Browsers won't access local net, but everything else does

afremont
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 07, 2015 10:43 pm

Post by afremont » Tue Sep 08, 2015 1:14 am

Hello all, idiot here. ;) After much struggling, I have OpenVPN Connect (Android) connecting to my openvpn server at my home. I used the "push" command in the server config to make the local network visible. I also used the route command on the local machines that I wish to access. I added a route to the 10.8.0.0/24 network.

I can access the local machines with ssh and even kore (kodi remote control) by using the 192.168.2.x addresses from my Android phone. That all seems to work well, but browsers such as Chrome and Opera refuse to find the 192.168.2.x addresses for some reason. Am I doing something stupid here?

Here is the server.conf file on the server (Ubuntu 14.04.3 server):
http://paste.ubuntu.com/12311457/
Here is the client1.ovpn on the Android 4.4.4 Moto G phone:
http://paste.ubuntu.com/12311458/
Here is a copy of a log file (verb 4) from the server:
http://paste.ubuntu.com/12311507/

I'm using the OpenVPN Connect application from the Play Store. The apache2 web server shows no indication of receiving any traffic from Chrome or Opera (using http://192.168.2.116 as the URL). Non web browser applications on the phone seem to work okay when communicating with the local subnet. Using the browsers to access things in the rest of the world works okay. I assume it is not using the tunnel, and that's how I want it to work so I don't want to use the "redirect-gateway" option in the server config.

What I'm trying to do here is allow my phone to use the regular services (cell data network or wifi hotspot) to access everything that isn't on my home network. I don't really want all phone data traffic routed through the tunnel, just the traffic heading to 192.168.2.x addresses. I've tried kodi, several MythTV applications, ssh and Kore (kodi remote control application) and all work as expected. Outside of a couple of applications that refuse to do anything because they don't see a wifi connection, everything works but the web browsers. Any ideas?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Browsers won't access local net, but everything else doe

Post by Traffic » Wed Sep 09, 2015 10:17 am

Is 192.168.2.116 your VPN server local IP and can you ping it?

afremont
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 07, 2015 10:43 pm

Re: Browsers won't access local net, but everything else doe

Post by afremont » Wed Sep 09, 2015 11:08 am

192.168.2.116 is the machine on my home network that I wish to contact with a web browser. 192.168.2.24 is the machine running openvpn server. From my phone (10.8.0.6), I can ping both machines fine. I can also ssh into the 116 machine without issue. In fact, I can use any application other than a browser to reach any machine on my home network (that I have added a route table entry to for the 10.8.0.x network).

Last night, I was at a location that had free wifi. When using the wifi hotspot, I could access the desired web server at 192.168.2.116 through the VPN tunnel without issue. :? But when I build my VPN over the cell network (wifi disabled), the web browser times out. ssh and other applications accessing the other machines on the home network seem to work just fine. I ran tcpdump (tcpdump -i tun0 -n port 80) on the vpn server (192.168.2.24) and I can clearly see that no HTTP packets make it to the interface, but all other traffic destined to my home network does when monitoring their port numbers (e.g. 22 for ssh).

I can live with what's happening as I will only be doing this when I have access to free wifi, but it sure does confuse me as to why everything but web browsing works.

Another strange thing that confuses me is that when using adb to shell into my phone (stock, not rooted), I can issue a "cat /proc/net/route" command and I can see the tun0 VPN tunnel interface entry, but I don't see any entry for the pushed route for the whole network.

shell@titan_umts:/ $cat /proc/net/route
Iface   Destination     Gateway         Flags   RefCnt  Use     Metric  Mask         MTU     Window  IRTT
rmnet0  00000000        71FBC40A        0003    0       0       0       00000000        0       0       0
tun0    0400080A        00000000        0001    0       0       0       FCFFFFFF        0       0       0
rmnet0  60FBC40A        00000000        0001    0       0       0       E0FFFFFF        0       0       0
rmnet0  71FBC40A        00000000        0005    0       0       0       FFFFFFFF        0       0       0
rmnet0  B38014AC        71FBC40A        0007    0       0       0       FFFFFFFF        0       0       0
rmnet0  B48014AC        71FBC40A        0007    0       0       0       FFFFFFFF        0       0       0

Shouldn't there be an entry for the home network with a little less restrictive netmask? It's routing traffic (outside of port 80) to the home network, I'm just expecting to see the pushed route for it in the table. Forgive me if I'm being dense here. I was expecting to see something like this in the routing table of the phone:

tun0    0002A8C0        00000000        0001    0       0       0       00FFFFFF        0       0       0
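
Added example (not part of the original thread, and not any poster's code): decoding the /proc/net/route output quoted in the post above and running a longest-prefix lookup over it. The function names are made up for this example; it assumes a little-endian device, and /proc/net/route lists only the kernel's main routing table, so routes held in other policy-routing tables do not appear in it.

```python
import ipaddress
import struct

# Table copied from the post above (whitespace collapsed).
PHONE_TABLE = """\
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
rmnet0 00000000 71FBC40A 0003 0 0 0 00000000 0 0 0
tun0 0400080A 00000000 0001 0 0 0 FCFFFFFF 0 0 0
rmnet0 60FBC40A 00000000 0001 0 0 0 E0FFFFFF 0 0 0
rmnet0 71FBC40A 00000000 0005 0 0 0 FFFFFFFF 0 0 0
rmnet0 B38014AC 71FBC40A 0007 0 0 0 FFFFFFFF 0 0 0
rmnet0 B48014AC 71FBC40A 0007 0 0 0 FFFFFFFF 0 0 0
"""
# The entry the poster expected to see for the home LAN.
EXPECTED = "tun0 0002A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0\n"


def hex_to_ip(field):
    """Decode one hex column. The kernel prints the network-order address
    as a host-order integer, so on a little-endian CPU (assumed here) the
    octets read back to front: 0400080A is 10.8.0.4."""
    return ipaddress.IPv4Address(struct.pack("<I", int(field, 16)))


def parse_routes(text):
    """Return a list of (iface, network, gateway) from /proc/net/route text."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 8:
            continue
        prefix = bin(int(hex_to_ip(f[7]))).count("1")   # mask -> prefix length
        network = ipaddress.IPv4Network((hex_to_ip(f[1]), prefix))
        routes.append((f[0], network, hex_to_ip(f[2])))
    return routes


def lookup(routes, address):
    """Longest-prefix match, as the kernel does within a single table."""
    ip = ipaddress.IPv4Address(address)
    matches = [r for r in routes if ip in r[1]]
    return max(matches, key=lambda r: r[1].prefixlen, default=None)


if __name__ == "__main__":
    for label, text in (("as posted", PHONE_TABLE),
                        ("with expected entry", PHONE_TABLE + EXPECTED)):
        routes = parse_routes(text)
        for target in ("10.8.0.6", "192.168.2.116"):
            iface, net, gw = lookup(routes, target)
            print(f"{label}: {target} -> {iface} via {net} (gw {gw})")
```

Against the table as posted, 192.168.2.116 matches only the 0.0.0.0/0 default route on rmnet0; with the expected entry appended it matches 192.168.2.0/24 on tun0.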

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Browsers won't access local net, but everything else doe

Post by Traffic » Mon Sep 14, 2015 12:44 pm

Shot in the dark .. do your browsers have a proxy configured?

afremont
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 07, 2015 10:43 pm

Re: Browsers won't access local net, but everything else doe

Post by afremont » Mon Sep 14, 2015 1:44 pm

Thanks for your response, I appreciate it. No proxies that I know of, but the behavior is definitely as I described. All other traffic from applications seems to do what I expect, but the browsers seem to have their own way of doing things. I did some more experimenting with it and the browser will only connect when the wifi is enabled and the tunnel is constructed through it. The browser won't even connect to 10.8.0.1 unless the VPN is over the wifi link. Everything else is fine, go figure.

Can anyone tell me how many posts until I get to post without moderation, or does it not work that way? That's making this a very slow process when I post on Wednesday and it isn't approved until Monday. Don't get me wrong, I appreciate everything.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Browsers won't access local net, but everything else doe

Post by Traffic » Tue Sep 15, 2015 2:53 pm

Sorry for the delay in moderating posts .. it's a constant battle for the mods.

As for your issue with your browser, I don't know enough about Android but it sounds like it is selecting your cell data given the choice.
