The server is running OpenVPN 2.4.7.
Here is the server configuration file:
Server Config
local <openvpn-local-ip>
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/<openvpn-hostname>.crt
key /etc/openvpn/easy-rsa/pki/private/<openvpn-hostname>.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
tls-server
client-config-dir /etc/openvpn/clients
push "redirect-gateway def1"
push "dhcp-option DNS <local-dns-ip-addr>"
push "dhcp-option DOMAIN <local-domain-name>"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
compress lz4
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 6
In /etc/openvpn/clients there is a client configuration, named after the hostname of the client, with the following line:
Server Config Client Specific
ifconfig-push 10.8.0.<x> 255.255.255.0
Here is the client .ovpn template:
Client OVPN
client
dev tun
proto udp
remote <remote-host> <port>
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
tls-client
key-direction 1
cipher AES-256-CBC
auth SHA256
auth-nocache
compress lz4
verb 4
mute 20
<for ubuntu, there are up/down resolvconf options set here that are not present when importing on android>
<ca>
<CERT>
</ca>
<cert>
<CERT>
</cert>
<key>
<KEY>
</key>
<tls-auth>
<KEY>
</tls-auth>
The Android client is running OpenVPN Connect version 3.2.2 (5027).
Here is a snippet from the logs when connecting:
openvpn log
Thu Aug 20 17:56:56 2020 us=908327 MULTI: multi_create_instance called
Thu Aug 20 17:56:56 2020 us=909047 <cell-phone-carrier-assigned-ip-address>:56929 Re-using SSL/TLS context
Thu Aug 20 17:56:56 2020 us=909427 <cell-phone-carrier-assigned-ip-address>:56929 LZ4 compression initializing
Thu Aug 20 17:56:56 2020 us=910793 <cell-phone-carrier-assigned-ip-address>:56929 Control Channel MTU parms [ L:1622 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Thu Aug 20 17:56:56 2020 us=911147 <cell-phone-carrier-assigned-ip-address>:56929 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Aug 20 17:56:56 2020 us=911923 <cell-phone-carrier-assigned-ip-address>:56929 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Thu Aug 20 17:56:56 2020 us=912200 <cell-phone-carrier-assigned-ip-address>:56929 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Thu Aug 20 17:56:56 2020 us=912667 <cell-phone-carrier-assigned-ip-address>:56929 TLS: Initial packet from [AF_INET]<cell-phone-carrier-assigned-ip-address>:56929, sid=5f913f34 58d658b9
Thu Aug 20 17:56:57 2020 us=236223 <cell-phone-carrier-assigned-ip-address>:56929 VERIFY OK: depth=1, CN=<openvpn-server>
Thu Aug 20 17:56:57 2020 us=241949 <cell-phone-carrier-assigned-ip-address>:56929 VERIFY OK: depth=0, CN=<openvpn-client>
Thu Aug 20 17:56:57 2020 us=251104 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_VER=3.git:released:3e56f9a6:Release
Thu Aug 20 17:56:57 2020 us=252961 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_PLAT=android
Thu Aug 20 17:56:57 2020 us=254998 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_NCP=2
Thu Aug 20 17:56:57 2020 us=256808 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_TCPNL=1
Thu Aug 20 17:56:57 2020 us=258596 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_PROTO=2
Thu Aug 20 17:56:57 2020 us=260402 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_LZO_STUB=1
Thu Aug 20 17:56:57 2020 us=262239 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_COMP_STUB=1
Thu Aug 20 17:56:57 2020 us=264009 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_COMP_STUBv2=1
Thu Aug 20 17:56:57 2020 us=265865 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_IPv6=0
Thu Aug 20 17:56:57 2020 us=267669 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_AUTO_SESS=1
Thu Aug 20 17:56:57 2020 us=269468 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.2-5027
Thu Aug 20 17:56:57 2020 us=271363 <cell-phone-carrier-assigned-ip-address>:56929 peer info: IV_SSO=openurl
Thu Aug 20 17:56:57 2020 us=342827 <cell-phone-carrier-assigned-ip-address>:56929 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Aug 20 17:56:57 2020 us=344907 <cell-phone-carrier-assigned-ip-address>:56929 [<openvpn-client>] Peer Connection Initiated with [AF_INET]<cell-phone-carrier-assigned-ip-address>:56929
Thu Aug 20 17:56:57 2020 us=347134 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/clients/<openvpn-client>
Thu Aug 20 17:56:57 2020 us=350182 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 MULTI: Learn: 10.8.0.4 -> <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929
Thu Aug 20 17:56:57 2020 us=352057 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 MULTI: primary virtual IP for <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929: 10.8.0.4
Thu Aug 20 17:56:57 2020 us=354645 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 PUSH: Received control message: 'PUSH_REQUEST'
Thu Aug 20 17:56:57 2020 us=356956 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 SENT CONTROL [<openvpn-client>]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS <local-dns-server>,dhcp-option,dhcp-option DOMAIN <local-domain>,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Aug 20 17:56:57 2020 us=358938 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Aug 20 17:56:57 2020 us=360882 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Data Channel MTU parms [ L:1550 D:1450 EF:50 EB:406 ET:0 EL:3 ]
Thu Aug 20 17:56:57 2020 us=364098 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Aug 20 17:56:57 2020 us=366213 <openvpn-client>/<cell-phone-carrier-assigned-ip-address>:56929 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
When attempting a DNS query from Android, I see the following in the query log:
Local DNS Query Log
20-Aug-2020 18:03:02.549 client <openvpn-server-ip-address>#32434: query: <hostname-query-fqdn> IN A + (<dns-ip-address>)
If I run tcpdump on the tun interface, the output shows:
tcpdump output
18:04:56.872248 IP <openvpn-tun-ip-address>.10921 > <local-dns-fqdn>.domain: 31155+ A? <hostname-query-fqdn>. (43)
18:04:56.875049 IP <local-dns-fqdn>.domain > <openvpn-tun-ip-address>.10921: 31155* 1/1/1 A <found-ip-address-query> (102)
I have tried different iptables commands such as:
Attempt #1
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <openvpn-server-ip-address>
Attempt #2
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source <openvpn-server-ip-address>
Attempt #3
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Attempt #4
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
None of which worked.
Let me know if you need more information. Thanks.
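A few static checks worth running on a server/client pair like the one in this post, as an added example that is not part of the original post or of OpenVPN itself. The two configs it writes are constructed from the options shown above (paths, the remote hostname and the key material are placeholders). The checks are this example's own: tls-auth direction pairing (server 0 with client 1), matching cipher/auth lines, compression enabled, missing remote-cert-tls, missing tls-version-min, very high verb, and tls-auth without tls-crypt. Note that matching `cipher AES-256-CBC` lines pass the check, while the log above shows the data channel actually using AES-256-GCM: that is OpenVPN 2.4 cipher negotiation, triggered by the client's IV_NCP=2, and not a misconfiguration.

```shell
#!/bin/sh
# Added example, not from the forum post: static checks on an OpenVPN 2.4
# server/client config pair. Both configs are constructed from the options
# shown in the post; paths, hostname and key material are placeholders.
set -eu

SERVER_CONF=$(mktemp); CLIENT_OVPN=$(mktemp)
trap 'rm -f "$SERVER_CONF" "$CLIENT_OVPN"' EXIT

cat >"$SERVER_CONF" <<'EOF'
port 1194
proto udp
dev tun
tls-server
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
compress lz4
user nobody
group nogroup
verb 6
EOF

cat >"$CLIENT_OVPN" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194
remote-cert-tls server
tls-client
key-direction 1
cipher AES-256-CBC
auth SHA256
auth-nocache
compress lz4
verb 4
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

# Last argument of the first occurrence of option $2 in file $1 (empty if absent).
# Inline <tag> blocks never match because their first field starts with "<".
opt() { awk -v k="$2" '$1==k {print $NF; exit}' "$1"; }
# True if option $2 appears at the start of a line in file $1.
has() { grep -Eq "^$2([[:space:]]|\$)" "$1"; }

# Print one finding per line for server config $1 and client config $2.
audit_pair() {
    s="$1"; c="$2"
    sdir=$(opt "$s" tls-auth); cdir=$(opt "$c" key-direction)
    case "$sdir$cdir" in
        01|10) ;;
        *) echo "tls-auth direction mismatch: server '$sdir' client '$cdir'" ;;
    esac
    for o in cipher auth; do
        [ "$(opt "$s" $o)" = "$(opt "$c" $o)" ] || echo "$o differs between server and client"
    done
    if grep -Eq '^(compress|comp-lzo)' "$s" "$c"; then
        echo "compression enabled: remove it on both sides (compression oracle attacks such as VORACLE)"
    fi
    has "$c" remote-cert-tls || echo "client lacks 'remote-cert-tls server': any client cert could pose as the server"
    has "$s" tls-version-min || echo "server lacks 'tls-version-min 1.2'"
    v=$(opt "$s" verb)
    [ "${v:-1}" -lt 5 ] || echo "server verb $v logs per-packet detail; use 3 outside debugging"
    if has "$s" tls-auth && ! has "$s" tls-crypt; then
        echo "tls-auth only authenticates the control channel; tls-crypt (2.4+) also encrypts it"
    fi
}

# Number of findings, usable as a gate in a deploy script.
audit_count() { audit_pair "$1" "$2" | wc -l | tr -d ' '; }

audit_pair "$SERVER_CONF" "$CLIENT_OVPN"
```

Run as-is to see the findings for the constructed pair; point `audit_pair` at real files to check a deployment. The post's configs pass the direction and cipher/auth checks but trip the compression, verb, tls-version-min and tls-crypt ones.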
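For comparison with the four attempts above, here is the minimal forwarding and NAT rule set a server that pushes `redirect-gateway def1` needs, written as an idempotent script. This is an added example, not from the original post; it assumes the WAN interface is eth0 and the tunnel subnet is 10.8.0.0/24 (neither is stated in the post; both can be overridden through the environment). It also sets `net.ipv4.ip_forward=1`, which none of the listed attempts mention. Two points worth noting against the post's own output: the DNS query log shows the query arriving from the server's address, and the tcpdump on tun shows the answer returning to the tunnel address, which is exactly what the MASQUERADE and FORWARD rules below produce. Unlike attempt #4, nothing from the tunnel is allowed to reach the server host itself; add INPUT rules per service if clients need that.

```shell
#!/bin/sh
# Added example, not from the forum post: idempotent forwarding + NAT rules
# for an OpenVPN server that pushes "redirect-gateway def1".
# Assumptions (not stated in the post): WAN interface eth0, tunnel subnet
# 10.8.0.0/24, listener UDP/1194. Override via WAN, VPN_NET, VPN_PORT.
set -eu

WAN="${WAN:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_PORT="${VPN_PORT:-1194}"

# Filter-table rules, one per line, without the -A/-C/-D verb so the same
# text can be checked, appended or deleted. Only the tunnel subnet may be
# forwarded out, and only reply traffic may be forwarded back in.
filter_rules() {
    cat <<EOF
INPUT -i $WAN -p udp --dport $VPN_PORT -m conntrack --ctstate NEW -j ACCEPT
FORWARD -i tun+ -s $VPN_NET -o $WAN -j ACCEPT
FORWARD -i $WAN -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Source NAT for tunnel clients leaving via the WAN interface. MASQUERADE uses
# the interface's current address, so it survives an address change that a
# fixed SNAT --to-source would not.
nat_rules() {
    echo "POSTROUTING -s $VPN_NET -o $WAN -j MASQUERADE"
}

# Append a rule only if "iptables -C" reports it absent, so re-running the
# script never stacks duplicate rules (the -A attempts in the post would).
ensure_rule() {
    table="$1"; shift
    # shellcheck disable=SC2086  # word-splitting of the rule text is intended
    iptables -t "$table" -C $* 2>/dev/null || iptables -t "$table" -A $*
}

apply_rules() {
    # Without this sysctl the kernel drops packets arriving on tun0 that are
    # destined for another host, regardless of the FORWARD chain.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    filter_rules | while read -r rule; do ensure_rule filter $rule; done
    nat_rules    | while read -r rule; do ensure_rule nat $rule; done
}

# Total number of rules this script manages (filter + nat).
rule_count() {
    echo $(( $(filter_rules | wc -l) + $(nat_rules | wc -l) ))
}

case "${1:-show}" in
    apply) apply_rules ;;            # needs root
    *)     filter_rules; nat_rules ;; # review before applying
esac
```

`./vpn-rules.sh` prints the rules for review; `sudo ./vpn-rules.sh apply` installs them and can be re-run safely. `iptables -t nat -L POSTROUTING -v -n` and `iptables -L FORWARD -v -n` afterwards show packet counters climbing on these rules while a client is active; zero counters on the FORWARD rules with ip_forward=1 point at the routing or the client side rather than the firewall.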