Motorola G6 to Raspberry Pi (and Kindle HD works fine)

matwell
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 25, 2019 8:52 pm

Motorola G6 to Raspberry Pi (and Kindle HD works fine)

Post by matwell » Thu Apr 25, 2019 9:04 pm

I have a Motorola G6 and a Kindle HD, both with the OpenVPN client installed very recently (i.e. in the last few days).

I have a Raspberry Pi with the OpenVPN server configured and running on my home network and port-forwarded by my VDSL modem/router.

I have imported the same .ovpn configuration to both. The OpenVPN client configuration parameters are the same, or at least, I can see no differences.

I can connect the OpenVPN client on the Kindle to the OpenVPN server *via* the G6 acting as a hotspot (over the mobile network) and surf happily.

However, when I connect from the G6 using OpenVPN it appears to connect and it shows exactly the same details, i.e. server address etc. This also seems to be reflected in the logs of the OpenVPN server. However, surfing just doesn't happen. No response.

Disconnecting also appears to work fine.

Thoughts? Suggestions?

TinCanTech
OpenVPN Protagonist
Posts: 6153
Joined: Fri Jun 03, 2016 1:17 pm

Re: Motorola G6 to Raspberry Pi (and Kindle HD works fine)

Post by TinCanTech » Thu Apr 25, 2019 9:22 pm

matwell wrote:
Thu Apr 25, 2019 9:04 pm
Suggestions?
Please see:
viewtopic.php?f=30&t=22603#p68963

matwell
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 25, 2019 8:52 pm

Re: Motorola G6 to Raspberry Pi (and Kindle HD works fine)

Post by matwell » Thu Apr 25, 2019 10:04 pm

The story so far...:

Changed the client and server config to 'verb 4' and restarted the server.

Client log looks no different; however, the server is reporting 'bad source address' as per: https://openvpn.net/faq/multi-bad-sourc ... rt-failed/ (BTW, why does this need 'verb' (debug-level?) 4 to report it? This looks like a real problem to me?!)

Why is the OpenVPN server not 'just' responding down the socket that has connected to it/initiated data transfer? Why does it appear to need routing information? Is it using UDP instead of TCP perhaps?

Similarly, it's still not clear to me why a client connected via the mobile's hotspot seems to not have this problem!

In the interim, still plugging away... (but it will now be tomorrow, before I can do more...! :( )

matwell
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 25, 2019 8:52 pm

Re: Motorola G6 to Raspberry Pi (and Kindle HD works fine)

Post by matwell » Fri Apr 26, 2019 8:06 am

OpenVPN Server version:
OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 14 2018
library versions: OpenSSL 1.0.2r 26 Feb 2019, LZO 2.08

OS Version:
Raspberry Pi Raspbian Linux 4.14.98+ #1200

Client platform:
Motorola Moto G6 Dual Sim - though only one is enabled to use data.
Build number (presumably Android): PPS29.55-24
OpenVPN Client version: 3.0.5.(1816) - the same version as the one on my Kindle HD (Fire HD 8 (6th generation) running 5.3.6.4) that does work.

Server config, generated by PiVPN.io:

dev tun
proto tcp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/#####################.crt
key /etc/openvpn/easy-rsa/pki/private/##########################.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 199.233.237.18"
push "dhcp-option DNS 176.56.236.89"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
##verb 3
verb 4
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io


Client config, practically as delivered:

client
dev tun
proto tcp
remote ######## 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name ########### name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 4

matwell
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 25, 2019 8:52 pm

Re: Motorola G6 to Raspberry Pi (and Kindle HD works fine)

Post by matwell » Fri Apr 26, 2019 8:15 am

Client log appeared to be truncated, so posting separately; though I now think it may be a problem with 'special characters' within the content, so posting 'as-is' (sorry!):

08:53:04.890 -- ----- OpenVPN Start -----
08:53:04.891 -- EVENT: CORE_THREAD_ACTIVE
08:53:04.894 -- Frame=512/2048/512 mssfix-ctrl=1250
08:53:04.922 -- UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
11 [verify-x509-name] [server_DU7YUNtkmIjfsFmX] [name]
14 [auth-nocache]
15 [verb] [4]
08:53:04.923 -- EVENT: RESOLVE
08:53:04.927 -- Contacting ########.108:1194 via TCP
08:53:04.929 -- EVENT: WAIT
08:53:05.505 -- Connecting to [######.108]:1194 (######.108) via TCPv4
08:53:05.723 -- EVENT: CONNECTING
08:53:05.727 -- Tunnel Options:V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
08:53:05.728 -- Creds: UsernameEmpty/PasswordEmpty
08:53:05.730 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
08:53:10.422 -- VERIFY OK : depth=1
cert. version : 3
serial number : ##############:4F
issuer name : CN=ChangeMe
subject name : CN=ChangeMe
issued on : 2019-04-15 15:28:38
expires on : 2029-04-12 15:28:38
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
08:53:10.423 -- VERIFY OK : depth=0
cert. version : 3
serial number : ######################################:AD
issuer name : CN=ChangeMe
subject name : CN=server_#######################
issued on : 2019-04-15 15:28:45
expires on : 2022-03-30 15:28:45
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : server_#######################
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
08:53:10.970 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
08:53:10.972 -- Session is ACTIVE
08:53:10.975 -- EVENT: GET_CONFIG
08:53:10.982 -- Sending PUSH_REQUEST to server...
08:53:11.135 -- OPTIONS:
0 [dhcp-option] [DNS] [199.233.237.18]
1 [dhcp-option] [DNS] [176.56.236.89]
2 [block-outside-dns]
3 [redirect-gateway] [def1]
4 [route-gateway] [10.8.0.1]
5 [topology] [subnet]
6 [ping] [1800]
7 [ping-restart] [3600]
8 [ifconfig] [10.8.0.2] [255.255.255.0]
9 [peer-id] [0]
10 [cipher] [AES-256-GCM]
08:53:11.137 -- PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA256
compress: NONE
peer ID: 0
08:53:11.138 -- EVENT: ASSIGN_IP
08:53:11.169 -- Connected via tun
08:53:11.179 -- EVENT: CONNECTED info='@########.108:1194 (#########.108) via /TCPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]'
trans=TO_CONNECTED

matwell
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 25, 2019 8:52 pm

Re: Motorola G6 to Raspberry Pi (and Kindle HD works fine)

Post by matwell » Fri Apr 26, 2019 9:01 am

Server log for the same interaction (some excess content on each line removed) and some detail redacted:

Apr 26 08:53:05: Re-using SSL/TLS context
Apr 26 08:53:05: Control Channel MTU parms [ L:1623 D:1170 EF:80 EB:0 ET:0 EL:3 ]
Apr 26 08:53:05: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Apr 26 08:53:05: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_SERVER,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Apr 26 08:53:05: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Apr 26 08:53:05: TCP connection established with [AF_INET]<IP-Address>.158:31530
Apr 26 08:53:05: TCP_SERVER link local: (not bound)
Apr 26 08:53:05: TCP_SERVER link remote: [AF_INET]<IP-Address>.158:31530
Apr 26 08:53:05: <IP-Address>.158:31530 TLS: Initial packet from [AF_INET]<IP-Address>.158:31530, sid=####9f4b ####bc2b
Apr 26 08:53:10: <IP-Address>.158:31530 VERIFY OK: depth=1, CN=ChangeMe
Apr 26 08:53:10: <IP-Address>.158:31530 Validating certificate key usage
Apr 26 08:53:10: <IP-Address>.158:31530 ++ Certificate has key usage 0080, expects 0080
Apr 26 08:53:10: <IP-Address>.158:31530 VERIFY KU OK
Apr 26 08:53:10: <IP-Address>.158:31530 Validating certificate extended key usage
Apr 26 08:53:10: <IP-Address>.158:31530 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Apr 26 08:53:10: <IP-Address>.158:31530 VERIFY EKU OK
Apr 26 08:53:10: <IP-Address>.158:31530 VERIFY OK: depth=0, CN=<Username>
Apr 26 08:53:11: <IP-Address>.158:31530 peer info: IV_GUI_VER=OC30Android
Apr 26 08:53:11: <IP-Address>.158:31530 peer info: IV_VER=3.2
Apr 26 08:53:11: <IP-Address>.158:31530 peer info: IV_PLAT=android
Apr 26 08:53:11: <IP-Address>.158:31530 peer info: IV_NCP=2
Apr 26 08:53:11: <IP-Address>.158:31530 peer info: IV_TCPNL=1
Apr 26 08:53:11: <IP-Address>.158:31530 peer info: IV_PROTO=2
Apr 26 08:53:11: <IP-Address>.158:31530 peer info: IV_AUTO_SESS=1
Apr 26 08:53:11: <IP-Address>.158:31530 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 26 08:53:11: <IP-Address>.158:31530 [<Username>] Peer Connection Initiated with [AF_INET]<IP-Address>.158:31530
Apr 26 08:53:11: <Username>/<IP-Address>.158:31530 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Apr 26 08:53:11: <Username>/<IP-Address>.158:31530 MULTI: Learn: 10.8.0.2 -> <Username>/<IP-Address>.158:31530
Apr 26 08:53:11: <Username>/<IP-Address>.158:31530 MULTI: primary virtual IP for <Username>/<IP-Address>.158:31530: 10.8.0.2
Apr 26 08:53:11: <Username>/<IP-Address>.158:31530 PUSH: Received control message: 'PUSH_REQUEST'
Apr 26 08:53:11: <Username>/<IP-Address>.158:31530 SENT CONTROL [<Username>]: 'PUSH_REPLY,dhcp-option DNS 199.233.237.18,dhcp-option DNS 176.56.236.89,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Apr 26 08:53:11: <Username>/<IP-Address>.158:31530 Data Channel MTU parms [ L:1551 D:1450 EF:51 EB:406 ET:0 EL:3 ]
Apr 26 08:53:11: <Username>/<IP-Address>.158:31530 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 26 08:53:11: <Username>/<IP-Address>.158:31530 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 26 08:53:11: <Username>/<IP-Address>.158:31530 MULTI: bad source address from client [10.160.85.152], packet dropped
Apr 26 08:55:48: <Username>/<IP-Address>.158:31530 Connection reset, restarting [0]
Apr 26 08:55:48: <Username>/<IP-Address>.158:31530 SIGUSR1[soft,connection-reset] received, client-instance restarting
Apr 26 08:55:48: TCP/UDP: Closing socket

TinCanTech
OpenVPN Protagonist
Posts: 6153
Joined: Fri Jun 03, 2016 1:17 pm

Re: Motorola G6 to Raspberry Pi (and Kindle HD works fine)

Post by TinCanTech » Fri Apr 26, 2019 1:05 pm

The logs you have posted indicate that openvpn is working as expected.
matwell wrote:
Thu Apr 25, 2019 10:04 pm
server is reporting 'bad source address'
This is usually not a problem; the message means the server is receiving packets from a source address which it does not recognise, and it drops the packet.
matwell wrote:
Fri Apr 26, 2019 9:01 am
MULTI: bad source address from client [10.160.85.152],
10.160.85.152 is the client LAN address .. but openvpn does not need to know this.
matwell wrote:
Thu Apr 25, 2019 9:04 pm
when I connect from the G6 using OpenVPN it appears to connect and it shows exactly the same details i.e. server address etc. This is also seems to be reflected in the logs of the OpenVPN server. However, surfing just doesn't happen. No response.
Can you ping the server on 10.8.0.1 and the server's gateway IP ?
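The 'bad source address' check described above, as an added example that is not part of this thread or of OpenVPN's own code: a small Python classifier that walks server log lines in the format posted here, records which address the server learned for each client instance, and sorts every dropped source into an address outside the VPN pool (the client-LAN case in this thread) or one inside it. The verdict names and the extra sample line with a pool address are my assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the server log posted in this thread (prefixes
# trimmed, <Username>/<IP-Address> placeholders kept); the third line, with a
# source inside the pool, is added here to exercise the second branch.
SAMPLE_LOG = """\
Apr 26 08:53:11: <Username>/<IP-Address>.158:31530 MULTI: Learn: 10.8.0.2 -> <Username>/<IP-Address>.158:31530
Apr 26 08:53:11: <Username>/<IP-Address>.158:31530 MULTI: bad source address from client [10.160.85.152], packet dropped
Apr 26 08:53:12: <Username>/<IP-Address>.158:31530 MULTI: bad source address from client [10.8.0.7], packet dropped
"""

LEARN_RE = re.compile(r"MULTI: Learn: (\S+) -> (\S+)\s*$")
BAD_RE = re.compile(r"(\S+) MULTI: bad source address from client \[([^\]]+)\]")


def learned_addresses(log_text):
    """Map each client instance token to the addresses the server learned for it."""
    learned = {}
    for line in log_text.splitlines():
        m = LEARN_RE.search(line)
        if m:
            learned.setdefault(m.group(2), set()).add(m.group(1))
    return learned


def classify_bad_sources(log_text, vpn_subnet="10.8.0.0/24"):
    """Return (client, address, verdict) for every 'bad source address' line.

    outside-vpn-pool: a stray packet from the client's LAN side; dropped and,
    as noted in the thread, normally harmless. own-learned-address: the server
    already learned this address for the client, so the drop is unexpected.
    pool-address-not-learned: inside the pool but not this client's; dropped.
    """
    pool = ipaddress.ip_network(vpn_subnet)
    learned = learned_addresses(log_text)
    findings = []
    for line in log_text.splitlines():
        m = BAD_RE.search(line)
        if not m:
            continue
        client, addr = m.group(1), m.group(2)
        if ipaddress.ip_address(addr) not in pool:
            verdict = "outside-vpn-pool"
        elif addr in learned.get(client, set()):
            verdict = "own-learned-address"
        else:
            verdict = "pool-address-not-learned"
        findings.append((client, addr, verdict))
    return findings
```

Run it over a real server log at 'verb 4' to see at a glance whether the dropped sources are LAN addresses (as here) or pool addresses that do not belong to the client that sent them.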

matwell
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 25, 2019 8:52 pm

Re: Motorola G6 to Raspberry Pi (and Kindle HD works fine)

Post by matwell » Sat Apr 27, 2019 8:18 am

From my 'phone, over OpenVPN client via the mobile network & to my home office OpenVPN server running on a Raspberry Pi, I can ping (using 'Fing') 10.8.0.1, my (separate) wireless access point (192.168.1.1) and my gateway (192.168.1.253). Not sure that it's material, but no packet-loss and all ~70ms averages.

However, I seem unable to ping any public web-sites e.g. news.bbc.co.uk by name; *however*, when I pinged both of its IP addresses (from nslookup on my PC), 212.58.249.145 and 212.58.244.57, it *did* work!!! Which suggests that it may be a name-lookup problem? However, trying to browse from Chrome on the 'phone using either IP address above didn't work. At least one failed with DNS_PROBE_FINISHED_BAD_CONFIG. And back to Fing again: I *could* ping the IP addresses but not the names!!!

As a reminder: and yet, all of the above works from my Kindle HD using my 'phone as a hotspot and the same version of the OpenVPN client! So I'm guessing that the IP name-to-address resolution still occurs in the client IP stack (above/before the OpenVPN client) and for some reason it is not working on the 'phone, but is on the Kindle HD (both Android)?

N.B. I can access (tested using curl, wget and ping) this and other sites e.g. linkedin.com from the Pi hosting the OpenVPN server by name (and IP address, obviously).

Also, the 'built-in' PPTP (pah!) of the 'phone to the regular VPN server on my Pi does work.

Hope this helps?! :D

matwell
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 25, 2019 8:52 pm

Re: Motorola G6 to Raspberry Pi (and Kindle HD works fine)

Post by matwell » Tue Apr 30, 2019 3:41 pm

<Bump!>

Has anyone got any thoughts or insights? Anything else I can try or provide?

TinCanTech
OpenVPN Protagonist
Posts: 6153
Joined: Fri Jun 03, 2016 1:17 pm

Re: Motorola G6 to Raspberry Pi (and Kindle HD works fine)

Post by TinCanTech » Tue Apr 30, 2019 8:27 pm

The problem is clearly due to some DNS related issue .. but I do not know what.

If all else fails you can contact me privately: tincanteksup <at> gmail

matwell
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 25, 2019 8:52 pm

Re: Motorola G6 to Raspberry Pi (and Kindle HD works fine)

Post by matwell » Sun May 05, 2019 8:38 am

On TinCanTech's suggestion (PM) I tried ICS OpenVPN and it seems to exhibit exactly the same problem; though there's at least more low-level logging, it didn't help.

So I've logged a bug with Motorola UK Support.
