Route all traffic through the tunnel (again)

[Shtush]

Hi!

I read all the manual of OpenVPN, then tons and tons of guides, how-to's, troubleshootings and forum posts in two languages. Google will ban me soon. I am trying to make it work already two weeks. And I almost ready to give up.

Environment:
Server with fresh installed Debian Wheezy and OpenVPN.
Server is behind a router.
Server has IP 192.168.2.2 in LAN 192.168.2.0/255.255.255.0.
Router has WAN with real "white" IP and a domain name.
Router has internal LAN IP 192.168.2.1 and works as a Gateway and NAT for all LAN.
Router works as a DHCP server for internal LAN as well.
All computers in the LAN are connected through this router one way or another.
Port 5000 on the router is open outside and all requests are translated to the Server 162.168.2.2:1149

Goals:
1. To have access to the LAN resources from outside.
2. To have protected access to the Internet via encrypted tunnel from public (potentially unsafe) places.
Anyway, if a tunnel is up, all traffic must go through it.
First I wanted to make a bridge configuration, but Android devices do not suppot TAP.

Clients:
1. Android.
2. Linux.
3. Windows.

Server configuration:

Code: Select all

server 10.20.30.0 255.255.255.0
proto udp
dev tun
port 1194

tls-auth /etc/openvpn/keys/ta.key 0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/dh1024.pem

#push "redirect-gateway local def1"
push "redirect-gateway def1"
#push "redirect-gateway"
#push "route-gateway 10.20.30.1"
#push "route 10.20.30.0 255.255.255.0"
#push "route 0.0.0.0 0.0.0.0"
#push "route 192.168.2.0 255.255.255.0"

duplicate-cn
verb 3
user nobody
group nogroup
persist-key
persist-tun
comp-lzo
keepalive 10 120
ping-timer-rem
status /var/log/openvpn-status.log

I do not remove some commented lines to show I already tried these options.

Client configuration:

Code: Select all

float
client
#tls-client
#pull
remote my.host.com
port 5000
nobind
dev tun
proto udp
#redirect-gateway def1
resolv-retry infinite
persist-key
persist-tun
user nobody
group nogroup
comp-lzo
ns-cert-type server

ca /sdcard/openvpn/ca.crt
cert /sdcard/openvpn/user.crt
key /sdcard/openvpn/user.key
tls-auth /sdcard/openvpn/ta.key 1

Firewall on server:

Code: Select all

iptables -t nat -F 
iptables -t filter -F 
iptables -t mangle -F
iptables -I INPUT -j ACCEPT
iptables -I FORWARD -j ACCEPT
iptables -I OUTPUT -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I INPUT -i tun+ -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 10.20.30.0/24 -j MASQUERADE

Code: Select all

# cat /proc/sys/net/ipv4/ip_forward
1

I tried "OpenVPN Connect" and "OpenVPN for Android" applications with similar results.
Connection is established and a client gets IP 10.20.30.6. Everything fine.
But:
1. If I disable two options:

Code: Select all

#push "redirect-gateway def1" (with flag 'local' or without - does not make any change)
#push "route 192.168.2.0 255.255.255.0"

I've got following results

Code: Select all

ping 10.20.30.1 - OK
ping 192.168.2.1 - FAIL
ping 192.168.2.2 - FAIL
ping google.com - OK
whatismyip.com - IP of Client's provider - means FAIL (traffic goes outside of the tunnel)

2. If I enable option 'route'

Code: Select all

#push "redirect-gateway def1"
push "route 192.168.2.0 255.255.255.0"

results:

Code: Select all

ping 10.20.30.1 - OK
ping 192.168.2.1 - OK
ping 192.168.2.2 - OK
ping google.com - OK
whatismyip.com - IP of Client's provider - means FAIL

So I have access to the LAN, but other traffic still goes outside of the tunnel.

