Client-to-server can't talk to home network over LTE

This forum is for general conversation and user-user networking.

stringpark
OpenVpn Newbie
Posts: 5
Joined: Sun Dec 29, 2019 8:19 pm

Client-to-server can't talk to home network over LTE

Post by stringpark » Sun Dec 29, 2019 11:50 pm

Hello,

Total newbie here and am looking for some help with my client-to-server configuration. I followed the instructions in this vid https://www.youtube.com/watch?v=LTBE8YiPhkg to set up the OpenVPN server on my edgerouter. It works well with PC, iPhone, and Android clients that are connected to the server over external wifi, including an LTE Wifi hotspot. However, I am having trouble with the iPhone and Android clients when they are using LTE directly (not the LTE wifi hotspot). In that case, the OpenVPN app shows connected, but I can't talk to any devices on my home network (i.e. access web management pages). With the iPhone, I can't ping the devices either, though I can with Android, but I can't hit any management pages with either device.

I'm not sure, but I think that the problem may have something to do with IPv6. When connected over wifi, I'll get an IPv4 address when googling "my ip", but when connected directly over LTE, I get an IPv6 address. The OpenVPN app will sometimes show the "VPN PROTOCOL" as UDPv4 and other times it will show as UDPv6, but googling "my ip" always shows an IPv6 address when connected direct over LTE.

Any advice would be appreciated.

Thanks!

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client-to-server can't talk to home network over LTE

Post by TinCanTech » Mon Dec 30, 2019 1:41 am

This can best be explained by reading your logs at --verb 4

Please see:
viewtopic.php?f=30&t=22603#p68963

for details ..


(Android does not support --verb 4 but it does not make any difference, just post your logs please)

stringpark
OpenVpn Newbie
Posts: 5
Joined: Sun Dec 29, 2019 8:19 pm

Re: Client-to-server can't talk to home network over LTE

Post by stringpark » Tue Dec 31, 2019 2:26 am

Thanks @TinCanTech,

Here's what I've got:

server

show interfaces openvpn vtun0
description OpenVPN
encryption aes256
hash sha256
mode server
openvpn-option "--comp-lzo no"
openvpn-option "--proto udp6"
openvpn-option "--verb 4"
server {
    name-server x.x.x.x
    push-route 192.168.1.0/24
    subnet 172.16.0.0/24
}
tls {
    ca-cert-file /config/auth/cacert.pem
    cert-file /config/auth/SERVER.pem
    dh-file /config/auth/DH.pem
    key-file /config/auth/SERVER-NOPASS.key
}


code

Dec 31 02:00:45 ubnt openvpn[3114]: MULTI: multi_create_instance called
Dec 31 02:00:45 ubnt openvpn[3114]: ::ffff:x.x.x.x Re-using SSL/TLS context
Dec 31 02:00:45 ubnt openvpn[3114]: ::ffff:x.x.x.x LZO compression initialized
Dec 31 02:00:45 ubnt openvpn[3114]: ::ffff:x.x.x.x Control Channel MTU parms [ L:1570 D:138 EF:38 EB:0 ET:0 EL:0 ]
Dec 31 02:00:45 ubnt openvpn[3114]: ::ffff:x.x.x.x Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
Dec 31 02:00:45 ubnt openvpn[3114]: ::ffff:x.x.x.x Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Dec 31 02:00:45 ubnt openvpn[3114]: ::ffff:x.x.x.x Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Dec 31 02:00:45 ubnt openvpn[3114]: ::ffff:x.x.x.x Local Options hash (VER=V4): 'xxxxxxxx'
Dec 31 02:00:45 ubnt openvpn[3114]: ::ffff:x.x.x.x Expected Remote Options hash (VER=V4): 'xxxxxxxx'
Dec 31 02:00:45 ubnt openvpn[3114]: ::ffff:x.x.x.x TLS: Initial packet from [AF_INET6]::ffff:x.x.x.x:48866, sid=xxxxxxxx xxxxxxxx
Dec 31 02:00:46 ubnt openvpn[3114]: ::ffff:x.x.x.x VERIFY OK: depth=1, C=US, ST=QUICKCONFIGS, O=QUICKCONFIGS, OU=QUICKCONFIGS, CN=ROOT
Dec 31 02:00:46 ubnt openvpn[3114]: ::ffff:x.x.x.x VERIFY OK: depth=0, C=US, ST=QUICKCONFIGS, L=QUICKCONFIGS, O=QUICKCONFIGS, OU=QUICKCONFIGS, CN=CLIENT
Dec 31 02:00:46 ubnt openvpn[3114]: ::ffff:x.x.x.x Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 31 02:00:46 ubnt openvpn[3114]: ::ffff:x.x.x.x Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 31 02:00:46 ubnt openvpn[3114]: ::ffff:x.x.x.x Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 31 02:00:46 ubnt openvpn[3114]: ::ffff:x.x.x.x Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 31 02:00:46 ubnt openvpn[3114]: ::ffff:x.x.x.x Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
Dec 31 02:00:46 ubnt openvpn[3114]: ::ffff:x.x.x.x [CLIENT] Peer Connection Initiated with [AF_INET6]::ffff:x.x.x.x:48866
Dec 31 02:00:46 ubnt openvpn[3114]: CLIENT/::ffff:x.x.x.x MULTI_sva: pool returned IPv4=172.16.0.2, IPv6=(Not enabled)
Dec 31 02:00:46 ubnt openvpn[3114]: CLIENT/::ffff:x.x.x.x MULTI: Learn: 172.16.0.2 -> CLIENT/::ffff:x.x.x.x
Dec 31 02:00:46 ubnt openvpn[3114]: CLIENT/::ffff:x.x.x.x MULTI: primary virtual IP for CLIENT/::ffff:x.x.x.x: 172.16.0.2
Dec 31 02:00:46 ubnt openvpn[3114]: CLIENT/::ffff:x.x.x.x PUSH: Received control message: 'PUSH_REQUEST'
Dec 31 02:00:46 ubnt openvpn[3114]: CLIENT/::ffff:x.x.x.x send_push_reply(): safe_cap=940
Dec 31 02:00:46 ubnt openvpn[3114]: CLIENT/::ffff:x.x.x.x SENT CONTROL [CLIENT]: 'PUSH_REPLY,dhcp-option DNS x.x.x.x,route 192.168.1.0 255.255.255.0,route-gateway 172.16.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.16.0.2 255.255.255.0' (status=1)


client

client
dev tun
proto udp6
remote xxxx.xxxx.com 1194
float
comp-lzo yes
push "comp-lzo yes"
resolv-retry infinite
nobind
persist-key
persist-tun
verb 4
auth SHA256
cipher AES-256-CBC
ca cacert.pem
cert CLIENT.pem
key CLIENT-NOPASS.key


code

2019-12-30 21:00:45 ----- OpenVPN Start -----
OpenVPN core 3.git::xxxxxxxx ios arm64 64-bit PT_PROXY built on Dec 2 2019 14:44:28

2019-12-30 21:00:45 OpenVPN core 3.git::xxxxxxxx ios arm64 64-bit PT_PROXY built on Dec 2 2019 14:44:28

2019-12-30 21:00:45 Frame=512/2048/512 mssfix-ctrl=1250

2019-12-30 21:00:45 UNUSED OPTIONS
6 [push] [comp-lzo yes]
7 [resolv-retry] [infinite]
8 [nobind]
9 [persist-key]
10 [persist-tun]
11 [verb] [4]

2019-12-30 21:00:45 EVENT: RESOLVE

2019-12-30 21:00:45 Contacting [x:x:x:x::x:x]:1194/UDP via UDP

2019-12-30 21:00:45 EVENT: WAIT

2019-12-30 21:00:45 Connecting to [xxxx.xxxx.com]:1194 (x:x:x:x::x:x) via UDPv6

2019-12-30 21:00:45 EVENT: CONNECTING

2019-12-30 21:00:45 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client

2019-12-30 21:00:45 Creds: UsernameEmpty/PasswordEmpty

2019-12-30 21:00:45 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.1.1-2819
IV_VER=3.git::xxxxxxxx
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1


2019-12-30 21:00:46 VERIFY OK : depth=1
cert. version : 3
serial number : xx:xx:xx:xx:xx:xx:xx:xx
issuer name : C=US, ST=QUICKCONFIGS, O=QUICKCONFIGS, OU=QUICKCONFIGS, CN=ROOT
subject name : C=US, ST=QUICKCONFIGS, O=QUICKCONFIGS, OU=QUICKCONFIGS, CN=ROOT
issued on : 2019-12-19 00:37:42
expires on : 2022-12-18 00:37:42
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true


2019-12-30 21:00:46 VERIFY OK : depth=0
cert. version : 3
serial number : xx:xx:xx:xx:xx:xx:xx:xx
issuer name : C=US, ST=QUICKCONFIGS, O=QUICKCONFIGS, OU=QUICKCONFIGS, CN=ROOT
subject name : C=US, ST=QUICKCONFIGS, L=QUICKCONFIGS, O=QUICKCONFIGS, OU=QUICKCONFIGS, CN=SERVER
issued on : 2019-12-19 00:46:41
expires on : 2020-12-18 00:46:41
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false


2019-12-30 21:00:46 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

2019-12-30 21:00:46 Session is ACTIVE

2019-12-30 21:00:46 EVENT: GET_CONFIG

2019-12-30 21:00:46 Sending PUSH_REQUEST to server...

2019-12-30 21:00:46 OPTIONS:
0 [dhcp-option] [DNS] [xxxx.xxxx.com]
1 [route] [192.168.1.0] [255.255.255.0]
2 [route-gateway] [172.16.0.1]
3 [topology] [subnet]
4 [ping] [10]
5 [ping-restart] [60]
6 [ifconfig] [172.16.0.2] [255.255.255.0]


2019-12-30 21:00:46 PROTOCOL OPTIONS:
cipher: AES-256-CBC
digest: SHA256
compress: LZO_STUB
peer ID: -1

2019-12-30 21:00:46 EVENT: ASSIGN_IP

2019-12-30 21:00:46 NIP: preparing TUN network settings

2019-12-30 21:00:46 NIP: init TUN network settings with endpoint: x:x:x:x::x:x

2019-12-30 21:00:46 NIP: adding IPv4 address to network settings 172.16.0.2/255.255.255.0

2019-12-30 21:00:46 NIP: adding (included) IPv4 route 172.16.0.0/24

2019-12-30 21:00:46 NIP: adding (included) IPv4 route 192.168.1.0/24

2019-12-30 21:00:46 NIP: adding DNS xxxx.xxxx.com

2019-12-30 21:00:46 NIP: adding match domain ALL

2019-12-30 21:00:46 NIP: adding DNS specific routes:

2019-12-30 21:00:46 NIP: adding (included) IPv4 route xxxx.xxxx.com/32

2019-12-30 21:00:46 Connected via NetworkExtensionTUN

2019-12-30 21:00:46 LZO-ASYM init swap=0 asym=1

2019-12-30 21:00:46 Comp-stub init swap=0

2019-12-30 21:00:46 EVENT: CONNECTED xxxx.xxxx.com:1194 (x:x:x:x::x:x) via /UDPv6 on NetworkExtensionTUN/172.16.0.2/ gw=[/]


Thinking the issue had something to do with IPv6, I added "proto udp6" to the client and server config, but it didn't seem to help.

Thanks for taking a look at this!
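An added example, not part of the original posts and not OpenVPN project code: a small Python triage of the server log lines quoted above, pulling out the facts that bear on the IPv4/IPv6 question (transport family as the server saw it, tunnel address families, pushed routes) plus the negotiated control-channel suite. The peer address 203.0.113.7 is a constructed stand-in for the redacted one, and the function names are hypothetical.

```python
import ipaddress
import re
# Constructed sample: server log lines from the post, redacted peer replaced by 203.0.113.7.
SAMPLE_LOG = """\
Dec 31 02:00:46 ubnt openvpn[3114]: ::ffff:203.0.113.7 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
Dec 31 02:00:46 ubnt openvpn[3114]: ::ffff:203.0.113.7 [CLIENT] Peer Connection Initiated with [AF_INET6]::ffff:203.0.113.7:48866
Dec 31 02:00:46 ubnt openvpn[3114]: CLIENT/::ffff:203.0.113.7 MULTI_sva: pool returned IPv4=172.16.0.2, IPv6=(Not enabled)
Dec 31 02:00:46 ubnt openvpn[3114]: CLIENT/::ffff:203.0.113.7 SENT CONTROL [CLIENT]: 'PUSH_REPLY,dhcp-option DNS x.x.x.x,route 192.168.1.0 255.255.255.0,route-gateway 172.16.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.16.0.2 255.255.255.0' (status=1)
"""

PEER_RE = re.compile(r"Peer Connection Initiated with \[(AF_INET6?)\](.+):(\d+)$")
POOL_RE = re.compile(r"pool returned IPv4=(\S+), IPv6=(.+)$")
TLS_RE = re.compile(r"Control Channel: (\S+), cipher \S+ (\S+),")
PUSH_RE = re.compile(r"'PUSH_REPLY,([^']*)'")

def summarize(log_text):
    """Collect the facts that decide which address families the VPN carries."""
    info = {"routes": [], "routes6": []}
    for line in log_text.splitlines():
        if m := PEER_RE.search(line):
            addr = ipaddress.ip_address(m.group(2))
            info["socket_family"] = m.group(1)
            # A v4-mapped peer on an AF_INET6 socket is really an IPv4 client.
            info["peer_is_ipv4"] = addr.version == 4 or getattr(addr, "ipv4_mapped", None) is not None
        elif m := POOL_RE.search(line):
            info["tunnel_ipv4"] = m.group(1)
            info["tunnel_ipv6"] = None if "Not enabled" in m.group(2) else m.group(2)
        elif m := TLS_RE.search(line):
            info["tls_version"], info["tls_cipher"] = m.groups()
        elif m := PUSH_RE.search(line):
            for opt in m.group(1).split(","):
                words = opt.split()
                if words[:1] == ["route"] and len(words) >= 3:
                    info["routes"].append(str(ipaddress.ip_network(f"{words[1]}/{words[2]}")))
                elif words[:1] == ["route-ipv6"] and len(words) >= 2:
                    info["routes6"].append(words[1])
    return info

def findings(info):
    """Turn the summary into the observations relevant to this thread."""
    out = []
    if info.get("peer_is_ipv4"):
        out.append("server saw the client arrive over IPv4 (v4-mapped peer address)")
    if info.get("tunnel_ipv4") and not info.get("tunnel_ipv6") and not info["routes6"]:
        out.append("tunnel is IPv4-only: no IPv6 pool, no route-ipv6 pushed")
    if info.get("tls_version") in ("TLSv1", "TLSv1.1") or "DES" in info.get("tls_cipher", ""):
        out.append(f"legacy control channel: {info['tls_version']} {info['tls_cipher']}")
    return out
```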

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client-to-server can't talk to home network over LTE

Post by TinCanTech » Tue Dec 31, 2019 3:05 am

Learn this, from the configs you posted, the use of '{ }'; OpenVPN does not support this syntax.

Sorry, we do not support your edge router.

Also, this is for the FYI,
https://community.openvpn.net/openvpn/w ... gConflicts

stringpark
OpenVpn Newbie
Posts: 5
Joined: Sun Dec 29, 2019 8:19 pm

Re: Client-to-server can't talk to home network over LTE

Post by stringpark » Wed Jan 01, 2020 8:57 pm

Ok, thanks anyway for having a look at this. I have an always-on ubuntu machine that sits behind the edgerouter, so I might try installing OpenVPN server on that instead.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client-to-server can't talk to home network over LTE

Post by TinCanTech » Wed Jan 01, 2020 11:07 pm

stringpark wrote: Wed Jan 01, 2020 8:57 pm
I have an always-on ubuntu machine that sits behind the edgerouter, so I might try installing OpenVPN server on that instead.

Good idea ;)

You may also need IPv6:
https://community.openvpn.net/openvpn/wiki/IPv6
