Openvpn Android Client DNS & Routing Failure

Official client software for OpenVPN Access Server and OpenVPN Cloud.
idistech
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 04, 2016 7:12 am

Openvpn Android Client DNS & Routing Failure

Post by idistech » Mon Jan 04, 2016 9:02 am

I've seen a number of places this has been reported on the forum, but I haven't seen confirmation of the problem or fix, so apologies if I've missed something.

I have an OpenVPN server that serves tens of Linux, PC and Mac clients successfully. It's not complicated, just controlled access to some remote servers. It does work in an (insecure) split mode, where clients only route VPN traffic over the VPN.

I have previously had this working on Android devices as well, using both OpenVPN for Android and the more official OpenVPN Connect.

I now have 3 Android devices, two of which don't work and one of which does, all with the same settings.

The symptoms occur regardless of the underlying bearer (3G/4G or wifi), and regardless of the client being used (OpenVPN Connect or OpenVPN for Android). I have checked VPN client versions as well, all the same. All clients have the same client configs.

Symptoms: with no OpenVPN, browsing connectivity is as expected.
Connect OpenVPN. Route is up, VPN network working, I can access all services via the VPN (i.e. on the VPN network).

For the failing devices, no external services are available. DNS and web access fail.
For the failing devices, I have configured a DNS on the VPN and pushed the DNS to them (which they pick up and use), but they are still unable to connect to the external services.
It looks like all services are being routed over the VPN (even though the option is correctly set in the client app).

Galaxy Tab S 10" Version 4.4.2 : Fails
Galaxy S5 : Version 5.0 : Fails
Galaxy Tab 3 8.4 : 5.0.2 : Works/No Problems

Routes:
Both working and failing devices have the same routes.
Failing devices don't seem to get any default or pushed routes, i.e. they have a route to the /30 network, but a pushed route (to the VPN subnet, e.g. 192.168.x.0/24) doesn't get implemented: the log shows it coming down to the client, but it is not implemented. I've also tried setting the route in the client (which you can do with OpenVPN for Android) and this also doesn't get added to the local device (or is not visible through ip route show).
DHCP DNS options are being sent and set.

This did use to work, so I'm not sure if an upgrade somewhere has broken things. Also it is strange that I don't have these issues on 5.0.2, but do on 5.0 (is there a particular older version I should be looking at?).

All help greatly appreciated.

Gary


Client Config:

client
dev tun
proto udp
remote vpn-01.******** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca **********.crt
cert ************.crt
key *******.key
ns-cert-type server
tls-auth *********.key 1

Client Log (from the S5, which fails, although this is identical to the one that works):

2016-01-04 08:47:57 official build 0.6.46 running on samsung SM-G900F (MSM8974), Android 5.0 (LRX21T) API 21, ABI armeabi-v7a, (samsung/kltexx/klte:5.0/LRX21T/G900FXXU1BOJ1:user/release-keys)
2016-01-04 08:47:59 Building configuration…
2016-01-04 08:48:01 started Socket Thread
2016-01-04 08:48:01 P:Initializing Google Breakpad!
2016-01-04 08:48:01 Current Parameter Settings:
2016-01-04 08:48:01   config = '/data/data/de.blinkt.openvpn/cache/android.conf'
2016-01-04 08:48:01   mode = 0
2016-01-04 08:48:01   show_ciphers = DISABLED
2016-01-04 08:48:01   show_digests = DISABLED
2016-01-04 08:48:01   show_engines = DISABLED
2016-01-04 08:48:01   genkey = DISABLED
2016-01-04 08:48:01   key_pass_file = '[UNDEF]'
2016-01-04 08:48:01 Network Status: CONNECTED  to WIFI "idistech2"
2016-01-04 08:48:01   show_tls_ciphers = DISABLED
2016-01-04 08:48:01   connect_retry_max = 5
2016-01-04 08:48:01 Connection profiles [0]:
2016-01-04 08:48:01   proto = udp
2016-01-04 08:48:01   local = '[UNDEF]'
2016-01-04 08:48:01   local_port = '[UNDEF]'
2016-01-04 08:48:01   remote = 'vpn-01.*************'
2016-01-04 08:48:01   remote_port = '1194'
2016-01-04 08:48:01   remote_float = DISABLED
2016-01-04 08:48:01   bind_defined = DISABLED
2016-01-04 08:48:01   bind_local = DISABLED
2016-01-04 08:48:01   bind_ipv6_only = DISABLED
2016-01-04 08:48:01   connect_retry_seconds = 5
2016-01-04 08:48:01   connect_timeout = 120
2016-01-04 08:48:01   socks_proxy_server = '[UNDEF]'
2016-01-04 08:48:01   socks_proxy_port = '[UNDEF]'
2016-01-04 08:48:01   socks_proxy_retry = DISABLED
2016-01-04 08:48:01   tun_mtu = 1500
2016-01-04 08:48:01   tun_mtu_defined = ENABLED
2016-01-04 08:48:01   link_mtu = 1500
2016-01-04 08:48:01   link_mtu_defined = DISABLED
2016-01-04 08:48:01   tun_mtu_extra = 0
2016-01-04 08:48:01   tun_mtu_extra_defined = DISABLED
2016-01-04 08:48:01   mtu_discover_type = -1
2016-01-04 08:48:01   fragment = 0
2016-01-04 08:48:01   mssfix = 1450
2016-01-04 08:48:01   explicit_exit_notification = 0
2016-01-04 08:48:01 Connection profiles END
2016-01-04 08:48:01   remote_random = DISABLED
2016-01-04 08:48:01   ipchange = '[UNDEF]'
2016-01-04 08:48:01   dev = 'tun'
2016-01-04 08:48:01   dev_type = '[UNDEF]'
2016-01-04 08:48:01   dev_node = '[UNDEF]'
2016-01-04 08:48:01   lladdr = '[UNDEF]'
2016-01-04 08:48:01   topology = 1
2016-01-04 08:48:01   tun_ipv6 = DISABLED
2016-01-04 08:48:01   ifconfig_local = '[UNDEF]'
2016-01-04 08:48:01   ifconfig_remote_netmask = '[UNDEF]'
2016-01-04 08:48:01   ifconfig_noexec = DISABLED
2016-01-04 08:48:01   ifconfig_nowarn = ENABLED
2016-01-04 08:48:01   ifconfig_ipv6_local = '[UNDEF]'
2016-01-04 08:48:01   ifconfig_ipv6_netbits = 0
2016-01-04 08:48:01   ifconfig_ipv6_remote = '[UNDEF]'
2016-01-04 08:48:01   shaper = 0
2016-01-04 08:48:01   mtu_test = 0
2016-01-04 08:48:01   mlock = DISABLED
2016-01-04 08:48:01   keepalive_ping = 0
2016-01-04 08:48:01   keepalive_timeout = 0
2016-01-04 08:48:01   inactivity_timeout = 0
2016-01-04 08:48:01   ping_send_timeout = 0
2016-01-04 08:48:01   ping_rec_timeout = 0
2016-01-04 08:48:01   ping_rec_timeout_action = 0
2016-01-04 08:48:01   ping_timer_remote = DISABLED
2016-01-04 08:48:01   remap_sigusr1 = 0
2016-01-04 08:48:01   persist_tun = ENABLED
2016-01-04 08:48:01   persist_local_ip = DISABLED
2016-01-04 08:48:01   persist_remote_ip = DISABLED
2016-01-04 08:48:01   persist_key = DISABLED
2016-01-04 08:48:01   passtos = DISABLED
2016-01-04 08:48:01   resolve_retry_seconds = 1000000000
2016-01-04 08:48:01   resolve_in_advance = ENABLED
2016-01-04 08:48:01   username = '[UNDEF]'
2016-01-04 08:48:01   groupname = '[UNDEF]'
2016-01-04 08:48:01   chroot_dir = '[UNDEF]'
2016-01-04 08:48:01   cd_dir = '[UNDEF]'
2016-01-04 08:48:01   writepid = '[UNDEF]'
2016-01-04 08:48:01   up_script = '[UNDEF]'
2016-01-04 08:48:01   down_script = '[UNDEF]'
2016-01-04 08:48:01   down_pre = DISABLED
2016-01-04 08:48:01   up_restart = DISABLED
2016-01-04 08:48:01   up_delay = DISABLED
2016-01-04 08:48:01   daemon = DISABLED
2016-01-04 08:48:01   inetd = 0
2016-01-04 08:48:01   log = DISABLED
2016-01-04 08:48:01   suppress_timestamps = DISABLED
2016-01-04 08:48:01   machine_readable_output = ENABLED
2016-01-04 08:48:02   nice = 0
2016-01-04 08:48:02   verbosity = 4
2016-01-04 08:48:02   mute = 0
2016-01-04 08:48:02   gremlin = 0
2016-01-04 08:48:02   status_file = '[UNDEF]'
2016-01-04 08:48:02   status_file_version = 1
2016-01-04 08:48:02   status_file_update_freq = 60
2016-01-04 08:48:02   occ = ENABLED
2016-01-04 08:48:02   rcvbuf = 0
2016-01-04 08:48:02   sndbuf = 0
2016-01-04 08:48:02   sockflags = 0
2016-01-04 08:48:02   fast_io = DISABLED
2016-01-04 08:48:02   comp.alg = 0
2016-01-04 08:48:02   comp.flags = 0
2016-01-04 08:48:02   route_script = '[UNDEF]'
2016-01-04 08:48:02   route_default_gateway = '[UNDEF]'
2016-01-04 08:48:02   route_default_metric = 0
2016-01-04 08:48:02   route_noexec = DISABLED
2016-01-04 08:48:02   route_delay = 0
2016-01-04 08:48:02   route_delay_window = 30
2016-01-04 08:48:02   route_delay_defined = DISABLED
2016-01-04 08:48:02   route_nopull = DISABLED
2016-01-04 08:48:02   route_gateway_via_dhcp = DISABLED
2016-01-04 08:48:02   allow_pull_fqdn = DISABLED
2016-01-04 08:48:02   route 192.168.13.0/255.255.255.0/vpn_gateway/nil
2016-01-04 08:48:02   management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
2016-01-04 08:48:02   management_port = 'unix'
2016-01-04 08:48:02   management_user_pass = '[UNDEF]'
2016-01-04 08:48:02   management_log_history_cache = 250
2016-01-04 08:48:02   management_echo_buffer_size = 100
2016-01-04 08:48:02   management_write_peer_info_file = '[UNDEF]'
2016-01-04 08:48:02   management_client_user = '[UNDEF]'
2016-01-04 08:48:02   management_client_group = '[UNDEF]'
2016-01-04 08:48:02   management_flags = 4390
2016-01-04 08:48:02   shared_secret_file = '[UNDEF]'
2016-01-04 08:48:02   key_direction = 2
2016-01-04 08:48:02   ciphername_defined = ENABLED
2016-01-04 08:48:02   ciphername = 'BF-CBC'
2016-01-04 08:48:02   authname_defined = ENABLED
2016-01-04 08:48:02   authname = 'SHA1'
2016-01-04 08:48:02   prng_hash = 'SHA1'
2016-01-04 08:48:02   prng_nonce_secret_len = 16
2016-01-04 08:48:02   keysize = 0
2016-01-04 08:48:02   engine = DISABLED
2016-01-04 08:48:02   replay = ENABLED
2016-01-04 08:48:02   mute_replay_warnings = DISABLED
2016-01-04 08:48:02   replay_window = 64
2016-01-04 08:48:02   replay_time = 15
2016-01-04 08:48:02   packet_id_file = '[UNDEF]'
2016-01-04 08:48:02   use_iv = ENABLED
2016-01-04 08:48:02   test_crypto = DISABLED
2016-01-04 08:48:02   tls_server = DISABLED
2016-01-04 08:48:02   tls_client = ENABLED
2016-01-04 08:48:02   key_method = 2
2016-01-04 08:48:02   ca_file = '[[INLINE]]'
2016-01-04 08:48:02   ca_path = '[UNDEF]'
2016-01-04 08:48:02   dh_file = '[UNDEF]'
2016-01-04 08:48:02   cert_file = '[[INLINE]]'
2016-01-04 08:48:02   extra_certs_file = '[UNDEF]'
2016-01-04 08:48:02   priv_key_file = '[[INLINE]]'
2016-01-04 08:48:02   pkcs12_file = '[UNDEF]'
2016-01-04 08:48:02   cipher_list = '[UNDEF]'
2016-01-04 08:48:02   tls_verify = '[UNDEF]'
2016-01-04 08:48:02   tls_export_cert = '[UNDEF]'
2016-01-04 08:48:02   verify_x509_type = 0
2016-01-04 08:48:02   verify_x509_name = '[UNDEF]'
2016-01-04 08:48:02   crl_file = '[UNDEF]'
2016-01-04 08:48:02   ns_cert_type = 1
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_ku[i] = 0
2016-01-04 08:48:02   remote_cert_eku = '[UNDEF]'
2016-01-04 08:48:02   ssl_flags = 0
2016-01-04 08:48:02   tls_timeout = 2
2016-01-04 08:48:02   renegotiate_bytes = 0
2016-01-04 08:48:02   renegotiate_packets = 0
2016-01-04 08:48:02   renegotiate_seconds = 3600
2016-01-04 08:48:02   handshake_window = 60
2016-01-04 08:48:02   transition_window = 3600
2016-01-04 08:48:02   single_session = DISABLED
2016-01-04 08:48:02   push_peer_info = DISABLED
2016-01-04 08:48:02   tls_exit = DISABLED
2016-01-04 08:48:02   tls_auth_file = '[[INLINE]]'
2016-01-04 08:48:02   client = ENABLED
2016-01-04 08:48:02   pull = ENABLED
2016-01-04 08:48:02   auth_user_pass_file = '[UNDEF]'
2016-01-04 08:48:02 OpenVPN 2.4-icsopenvpn [git:icsopenvpn_645-e6b5e62e37c02d5b] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Dec  8 2015
2016-01-04 08:48:02 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
2016-01-04 08:48:02 MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
2016-01-04 08:48:02 MANAGEMENT: CMD 'hold release'
2016-01-04 08:48:02 MANAGEMENT: CMD 'bytecount 2'
2016-01-04 08:48:02 MANAGEMENT: CMD 'state on'
2016-01-04 08:48:02 MANAGEMENT: CMD 'proxy NONE'
2016-01-04 08:48:03 Control Channel Authentication: tls-auth using INLINE static key file
2016-01-04 08:48:03 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-01-04 08:48:03 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-01-04 08:48:03 Control Channel MTU parms [ L:1541 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2016-01-04 08:48:03 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:392 ET:0 EL:3 ]
2016-01-04 08:48:03 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2016-01-04 08:48:03 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2016-01-04 08:48:03 TCP/UDP: Preserving recently used remote address: [AF_INET]AA.BB.CC.DD:1194
2016-01-04 08:48:03 Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-01-04 08:48:03 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2016-01-04 08:48:03 UDP link local: (not bound)
2016-01-04 08:48:03 UDP link remote: [AF_INET]AA.BB.CC.DD:1194
2016-01-04 08:48:03 MANAGEMENT: >STATE:1451897283,WAIT,,,,,,
2016-01-04 08:48:03 MANAGEMENT: >STATE:1451897283,AUTH,,,,,,
2016-01-04 08:48:03 TLS: Initial packet from [AF_INET]AA.BB.CC.DD:1194, sid=084d53dc ba99e1bb
2016-01-04 08:48:03 PID_ERR replay-window backtrack occurred [1] [TLS_AUTH-0] [0_00000] 1451897434:7 1451897434:6 t=1451897283[0] r=[0,64,15,1,1] sl=[57,7,64,272]
2016-01-04 08:48:03 VERIFY OK: depth=1, C=GB, ST=London, L=London, O=Organisation Consulting Limited, OU=admin, CN=vpn.*************, name=Organisation-VPN-Key, emailAddress=postmaster@*************
2016-01-04 08:48:03 VERIFY OK: nsCertType=SERVER
2016-01-04 08:48:03 VERIFY OK: depth=0, C=GB, ST=London, L=London, O=Organisation Consulting Limited, OU=admin, CN=vpn.*************, name=Organisation-VPN-Key, emailAddress=postmaster@*************
2016-01-04 08:48:03 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-01-04 08:48:03 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-01-04 08:48:03 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2016-01-04 08:48:03 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2016-01-04 08:48:03 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2016-01-04 08:48:03 [vpn.*************] Peer Connection Initiated with [AF_INET]AA.BB.CC.DD:1194
2016-01-04 08:48:04 MANAGEMENT: >STATE:1451897284,GET_CONFIG,,,,,,
2016-01-04 08:48:04 SENT CONTROL [vpn.*************]: 'PUSH_REQUEST' (status=1)
2016-01-04 08:48:04 PUSH: Received control message: 'PUSH_REPLY,route 192.168.13.0 255.255.255.0,topology net30,ping 10,ping-restart 120,route 192.168.13.0 255.255.255.0,dhcp-option DNS 192.168.13.1,ifconfig 192.168.13.105 192.168.13.106'
2016-01-04 08:48:04 OPTIONS IMPORT: timers and/or timeouts modified
2016-01-04 08:48:04 OPTIONS IMPORT: --ifconfig/up options modified
2016-01-04 08:48:04 OPTIONS IMPORT: route options modified
2016-01-04 08:48:04 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2016-01-04 08:48:04 ROUTE_GATEWAY 127.100.103.119/255.0.0.0 IFACE=lo HWADDR=00:00:00:00:00:00
2016-01-04 08:48:04 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2016-01-04 08:48:04 MANAGEMENT: >STATE:1451897284,ASSIGN_IP,,192.168.13.105,,,,
2016-01-04 08:48:04 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2016-01-04 08:48:04 MANAGEMENT: >STATE:1451897284,ADD_ROUTES,,,,,,
2016-01-04 08:48:04 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-01-04 08:48:04 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-01-04 08:48:04 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2016-01-04 08:48:04 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2016-01-04 08:48:04 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2016-01-04 08:48:04 Opening tun interface:
2016-01-04 08:48:04 Local IPv4: 192.168.13.105/30 IPv6: null MTU: 1500
2016-01-04 08:48:04 DNS Server: 192.168.13.1, Domain: null
2016-01-04 08:48:04 Routes: 192.168.13.0/24, 192.168.13.104/30 
2016-01-04 08:48:04 Routes excluded: 192.168.0.167/24 
2016-01-04 08:48:04 VpnService routes installed: 192.168.13.0/24 
2016-01-04 08:48:04 Disallowed VPN apps: 
2016-01-04 08:48:04 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2016-01-04 08:48:04 Initialization Sequence Completed
2016-01-04 08:48:04 MANAGEMENT: >STATE:1451897284,CONNECTED,SUCCESS,192.168.13.105,AA.BB.CC.DD,1194,,
[Image: Routes before and after]
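A small diagnostic for the comparison Gary is making above (what the server pushes versus what the device actually applies), added here as an example and not part of the thread: it reads the PUSH_REPLY and "VpnService routes installed" lines from a constructed excerpt of the posted log and reports duplicate pushed routes, pushed routes the app did not install, the pushed resolvers, and whether a default route went over the tunnel. Function names and the assumption that a route covered by a larger installed route counts as installed are mine.

```python
import ipaddress
import re

# Constructed excerpt in the format of the OpenVPN for Android log quoted above
# (the same lines, cut down to the ones this check reads).
SAMPLE_LOG = """\
2016-01-04 08:48:04 PUSH: Received control message: 'PUSH_REPLY,route 192.168.13.0 255.255.255.0,topology net30,ping 10,ping-restart 120,route 192.168.13.0 255.255.255.0,dhcp-option DNS 192.168.13.1,ifconfig 192.168.13.105 192.168.13.106'
2016-01-04 08:48:04 Routes: 192.168.13.0/24, 192.168.13.104/30
2016-01-04 08:48:04 VpnService routes installed: 192.168.13.0/24
"""


def push_options(log):
    """Split the PUSH_REPLY payload into its comma-separated option strings."""
    m = re.search(r"PUSH_REPLY,([^']*)'", log)
    return m.group(1).split(",") if m else []


def pushed_routes(log):
    """'route <net> <mask>' options as CIDR strings; duplicates are kept on purpose."""
    out = []
    for opt in push_options(log):
        parts = opt.split()
        if len(parts) == 3 and parts[0] == "route":
            out.append(str(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)))
    return out


def pushed_dns(log):
    """Resolvers pushed via 'dhcp-option DNS'."""
    return [o.split()[2] for o in push_options(log) if o.startswith("dhcp-option DNS ")]


def installed_routes(log):
    """Routes the app reports it handed to Android's VpnService, i.e. the ones that take effect."""
    m = re.search(r"VpnService routes installed:(.*)$", log, re.M)
    return [ipaddress.ip_network(r) for r in m.group(1).split()] if m else []


def analyse(log):
    pushed, installed = pushed_routes(log), installed_routes(log)
    # A pushed route counts as installed when an installed route covers it: the app
    # folds the /30 into the /24 in the posted log (assumption about its behaviour).
    covered = lambda r: any(ipaddress.ip_network(r).subnet_of(i) for i in installed)
    return {
        "duplicates": sorted({r for r in pushed if pushed.count(r) > 1}),
        "missing": [r for r in dict.fromkeys(pushed) if not covered(r)],
        "dns": pushed_dns(log),
        # A default route (or the redirect-gateway def1 pair) means full tunnel, not split.
        "full_tunnel": any(str(i) in ("0.0.0.0/0", "0.0.0.0/1", "128.0.0.0/1") for i in installed),
    }
```

Run `analyse()` over a full client log to see at a glance whether the tunnel is split or full and which pushed routes never reached VpnService.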

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Openvpn Android Client DNS & Routing Failure

Post by Traffic » Mon Jan 04, 2016 5:19 pm

From your log:
idistech wrote: 2016-01-04 08:48:02 route 192.168.13.0/255.255.255.0/vpn_gateway/nil
This indicates the --route statement is in the client config but not shown in the config you posted.

idistech
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 04, 2016 7:12 am

Re: Openvpn Android Client DNS & Routing Failure

Post by idistech » Mon Jan 04, 2016 6:13 pm

Sorry for the confusion.
Yes, I had tried to add the route directly. It's normally not required.
I had tried it in the ccd/<hostname> with a 'push "route 192.168.13.0 255.255.255.0"'
and also tried adding it to the client directly (OpenVPN for Android allows this).

In each case the result was the same, no route added to the client (hence the screenshot), i.e. the client log has it, but ip route show doesn't.

Happy to run some clearer diagnostics.

Many thanks for all your help !

G

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Openvpn Android Client DNS & Routing Failure

Post by Traffic » Tue Jan 05, 2016 4:11 pm

Please see the FAQ:
http://ics-openvpn.blinkt.de/FAQ.html

Specifically this section: Routing/Interface Configuration