3. If I make it vice versa

Code: Select all

push "redirect-gateway def1"
#push "route 192.168.2.0 255.255.255.0"

results:

Code: Select all

ping 10.20.30.1 - FAIL
ping 192.168.2.1 - FAIL
ping 192.168.2.2 - FAIL
ping google.com - FAIL
whatismyip.com - FAIL (no connection at all)

Looks like I do not understand how this feature works.

4. Enable both

Code: Select all

push "redirect-gateway def1"
push "route 192.168.2.0 255.255.255.0"

predictable results:

Code: Select all

ping 10.20.30.1 - FAIL
ping 192.168.2.1 - FAIL
ping 192.168.2.2 - FAIL
ping google.com - FAIL
whatismyip.com - FAIL (no connection at all)

Can anybody suggest what should I do to route all traffic to the tunnel?

Thanks in advance!

[Shtush]

First I need access from Android. So I started with it and all decribed above related to Android.
If there is no way make it work at least from Android, OpenVPN useless for me now.

[Shtush]

All configs as described above.
Mentioned options:

Code: Select all

push "redirect-gateway def1"
#push "route 192.168.2.0 255.255.255.0"

Logs verb 3
Connect ang trying to ping google.com
Ping failed.
Disconnect manually.

Server log:

Code: Select all

Tue Jan  7 21:01:36 2014 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 19 2013
Tue Jan  7 21:01:36 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jan  7 21:01:36 2014 Diffie-Hellman initialized with 1024 bit key
Tue Jan  7 21:01:36 2014 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Tue Jan  7 21:01:36 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan  7 21:01:36 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan  7 21:01:36 2014 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Jan  7 21:01:36 2014 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue Jan  7 21:01:36 2014 ROUTE default_gateway=192.168.2.1
Tue Jan  7 21:01:36 2014 TUN/TAP device tun0 opened
Tue Jan  7 21:01:36 2014 TUN/TAP TX queue length set to 100
Tue Jan  7 21:01:36 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jan  7 21:01:36 2014 /sbin/ifconfig tun0 10.20.30.1 pointopoint 10.20.30.2 mtu 1500
Tue Jan  7 21:01:36 2014 /sbin/route add -net 10.20.30.0 netmask 255.255.255.0 gw 10.20.30.2
Tue Jan  7 21:01:36 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan  7 21:01:36 2014 GID set to nogroup
Tue Jan  7 21:01:36 2014 UID set to nobody
Tue Jan  7 21:01:36 2014 UDPv4 link local (bound): [undef]
Tue Jan  7 21:01:36 2014 UDPv4 link remote: [undef]
Tue Jan  7 21:01:36 2014 MULTI: multi_init called, r=256 v=256
Tue Jan  7 21:01:36 2014 IFCONFIG POOL: base=10.20.30.4 size=62, ipv6=0
Tue Jan  7 21:01:36 2014 Initialization Sequence Completed
Tue Jan  7 21:02:34 2014 MULTI: multi_create_instance called
Tue Jan  7 21:02:34 2014 <client's provider IP>:53601 Re-using SSL/TLS context
Tue Jan  7 21:02:34 2014 <client's provider IP>:53601 LZO compression initialized
Tue Jan  7 21:02:34 2014 <client's provider IP>:53601 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Jan  7 21:02:34 2014 <client's provider IP>:53601 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan  7 21:02:34 2014 <client's provider IP>:53601 Local Options hash (VER=V4): '14168603'
Tue Jan  7 21:02:34 2014 <client's provider IP>:53601 Expected Remote Options hash (VER=V4): '504e774e'
Tue Jan  7 21:02:34 2014 <client's provider IP>:53601 TLS: Initial packet from [AF_INET]<client's provider IP>:53601, sid=1ad20782 deaa2f7e
Tue Jan  7 21:02:35 2014 <client's provider IP>:53601 Replay-window backtrack occurred [1]
Tue Jan  7 21:02:35 2014 <client's provider IP>:53601 VERIFY OK: depth=1, <certificate credentials>
Tue Jan  7 21:02:35 2014 <client's provider IP>:53601 VERIFY OK: depth=0, <certificate credentials>@rambler.ru
Tue Jan  7 21:02:35 2014 <client's provider IP>:53601 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jan  7 21:02:35 2014 <client's provider IP>:53601 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan  7 21:02:35 2014 <client's provider IP>:53601 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jan  7 21:02:35 2014 <client's provider IP>:53601 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan  7 21:02:35 2014 <client's provider IP>:53601 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jan  7 21:02:35 2014 <client's provider IP>:53601 [user] Peer Connection Initiated with [AF_INET]<client's provider IP>:53601
Tue Jan  7 21:02:35 2014 user/<client's provider IP>:53601 MULTI_sva: pool returned IPv4=10.20.30.6, IPv6=<ipv6 address>
Tue Jan  7 21:02:35 2014 user/<client's provider IP>:53601 MULTI: Learn: 10.20.30.6 -> user/<client's provider IP>:53601
Tue Jan  7 21:02:35 2014 user/<client's provider IP>:53601 MULTI: primary virtual IP for user/<client's provider IP>:53601: 10.20.30.6
Tue Jan  7 21:02:36 2014 user/<client's provider IP>:53601 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jan  7 21:02:36 2014 user/<client's provider IP>:53601 send_push_reply(): safe_cap=960
Tue Jan  7 21:02:36 2014 user/<client's provider IP>:53601 SENT CONTROL [user]: 'PUSH_REPLY,redirect-gateway def1,route 10.20.30.1,topology net30,ping 10,ping-restart 120,ifconfig 10.20.30.6 10.20.30.5' (status=1)
Tue Jan  7 21:03:05 2014 user/<client's provider IP>:53601 SIGTERM[soft,remote-exit] received, client-instance exiting

