Strange issue with 4.4.2

[wingman]

First of all, sorry for my bad english


I have strange issue with my android 4.4.2 phone

How to reproduce problem:

- I connect to server over my home wifi. All great.
- I am going out of the house (or disabling wifi). Openvpn reconnects to server over 3G. All great.
- I am going back home (or enabling wifi). And here is the problem: openvpn reconnects to server, but all traffic goes directly over wifi, not over the tunnel
Then I can turn on and off wifi, every time openvpn reconnects, but traffic goes directly over wifi or 3g

Logs are clean, i dont see any errors. How can i debug this issue? Can you help me please?

[Traffic]

Is this your own server or an internet VPN provider ?

[wingman]

Is this your own server or an internet VPN provider ?

It's my own server on vps

[Traffic]

Please post your server config and log.

[wingman]

Server config:
http://pastebin.com/m3GE1nRL

Client config:
http://pastebin.com/imGPywjr



1. Phone is just after reboot. Wifi connected.

Routing table:
http://i.imgur.com/t2CCY5H.png

My external ip is 109.206.154.31:
http://i.imgur.com/AeRlmhP.png


2. Connecting to openvpn server.
Connection successful.

Checking how my traffic goes:
http://i.imgur.com/tGLajZM.png

All good. 188.166.81.85 is my server ip; traffic goes trough tunnel with
iptables masquerading.

Server log:
http://pastebin.com/t7SVwraF

3. Disabling wifi.
Openvpn reconnects over mobile network.

Checking how my traffic goes:
http://i.imgur.com/3X4gwRc.png
It's still good. Web traffic goes trough tunnel.

Server log:
http://pastebin.com/3PSWehnw


4. Re-enabling wifi.
And that's it: traffic goes directly over wifi, not over tunnel:
http://i.imgur.com/JIOxD3T.png


After that i can enable/disable wifi and mobile network many times, restart openvpn, etc., etc., but vpn will not work until reboot

Server log: http://pastebin.com/vY8vBCY4


Openvpn status:

Code: Select all

/var/log/openvpn # cat status.log
OpenVPN CLIENT LIST
Updated,Sat Aug 29 01:01:50 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
wing,109.206.154.31:54725,3681,7015,Sat Aug 29 01:01:14 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.0.0.16,wing,109.206.154.31:54725,Sat Aug 29 01:01:41 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END

Tcpdump of my traffic:

Code: Select all

 # tcpdump -n -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes


01:02:32.095216 IP 10.0.0.16.30831 > 8.8.8.8.53: 64129+ A? forum.nag.ru. (30)
01:02:32.178601 IP 8.8.8.8.53 > 10.0.0.16.30831: 64129 2/0/0 CNAME rtcomm.nag.ru., A 188.254.58.117 (67)
01:02:33.723385 IP 10.0.0.16.43031 > 8.8.8.8.53: 24177+ A? www.google-analytics.com. (42)
01:02:33.728380 IP 8.8.8.8.53 > 10.0.0.16.43031: 24177 7/0/0 CNAME www-google-analytics.l.google.com., A 173.194.65.100, A 173.194.65.101, A 173.194.65.139, A 173.194.65.102, A 173.194.65.113, A 173.194.65.138 (182)
01:02:33.820951 IP 10.0.0.16.24231 > 8.8.8.8.53: 63321+ A? u.eset.com. (28)
01:02:33.827024 IP 8.8.8.8.53 > 10.0.0.16.24231: 63321 2/0/0 CNAME u.cwip.eset.com., A 38.90.226.12 (65)



01:02:42.975017 IP 10.0.0.16.1162 > 8.8.8.8.53: 33198+ A? ts2.travian.ru. (32)
01:02:43.043156 IP 8.8.8.8.53 > 10.0.0.16.1162: 33198 2/0/0 CNAME lb.2.ru.t4.cgn.travian.info., A 146.0.14.130 (89)
01:02:43.384700 IP 10.0.0.16.22008 > 8.8.8.8.53: 8183+ A? gpack.travian.com. (35)
01:02:43.389671 IP 8.8.8.8.53 > 10.0.0.16.22008: 8183 2/0/0 CNAME lb.contentdelivery.misc.tools.cgn.travian.info., A 146.0.6.25 (111)
01:02:44.787468 IP 10.0.0.16.51013 > 8.8.8.8.53: 60263+ A? www.travian.ru. (32)
01:02:44.788012 IP 10.0.0.16.39862 > 8.8.8.8.53: 63670+ A? forum.travian.ru. (34)
01:02:44.792690 IP 8.8.8.8.53 > 10.0.0.16.51013: 60263 2/0/0 CNAME lb.start.ru.t4.cgn.travian.info., A 146.0.4.189 (93)
01:02:44.812329 IP 10.0.0.16.31583 > 8.8.8.8.53: 19461+ A? analytics.traviangames.com. (44)
01:02:44.845742 IP 8.8.8.8.53 > 10.0.0.16.31583: 19461 2/0/0 CNAME lb.cst-prod1.misc.tools.cgn.travian.info., A 146.0.10.21 (114)
01:02:44.902895 IP 8.8.8.8.53 > 10.0.0.16.39862: 63670 2/0/0 CNAME lb.travian2.forums.tools.cgn.travian.info., A 146.0.10.36 (105)
01:02:45.126344 IP 10.0.0.16.57888 > 8.8.8.8.53: 19809+ A? t4.answers.travian.ru. (39)
01:02:45.248379 IP 8.8.8.8.53 > 10.0.0.16.57888: 19809 3/0/0 CNAME t4.answers.travian.com., CNAME lb.cst-answers.misc.tools.cgn.travian.info., A 146.0.10.66 (147)

As you can see, only DNS requests are going over the tunnel


What else can i debug?

Thanks!

[Traffic]

Your server config:

Code: Select all

server 10.0.0.0 255.255.0.0

How many clients do you you expect to connect to your VPN ?

[wingman]

Your server config:

Code: Select all

server 10.0.0.0 255.255.0.0

How many clients do you you expect to connect to your VPN ?

I expect not so much clients, but i want to break some clients by subnets and allow/deny theyr traffic to each other over iptables

For example, office1: ips from 10.0.0.0/24, office2: 10.0.1.0/24, officeN: 10.0.N.0/24 etc.

And rule their traffic by iptables...

Sorry again for my english

update: modified config to 10.0.0.0 255.255.255.0, but nothing changed