connected but no internet

Posted: Thu Sep 07, 2017 2:22 am
by sdvpn
Hi,

I set up an OpenVPN server on my router running Tomato firmware, and I can connect to it, but I get no internet. One special thing about my setup is that the OpenVPN server is on my second router (192.168.10.1). I do have my first router (192.168.10.2) port forwarding the VPN server port to my second router. The second router, which has the VPN server, has the first router as the default gateway and the DNS set to the DNS of my ISP.

Server:

# Automatically generated configuration
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
cipher AES-256-CBC
keepalive 15 60
verb 3
client-config-dir ccd
client-to-client
push "redirect-gateway def1"
tls-auth static.key 0
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration
push "dhcp-option DNS 167.206.10.178"
push "dhcp-option DNS 167.206.10.179"
Client:

# Enables connection to GUI
management /data/user/0/de.blinkt.openvpn/cache/mgmtsocket unix
management-client
management-query-passwords
management-hold

setenv IV_GUI_VER "de.blinkt.openvpn 0.6.73"
setenv IV_PLAT_VER "25 7.1.2 arm64-v8a google bullhead Nexus 5X"
machine-readable-output
allow-recursive-routing
ifconfig-nowarn
client
verb 4
connect-retry 2 300
resolv-retry 60
dev tun
remote domainname.com 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
edited out
-----END CERTIFICATE-----

</ca>
<key>
-----BEGIN PRIVATE KEY-----
edited out
-----END PRIVATE KEY-----

</key>
<cert>
-----BEGIN CERTIFICATE-----
edited out
-----END CERTIFICATE-----

</cert>
comp-lzo
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
edited out
-----END OpenVPN Static key V1-----

</tls-auth>
key-direction 1
cipher AES-256-CBC
route 0.0.0.0 0.0.0.0 vpn_gateway
persist-tun
# persist-tun also enables pre resolving to avoid DNS resolve problem
preresolve
# Use system proxy setting
management-query-proxy
server log on startup:

Sep  6 21:58:54 sky daemon.err openvpn[3072]: event_wait : Interrupted system call (code=4)
Sep  6 21:58:54 sky daemon.notice openvpn[3072]: /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Sep  6 21:58:54 sky daemon.notice openvpn[3072]: Closing TUN/TAP interface
Sep  6 21:58:54 sky daemon.notice openvpn[3072]: /sbin/ifconfig tun21 0.0.0.0
Sep  6 21:58:54 sky daemon.notice openvpn[3072]: SIGTERM[hard,] received, process exiting
Sep  6 22:00:38 sky daemon.notice openvpn[5622]: OpenVPN 2.4.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  9 2017
Sep  6 22:00:38 sky daemon.notice openvpn[5622]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: Diffie-Hellman initialized with 2048 bit key
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: TUN/TAP device tun21 opened
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: TUN/TAP TX queue length set to 100
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sep  6 22:00:38 sky daemon.warn openvpn[5625]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: Socket Buffers: R=[120832->120832] S=[120832->120832]
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: setsockopt(IPV6_V6ONLY=0)
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: UDPv6 link remote: [AF_UNSPEC]
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: MULTI: multi_init called, r=256 v=256
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sep  6 22:00:38 sky daemon.notice openvpn[5625]: Initialization Sequence Completed
Sep  6 22:00:42 sky daemon.err openvpn[5625]: event_wait : Interrupted system call (code=4)
Sep  6 22:00:42 sky daemon.notice openvpn[5625]: TITLE,OpenVPN 2.4.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  9 2017
Sep  6 22:00:42 sky daemon.notice openvpn[5625]: TIME,Wed Sep  6 22:00:42 2017,1504749642
Sep  6 22:00:42 sky daemon.notice openvpn[5625]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
Sep  6 22:00:42 sky daemon.notice openvpn[5625]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
Sep  6 22:00:42 sky daemon.notice openvpn[5625]: GLOBAL_STATS,Max bcast/mcast queue length,0
Sep  6 22:00:42 sky daemon.notice openvpn[5625]: END
server log from client connecting:

Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x TLS: Initial packet from [AF_INET6]::ffff:172.58.225.x:26816, sid=66a56dbb 1b56cfd2
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x VERIFY OK: depth=1, C=US, ST=NY, L=New York, O=DomainName, OU=vpn, CN=DomainName CA, name=server, emailAddress=vpn@domainname.com
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x VERIFY OK: depth=0, C=US, ST=NY, L=New York, O=DomainName, OU=vpn, CN=client1, name=server, emailAddress=vpn@domainname.com
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x peer info: IV_VER=2.5_master
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x peer info: IV_PLAT=android
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x peer info: IV_PROTO=2
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x peer info: IV_NCP=2
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x peer info: IV_LZ4=1
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x peer info: IV_LZ4v2=1
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x peer info: IV_LZO=1
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x peer info: IV_COMP_STUB=1
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x peer info: IV_COMP_STUBv2=1
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x peer info: IV_TCPNL=1
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x peer info: IV_GUI_VER=de.blinkt.openvpn_0.6.73
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.x Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: 172.58.225.163 [client1] Peer Connection Initiated with [AF_INET6]::ffff:172.58.225.x:26816
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: client1/172.58.225.x MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: client1/172.58.225.x MULTI: Learn: 10.8.0.6 -> client1/172.58.225.x
Sep  6 22:06:15 sky daemon.notice openvpn[5625]: client1/172.58.225.x MULTI: primary virtual IP for client1/172.58.225.x: 10.8.0.6
Sep  6 22:06:17 sky daemon.notice openvpn[5625]: client1/172.58.225.x PUSH: Received control message: 'PUSH_REQUEST'
Sep  6 22:06:17 sky daemon.notice openvpn[5625]: client1/172.58.225.x SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 167.206.10.x,dhcp-option DNS 167.206.10.x,route 10.8.0.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sep  6 22:06:17 sky daemon.notice openvpn[5625]: client1/172.58.225.163 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep  6 22:06:17 sky daemon.notice openvpn[5625]: client1/172.58.225.163 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

I did some research and I ended up adding the DNS push commands on the server and setting the cipher to AES-256-CBC on the client. Neither change made a difference, and for some reason the cipher keeps getting picked as AES-256-GCM.

server status:

TITLE,OpenVPN 2.4.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  9 2017
TIME,Wed Sep  6 22:12:57 2017,1504750377
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Sin
CLIENT_LIST,client1,172.58.225.x,10.8.0.6,,133126,5162,Wed Sep  6 22:06:15 2017,1504749975,UNDEF,0,0
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,client1,172.58.225.x,Wed Sep  6 22:12:56 2017,1504750376
GLOBAL_STATS,Max bcast/mcast queue length,0
END
client log file:

2017-09-06 22:06:13 official build 0.6.73 running on google Nexus 5X (bullhead), Android 7.1.2 (N2G48C) API 25, ABI arm64-v8a, (google/bullhead/bullhead:7.1.2/N2G48C/4104010:user/release-keys)
2017-09-06 22:06:13 Building configuration…
2017-09-06 22:06:13 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2017-09-06 22:06:13 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2017-09-06 22:06:13 started Socket Thread
2017-09-06 22:06:13 Network Status: CONNECTED LTE to MOBILE 
2017-09-06 22:06:13 Debug state info: CONNECTED LTE to MOBILE , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2017-09-06 22:06:13 Debug state info: CONNECTED LTE to MOBILE, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2017-09-06 22:06:13 P:Initializing Google Breakpad!
2017-09-06 22:06:13 Current Parameter Settings:
2017-09-06 22:06:13   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2017-09-06 22:06:13 Waiting 0s seconds between connection attempt
2017-09-06 22:06:13   mode = 0
2017-09-06 22:06:13   show_ciphers = DISABLED
2017-09-06 22:06:13   show_digests = DISABLED
2017-09-06 22:06:13   show_engines = DISABLED
2017-09-06 22:06:13   genkey = DISABLED
2017-09-06 22:06:13   key_pass_file = '[UNDEF]'
2017-09-06 22:06:13   show_tls_ciphers = DISABLED
2017-09-06 22:06:13   connect_retry_max = 0
2017-09-06 22:06:13 Connection profiles [0]:
2017-09-06 22:06:13   proto = udp
2017-09-06 22:06:13   local = '[UNDEF]'
2017-09-06 22:06:13   local_port = '1194'
2017-09-06 22:06:13   remote = 'myamazing.com'
2017-09-06 22:06:13   remote_port = '1194'
2017-09-06 22:06:13   remote_float = DISABLED
2017-09-06 22:06:13   bind_defined = DISABLED
2017-09-06 22:06:13   bind_local = ENABLED
2017-09-06 22:06:13   bind_ipv6_only = DISABLED
2017-09-06 22:06:13   connect_retry_seconds = 2
2017-09-06 22:06:13   connect_timeout = 120
2017-09-06 22:06:13   socks_proxy_server = '[UNDEF]'
2017-09-06 22:06:13   socks_proxy_port = '[UNDEF]'
2017-09-06 22:06:13   tun_mtu = 1500
2017-09-06 22:06:13   tun_mtu_defined = ENABLED
2017-09-06 22:06:13   link_mtu = 1500
2017-09-06 22:06:13   link_mtu_defined = DISABLED
2017-09-06 22:06:13   tun_mtu_extra = 0
2017-09-06 22:06:13   tun_mtu_extra_defined = DISABLED
2017-09-06 22:06:13   mtu_discover_type = -1
2017-09-06 22:06:13   fragment = 0
2017-09-06 22:06:13   mssfix = 1450
2017-09-06 22:06:13   explicit_exit_notification = 0
2017-09-06 22:06:13 Connection profiles END
2017-09-06 22:06:13   remote_random = DISABLED
2017-09-06 22:06:13   ipchange = '[UNDEF]'
2017-09-06 22:06:13   dev = 'tun'
2017-09-06 22:06:13   dev_type = '[UNDEF]'
2017-09-06 22:06:13   dev_node = '[UNDEF]'
2017-09-06 22:06:13   lladdr = '[UNDEF]'
2017-09-06 22:06:13   topology = 1
2017-09-06 22:06:13   ifconfig_local = '[UNDEF]'
2017-09-06 22:06:13   ifconfig_remote_netmask = '[UNDEF]'
2017-09-06 22:06:13   ifconfig_noexec = DISABLED
2017-09-06 22:06:13   ifconfig_nowarn = ENABLED
2017-09-06 22:06:13   ifconfig_ipv6_local = '[UNDEF]'
2017-09-06 22:06:13   ifconfig_ipv6_netbits = 0
2017-09-06 22:06:13   ifconfig_ipv6_remote = '[UNDEF]'
2017-09-06 22:06:14   shaper = 0
2017-09-06 22:06:14   mtu_test = 0
2017-09-06 22:06:14   mlock = DISABLED
2017-09-06 22:06:14   keepalive_ping = 0
2017-09-06 22:06:14   keepalive_timeout = 0
2017-09-06 22:06:14   inactivity_timeout = 0
2017-09-06 22:06:14   ping_send_timeout = 0
2017-09-06 22:06:14   ping_rec_timeout = 0
2017-09-06 22:06:14   ping_rec_timeout_action = 0
2017-09-06 22:06:14   ping_timer_remote = DISABLED
2017-09-06 22:06:14   remap_sigusr1 = 0
2017-09-06 22:06:14   persist_tun = ENABLED
2017-09-06 22:06:14   persist_local_ip = DISABLED
2017-09-06 22:06:14   persist_remote_ip = DISABLED
2017-09-06 22:06:14   persist_key = DISABLED
2017-09-06 22:06:14   passtos = DISABLED
2017-09-06 22:06:14   resolve_retry_seconds = 60
2017-09-06 22:06:14   resolve_in_advance = ENABLED
2017-09-06 22:06:14   username = '[UNDEF]'
2017-09-06 22:06:14   groupname = '[UNDEF]'
2017-09-06 22:06:14   chroot_dir = '[UNDEF]'
2017-09-06 22:06:14   cd_dir = '[UNDEF]'
2017-09-06 22:06:14   writepid = '[UNDEF]'
2017-09-06 22:06:14   up_script = '[UNDEF]'
2017-09-06 22:06:14   down_script = '[UNDEF]'
2017-09-06 22:06:14   down_pre = DISABLED
2017-09-06 22:06:14   up_restart = DISABLED
2017-09-06 22:06:14   up_delay = DISABLED
2017-09-06 22:06:14   daemon = DISABLED
2017-09-06 22:06:14   inetd = 0
2017-09-06 22:06:14   log = DISABLED
2017-09-06 22:06:14   suppress_timestamps = DISABLED
2017-09-06 22:06:14   machine_readable_output = ENABLED
2017-09-06 22:06:14   nice = 0
2017-09-06 22:06:14   verbosity = 4
2017-09-06 22:06:14   mute = 0
2017-09-06 22:06:14   gremlin = 0
2017-09-06 22:06:14   status_file = '[UNDEF]'
2017-09-06 22:06:14   status_file_version = 1
2017-09-06 22:06:14   status_file_update_freq = 60
2017-09-06 22:06:14   occ = ENABLED
2017-09-06 22:06:14   rcvbuf = 0
2017-09-06 22:06:14   sndbuf = 0
2017-09-06 22:06:14   sockflags = 0
2017-09-06 22:06:14   fast_io = DISABLED
2017-09-06 22:06:14   comp.alg = 0
2017-09-06 22:06:14   comp.flags = 0
2017-09-06 22:06:14   route_script = '[UNDEF]'
2017-09-06 22:06:14   route_default_gateway = '[UNDEF]'
2017-09-06 22:06:14   route_default_metric = 0
2017-09-06 22:06:14   route_noexec = DISABLED
2017-09-06 22:06:14   route_delay = 0
2017-09-06 22:06:14   route_delay_window = 30
2017-09-06 22:06:14   route_delay_defined = DISABLED
2017-09-06 22:06:14   route_nopull = DISABLED
2017-09-06 22:06:14   route_gateway_via_dhcp = DISABLED
2017-09-06 22:06:14   allow_pull_fqdn = DISABLED
2017-09-06 22:06:14   route 0.0.0.0/0.0.0.0/vpn_gateway/default (not set)
2017-09-06 22:06:14   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2017-09-06 22:06:14   management_port = 'unix'
2017-09-06 22:06:14   management_user_pass = '[UNDEF]'
2017-09-06 22:06:14   management_log_history_cache = 250
2017-09-06 22:06:14   management_echo_buffer_size = 100
2017-09-06 22:06:14   management_write_peer_info_file = '[UNDEF]'
2017-09-06 22:06:14   management_client_user = '[UNDEF]'
2017-09-06 22:06:14   management_client_group = '[UNDEF]'
2017-09-06 22:06:14   management_flags = 4390
2017-09-06 22:06:14   shared_secret_file = '[UNDEF]'
2017-09-06 22:06:14   key_direction = 1
2017-09-06 22:06:14   ciphername = 'AES-256-CBC'
2017-09-06 22:06:14   ncp_enabled = ENABLED
2017-09-06 22:06:14   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2017-09-06 22:06:14   authname = 'SHA1'
2017-09-06 22:06:14   prng_hash = 'SHA1'
2017-09-06 22:06:14   prng_nonce_secret_len = 16
2017-09-06 22:06:14   keysize = 0
2017-09-06 22:06:14   engine = DISABLED
2017-09-06 22:06:14   replay = ENABLED
2017-09-06 22:06:14   mute_replay_warnings = DISABLED
2017-09-06 22:06:14   replay_window = 64
2017-09-06 22:06:14   replay_time = 15
2017-09-06 22:06:14   packet_id_file = '[UNDEF]'
2017-09-06 22:06:14   test_crypto = DISABLED
2017-09-06 22:06:14   tls_server = DISABLED
2017-09-06 22:06:14   tls_client = ENABLED
2017-09-06 22:06:14   key_method = 2
2017-09-06 22:06:14   ca_file = '[[INLINE]]'
2017-09-06 22:06:14   ca_path = '[UNDEF]'
2017-09-06 22:06:14   dh_file = '[UNDEF]'
2017-09-06 22:06:14   cert_file = '[[INLINE]]'
2017-09-06 22:06:14   extra_certs_file = '[UNDEF]'
2017-09-06 22:06:14   priv_key_file = '[[INLINE]]'
2017-09-06 22:06:14   pkcs12_file = '[UNDEF]'
2017-09-06 22:06:14   cipher_list = '[UNDEF]'
2017-09-06 22:06:14   tls_verify = '[UNDEF]'
2017-09-06 22:06:14   tls_export_cert = '[UNDEF]'
2017-09-06 22:06:14   verify_x509_type = 0
2017-09-06 22:06:14   verify_x509_name = '[UNDEF]'
2017-09-06 22:06:14   crl_file = '[UNDEF]'
2017-09-06 22:06:14   ns_cert_type = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_ku[i] = 0
2017-09-06 22:06:14   remote_cert_eku = '[UNDEF]'
2017-09-06 22:06:14   ssl_flags = 0
2017-09-06 22:06:14   tls_timeout = 2
2017-09-06 22:06:14   renegotiate_bytes = -1
2017-09-06 22:06:14   renegotiate_packets = 0
2017-09-06 22:06:14   renegotiate_seconds = 3600
2017-09-06 22:06:14   handshake_window = 60
2017-09-06 22:06:14   transition_window = 3600
2017-09-06 22:06:14   single_session = DISABLED
2017-09-06 22:06:14   push_peer_info = DISABLED
2017-09-06 22:06:14   tls_exit = DISABLED
2017-09-06 22:06:14   tls_auth_file = '[[INLINE]]'
2017-09-06 22:06:14   tls_crypt_file = '[UNDEF]'
2017-09-06 22:06:14   client = ENABLED
2017-09-06 22:06:14   pull = ENABLED
2017-09-06 22:06:14   auth_user_pass_file = '[UNDEF]'
2017-09-06 22:06:14 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-d51333c645c12713+] android-21-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 26 2017
2017-09-06 22:06:14 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
2017-09-06 22:06:14 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2017-09-06 22:06:14 MANAGEMENT: CMD 'hold release'
2017-09-06 22:06:14 MANAGEMENT: CMD 'bytecount 2'
2017-09-06 22:06:14 MANAGEMENT: CMD 'proxy NONE'
2017-09-06 22:06:14 MANAGEMENT: CMD 'state on'
2017-09-06 22:06:15 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2017-09-06 22:06:15 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-09-06 22:06:15 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2017-09-06 22:06:15 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2017-09-06 22:06:15 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2017-09-06 22:06:15 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
2017-09-06 22:06:15 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2017-09-06 22:06:15 TCP/UDP: Preserving recently used remote address: [AF_INET]69.116.x.x:1194
2017-09-06 22:06:15 Socket Buffers: R=[212992->212992] S=[212992->212992]
2017-09-06 22:06:15 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2017-09-06 22:06:15 UDP link local (bound): [AF_INET][undef]:1194
2017-09-06 22:06:15 UDP link remote: [AF_INET]69.116.x.x:1194
2017-09-06 22:06:15 MANAGEMENT: >STATE:1504749975,WAIT,,,,,,
2017-09-06 22:06:15 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-09-06 22:06:15 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET): ,,,,,
2017-09-06 22:06:15 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-09-06 22:06:15 New OpenVPN Status (AUTH->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-09-06 22:06:15 MANAGEMENT: >STATE:1504749975,AUTH,,,,,,
2017-09-06 22:06:15 TLS: Initial packet from [AF_INET]69.116.x.x:1194, sid=8aec5d4d ebfce4d7
2017-09-06 22:06:15 VERIFY OK: depth=1, C=US, ST=NY, L=New York, O=DomainName, OU=vpn, CN=DomainName CA, name=server, emailAddress=vpn@domainname.com
2017-09-06 22:06:15 VERIFY OK: depth=0, C=US, ST=NY, L=New York, O=DomainName, OU=vpn, CN=server, name=server, emailAddress=vpn@domainname.com
2017-09-06 22:06:15 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-09-06 22:06:15 [server] Peer Connection Initiated with [AF_INET]69.116.x.x:1194
2017-09-06 22:06:17 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-09-06 22:06:17 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-09-06 22:06:17 MANAGEMENT: >STATE:1504749977,GET_CONFIG,,,,,,
2017-09-06 22:06:17 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2017-09-06 22:06:17 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 167.206.10.x,dhcp-option DNS 167.206.10.x,route 10.8.0.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2017-09-06 22:06:17 OPTIONS IMPORT: timers and/or timeouts modified
2017-09-06 22:06:17 OPTIONS IMPORT: --ifconfig/up options modified
2017-09-06 22:06:17 OPTIONS IMPORT: route options modified
2017-09-06 22:06:17 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-09-06 22:06:17 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,10.8.0.6,,,,
2017-09-06 22:06:17 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED): ,10.8.0.6,,,,
2017-09-06 22:06:17 OPTIONS IMPORT: peer-id set
2017-09-06 22:06:17 OPTIONS IMPORT: adjusting link_mtu to 1624
2017-09-06 22:06:17 OPTIONS IMPORT: data channel crypto options modified
2017-09-06 22:06:17 Data Channel: using negotiated cipher 'AES-256-GCM'
2017-09-06 22:06:17 Data Channel MTU parms [ L:1552 D:1450 EF:52 EB:406 ET:0 EL:3 ]
2017-09-06 22:06:17 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-09-06 22:06:17 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-09-06 22:06:17 GDG: SIOCGIFHWADDR(lo) failed
2017-09-06 22:06:17 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo
2017-09-06 22:06:17 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-09-06 22:06:17 MANAGEMENT: >STATE:1504749977,ASSIGN_IP,,10.8.0.6,,,,
2017-09-06 22:06:17 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2017-09-06 22:06:17 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2017-09-06 22:06:17 MANAGEMENT: >STATE:1504749977,ADD_ROUTES,,,,,,
2017-09-06 22:06:17 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-09-06 22:06:17 New OpenVPN Status (ADD_ROUTES->LEVEL_CONNECTING_SERVER_REPLIED): ,,,,,
2017-09-06 22:06:17 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2017-09-06 22:06:17 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2017-09-06 22:06:17 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2017-09-06 22:06:17 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2017-09-06 22:06:17 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2017-09-06 22:06:17 Opening tun interface:
2017-09-06 22:06:17 Local IPv4: 10.8.0.6/30 IPv6: null MTU: 1500
2017-09-06 22:06:17 DNS Server: 167.206.10.x, 167.206.10.x, Domain: null
2017-09-06 22:06:17 Routes: 0.0.0.0/0, 10.8.0.0/24, 10.8.0.4/30
2017-09-06 22:06:17 Routes excluded: 
2017-09-06 22:06:17 VpnService routes installed: 0.0.0.0/0
2017-09-06 22:06:17 Disallowed VPN apps:
2017-09-06 22:06:17 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2017-09-06 22:06:17 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-09-06 22:06:17 Initialization Sequence Completed
2017-09-06 22:06:17 MANAGEMENT: >STATE:1504749977,CONNECTED,SUCCESS,10.8.0.6,69.116.x.x,1194,,
2017-09-06 22:06:17 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,10.8.0.6,69.116.x.x,1194,,
2017-09-06 22:06:17 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): SUCCESS,10.8.0.6,69.116.x.x,1194,,
2017-09-06 22:06:17 Debug state info: CONNECTED LTE to MOBILE , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
client disconnecting log:

2017-09-06 22:14:36 MANAGEMENT: CMD 'signal SIGINT'
2017-09-06 22:14:36 TCP/UDP: Closing socket
2017-09-06 22:14:36 Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
2017-09-06 22:14:36 Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.
2017-09-06 22:14:36 Closing TUN/TAP interface
2017-09-06 22:14:36 SIGINT[hard,] received, process exiting
2017-09-06 22:14:36 MANAGEMENT: >STATE:1504750476,EXITING,SIGINT,,,,,
2017-09-06 22:14:36 MANAGEMENT: TCP send error: Broken pipe
2017-09-06 22:14:36 MANAGEMENT: Client disconnected
2017-09-06 22:14:36 MANAGEMENT: Triggering management exit
2017-09-06 22:14:36 New OpenVPN Status (NOPROCESS->LEVEL_NOTCONNECTED): No process running.
2017-09-06 22:14:36 New OpenVPN Status (NOPROCESS->LEVEL_NOTCONNECTED): No process running.
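
The "cipher keeps getting picked as AES-256-GCM" observation above has a benign explanation that the logs themselves show: the client prints `ncp_enabled = ENABLED` and `ncp_ciphers = 'AES-256-GCM:AES-128-GCM'`, and the server (OpenVPN 2.4.1) answers the PUSH_REQUEST with `cipher AES-256-GCM`. That is Negotiable Crypto Parameters at work: when both ends support NCP the server picks from the client's advertised list and pushes its choice, and `cipher AES-256-CBC` is only the fallback for peers that cannot negotiate. AES-256-GCM is an AEAD cipher, so this is not what keeps traffic from leaving the tunnel. What is worth reading off the same PUSH_REPLY line is everything else the client was handed (default route, DNS, extra routes), because that is what "connected but no internet" hinges on. The following helper is an added example, not code from the thread or from the OpenVPN project; it parses the thread's own PUSH_REPLY server-log line (embedded as a constructed sample, client address anonymised as in the post) into one option per line.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN project.
# Extracts the options a server pushed from one "SENT CONTROL ... PUSH_REPLY"
# server-log line, so the tunnel state a client was given (default route,
# DNS, routes, negotiated data-channel cipher) can be read at a glance.

# Constructed sample: the PUSH_REPLY line from the thread's server log
# (client address anonymised as in the thread).
PUSH_LINE="Sep  6 22:06:17 sky daemon.notice openvpn[5625]: client1/172.58.225.x SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 167.206.10.x,dhcp-option DNS 167.206.10.x,route 10.8.0.0 255.255.255.0,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)"

# push_reply_options LOGLINE -> the pushed options, one per line.
# The payload is the single-quoted, comma-separated list after "PUSH_REPLY,".
push_reply_options() {
  printf '%s\n' "$1" | sed -n "s/.*'PUSH_REPLY,\([^']*\)'.*/\1/p" | tr ',' '\n'
}

# pushed_option LOGLINE NAME -> the argument(s) of every pushed option whose
# keyword is NAME (one line each); empty output when it was not pushed.
pushed_option() {
  push_reply_options "$1" | awk -v n="$2" '$1 == n { sub(/^[^ ]+ */, ""); print }'
}

# push_summary LOGLINE -> the fields that matter for "connected but no internet".
push_summary() {
  line=$1
  echo "default route via VPN : $(pushed_option "$line" redirect-gateway)"
  echo "DNS pushed            : $(pushed_option "$line" dhcp-option | awk '$1=="DNS"{print $2}' | tr '\n' ' ')"
  echo "extra routes          : $(pushed_option "$line" route | tr '\n' ';')"
  echo "data-channel cipher   : $(pushed_option "$line" cipher)"
}

# Stand-alone run: summarise the embedded sample line.
push_summary "$PUSH_LINE"
```

Run it against any server log with `grep PUSH_REPLY /var/log/messages | while IFS= read -r l; do push_summary "$l"; done`. If `redirect-gateway` and the DNS lines are present, as they are here, the client side is doing its part and the problem is on the server host (forwarding and NAT), which is where the later posts in this thread end up. Separately, the client log's `WARNING: No server certificate verification method has been enabled` is independent of the routing issue but worth closing: `remote-cert-tls server` in the client profile makes the client reject a peer whose certificate lacks the server key usage, so a stolen client certificate cannot be used to impersonate the server.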

Re: connected but no internet

Posted: Fri Sep 08, 2017 1:44 am
by sdvpn
after reading a bit I think there is something wrong with my firewall rules. But I am not too sure whether the issue is on the router with the VPN server (internal) or the router it connects to (external).

iptables on vpn server router:

/tmp/home/root# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1194
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
shlimit    tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
           all  --  anywhere             anywhere            account: network/netmask: 192.168.10.0/255.255.255.0 name: lan 
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
wanin      all  --  anywhere             anywhere            
wanout     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain shlimit (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere             recent: SET name: shlimit side: source
DROP       all  --  anywhere             anywhere             recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

Chain wanin (1 references)
target     prot opt source               destination         

Chain wanout (1 references)
target     prot opt source               destination
routes on the external router:

iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
shlimit    tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
           all  --  anywhere             anywhere            account: network/netmask: 192.168.10.0/255.255.255.0 name: lan 
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
wanin      all  --  anywhere             anywhere            
wanout     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain shlimit (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere            recent: SET name: shlimit side: source 
DROP       all  --  anywhere             anywhere            recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source 

Chain wanin (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             xxx.xxx.com tcp dpt:8301 
ACCEPT     udp  --  anywhere             xxx.xxx.com udp dpt:8301 
ACCEPT     tcp  --  anywhere             xxx.xxx.com  tcp dpt:51413 
ACCEPT     udp  --  anywhere             xxx.xxx.com  udp dpt:51413 
ACCEPT     tcp  --  anywhere             192.168.10.1        tcp dpt:1194 
ACCEPT     udp  --  anywhere             192.168.10.1        udp dpt:1194 

Chain wanout (1 references)
target     prot opt source               destination
some of the stuff I ran into suggested adding:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

but I don't know what that means, or whether I should do it on the external or the internal router.

I also found the sticky here with the chart on how to find my issue. I found that I could not ping 8.8.8.8, and it says to enable IP forwarding. But I don't know how to do that.

Re: connected but no internet

Posted: Fri Sep 08, 2017 2:10 am
by sdvpn
okay I think I got it to work with:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
thanks to viewtopic.php?t=12708

I thought I had done that already, but I think I did it on the wrong router. I had to do it on the router with the VPN server.

vpn server router:

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1194

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            
SNAT       all  --  192.168.10.0/24      192.168.10.0/24      to:192.168.10.1

Chain WANPREROUTING (0 references)
target     prot opt source               destination         
root@sky:/tmp/home/root# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
root@sky:/tmp/home/root# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1194

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            
SNAT       all  --  192.168.10.0/24      192.168.10.0/24      to:192.168.10.1
MASQUERADE  all  --  10.8.0.0/24          anywhere            

Chain WANPREROUTING (0 references)
target     prot opt source               destination
server config currently looks like:

# Automatically generated configuration
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
cipher AES-256-CBC
keepalive 15 60
verb 3
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway def1"
tls-auth static.key 0
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration
push "route 10.8.8.0 255.255.0.0"

don't know if any of the new stuff I added is also needed, but they didn't work without the iptables command above
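
The two questions raised across the last posts, what `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE` means and how to check IP forwarding, come down to two host-side prerequisites on the router that runs the OpenVPN server: the kernel must forward packets between tun21 and the WAN side (`/proc/sys/net/ipv4/ip_forward` must read `1`), and packets from the tunnel pool must be source-NATed so that replies come back to this router rather than being dropped upstream for an unknown 10.8.0.x source. The script below is an added example, not code from the thread, from Tomato or from OpenVPN. It checks both conditions and adds the NAT rule idempotently; the parsing functions take text, so the embedded sample is the thread's own `iptables -t nat -L` output before and after the fix (as posted, already anonymised), and the live `--check` mode runs the same logic on the current host.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato/OpenVPN.
# Checks the two host-side prerequisites for a "redirect-gateway" OpenVPN
# server to give clients internet access: kernel IP forwarding, and a
# source-NAT (MASQUERADE) rule for the tunnel subnet in nat/POSTROUTING.
# The parsing functions take text so they can be exercised on saved output.

TUN_SUBNET=10.8.0.0/24   # the pool from "server 10.8.0.0 255.255.255.0"

# Constructed sample: nat table of the VPN router before the fix, as pasted
# in the thread (no rule for the tunnel subnet yet).
NAT_BEFORE='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1194

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
SNAT       all  --  192.168.10.0/24      192.168.10.0/24      to:192.168.10.1'

# The same table after "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE".
NAT_AFTER="$NAT_BEFORE
MASQUERADE  all  --  10.8.0.0/24          anywhere"

# tunnel_is_masqueraded LISTING SUBNET
# Exit 0 when nat/POSTROUTING (as printed by "iptables -t nat -L [-n]") holds
# a MASQUERADE or SNAT rule whose source column is exactly SUBNET.  The
# catch-all "anywhere -> anywhere" MASQUERADE is deliberately not accepted:
# plain -L hides the "-o <wan-if>" match such rules usually carry, so its
# presence says nothing about traffic leaving through another interface.
tunnel_is_masqueraded() {
  printf '%s\n' "$1" | awk -v s="$2" '
    /^Chain / { inpost = ($2 == "POSTROUTING") }
    inpost && ($1 == "MASQUERADE" || $1 == "SNAT") && $4 == s { found = 1 }
    END { exit found ? 0 : 1 }'
}

# ip_forwarding_enabled [FILE]
# Exit 0 when the kernel forwards IPv4 between interfaces.  FILE defaults to
# the sysctl node; a path is accepted so the check can be tested offline.
ip_forwarding_enabled() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# ensure_tunnel_masquerade SUBNET   (needs root; runs iptables for real)
# "-C" tests for an identical rule, so re-running this (e.g. from a firewall
# script on every WAN up) never stacks duplicate MASQUERADE entries.
ensure_tunnel_masquerade() {
  iptables -t nat -C POSTROUTING -s "$1" -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING -s "$1" -j MASQUERADE
}

# Live check of this host; only runs when invoked as "sh script.sh --check".
if [ "${1:-}" = "--check" ]; then
  ip_forwarding_enabled \
    && echo "ip_forward: on" \
    || echo "ip_forward: OFF (echo 1 > /proc/sys/net/ipv4/ip_forward)"
  tunnel_is_masqueraded "$(iptables -t nat -L POSTROUTING -n)" "$TUN_SUBNET" \
    && echo "nat: $TUN_SUBNET is masqueraded" \
    || echo "nat: no MASQUERADE for $TUN_SUBNET (run ensure_tunnel_masquerade $TUN_SUBNET)"
fi
```

Run it with `--check` on the router that hosts the OpenVPN server, which is where the thread's fix ended up having to go; the first router only forwards UDP 1194 inbound and never sees a 10.8.0.x source address. To see the interface matches that `-L` hides, use `iptables -t nat -L POSTROUTING -v -n`. A rule added at a shell prompt disappears at reboot, so the `ensure_tunnel_masquerade` call belongs in the firewall startup script (on Tomato, Administration > Scripts > Firewall), where its `-C` guard keeps repeated runs from piling up duplicates.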