I have added options

Code: Select all

log-append /sdcard/openvpn/openvpn.log
verb 3

to the Android client's config, but log is not created.
I don't know how to save Android log.
But connection is esatblished, tunnel IP received etc.

Thank you.

[Shtush]

Managed to get logs from another Android application 'OpenVPN for Android"

Code: Select all

 2014-01-07 21:43:00 started Socket Thread
 2014-01-07 21:43:00 Статус сети: CONNECTED HSDPA to mobile internet
 2014-01-07 21:43:00 P:Initializing Google Breakpad!
 2014-01-07 21:43:00 Warning: Error redirecting stdout/stderr to --log file: /sdcard/openvpn/openvpn.log: Permission denied (errno=13)
 2014-01-07 21:43:00 Current Parameter Settings:
 2014-01-07 21:43:00   config = '/data/data/de.blinkt.openvpn/cache/android.conf'
 2014-01-07 21:43:00   mode = 0
 2014-01-07 21:43:00   show_ciphers = DISABLED
 2014-01-07 21:43:00   show_digests = DISABLED
 2014-01-07 21:43:00   show_engines = DISABLED
 2014-01-07 21:43:00   genkey = DISABLED
 2014-01-07 21:43:00   key_pass_file = '[UNDEF]'
 2014-01-07 21:43:00   show_tls_ciphers = DISABLED
 2014-01-07 21:43:00   connect_retry_max = 5
 2014-01-07 21:43:00 Connection profiles [default]:
 2014-01-07 21:43:00   proto = udp
 2014-01-07 21:43:00   local = '[UNDEF]'
 2014-01-07 21:43:00   local_port = '1194'
 2014-01-07 21:43:00   remote = '[UNDEF]'
 2014-01-07 21:43:00   remote_port = '1194'
 2014-01-07 21:43:00   remote_float = ENABLED
 2014-01-07 21:43:00   bind_defined = DISABLED
 2014-01-07 21:43:00   bind_local = DISABLED
 2014-01-07 21:43:00   bind_ipv6_only = DISABLED
 2014-01-07 21:43:00   connect_retry_seconds = 5
 2014-01-07 21:43:00   connect_timeout = 10
 2014-01-07 21:43:00   socks_proxy_server = '[UNDEF]'
 2014-01-07 21:43:00   socks_proxy_port = '[UNDEF]'
 2014-01-07 21:43:01   socks_proxy_retry = DISABLED
 2014-01-07 21:43:01   tun_mtu = 1500
 2014-01-07 21:43:01   tun_mtu_defined = DISABLED
 2014-01-07 21:43:01   link_mtu = 1500
 2014-01-07 21:43:01   link_mtu_defined = DISABLED
 2014-01-07 21:43:01   tun_mtu_extra = 0
 2014-01-07 21:43:01   tun_mtu_extra_defined = DISABLED
 2014-01-07 21:43:01   mtu_discover_type = -1
 2014-01-07 21:43:01   fragment = 0
 2014-01-07 21:43:01   mssfix = 1450
 2014-01-07 21:43:01   explicit_exit_notification = 0
 2014-01-07 21:43:01 Connection profiles [0]:
 2014-01-07 21:43:01   proto = udp
 2014-01-07 21:43:01   local = '[UNDEF]'
 2014-01-07 21:43:01   local_port = '[UNDEF]'
 2014-01-07 21:43:01   remote = 'my.domain.com'
 2014-01-07 21:43:01   remote_port = '5000'
 2014-01-07 21:43:01   remote_float = ENABLED
 2014-01-07 21:43:01   bind_defined = DISABLED
 2014-01-07 21:43:01   bind_local = DISABLED
 2014-01-07 21:43:01   bind_ipv6_only = DISABLED
 2014-01-07 21:43:01   connect_retry_seconds = 5
 2014-01-07 21:43:01   connect_timeout = 10
 2014-01-07 21:43:01   socks_proxy_server = '[UNDEF]'
