OpenVPN Support Forum

Hi,

I've set up an OpenVPN server on my home server (Gentoo Linux) and client on my laptop (ditto) in a TUN-based configuration that routes all client traffic through the VPN. I wanted to do the same on my phone (Galaxy SIII, updated to android 4.1.2) now that Connect exists.

I used the openvpn-confgen scripts from these forums to generate an .OVPN profile with embedded certs and private key (even though I'd already created those using easy-rsa) because I couldn't find documentation on how to embed these items manually in a config file.

The config did get me connected successfully, but it's not routing the traffic over the VPN - in fact it b0rks routing entirely on the phone so I can't reach the WAN at all. I also can't ping any server-side LAN (192.168.2.*) IPs from the phone.

Notes on network setup: the OVPN server is the DNS (and DHCP) server for its LAN, but it is not the default gateway (this is a consumer modem/router at 192.168.2.1, which is also secondary DNS server) so I push those IPs to clients (though they could have them hard-coded if necessary, no problem).

server.conf: Client config was done in NetworkManager on the Linux client, so I don't have a native config file there, but here's what is in the NetworkManager config for this connection:
Apart from cert-pass-flags and mssfix, the other directives seem pretty self-explanatory (or mappable to the native ovpn directives, anyhow). So this works.

Here's the (current; I've tried a few tweaks already) phone.ovpn config:
If there's anything else you want me to post, just let me know. Thanks in advance!

Can you post your iptables configuration? Also do you have IP forwarding enabled?

Hi Wheelz, thanks for the reply.

iptables -L IP forwarding is enabled. I should just restate that the server config is fine and does what I want with the Linux client, problems are only on the Android client.

One other thing I forgot to add is that I added a static route on the server LAN's default gateway (the router at 192.168.2.1) to enable return traffic to find its way back to the VPN endpoint.

Havin_it wrote:Hi,

I've set up an OpenVPN server on my home server (Gentoo Linux) and client on my laptop (ditto) in a TUN-based configuration that routes all client traffic through the VPN. I wanted to do the same on my phone (Galaxy SIII, updated to android 4.1.2) now that Connect exists.

You could also try ics-openvpn from the Play store. It's a community project maintained by plaisthos[1] and I've used it successfully in the past. If it works, but OpenVPN Connect does not, I suspect the problem might be in OpenVPN Connect core, which is different from what ics-openvpn uses.

[1] He's plaisthos on #openvpn-devel@irc.freenode.net

Hi Samuli (suominen??)

I'm game to look at alternatives certainly, though I do sorta feel a first question should be "How does OVPN Connect core differ from the desktop client core?", which seems to be the root of my issue. I want to give the official client (and these forums) a fair crack of the whip, y'know ...

The problem seems to be that "route" cannot be used together with "redirect-gateway def1" on OpenVPN Connect.

- If you only use "route" (or "push route" on the server), OpenVPN Connect will set that route. That's what is intended and OpenVPN GPL behaves the same way.
- If you only use "redirect-gateway def1" (or "push redirect-gateway def1" on the server), OpenVPN Connect will add two routes to override the default gateway. That's what is intended and OpenVPN GPL behaves the same way.
- If you use "route" (or "push route" on the server) AND "redirect-gateway def1" (or "push redirect-gateway def1" on the server) AT THE SAME TIME, then you will get different results:
* On OpenVPN Connect, the "route" command will be ignored, you will only get the "redirect-gateway def1" behaviour. That's NOT what is intended.
* On OpenVPN GPL, both "route" and "redirect-gateway def1" commands will work as expected.

I think this is a bug in OpenVPN Connect. It can be reproduced with the Android app as well as with the iOS App (tested it on both platforms today). Unfortunately, I didn't find a way to report a bug in OpenVPN connect.

Kudos to JoshC for pointing me to the fact that OpenVPN Connect has a different codebase than OpenVPN GPL.

Thanks everyone, and apologies for leaving this unresolved for so long. Life got in the way...

After trying a few alternate configs with Connect, I gave up and hunted down samuli's mentioned ics-openvpn; readers visiting this thread might wish to know it's (now?) called "OpenVPN for Android", author Arne Schwabe. There are actually two advantages to this app:

1. The logo makes the droid mascot look like a Canadian in South Park

2. It WORKS! Not instantly, but thanks to the step-by-step guide provided, I was able to modify my config (all of which can be done in GUI so there's another plus) to get the routing I required.

Great to be in business at last. Thanks again

I had similar issues when using OpenVPN Connect on my phone. For me the problem was solved by adding the cipher and auth configuration in the client configuration file matching my server config.