032 173.59.201.193:59695 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2021-06-09 19:54:57 us=711032 173.59.201.193:59695 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2021-06-09 19:54:57 us=711032 173.59.201.193:59695 TLS: Initial packet from [AF_INET]173.59.201.193:59695, sid=1e4a6ba6 ddec6a46
2021-06-09 19:54:57 us=855995 173.59.201.193:59695 VERIFY OK: depth=1, CN=win10
2021-06-09 19:54:57 us=855995 173.59.201.193:59695 VERIFY OK: depth=0, CN=client_android
2021-06-09 19:54:57 us=855995 173.59.201.193:59695 peer info: IV_VER=3.git:released:662eae9a:Release
2021-06-09 19:54:57 us=855995 173.59.201.193:59695 peer info: IV_PLAT=android
2021-06-09 19:54:57 us=855995 173.59.201.193:59695 peer info: IV_NCP=2
2021-06-09 19:54:57 us=855995 173.59.201.193:59695 peer info: IV_TCPNL=1
2021-06-09 19:54:57 us=855995 173.59.201.193:59695 peer info: IV_PROTO=2
2021-06-09 19:54:57 us=855995 173.59.201.193:59695 peer info: IV_IPv6=0
2021-06-09 19:54:57 us=855995 173.59.201.193:59695 peer info: IV_AUTO_SESS=1
2021-06-09 19:54:57 us=855995 173.59.201.193:59695 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891
2021-06-09 19:54:57 us=855995 173.59.201.193:59695 peer info: IV_SSO=openurl
2021-06-09 19:54:57 us=918784 173.59.201.193:59695 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2021-06-09 19:54:57 us=918784 173.59.201.193:59695 [client_android] Peer Connection Initiated with [AF_INET]173.59.201.193:59695
2021-06-09 19:54:57 us=918784 client_android/173.59.201.193:59695 MULTI_sva: pool returned IPv4=10.8.8.2, IPv6=(Not enabled)
2021-06-09 19:54:57 us=918784 client_android/173.59.201.193:59695 OPTIONS IMPORT: reading client specific options from: C:\Users\android\OpenVPN\ccd\client_android
2021-06-09 19:54:57 us=918784 client_android/173.59.201.193:59695 MULTI: Learn: 10.8.8.2 -> client_android/173.59.201.193:59695
2021-06-09 19:54:57 us=918784 client_android/173.59.201.193:59695 MULTI: primary virtual IP for client_android/173.59.201.193:59695: 10.8.8.2
2021-06-09 19:54:57 us=918784 client_android/173.59.201.193:59695 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-06-09 19:54:57 us=918784 client_android/173.59.201.193:59695 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
2021-06-09 19:54:57 us=918784 client_android/173.59.201.193:59695 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-06-09 19:54:57 us=918784 client_android/173.59.201.193:59695 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-06-09 19:54:57 us=918784 client_android/173.59.201.193:59695 PUSH: Received control message: 'PUSH_REQUEST'
2021-06-09 19:54:57 us=918784 client_android/173.59.201.193:59695 SENT CONTROL [client_android]: 'PUSH_REPLY,route-gateway 10.8.8.1,topology subnet,ping 10,ping-restart 120,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,ifconfig 10.8.8.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
2021-06-09 19:55:12 us=402788 client_android/173.59.201.193:59695 PID_ERR replay-window backtrack occurred [3] [SSL-0] [000_000000000000000000000000000000000000000000000000000000000000] 0:569 0:566 t=1623282912[0] r=[-4,64,15,3,1] sl=[7,64,64,528]
2021-06-09 19:55:12 us=528053 client_android/173.59.201.193:59695 PID_ERR replay-window backtrack occurred [4] [SSL-0] [0000_00000000000000000000000000000000000000000000000000000000000] 0:597 0:593 t=1623282912[0] r=[-4,64,15,4,1] sl=[43,64,64,528]
2021-06-09 20:16:10 us=108203 client_android/173.59.201.193:59695 PID_ERR replay-window backtrack occurred [5] [SSL-0] [0_____00001111111111111111111111111111111111111111111111111116>E] 0:2095 0:2090 t=1623284170[0] r=[-1,64,15,5,1] sl=[17,64,64,528]
2021-06-09 20:53:21 us=59323 client_android/173.59.201.193:59695 TLS: soft reset sec=3504/3504 bytes=4505563/-1 pkts=9151/0
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 VERIFY OK: depth=1, CN=win10
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 VERIFY OK: depth=0, CN=client_android
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 peer info: IV_VER=3.git:released:662eae9a:Release
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 peer info: IV_PLAT=android
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 peer info: IV_NCP=2
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 peer info: IV_TCPNL=1
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 peer info: IV_PROTO=2
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 peer info: IV_IPv6=0
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 peer info: IV_AUTO_SESS=1
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 peer info: IV_SSO=openurl
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-06-09 20:53:21 us=419141 client_android/173.59.201.193:59695 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-06-09 20:53:21 us=496529 client_android/173.59.201.193:59695 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2021-06-09 20:59:09 us=434082 client_android/173.59.201.193:59695 PID_ERR replay-window backtrack occurred [2] [SSL-1] [0__4444444444444455555556666>EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE] 0:114 0:112 t=1623286749[0] r=[0,64,15,2,1] sl=[14,64,64,528]
2021-06-09 21:07:09 us=358117 client_android/173.59.201.193:59695 PID_ERR replay-window backtrack occurred [3] [SSL-1] [0___000000000000011111>EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE] 0:698 0:695 t=1623287229[0] r=[-1,64,15,3,1] sl=[6,64,64,528]
[/olog]
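
The PID_ERR lines in the log above come from the data-channel replay protection (the --replay-window check on packet ids), which is separate from routing and DNS. On a UDP link from a phone, out-of-order delivery is the usual cause; what a defender watches is whether the count keeps climbing for one client or key. The script below is an added example, not part of the thread: it parses the verb-4 server-log shape shown above and counts backtrack warnings per client and data-channel key id, plus the TLS soft resets that start a new key. The sample lines are constructed and use the documentation address 203.0.113.5 in place of the poster's peer address.

```python
"""Summarise OpenVPN replay-window warnings from server log lines (added example)."""
import re
from collections import Counter, defaultdict

# One server-log line: timestamp, "us=" microseconds, an optional "<client>/" prefix
# (present once the client is authenticated), the peer socket address, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) us=\d+ "
    r"(?:(?P<client>[^/ ]+)/)?(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$"
)
# The replay message carries OpenVPN's bracketed counter and the data-channel key id.
BACKTRACK_RE = re.compile(
    r"PID_ERR replay-window backtrack occurred \[(?P<n>\d+)\] \[SSL-(?P<keyid>\d+)\]"
)
SOFT_RESET_RE = re.compile(r"\bTLS: soft reset\b")


def parse_line(line):
    """Return the fields of one log line, or None for a line of another shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize(lines):
    """Count backtracks per (client, key id) and TLS soft resets per client."""
    backtracks = Counter()       # (client, keyid) -> number of PID_ERR lines
    highest = defaultdict(int)   # (client, keyid) -> largest bracketed counter seen
    soft_resets = Counter()      # client -> renegotiations (each one starts a new key id)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["client"] or rec["peer"]  # before auth only the socket address is logged
        m = BACKTRACK_RE.search(rec["msg"])
        if m:
            key = (client, int(m["keyid"]))
            backtracks[key] += 1
            highest[key] = max(highest[key], int(m["n"]))
        elif SOFT_RESET_RE.search(rec["msg"]):
            soft_resets[client] += 1
    return {
        "backtracks": dict(backtracks),
        "highest": dict(highest),
        "soft_resets": dict(soft_resets),
    }


# Constructed sample, modelled on the thread's log but with a documentation-range peer address.
SAMPLE_LOG = """\
2021-06-09 19:54:57 us=711032 203.0.113.5:59695 Re-using SSL/TLS context
2021-06-09 19:54:57 us=918784 client_android/203.0.113.5:59695 MULTI: Learn: 10.8.8.2 -> client_android/203.0.113.5:59695
2021-06-09 19:55:12 us=402788 client_android/203.0.113.5:59695 PID_ERR replay-window backtrack occurred [3] [SSL-0] [000_0000] 0:569 0:566 t=1623282912[0] r=[-4,64,15,3,1] sl=[7,64,64,528]
2021-06-09 19:55:12 us=528053 client_android/203.0.113.5:59695 PID_ERR replay-window backtrack occurred [4] [SSL-0] [0000_000] 0:597 0:593 t=1623282912[0] r=[-4,64,15,4,1] sl=[43,64,64,528]
2021-06-09 20:53:21 us=59323 client_android/203.0.113.5:59695 TLS: soft reset sec=3504/3504 bytes=4505563/-1 pkts=9151/0
2021-06-09 20:59:09 us=434082 client_android/203.0.113.5:59695 PID_ERR replay-window backtrack occurred [2] [SSL-1] [0__4444] 0:114 0:112 t=1623286749[0] r=[0,64,15,2,1] sl=[14,64,64,528]
"""


def report(lines):
    """Print one line per (client, key id) so a rising count stands out."""
    s = summarize(lines)
    for (client, keyid), n in sorted(s["backtracks"].items()):
        print(f"{client} key {keyid}: {n} backtrack warnings, counter reached {s['highest'][(client, keyid)]}")
    for client, n in s["soft_resets"].items():
        print(f"{client}: {n} TLS soft reset(s)")
    return s


if __name__ == "__main__":
    report(SAMPLE_LOG.splitlines())
```

Run it against the real status log path from server.ovpn (or stdin) once the line shape matches; the regex is written for the 2.5 server output with verb 4, so a different verb level or a client-side log will need the prefix adjusted.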

admininator
OpenVpn Newbie
Posts: 11
Joined: Mon Jun 07, 2021 4:10 pm

Re: Cannot connect to apache on same server as vpn

Post by admininator » Thu Jun 10, 2021 2:02 pm

I think I'm onto something after more searching, but I still cannot resolve my domain properly.

I modified ccd client_android as follows:

client_android

push "redirect-gateway def1"
push "dhcp-option DNS 192.168.99.1"
push "dhcp-option DOMAIN mydomain.tld"
push "block-outside-dns"


Now on android, the website does not resolve (times out) and when I ping mydomain.tld from android termux, it resolves to my WAN IP without timeouts.

Then I modified it again as follows:

client_android

push "redirect-gateway def1"
push "dhcp-option DNS 10.8.8.1"
push "dhcp-option DOMAIN mydomain.tld"
push "block-outside-dns"


Now on android, the website does not try to resolve at all (rather - it resolves to 127.0.0.1 and immediately stops with "can't find website blah blah") and when I ping mydomain.tld from android termux, it resolves to 127.0.0.1 without timeouts.

What I believe is happening is that the android client is operating correctly, as my windows hosts file has an entry for:
127.0.0.1 mydomain.tld

I confirmed this by changing the hosts entry to the LAN IP:
192.168.99.2 mydomain.tld

Now, when I ping from android termux, it resolves to 192.168.99.2 _but_ it times out (100% packet loss).

That makes me believe the android client is trying to connect to 127.0.0.1 or 192.168.99.2 LOCALLY and not from the vpn server. Therefore, I believe I'm simply missing a fundamental route to put this all in working order.

TinCanTech
Forum Team
Posts: 9239
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot connect to apache on same server as vpn

Post by TinCanTech » Thu Jun 10, 2021 2:25 pm

admininator wrote:
Thu Jun 10, 2021 1:02 am
I cannot access the websites I'm hosting on apache on the same win 10 machine as the OpenVPN server
Can you access them by the server VPN IP (10.8.8.1) ?

admininator
OpenVpn Newbie
Posts: 11
Joined: Mon Jun 07, 2021 4:10 pm

Re: Cannot connect to apache on same server as vpn

Post by admininator » Thu Jun 10, 2021 4:13 pm

TinCanTech wrote:
Thu Jun 10, 2021 2:25 pm
admininator wrote:
Thu Jun 10, 2021 1:02 am
I cannot access the websites I'm hosting on apache on the same win 10 machine as the OpenVPN server
Can you access them by the server VPN IP (10.8.8.1) ?
Yes, I can, but it's a poor option for me because I have several sites on virtual hosts. Some will break without proper name resolution.

TinCanTech
Forum Team
Posts: 9239
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot connect to apache on same server as vpn

Post by TinCanTech » Thu Jun 10, 2021 4:34 pm

Then you need a different solution, like https.

If you need professional support then I am available for hire.

admininator
OpenVpn Newbie
Posts: 11
Joined: Mon Jun 07, 2021 4:10 pm

Re: Cannot connect to apache on same server as vpn

Post by admininator » Thu Jun 10, 2021 4:56 pm

TinCanTech wrote:
Thu Jun 10, 2021 4:34 pm
Then you need a different solution, like https.

If you need professional support then I am available for hire.
Can you expand on this a little? I feel like I'm right at the cusp, but can't quite get over the edge.

And thank you for the offer, but this is just for my personal use.

300000
OpenVPN Expert
Posts: 533
Joined: Tue May 01, 2012 9:30 pm

Re: Cannot connect to apache on same server as vpn

Post by 300000 » Thu Jun 10, 2021 6:10 pm

You need to run a DNS server on Windows so the client can find its name resolution. At the moment there is no pushed DNS server. There are many DNS servers for Windows you can try.

push "dhcp-option DNS 10.8.8.1"

In order to find the name, Windows must run a DNS server.
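
What that DNS server has to return is the point the thread circles around: the name must resolve to an address the phone can reach through the tunnel, which is the server's tun address 10.8.8.1, not 127.0.0.1 (what the hosts-file experiment above produced) and not the LAN address. The responder below is an added example, not from the thread and not OpenVPN's code: a minimal authoritative answerer for a small zone, listening only on the tun address so it is not reachable from the LAN or the Internet. The zone entry is constructed; 10.8.8.1 is the server VPN IP from the thread, and the ccd would push "dhcp-option DNS 10.8.8.1" as quoted above. It answers only the names in the zone (NXDOMAIN for everything else), so clients that also need public resolution still need a forwarding DNS server as 300000 suggests; this shows the answer, not the whole service.

```python
"""Minimal authoritative DNS responder for a VPN-only name (added example)."""
import ipaddress
import socket
import struct

# Constructed zone: name -> address reachable through the tunnel (server tun IP from the thread).
ZONE = {"mydomain.tld": "10.8.8.1"}


def _read_name(data, offset):
    """Decode the uncompressed QNAME starting at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(name, qid=0x1234, qtype=1):
    """Build a standard recursion-desired query (used to exercise build_response offline)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query, zone=ZONE, ttl=60):
    """A query for a zone name -> one A record; unknown name -> NXDOMAIN; other type -> empty NOERROR."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    name, offset = _read_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[offset:offset + 4])
    question = query[12:offset + 4]
    address = zone.get(name)
    if address is None:
        rcode, answer = 3, b""                     # NXDOMAIN
    elif qtype == 1 and qclass == 1:
        rcode = 0
        # NAME as a pointer to offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(address).packed
    else:
        rcode, answer = 0, b""                     # known name, other type: no data
    # QR=1 (response), AA=1 (authoritative), RD copied from the query, RA=0, RCODE in the low nibble
    resp_flags = 0x8000 | 0x0400 | (flags & 0x0100) | rcode
    header = struct.pack("!HHHHHH", qid, resp_flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def rcode_of(response):
    return struct.unpack("!H", response[2:4])[0] & 0x0F


def answered_address(response):
    """Return the A record in a response built above, or None when it carries no answer."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return str(ipaddress.IPv4Address(response[-4:])) if ancount == 1 else None


def serve(bind_address="10.8.8.1", port=53, zone=ZONE):
    """Bind only to the tun address; needs the tun adapter up and (on Windows) an elevated shell."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_address, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            response = build_response(data, zone)
        except (ValueError, IndexError, struct.error):
            continue                               # malformed query: drop it silently
        if response:
            sock.sendto(response, peer)


if __name__ == "__main__":
    serve()
```

The responder ignores everything except the one question it understands, so a malformed or oversized packet is dropped rather than reflected; keeping it bound to 10.8.8.1 is what stops it from becoming an open responder on the WAN side.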

admininator
OpenVpn Newbie
Posts: 11
Joined: Mon Jun 07, 2021 4:10 pm

Re: Cannot connect to apache on same server as vpn

Post by admininator » Thu Jun 10, 2021 6:40 pm

300000 wrote:
Thu Jun 10, 2021 6:10 pm
You need to run a DNS server on Windows so the client can find its name resolution. At the moment there is no pushed DNS server. There are many DNS servers for Windows you can try.

push "dhcp-option DNS 10.8.8.1"

In order to find the name, Windows must run a DNS server.
Thanks. I'll give it a try. I could use that for other things as well. It's been on the to-do list for a long time.

TinCanTech
Forum Team
Posts: 9239
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot connect to apache on same server as vpn

Post by TinCanTech » Fri Jun 11, 2021 1:54 am

And when that does not work, feel free to email me: tincantech at protonmail dot com

Time is money ..

admininator
OpenVpn Newbie
Posts: 11
Joined: Mon Jun 07, 2021 4:10 pm

Re: Cannot connect to apache on same server as vpn

Post by admininator » Fri Jun 11, 2021 3:18 am

A hint in the right direction would be great.

300000
OpenVPN Expert
Posts: 533
Joined: Tue May 01, 2012 9:30 pm

Re: Cannot connect to apache on same server as vpn

Post by 300000 » Fri Jun 11, 2021 7:11 am

It is a very simple task. If you could get a fully working OpenVPN on Windows, you can do this easily. If it doesn't work I can help you until it works as you like; just post in here.

admininator
OpenVpn Newbie
Posts: 11
Joined: Mon Jun 07, 2021 4:10 pm

Re: Cannot connect to apache on same server as vpn

Post by admininator » Fri Jun 11, 2021 5:42 pm

I still think this could be achieved using routes. I don't know if scripting is available for windows like it is linux, but if it is, then changing the windows route tables is trivial. I just don't know what routes to use to achieve what I want.

300000
OpenVPN Expert
Posts: 533
Joined: Tue May 01, 2012 9:30 pm

Re: Cannot connect to apache on same server as vpn

Post by 300000 » Fri Jun 11, 2021 6:52 pm

when I ping mydomain.tld

Nothing to do with routes. This is the DNS server's job, and when you finish the DNS server, the client can ping your own domain.

admininator
OpenVpn Newbie
Posts: 11
Joined: Mon Jun 07, 2021 4:10 pm

Re: Cannot connect to apache on same server as vpn

Post by admininator » Fri Jun 11, 2021 6:59 pm

300000 wrote:
Fri Jun 11, 2021 6:52 pm
when I ping mydomain.tld

Nothing to do with routes. This is the DNS server's job, and when you finish the DNS server, the client can ping your own domain.
OK thanks. I'll give it a try.

admininator
OpenVpn Newbie
Posts: 11
Joined: Mon Jun 07, 2021 4:10 pm

Re: Cannot connect to apache on same server as vpn

Post by admininator » Fri Jun 11, 2021 9:08 pm

I found a workaround that doesn't require a dns server - just exclude my server WAN IP from the client connection.

client_android (ccd):


push "redirect-gateway def1"
push "route <WAN IP> 255.255.255.255 net_gateway"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"


I tested using php $_SERVER['REMOTE_ADDR'] on a page served from my apache and it returned my mobile IP. Other "what is my ip" websites show the vpn WAN IP.

My websites are all https so I'm ok with this workaround. It's not perfect, but obviously the alternative requires a lot more effort.
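
Why the workaround behaves as observed comes down to longest-prefix matching on the phone: "redirect-gateway def1" installs two /1 routes into the tunnel, and the pushed /32 host route for the WAN address via net_gateway is more specific than either, so only that one destination leaves over the mobile link (hence REMOTE_ADDR showing the mobile IP) while everything else, including 10.8.8.1, still goes through the tunnel. The simulator below is an added example, not part of the thread: it parses push lines from a ccd file, builds the route table the client would install, and resolves a destination with longest-prefix match. The ccd text is constructed and uses the documentation address 203.0.113.10 in place of the poster's "<WAN IP>". The security consequence follows directly: the site is then reached from outside the tunnel, exactly as any non-VPN visitor reaches it, which is why the poster's note that every site is https matters.

```python
"""Simulate the client route table produced by OpenVPN push options (added example)."""
import ipaddress
import shlex

TUNNEL = "tunnel"            # next hop is the VPN gateway (tun device)
NET_GATEWAY = "net_gateway"  # next hop is the default gateway that existed before the VPN came up


def push_options(ccd_text):
    """Yield the quoted option from each push "..." line of a ccd file."""
    for line in ccd_text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 2 and parts[0] == "push":
            yield parts[1]


def build_routes(options, vpn_subnet="10.8.8.0/24"):
    """Translate push options into (network, next hop) entries as the client installs them."""
    routes = [(ipaddress.ip_network(vpn_subnet), TUNNEL)]  # from "server 10.8.8.0 255.255.255.0"
    for opt in options:
        words = opt.split()
        if words[0] == "redirect-gateway":
            if "def1" in words:
                # def1 overrides the default route with two /1 routes instead of replacing 0.0.0.0/0
                routes.append((ipaddress.ip_network("0.0.0.0/1"), TUNNEL))
                routes.append((ipaddress.ip_network("128.0.0.0/1"), TUNNEL))
            else:
                routes.append((ipaddress.ip_network("0.0.0.0/0"), TUNNEL))
        elif words[0] == "route":
            network = words[1]
            netmask = words[2] if len(words) > 2 else "255.255.255.255"
            gateway = words[3] if len(words) > 3 else "vpn_gateway"
            next_hop = NET_GATEWAY if gateway == "net_gateway" else TUNNEL
            routes.append((ipaddress.ip_network(f"{network}/{netmask}", strict=False), next_hop))
        # dhcp-option and other pushes do not touch the route table
    return routes


def next_hop(routes, destination):
    """Longest-prefix match; with no matching route the packet uses the pre-VPN default gateway."""
    addr = ipaddress.ip_address(destination)
    best = None
    for network, hop in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, hop)
    return best[1] if best else NET_GATEWAY


def path_for(ccd_text, destination):
    """Convenience wrapper: which way does traffic for destination leave the client?"""
    return next_hop(build_routes(push_options(ccd_text)), destination)


# Constructed ccd contents; 203.0.113.10 stands in for the poster's "<WAN IP>".
WITH_EXCEPTION = '''
push "redirect-gateway def1"
push "route 203.0.113.10 255.255.255.255 net_gateway"
push "dhcp-option DNS 208.67.222.222"
'''
WITHOUT_EXCEPTION = '''
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
'''

if __name__ == "__main__":
    for dst in ("203.0.113.10", "203.0.113.11", "10.8.8.1", "93.184.216.34"):
        print(f"{dst:14} with exception: {path_for(WITH_EXCEPTION, dst):11} "
              f"without: {path_for(WITHOUT_EXCEPTION, dst)}")
```

Feed it a real ccd file to check what a pushed exception actually exempts: a wider netmask on the route line widens the hole in the tunnel, and the simulator makes that visible before a client connects.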

TinCanTech
Forum Team
Posts: 9239
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot connect to apache on same server as vpn

Post by TinCanTech » Fri Jun 11, 2021 9:13 pm

LOL .. that breaks iOS application rules ... but if it ain't broke no more what the hell !

iOS does some funky background manipulation of --redirect-gateway def1

It may not work as you expect or even for very long.

admininator
OpenVpn Newbie
Posts: 11
Joined: Mon Jun 07, 2021 4:10 pm

Re: Cannot connect to apache on same server as vpn

Post by admininator » Fri Jun 11, 2021 9:54 pm

TinCanTech wrote:
Fri Jun 11, 2021 9:13 pm
It may not work as you expect or even for very long.
You'll have to pay me to find out.

TinCanTech
Forum Team
Posts: 9239
Joined: Fri Jun 03, 2016 1:17 pm

Re: Cannot connect to apache on same server as vpn

Post by TinCanTech » Fri Jun 11, 2021 10:03 pm

To be honest, I am surprised that works .. but that is only the tip of the iceberg for you.