 2014-01-07 21:43:01   socks_proxy_port = '[UNDEF]'
 2014-01-07 21:43:01   socks_proxy_retry = DISABLED
 2014-01-07 21:43:01   tun_mtu = 1500
 2014-01-07 21:43:01   tun_mtu_defined = ENABLED
 2014-01-07 21:43:01   link_mtu = 1500
 2014-01-07 21:43:01   link_mtu_defined = DISABLED
 2014-01-07 21:43:01   tun_mtu_extra = 0
 2014-01-07 21:43:01   tun_mtu_extra_defined = DISABLED
 2014-01-07 21:43:01   mtu_discover_type = -1
 2014-01-07 21:43:01   fragment = 0
 2014-01-07 21:43:01   mssfix = 1450
 2014-01-07 21:43:01   explicit_exit_notification = 0
 2014-01-07 21:43:01 Connection profiles END
 2014-01-07 21:43:01   remote_random = DISABLED
 2014-01-07 21:43:01   ipchange = '[UNDEF]'
 2014-01-07 21:43:01   dev = 'tun'
 2014-01-07 21:43:01   dev_type = '[UNDEF]'
 2014-01-07 21:43:01   dev_node = '[UNDEF]'
 2014-01-07 21:43:01   lladdr = '[UNDEF]'
 2014-01-07 21:43:01   topology = 1
 2014-01-07 21:43:01   tun_ipv6 = DISABLED
 2014-01-07 21:43:01   ifconfig_local = '[UNDEF]'
 2014-01-07 21:43:01   ifconfig_remote_netmask = '[UNDEF]'
 2014-01-07 21:43:01   ifconfig_noexec = DISABLED
 2014-01-07 21:43:01   ifconfig_nowarn = DISABLED
 2014-01-07 21:43:01   ifconfig_ipv6_local = '[UNDEF]'
 2014-01-07 21:43:01   ifconfig_ipv6_netbits = 0
 2014-01-07 21:43:01   ifconfig_ipv6_remote = '[UNDEF]'
 2014-01-07 21:43:01   shaper = 0
 2014-01-07 21:43:01   mtu_test = 0
 2014-01-07 21:43:01   mlock = DISABLED
 2014-01-07 21:43:01   keepalive_ping = 0
 2014-01-07 21:43:01   keepalive_timeout = 0
 2014-01-07 21:43:01   inactivity_timeout = 0
 2014-01-07 21:43:01   ping_send_timeout = 0
 2014-01-07 21:43:01   ping_rec_timeout = 0
 2014-01-07 21:43:01   ping_rec_timeout_action = 0
 2014-01-07 21:43:01   ping_timer_remote = DISABLED
 2014-01-07 21:43:01   remap_sigusr1 = 0
 2014-01-07 21:43:01   persist_tun = ENABLED
 2014-01-07 21:43:01   persist_local_ip = DISABLED
 2014-01-07 21:43:01   persist_remote_ip = DISABLED
 2014-01-07 21:43:01   persist_key = DISABLED
 2014-01-07 21:43:01   passtos = DISABLED
 2014-01-07 21:43:01   resolve_retry_seconds = 1000000000
 2014-01-07 21:43:01   resolve_in_advance = ENABLED
 2014-01-07 21:43:01   username = '[UNDEF]'
 2014-01-07 21:43:01   groupname = '[UNDEF]'
 2014-01-07 21:43:01   chroot_dir = '[UNDEF]'
 2014-01-07 21:43:01   cd_dir = '[UNDEF]'
 2014-01-07 21:43:01   writepid = '[UNDEF]'
 2014-01-07 21:43:01   up_script = '[UNDEF]'
 2014-01-07 21:43:01   down_script = '[UNDEF]'
 2014-01-07 21:43:01   down_pre = DISABLED
 2014-01-07 21:43:01   up_restart = DISABLED
 2014-01-07 21:43:01   up_delay = DISABLED
 2014-01-07 21:43:01   daemon = DISABLED
 2014-01-07 21:43:01   inetd = 0
 2014-01-07 21:43:01   log = ENABLED
 2014-01-07 21:43:01   suppress_timestamps = DISABLED
 2014-01-07 21:43:01   machine_readable_output = ENABLED
 2014-01-07 21:43:01   nice = 0
 2014-01-07 21:43:01   verbosity = 4
