I run an Openvpn server at home and have done for many years.
I have a certificate for each of my devices and it has always done what I've needed of it.
This morning, I updated my personal phone (Oneplus Nord 2) to Android 13 and since the update, I'm unable to connect to my server when I'm using mobile data.
The connection works fine when I'm connected to wifi.
My work phone (Samsung S22 Ultra) has been running Android 13 for some time and works ok.
I've cleared my wifi/bluetooth/network settings and reinstalled the Openvpn client. Following that, my vpn very briefly connected but soon returned to refusing to connect. It's also not showing any errors, it's just timing out.
Luckily I have my work phone. I swapped the sim cards and the issue stayed on my own phone. My own sim is able to connect OK when put in my work phone so I know it's either a phone issue (unlikely since wifi connections work ok) or a setting issue that is only raising its head due to the upgrade.
I installed the same profile on my S22 and Nord 2 and have the log from the successful connection via the S22 and the failed connection via the Nord 2
Code: Select all
S22 ultra
Share OpenVPN log file: [Sept 27, 2023, 15:55:43] ----- OpenVPN Start -----
[Sept 27, 2023, 15:55:43] EVENT: CORE_THREAD_ACTIVE
[Sept 27, 2023, 15:55:43] OpenVPN core 3.git::081bfebe:RelWithDebInfo android arm64 64-bit PT_PROXY
[Sept 27, 2023, 15:55:43] Frame=512/2048/512 mssfix-ctrl=1250
[Sept 27, 2023, 15:55:43] UNUSED OPTIONS
5 [resolv-retry] [infinite]
7 [nobind]
9 [verb] [3]
[Sept 27, 2023, 15:55:43] EVENT: RESOLVE
[Sept 27, 2023, 15:55:43] Contacting myip.address:8457 via UDP
[Sept 27, 2023, 15:55:43] EVENT: WAIT
[Sept 27, 2023, 15:55:43] Connecting to [tensoon. mydomain.co.uk]:8457 ( myip.address) via UDPv4
[Sept 27, 2023, 15:55:43] EVENT: CONNECTING
[Sept 27, 2023, 15:55:43] Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
[Sept 27, 2023, 15:55:43] Creds: UsernameEmpty/PasswordEmpty
[Sept 27, 2023, 15:55:43] Peer Info:
IV_VER=3.git::081bfebe:RelWithDebInfo
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.3.4-9290
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1
[Sept 27, 2023, 15:55:43] VERIFY OK: depth=1, /C=US/ST=CA/L=San Francisco/O=TurnKey Linux/OU=OpenVPN/CN=server/name=openvpn/emailAddress=me@myemail.com, signature: RSA-SHA256
[Sept 27, 2023, 15:55:43] VERIFY OK: depth=0, /C=US/ST=CA/L=San Francisco/O=TurnKey Linux/OU=OpenVPN/CN=server/name=openvpn/emailAddress=me@myemail.com, signature: RSA-SHA256
[Sept 27, 2023, 15:55:43] SSL Handshake: peer certificate: CN=server, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
[Sept 27, 2023, 15:55:43] Session is ACTIVE
[Sept 27, 2023, 15:55:43] Sending PUSH_REQUEST to server...
[Sept 27, 2023, 15:55:43] EVENT: GET_CONFIG
[Sept 27, 2023, 15:55:43] OPTIONS:
0 [route] [10.10.10.0] [255.255.254.0]
1 [route] [10.10.25.0] [255.255.255.0]
2 [route] [10.10.40.0] [255.255.255.0]
3 [route] [ myip.address] [255.255.255.255]
4 [route] [10.10.50.0] [255.255.255.0]
5 [dhcp-option] [DNS] [10.10.10.99]
6 [dhcp-option] [DNS] [10.10.10.1]
7 [redirect-gateway] [def1] [bypass-dhcp]
8 [route] [10.8.0.1]
9 [topology] [net30]
10 [ping] [10]
11 [ping-restart] [120]
12 [ifconfig] [10.8.0.6] [10.8.0.5]
13 [peer-id] [1]
14 [cipher] [AES-256-GCM]
[Sept 27, 2023, 15:55:43] PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
key-derivation: OpenVPN PRF
compress: LZO_STUB
peer ID: 1
control channel: tls-auth enabled
[Sept 27, 2023, 15:55:43] EVENT: ASSIGN_IP
[Sept 27, 2023, 15:55:43] Connected via tun
[Sept 27, 2023, 15:55:43] LZO-ASYM init swap=0 asym=1
[Sept 27, 2023, 15:55:43] Comp-stub init swap=0
[Sept 27, 2023, 15:55:43] EVENT: CONNECTED info='tensoon. mydomain.co.uk:8457 ( myip.address) via /UDPv4 on tun/10.8.0.6/ gw=[10.8.0.5/]'
One plus nord 2
[Sept 27, 2023, 15:57:16] ----- OpenVPN Start -----
[Sept 27, 2023, 15:57:16] EVENT: CORE_THREAD_ACTIVE
[Sept 27, 2023, 15:57:16] OpenVPN core 3.git::081bfebe:RelWithDebInfo android arm64 64-bit PT_PROXY
[Sept 27, 2023, 15:57:16] Frame=512/2048/512 mssfix-ctrl=1250
[Sept 27, 2023, 15:57:16] UNUSED OPTIONS
5 [resolv-retry] [infinite]
7 [nobind]
9 [verb] [3]
[Sept 27, 2023, 15:57:16] EVENT: RESOLVE
[Sept 27, 2023, 15:57:16] Contacting myip.address:8457 via UDP
[Sept 27, 2023, 15:57:16] EVENT: WAIT
[Sept 27, 2023, 15:57:16] Connecting to [tensoon. mydomain.co.uk]:8457 ( myip.address) via UDPv4
[Sept 27, 2023, 15:57:16] EVENT: CONNECTING
[Sept 27, 2023, 15:57:16] Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
[Sept 27, 2023, 15:57:16] Creds: UsernameEmpty/PasswordEmpty
[Sept 27, 2023, 15:57:16] Peer Info:
IV_VER=3.git::081bfebe:RelWithDebInfo
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.3.4-9290
