Help...connects but no ping.

Official client software for OpenVPN Access Server and OpenVPN Cloud.
timonoj
OpenVpn Newbie
Posts: 3
Joined: Fri Jun 27, 2014 2:51 am

Help...connects but no ping.

Post by timonoj » Fri Jun 27, 2014 3:11 am

Hi guys,

I have an Ubuntu home server with OpenVPN set up with the following options:

Code:

proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
tls-auth ta.key X # This file is secret
cipher XXXXXXXX
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 5

I also have iptables set to forwarding in order to be able to bridge both the VPN and the local networks.

Now this works perfectly on my laptop, it connects from outside to the local network and all traffic is redirected through the VPN, which is the intended behavior. I can ping or connect to home devices with no issues, and the internet IP shows as my home address. So it's all as intended.

However, on my phone the story is completely different.
I import the .ovpn client file, make sure it can read the file paths, and click on connect. I see it reaching the address, connecting, authenticating, downloading the routes and finally confirming a successful connection.
...But nothing works. Zero traffic. I can't even ping the server at 10.8.0.1.
This is the client config.

Code:

client
dev tun
proto tcp
remote xxxx.xxxx.xxx xxxx
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key Y
cipher XXXXXXX
comp-lzo
verb 3


Can you see anything wrong in here?

Thanks a lot!

timonoj
OpenVpn Newbie
Posts: 3
Joined: Fri Jun 27, 2014 2:51 am

Re: Help...connects but no ping.

Post by timonoj » Sat Jun 28, 2014 12:09 pm

Thanks for your help. Here goes...
Server:

Code:

Sat Jun 28 20:05:44 2014 us=88340 MULTI: multi_create_instance called
Sat Jun 28 20:05:44 2014 us=88511 Re-using SSL/TLS context
Sat Jun 28 20:05:44 2014 us=88577 LZO compression initialized
Sat Jun 28 20:05:44 2014 us=88758 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Sat Jun 28 20:05:44 2014 us=88814 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jun 28 20:05:44 2014 us=88871 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Jun 28 20:05:44 2014 us=88893 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Jun 28 20:05:44 2014 us=88927 Local Options hash (VER=V4): '9915e4a2'
Sat Jun 28 20:05:44 2014 us=88953 Expected Remote Options hash (VER=V4): '2f2c6498'
Sat Jun 28 20:05:44 2014 us=89005 TCP connection established with [AF_INET]203.145.92.114:57073
Sat Jun 28 20:05:44 2014 us=89029 TCPv4_SERVER link local: [undef]
Sat Jun 28 20:05:44 2014 us=89051 TCPv4_SERVER link remote: [AF_INET]203.145.92.114:57073
RSat Jun 28 20:05:44 2014 us=92901 203.145.92.114:57073 TLS: Initial packet from [AF_INET]203.145.92.114:57073, sid=cc70e999 3dd12189
WRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRWRSat Jun 28 20:05:45 2014 us=436311 203.145.92.114:57073 VERIFY OK: depth=1, C=XX, ST=XX, L=XXXXX, O=MyHome, OU=XXX, CN=MyHome CA, name=XXXXX, emailAddress=me@myhost.mydomain
Sat Jun 28 20:05:45 2014 us=436542 203.145.92.114:57073 VERIFY OK: depth=0, C=XX, ST=XX, L=XXXXXX, O=XXXX, OU=XXXX, CN=XXXX, name=XXXXX, emailAddress=me@myhost.mydomain
WRWRSat Jun 28 20:05:45 2014 us=573999 203.145.92.114:57073 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Jun 28 20:05:45 2014 us=574048 203.145.92.114:57073 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 28 20:05:45 2014 us=574071 203.145.92.114:57073 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Jun 28 20:05:45 2014 us=574103 203.145.92.114:57073 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WWWRRRSat Jun 28 20:05:45 2014 us=692832 203.145.92.114:57073 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Jun 28 20:05:45 2014 us=692931 203.145.92.114:57073 [jon2] Peer Connection Initiated with [AF_INET]203.145.92.114:57073
Sat Jun 28 20:05:45 2014 us=693191 jon2/203.145.92.114:57073 TCP/UDP: Closing socket
Sat Jun 28 20:05:45 2014 us=693254 MULTI: new connection by client 'jon2' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Sat Jun 28 20:05:45 2014 us=693310 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
Sat Jun 28 20:05:45 2014 us=693377 MULTI: Learn: 10.8.0.10 -> jon2/203.145.92.114:57073
Sat Jun 28 20:05:45 2014 us=693403 MULTI: primary virtual IP for jon2/203.145.92.114:57073: 10.8.0.10
RSat Jun 28 20:05:46 2014 us=677272 jon2/203.145.92.114:57073 PUSH: Received control message: 'PUSH_REQUEST'
Sat Jun 28 20:05:46 2014 us=677469 jon2/203.145.92.114:57073 send_push_reply(): safe_cap=940
Sat Jun 28 20:05:46 2014 us=677608 jon2/203.145.92.114:57073 SENT CONTROL [jon2]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9' (status=1)
WWWWRWWWWWWWWWW

You can notice all those WWWW with no R, just the phone sending data going nowhere. However, this works fine on a laptop, so not sure. Let me see if I can find the phone log.


UPDATE: Didn't manage to filter the logcat very nicely, but here goes the phone:

Code:

I/OpenVPNService( 4463): LOG: Connecting to XXXXXXXX:XXXX (XXX.XXX.XXX.XXXX) via TCPv4
I/OpenVPNService( 4463): EVENT: CONNECTING
I/OpenVPNService( 4463): LOG: Tunnel Options:V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
I/OpenVPNService( 4463): LOG: Peer Info:
I/OpenVPNService( 4463): IV_GUI_VER=net.openvpn.connect.android 1.1.14-56
I/OpenVPNService( 4463): IV_VER=3.0
I/OpenVPNService( 4463): IV_PLAT=android
I/OpenVPNService( 4463): IV_NCP=1
I/OpenVPNService( 4463): IV_LZO=1
I/OpenVPNService( 4463): 
E/MP-Decision( 1254): num online cores: 2 reqd : 1 available : 4 rq_depth:2.000000 hotplug_avg_load_dw: 19
E/MP-Decision( 1254): DOWN cpu:1 core_idx:1 Ns:1.100000 Ts:190 total_time_down:0.000000
I/OpenVPNService( 4463): LOG: VERIFY OK: depth=1
I/OpenVPNService( 4463): cert. version     : 3
I/OpenVPNService( 4463): serial number     : CD:BA:6E:A2:19:AB:75:93
I/OpenVPNService( 4463): issuer name       : C=XX ST=XX, L=XXXX, O=XXXXXX, OU=XXXX, CN=XXXX CA, ??=XXXXX, emailAddress=me@myhost.mydomain
I/OpenVPNService( 4463): subject name      : C=XX ST=XX, L=XXXX, O=XXXXXX, OU=XXXX, CN=XXXX CA, ??=XXXXX, emailAddress=me@myhost.mydomain
I/OpenVPNService( 4463): issued  on        : 2014-05-22 02:53:08
I/OpenVPNService( 4463): expires on        : 2024-05-19 02:53:08
I/OpenVPNService( 4463): signed using      : RSA with SHA-256
I/OpenVPNService( 4463): RSA key size      : 2048 bits
I/OpenVPNService( 4463): basic constraints : CA=true
I/OpenVPNService( 4463): 
I/OpenVPNService( 4463): LOG: VERIFY OK: depth=0
I/OpenVPNService( 4463): error rendering cert
E/MP-Decision( 1254): num online cores: 1 reqd : 2 available : 4 rq_depth:1.700000 hotplug_avg_load_dw: 49
E/MP-Decision( 1254): UP cpu:1 core_idx:1 Nw:1.900000 Tw:140 total_time_up:0.000000
E/MP-Decision( 1254): num online cores: 2 reqd : 1 available : 4 rq_depth:2.200000 hotplug_avg_load_dw: 14
E/MP-Decision( 1254): DOWN cpu:1 core_idx:1 Ns:1.100000 Ts:190 total_time_down:0.000000
I/OpenVPNService( 4463): LOG: SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
I/OpenVPNService( 4463): LOG: Session is ACTIVE
I/OpenVPNService( 4463): EVENT: GET_CONFIG
I/OpenVPNService( 4463): LOG: Sending PUSH_REQUEST to server...
I/OpenVPNService( 4463): LOG: OPTIONS:
I/OpenVPNService( 4463): 0 [redirect-gateway] [def1] [bypass-dhcp] 
I/OpenVPNService( 4463): 1 [dhcp-option] [DNS] [8.8.8.8] 
I/OpenVPNService( 4463): 2 [route] [10.8.0.1] 
I/OpenVPNService( 4463): 3 [topology] [net30] 
I/OpenVPNService( 4463): 4 [ping] [10] 
I/OpenVPNService( 4463): 5 [ping-restart] [120] 
I/OpenVPNService( 4463): 6 [ifconfig] [10.8.0.10] [10.8.0.9] 
I/OpenVPNService( 4463): 
I/OpenVPNService( 4463): LOG: LZO-ASYM init swap=0 asym=0
I/OpenVPNService( 4463): EVENT: ASSIGN_IP
D/OpenVPNService( 4463): BUILDER: add_address 10.8.0.10/30 10.8.0.9 ipv6=false net30=true
D/OpenVPNService( 4463): BUILDER: reroute_gw ipv4=true ipv6=false flags=307
D/OpenVPNService( 4463): BUILDER: add_dns_server 8.8.8.8 ipv6=false
D/OpenVPNService( 4463): BUILDER: set_remote_address 222.166.252.181 ipv6=false
D/OpenVPNService( 4463): BUILDER: set_session_name x.xxxdns.org
D/OpenVPNService( 4463): BUILDER: establish
D/Vpn     (  954): setting state=CONNECTING, reason=establish
D/VpnJni  (  954): Address added on tun0: 10.8.0.10/30
D/VpnJni  (  954): Route added on tun0: 0.0.0.0/0
I/ip6tables(  785): ip6tables v1.4.11.1: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
I/ip6tables(  785): Perhaps ip6tables or your kernel needs to be upgraded.
I/ip6tables(  785): ip6tables terminated by exit(3)
E/Netd    (  785): exec() res=0, status=768 for /system/bin/ip6tables -t nat -A st_nat_POSTROUTING -o tun0 -m mark --mark 60 -j MASQUERADE 
E/MP-Decision( 1254): num online cores: 1 reqd : 2 available : 4 rq_depth:1.800000 hotplug_avg_load_dw: 60
E/MP-Decision( 1254): UP cpu:1 core_idx:1 Nw:1.900000 Tw:140 total_time_up:0.000000
I/Vpn     (  954): Established by net.openvpn.openvpn on tun0
D/Vpn     (  954): setting state=AUTHENTICATING, reason=establish
I/OpenVPNService( 4463): LOG: Connected via tun
I/OpenVPNService( 4463): EVENT: CONNECTED info='@xxxxxx.xxx.xxxx:XXXX (XXX.XXX.XXX.XXX) via /TCPv4 on tun/10.8.0.10/' trans=TO_CONNECTED
D/PrefUtil( 4463): get_boolean: expand_stats=false

Last edited by debbie10t on Sat Jun 28, 2014 1:00 pm, edited 1 time in total.
Reason: Privacy
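
The R and W characters in the server log above are OpenVPN's `verb 5` packet trace: per the OpenVPN manual, uppercase R/W mark packets read from and written to the TCP/UDP link, and lowercase r/w mark packets on the TUN/TAP device. The Python sketch below is an added example (not part of the original posts) that tallies those markers before and after the server sends PUSH_REPLY; the sample log is constructed, with documentation addresses and a hypothetical client name `client1`.

```python
import re
from collections import Counter

# ctime-style timestamp that starts every OpenVPN log message.
_TS = r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} "
# Lazy marker prefix, so the 'W' of "Wed" is never mistaken for a write marker.
_LINE = re.compile(r"^([RWrw]*?)(" + _TS + r".*)?$")

NAMES = {"R": "link_read", "W": "link_write", "r": "tun_read", "w": "tun_write"}


def tally_markers(log_text):
    """Count verb-5 packet markers before and after the server sends PUSH_REPLY."""
    phases = {"before_push": Counter(), "after_push": Counter()}
    phase = "before_push"
    for line in log_text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # neither a marker run nor a timestamped message
        markers, message = m.group(1), m.group(2) or ""
        # Markers glued to a message were printed before it, so they count
        # towards the phase that was current when the message was logged.
        phases[phase].update(NAMES[c] for c in markers)
        if "SENT CONTROL" in message and "PUSH_REPLY" in message:
            phase = "after_push"
    return phases


# Constructed sample in the format of the server log above (not the poster's data).
SAMPLE = """\
Wed Jul  2 20:05:44 2014 us=89005 TCP connection established with [AF_INET]192.0.2.10:57073
RWed Jul  2 20:05:44 2014 us=92901 192.0.2.10:57073 TLS: Initial packet from [AF_INET]192.0.2.10:57073
WRWRWed Jul  2 20:05:45 2014 us=573999 192.0.2.10:57073 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
RWed Jul  2 20:05:46 2014 us=677272 client1/192.0.2.10:57073 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jul  2 20:05:46 2014 us=677608 client1/192.0.2.10:57073 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ifconfig 10.8.0.10 10.8.0.9' (status=1)
WWWWRWWWW
"""

if __name__ == "__main__":
    for phase, counts in tally_markers(SAMPLE).items():
        print(phase, {name: counts[name] for name in NAMES.values()})
```

Run against a saved server log, the `after_push` counts show which of the four directions (link read, link write, tun read, tun write) actually carried packets once the client had its addresses.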

timonoj
OpenVpn Newbie
Posts: 3
Joined: Fri Jun 27, 2014 2:51 am

Re: Help...connects but no ping.

Post by timonoj » Wed Jul 02, 2014 12:52 am

Does anyone have any idea why this doesn't work? I also tested with Arne Schwabe's client, and I get the same result. However, two Ubuntu laptops just work perfectly.