 2014-01-07 21:43:01   mute = 0
 2014-01-07 21:43:01   gremlin = 0
 2014-01-07 21:43:01   status_file = '[UNDEF]'
 2014-01-07 21:43:01   status_file_version = 1
 2014-01-07 21:43:01   status_file_update_freq = 60
 2014-01-07 21:43:01   occ = ENABLED
 2014-01-07 21:43:01   rcvbuf = 65536
 2014-01-07 21:43:01   sndbuf = 65536
 2014-01-07 21:43:01   sockflags = 0
 2014-01-07 21:43:01   fast_io = DISABLED
 2014-01-07 21:43:01   comp.alg = 2
 2014-01-07 21:43:01   comp.flags = 1
 2014-01-07 21:43:01   route_script = '[UNDEF]'
 2014-01-07 21:43:01   route_default_gateway = '[UNDEF]'
 2014-01-07 21:43:01   route_default_metric = 0
 2014-01-07 21:43:01   route_noexec = DISABLED
 2014-01-07 21:43:01   route_delay = 0
 2014-01-07 21:43:01   route_delay_window = 30
 2014-01-07 21:43:01   route_delay_defined = DISABLED
 2014-01-07 21:43:01   route_nopull = DISABLED
 2014-01-07 21:43:01   route_gateway_via_dhcp = DISABLED
 2014-01-07 21:43:01   max_routes = 100
 2014-01-07 21:43:01   allow_pull_fqdn = DISABLED
 2014-01-07 21:43:01   management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
 2014-01-07 21:43:01   management_port = 'unix'
 2014-01-07 21:43:01   management_user_pass = '[UNDEF]'
 2014-01-07 21:43:01   management_log_history_cache = 250
 2014-01-07 21:43:01   management_echo_buffer_size = 100
 2014-01-07 21:43:01   management_write_peer_info_file = '[UNDEF]'
 2014-01-07 21:43:01   management_client_user = '[UNDEF]'
 2014-01-07 21:43:01   management_client_group = '[UNDEF]'
 2014-01-07 21:43:01   management_flags = 4390
 2014-01-07 21:43:01   shared_secret_file = '[UNDEF]'
 2014-01-07 21:43:01   key_direction = 2
 2014-01-07 21:43:01   ciphername_defined = ENABLED
 2014-01-07 21:43:01   ciphername = 'BF-CBC'
 2014-01-07 21:43:01   authname_defined = ENABLED
 2014-01-07 21:43:01   authname = 'SHA1'
 2014-01-07 21:43:01   prng_hash = 'SHA1'
 2014-01-07 21:43:01   prng_nonce_secret_len = 16
 2014-01-07 21:43:01   keysize = 0
 2014-01-07 21:43:01   engine = DISABLED
 2014-01-07 21:43:01   replay = ENABLED
 2014-01-07 21:43:01   mute_replay_warnings = DISABLED
 2014-01-07 21:43:01   replay_window = 64
 2014-01-07 21:43:01   replay_time = 15
 2014-01-07 21:43:01   packet_id_file = '[UNDEF]'
 2014-01-07 21:43:01   use_iv = ENABLED
 2014-01-07 21:43:01   test_crypto = DISABLED
 2014-01-07 21:43:01   tls_server = DISABLED
 2014-01-07 21:43:01   tls_client = ENABLED
 2014-01-07 21:43:01   key_method = 2
 2014-01-07 21:43:01   ca_file = '[[INLINE]]'
 2014-01-07 21:43:01   ca_path = '[UNDEF]'
 2014-01-07 21:43:01   dh_file = '[UNDEF]'
 2014-01-07 21:43:01   cert_file = '[[INLINE]]'
 2014-01-07 21:43:01   priv_key_file = '[[INLINE]]'
 2014-01-07 21:43:01   pkcs12_file = '[UNDEF]'
 2014-01-07 21:43:01   cipher_list = '[UNDEF]'
 2014-01-07 21:43:01   tls_verify = '[UNDEF]'
 2014-01-07 21:43:01   tls_export_cert = '[UNDEF]'