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1
[Sept 27, 2023, 15:57:16] VERIFY OK: depth=1, /C=US/ST=CA/L=San Francisco/O=TurnKey Linux/OU=OpenVPN/CN=server/name=openvpn/emailAddress=me@myemail.com, signature: RSA-SHA256
[Sept 27, 2023, 15:57:16] VERIFY OK: depth=0, /C=US/ST=CA/L=San Francisco/O=TurnKey Linux/OU=OpenVPN/CN=server/name=openvpn/emailAddress=me@myemail.com, signature: RSA-SHA256
[Sept 27, 2023, 15:58:16] EVENT: CONNECTION_TIMEOUT info=' BYTES_IN : 3888
BYTES_OUT : 157487
PACKETS_IN : 8
PACKETS_OUT : 127
CONNECTION_TIMEOUT : 1
'
[Sept 27, 2023, 15:58:16] EVENT: DISCONNECTED
[Sept 27, 2023, 15:58:16] Tunnel bytes per CPU second: 0
[Sept 27, 2023, 15:58:16] ----- OpenVPN Stop -----
[Sept 27, 2023, 15:58:16] EVENT: CORE_THREAD_DONE
Code: Select all
#PUBLIC_ADDRESS: tensoon.mydomain.co.uk (used by openvpn-addclient)
port 1194
proto udp
dev tun
comp-lzo
keepalive 10 120
persist-key
#persist-tun
user nobody
group nogroup
chroot /etc/openvpn/easy-rsa/keys/crl.jail
crl-verify crl.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
key /etc/openvpn/easy-rsa/keys/server.key
cert /etc/openvpn/easy-rsa/keys/server.crt
ifconfig-pool-persist /var/lib/openvpn/server.ipp
client-config-dir /etc/openvpn/server.ccd
status /var/log/openvpn/server.log
verb 4
# virtual subnet unique for openvpn to draw client addresses from
# the server will be configured with x.x.x.1
# important: must not be used on your network
server 10.8.0.0 255.255.255.0
# push routes to clients to allow them to reach private subnets
#push "route 10.10.20.0 255.255.255.0"
push "route 10.10.10.0 255.255.254.0"
push "route 10.10.25.0 255.255.255.0"
push "route 10.10.40.0 255.255.255.0"
push "route myip.address 255.255.255.255"
push "route 10.10.50.0 255.255.255.0"
push "dhcp-option DNS 10.10.10.99"
push "dhcp-option DNS 10.10.10.1"
#push "route 172.16.69.0 255.255.255.0"
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
I'm also connected to the same VPN right now on my laptop as I type this but I'm really not getting many clues as to what's wrong given the lack of errors when I try to connect, the only thing I can guess is that the ssl handshake is timing out for some reason.
Here's the client config in case it helps.
Code: Select all
remote tensoon.mydomain.co.uk 8457
proto udp
remote-cert-tls server
client
dev tun
resolv-retry infinite
keepalive 10 120
nobind
comp-lzo
verb 3
;user nobody
;group nogroup
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxx
-----END OpenVPN Static key V1-----
</tls-auth>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=server/name=openvpn/emailAddress=my@email.com
Validity
Not Before: Oct 18 16:49:18 2020 GMT
Not After : Oct 16 16:49:18 2030 GMT
Subject: C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=pixel2tensoon/name=openvpn/emailAddress=email@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
xxx
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
xxx
X509v3 Authority Key Identifier:
xxx
DirName:/C=US/ST=CA/L=San Francisco/O=TurnKey Linux/OU=OpenVPN/CN=server/name=openvpn/emailAddress=my@email.com
xxx
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:pixel2tensoon
Signature Algorithm: sha256WithRSAEncryption
xxx
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
xxx
-----END ENCRYPTED PRIVATE KEY-----
</key>
A couple of places I work in have wifi networks that block anything not on standard ports and use a dns that doesn't recognise my domain name, so I also have another profile that connects via the IP to port 443 but I usually have 443 blocked on my router. I've opened port 443 this evening and even connecting directly via the IP doesn't work either.
I use connectbot to ssh into my servers, and have a Nextcloud client app on my phone that doesn't need the VPN. Both connect using the domain name and both have been working all day too so it doesn't seem to be any sort of DNS issue.
EDIT
Well, I think I may be on to the problem, though the solution will need to wait for another day.
I did some digging and it seems the MTU on my phone when on mobile data is now 1280, meaning i need an mssfix of 1212 (judging by the guide that told me to drop 40 off the ping MTU, which is 28 below the actual MTU thanks to the headers etc).
However, mssfix in my client.ovpn doesn't seem to be doing very much, nor is it working in the server.conf. Changing the protocol to tcp provides somewhat of a fix but my phone is constantly connected to the vpn so the overhead of a tcp connection isn't a long term solution. The MTU of my work phone is 1500 so this is the only difference I can see at the moment. Connecting to wifi on my own phone leaves me with an MTU of 1500.