Routing through VPN: Linux clients OK, Android not

Havin_it
OpenVpn Newbie
Posts: 4
Joined: Sun Jul 28, 2013 4:52 pm

Routing through VPN: Linux clients OK, Android not

Post by Havin_it » Thu Aug 01, 2013 3:32 pm

Hi,

I've set up an OpenVPN server on my home server (Gentoo Linux) and client on my laptop (ditto) in a TUN-based configuration that routes all client traffic through the VPN. I wanted to do the same on my phone (Galaxy SIII, updated to android 4.1.2) now that Connect exists.

I used the openvpn-confgen scripts from these forums to generate an .OVPN profile with embedded certs and private key (even though I'd already created those using easy-rsa) because I couldn't find documentation on how to embed these items manually in a config file.

The config did get me connected successfully, but it's not routing the traffic over the VPN - in fact it b0rks routing entirely on the phone so I can't reach the WAN at all. I also can't ping any server-side LAN (192.168.2.*) IPs from the phone.

Notes on network setup: the OVPN server is the DNS (and DHCP) server for its LAN, but it is not the default gateway (this is a consumer modem/router at 192.168.2.1, which is also secondary DNS server) so I push those IPs to clients (though they could have them hard-coded if necessary, no problem).

server.conf:

# Server config

dev tun
comp-lzo

port 1222
proto udp

ca /etc/openvpn/ssl/ca.crt
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key

dh /etc/openvpn/ssl/dh1024.pem

server 10.0.0.0 255.255.255.0

push "route 192.168.2.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.2.7"
push "dhcp-option DNS 192.168.2.1"

keepalive 10 120

user openvpn
group openvpn

persist-key
persist-tun

status /tmp/openvpn.status

verb 3
mute 10

Client config was done in NetworkManager on the Linux client, so I don't have a native config file there, but here's what is in the NetworkManager config for this connection:

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=my.dyndns.hostname
comp-lzo=yes
cert-pass-flags=4
tap-dev=no
proto-tcp=no
port=1222
mssfix=no
ca=ca.crt
cert=happy.crt
key=happy.key

Apart from cert-pass-flags and mssfix, the other directives seem pretty self-explanatory (or mappable to the native ovpn directives, anyhow). So this works.

Here's the (current; I've tried a few tweaks already) phone.ovpn config:

client
connect-retry-max 5
connect-retry 5
resolv-retry infinite
dev tun
nobind
remote my.dyndns.hostname 1222 udp
#remote-cert-tls server
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
</ca>
<cert>

-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
<snip>
-----END RSA PRIVATE KEY-----
</key>

If there's anything else you want me to post, just let me know. Thanks in advance!

Wheelz
OpenVPN User
Posts: 22
Joined: Mon Jun 24, 2013 9:21 pm

Re: Routing through VPN: Linux clients OK, Android not

Post by Wheelz » Fri Aug 02, 2013 5:22 am

Can you post your iptables configuration? Also do you have IP forwarding enabled?

Havin_it
OpenVpn Newbie
Posts: 4
Joined: Sun Jul 28, 2013 4:52 pm

Re: Routing through VPN: Linux clients OK, Android not

Post by Havin_it » Fri Aug 02, 2013 8:54 am

Hi Wheelz, thanks for the reply.

iptables -L

[...]
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.0.0.0/24          anywhere             ctstate NEW
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.0.0/24          anywhere             ctstate NEW
[...]

IP forwarding is enabled. I should just restate that the server config is fine and does what I want with the Linux client; problems are only on the Android client.

One other thing I forgot to add is that I added a static route on the server LAN's default gateway (the router at 192.168.2.1) to enable return traffic to find its way back to the VPN endpoint.

samuli
OpenVPN Inc.
Posts: 49
Joined: Fri Aug 13, 2010 9:05 pm

Re: Routing through VPN: Linux clients OK, Android not

Post by samuli » Mon Aug 05, 2013 10:50 am

Havin_it wrote:
> Hi,
>
> I've set up an OpenVPN server on my home server (Gentoo Linux) and client on my laptop (ditto) in a TUN-based configuration that routes all client traffic through the VPN. I wanted to do the same on my phone (Galaxy SIII, updated to android 4.1.2) now that Connect exists.

You could also try ics-openvpn from the Play store. It's a community project maintained by plaisthos[1] and I've used it successfully in the past. If it works, but OpenVPN Connect does not, I suspect the problem might be in OpenVPN Connect core, which is different from what ics-openvpn uses.

[1] He's plaisthos on #openvpn-devel@irc.freenode.net
--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

Havin_it
OpenVpn Newbie
Posts: 4
Joined: Sun Jul 28, 2013 4:52 pm

Re: Routing through VPN: Linux clients OK, Android not

Post by Havin_it » Mon Aug 05, 2013 8:40 pm

Hi Samuli (suominen??)

I'm game to look at alternatives certainly, though I do sorta feel a first question should be "How does OVPN Connect core differ from the desktop client core?", which seems to be the root of my issue. I want to give the official client (and these forums) a fair crack of the whip, y'know ...

svenfried
OpenVpn Newbie
Posts: 6
Joined: Wed Aug 21, 2013 9:56 pm

Re: Routing through VPN: Linux clients OK, Android not

Post by svenfried » Thu Aug 22, 2013 4:05 pm

The problem seems to be that "route" cannot be used together with "redirect-gateway def1" on OpenVPN Connect.

- If you only use "route" (or "push route" on the server), OpenVPN Connect will set that route. That's what is intended and OpenVPN GPL behaves the same way.
- If you only use "redirect-gateway def1" (or "push redirect-gateway def1" on the server), OpenVPN Connect will add two routes to override the default gateway. That's what is intended and OpenVPN GPL behaves the same way.
- If you use "route" (or "push route" on the server) AND "redirect-gateway def1" (or "push redirect-gateway def1" on the server) AT THE SAME TIME, then you will get different results:
  * On OpenVPN Connect, the "route" command will be ignored; you will only get the "redirect-gateway def1" behaviour. That's NOT what is intended.
  * On OpenVPN GPL, both "route" and "redirect-gateway def1" commands will work as expected.

I think this is a bug in OpenVPN Connect. It can be reproduced with the Android app as well as with the iOS App (tested it on both platforms today). Unfortunately, I didn't find a way to report a bug in OpenVPN connect.

Kudos to JoshC for pointing me to the fact that OpenVPN Connect has a different codebase than OpenVPN GPL.
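The interaction svenfried describes can be checked mechanically on a client. The following Python is an added example, not code from any post in this thread: it derives the routes a client should install from the options pushed by the server.conf posted above and diffs them against `ip route` output. The two routing tables are constructed samples, the 10.0.0.5 tunnel gateway is an assumption, and the bypass-dhcp flag is deliberately not modelled.

```python
import ipaddress
import re

# Options pushed by the server.conf in this thread (the dhcp-option lines add no routes).
PUSHED = ['route 192.168.2.0 255.255.255.0', 'redirect-gateway def1 bypass-dhcp']

def expected_routes(pushed):
    """Destination networks the client must add for the pushed options to take effect."""
    nets = set()
    for opt in pushed:
        words = opt.split()
        if words[0] == 'route':
            # "route <network> <netmask>": one explicit route over the tunnel
            nets.add(ipaddress.ip_network(f'{words[1]}/{words[2]}', strict=False))
        elif words[0] == 'redirect-gateway' and 'def1' in words:
            # def1 shadows the default gateway with two /1 routes instead of
            # replacing 0.0.0.0/0, so the original default route survives
            nets.update({ipaddress.ip_network('0.0.0.0/1'),
                         ipaddress.ip_network('128.0.0.0/1')})
    return nets

def installed_routes(ip_route_output):
    """Parse `ip route` lines into the set of destination networks present."""
    nets = set()
    for line in ip_route_output.splitlines():
        dest = line.split()[0] if line.split() else ''
        dest = '0.0.0.0/0' if dest == 'default' else dest
        if re.fullmatch(r'\d+\.\d+\.\d+\.\d+(/\d+)?', dest):
            nets.add(ipaddress.ip_network(dest, strict=False))
    return nets

def missing_routes(pushed, ip_route_output):
    """Pushed networks the client never installed, as strings in a stable order."""
    return sorted(str(n) for n in expected_routes(pushed) - installed_routes(ip_route_output))

# Constructed sample of the Linux client's table after connecting (all routes present).
LINUX_TABLE = """default via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.0.0.5 dev tun0
128.0.0.0/1 via 10.0.0.5 dev tun0
192.168.2.0/24 via 10.0.0.5 dev tun0
10.0.0.5 dev tun0 proto kernel scope link src 10.0.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
"""
# The behaviour svenfried describes for OpenVPN Connect: the pushed "route" is dropped.
CONNECT_TABLE = LINUX_TABLE.replace('192.168.2.0/24 via 10.0.0.5 dev tun0\n', '')

if __name__ == '__main__':
    print('linux  :', missing_routes(PUSHED, LINUX_TABLE))    # []
    print('connect:', missing_routes(PUSHED, CONNECT_TABLE))  # ['192.168.2.0/24']
```

On a real Linux client, feed it the output of `ip route` after the tunnel is up; a non-empty result for the LAN prefix is the symptom described in this thread.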

Havin_it
OpenVpn Newbie
Posts: 4
Joined: Sun Jul 28, 2013 4:52 pm

Re: Routing through VPN: Linux clients OK, Android not

Post by Havin_it » Thu Oct 24, 2013 10:14 am

Thanks everyone, and apologies for leaving this unresolved for so long. Life got in the way...

After trying a few alternate configs with Connect, I gave up and hunted down samuli's mentioned ics-openvpn; readers visiting this thread might wish to know it's (now?) called "OpenVPN for Android", author Arne Schwabe. There are actually two advantages to this app:

1. The logo makes the droid mascot look like a Canadian in South Park ;)

2. It WORKS! Not instantly, but thanks to the step-by-step guide provided, I was able to modify my config (all of which can be done in GUI so there's another plus) to get the routing I required.

Great to be in business at last. Thanks again :D

kaufhold
OpenVpn Newbie
Posts: 1
Joined: Tue Jun 09, 2020 1:01 pm

Re: Routing through VPN: Linux clients OK, Android not

Post by kaufhold » Tue Jun 09, 2020 1:07 pm

I had similar issues when using OpenVPN Connect on my phone. For me the problem was solved by adding the cipher and auth configuration in the client configuration file matching my server config.