 2014-01-07 21:43:01   verify_x509_type = 0
 2014-01-07 21:43:01   verify_x509_name = '[UNDEF]'
 2014-01-07 21:43:01   crl_file = '[UNDEF]'
 2014-01-07 21:43:01   ns_cert_type = 1
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_ku[i] = 0
 2014-01-07 21:43:01   remote_cert_eku = '[UNDEF]'
 2014-01-07 21:43:01   ssl_flags = 0
 2014-01-07 21:43:01   tls_timeout = 2
 2014-01-07 21:43:01   renegotiate_bytes = 0
 2014-01-07 21:43:01   renegotiate_packets = 0
 2014-01-07 21:43:01   renegotiate_seconds = 3600
 2014-01-07 21:43:01   handshake_window = 60
 2014-01-07 21:43:01   transition_window = 3600
 2014-01-07 21:43:01   single_session = DISABLED
 2014-01-07 21:43:01   push_peer_info = DISABLED
 2014-01-07 21:43:01   tls_exit = DISABLED
 2014-01-07 21:43:01   tls_auth_file = '[[INLINE]]'
 2014-01-07 21:43:01   client = ENABLED
 2014-01-07 21:43:01   pull = ENABLED
 2014-01-07 21:43:01   auth_user_pass_file = '[UNDEF]'
 2014-01-07 21:43:01 OpenVPN 2.4-icsopenvpn android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [SNAPPY] [EPOLL] [MH] [IPv6] built on Dec  9 2013
 2014-01-07 21:43:01 MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
 2014-01-07 21:43:01 MANAGEMENT: CMD 'hold release'
 2014-01-07 21:43:01 MANAGEMENT: CMD 'bytecount 2'
 2014-01-07 21:43:01 MANAGEMENT: CMD 'state on'
 2014-01-07 21:43:01 MANAGEMENT: >STATE:1389116580,RESOLVE,,,
 2014-01-07 21:43:02 MANAGEMENT: CMD 'proxy NONE'
 2014-01-07 21:43:03 Control Channel Authentication: tls-auth using INLINE static key file
 2014-01-07 21:43:03 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
 2014-01-07 21:43:03 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
 2014-01-07 21:43:03 LZO compression initializing
 2014-01-07 21:43:03 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
 2014-01-07 21:43:03 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:393 ET:0 EL:0 ]
 2014-01-07 21:43:03 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
 2014-01-07 21:43:03 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
 2014-01-07 21:43:03 Local Options hash (VER=V4): '504e774e'
 2014-01-07 21:43:03 Expected Remote Options hash (VER=V4): '14168603'
 2014-01-07 21:43:03 TCP/UDP: Preserving recently used remote address: [AF_INET]<router WAN "white" IP>:5000
 2014-01-07 21:43:03 Socket Buffers: R=[163840->131072] S=[163840->131072]
 2014-01-07 21:43:03 Protecting socket fd 4
 2014-01-07 21:43:03 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
 2014-01-07 21:43:03 UDP link local: (not bound)
 2014-01-07 21:43:03 UDP link remote: [AF_INET]<router WAN "white" IP>:5000
 2014-01-07 21:43:03 MANAGEMENT: >STATE:1389116583,WAIT,,,
 2014-01-07 21:43:03 MANAGEMENT: >STATE:1389116583,AUTH,,,
 2014-01-07 21:43:03 TLS: Initial packet from [AF_INET]<router WAN "white" IP>:5000, sid=de18cf85 7229fe50
 2014-01-07 21:43:04 VERIFY OK: depth=1, <certificate credentials>
 2014-01-07 21:43:04 VERIFY OK: nsCertType=SERVER
 2014-01-07 21:43:04 VERIFY OK: depth=0, <certificate credentials>
 2014-01-07 21:43:05 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
 2014-01-07 21:43:05 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 2014-01-07 21:43:05 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
 2014-01-07 21:43:05 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 2014-01-07 21:43:05 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
 2014-01-07 21:43:05 [<server name>] Peer Connection Initiated with [AF_INET]<router WAN "white" IP>:5000
 2014-01-07 21:43:06 MANAGEMENT: >STATE:1389116586,GET_CONFIG,,,
 2014-01-07 21:43:07 SENT CONTROL [<server name>]: 'PUSH_REQUEST' (status=1)
 2014-01-07 21:43:07 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.20.30.1,topology net30,ping 10,ping-restart 120,ifconfig 10.20.30.6 10.20.30.5'
 2014-01-07 21:43:07 OPTIONS IMPORT: timers and/or timeouts modified
 2014-01-07 21:43:07 OPTIONS IMPORT: --ifconfig/up options modified
 2014-01-07 21:43:07 OPTIONS IMPORT: route options modified
 2014-01-07 21:43:07 ROUTE_GATEWAY 172.21.12.168/255.255.0.0 IFACE=ccmni0 HWADDR=e2:96:c2:92:42:f9
 2014-01-07 21:43:07 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
 2014-01-07 21:43:07 MANAGEMENT: >STATE:1389116587,ASSIGN_IP,,10.20.30.6,
 2014-01-07 21:43:07 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
 2014-01-07 21:43:07 MANAGEMENT: CMD 'needok 'ROUTE' ok'
 2014-01-07 21:43:07 MANAGEMENT: CMD 'needok 'ROUTE' ok'
 2014-01-07 21:43:07 MANAGEMENT: CMD 'needok 'ROUTE' ok'
 2014-01-07 21:43:07 MANAGEMENT: >STATE:1389116587,ADD_ROUTES,,,
 2014-01-07 21:43:07 MANAGEMENT: CMD 'needok 'ROUTE' ok'
 2014-01-07 21:43:07 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
 2014-01-07 21:43:07 Открытие tun-интерфейса:
 2014-01-07 21:43:07 Адрес IPv4: 10.20.30.6/30 IPv6: null MTU: 1500
 2014-01-07 21:43:07 DNS-сервер: , Домен: null
 2014-01-07 21:43:07 Маршруты: <router WAN "white" IP>/32, 0.0.0.0/1, 128.0.0.0/1, 10.20.30.1/32
 2014-01-07 21:43:07 Маршруты IPv6: 
 2014-01-07 21:43:07 No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers. Please also note that Android will keep using your proxy settings specified for your mobile/Wi-Fi connection when no DNS servers are set.
 2014-01-07 21:43:07 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
 2014-01-07 21:43:07 Initialization Sequence Completed
 2014-01-07 21:43:07 MANAGEMENT: >STATE:1389116587,CONNECTED,SUCCESS,10.20.30.6,<router WAN "white" IP>
 2014-01-07 21:45:07 [<server name>] Inactivity timeout (--ping-restart), restarting
 2014-01-07 21:45:07 TCP/UDP: Closing socket
 2014-01-07 21:45:07 SIGUSR1[soft,ping-restart] received, process restarting
 2014-01-07 21:45:07 MANAGEMENT: >STATE:1389116707,RECONNECTING,ping-restart,,
 2014-01-07 21:45:07 MANAGEMENT: CMD 'hold release'
 2014-01-07 21:45:07 MANAGEMENT: CMD 'bytecount 2'
 2014-01-07 21:45:07 MANAGEMENT: CMD 'state on'
 2014-01-07 21:45:07 MANAGEMENT: CMD 'proxy NONE'
 2014-01-07 21:45:08 Control Channel Authentication: tls-auth using INLINE static key file
 2014-01-07 21:45:08 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
 2014-01-07 21:45:08 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
 2014-01-07 21:45:08 LZO compression initializing
 2014-01-07 21:45:08 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
 2014-01-07 21:45:08 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:393 ET:0 EL:0 ]
 2014-01-07 21:45:08 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
 2014-01-07 21:45:08 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
 2014-01-07 21:45:08 Local Options hash (VER=V4): '504e774e'
 2014-01-07 21:45:08 Expected Remote Options hash (VER=V4): '14168603'
 2014-01-07 21:45:08 TCP/UDP: Preserving recently used remote address: [AF_INET]<router WAN "white" IP>:5000
 2014-01-07 21:45:08 Socket Buffers: R=[163840->131072] S=[163840->131072]
 2014-01-07 21:45:08 Protecting socket fd 4
 2014-01-07 21:45:08 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
 2014-01-07 21:45:08 UDP link local: (not bound)
 2014-01-07 21:45:08 UDP link remote: [AF_INET]<router WAN "white" IP>:5000
 2014-01-07 21:45:08 MANAGEMENT: >STATE:1389116708,WAIT,,,

Here I see two things:
First:

Code: Select all

2014-01-07 21:43:00 Warning: Error redirecting stdout/stderr to --log file: /sdcard/openvpn/openvpn.log: Permission denied (errno=13)

Does anybody have an idea how it is possible if microSD card formatted in FAT32?

Second:

Code: Select all

2014-01-07 21:43:07 No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers. Please also note that Android will keep using your proxy settings specified for your mobile/Wi-Fi connection when no DNS servers are set.

Maybe this makes connections impossible.
Should I add a directive like

Code: Select all

push "dhcp-option DNS 192.168.2.1"

?
Will try.

[jcg1541]

I have the similar problem. I suspect that a fix is in the android browser setting.

The android kernel is a stripped down Linux kernel. It does not allow multiple routes adding dropping, like a regular Linux. What kind of voodoo allows openvpn client to add any route through the openvpn tunnel? There seems to be one more layer of routing between a browser and the kernel that redirect the browser's traffic to the tunnel.

If you use a chroot program in android, and use the arm compiled "route" program to look at the routing table of the android, you don't see any route pushed to the system. Instead, I think the openvpn client reconfigures your browser in android to redirect certain traffic destinations to the tunnel. That rpeconiguration, I suspect, is hidden from user's view.