No VPN traffic since OpenVPN Connect v3.4.0

[getle]

Hi,

since updating to version 3.4.0, the VPN connection between Android and a Sophos XGS no longer works. Although the VPN can be established, no data traffic flows over the connection. In the Google Play Store, other users report the same problem (see reviews). I have attached the connection log here.

Thanks for any help.

Code: Select all

[Feb. 05, 2024, 15:57:32] ----- OpenVPN Start -----

[Feb. 05, 2024, 15:57:32] EVENT: CORE_THREAD_ACTIVE

[Feb. 05, 2024, 15:57:32] OpenVPN core 3.8.4connectX(3.git::c424d46c:RelWithDebInfo) android arm64 64-bit PT_PROXY

[Feb. 05, 2024, 15:57:32] Frame=512/2112/512 mssfix-ctrl=1250

[Feb. 05, 2024, 15:57:32] NOTE: This configuration contains options that were not used:

[Feb. 05, 2024, 15:57:32] Unsupported option (ignored)

[Feb. 05, 2024, 15:57:32] 5 [resolv-retry] [infinite]

[Feb. 05, 2024, 15:57:32] 7 [persist-key]

[Feb. 05, 2024, 15:57:32] 8 [persist-tun]

[Feb. 05, 2024, 15:57:32] 16 [route-delay] [4]

[Feb. 05, 2024, 15:57:32] 20 [explicit-exit-notify]

[Feb. 05, 2024, 15:57:32] EVENT: RESOLVE

[Feb. 05, 2024, 15:57:32] Contacting <VPN IP>:<Port> via UDP

[Feb. 05, 2024, 15:57:32] EVENT: WAIT

[Feb. 05, 2024, 15:57:32] Connecting to [<VPN DNS>]:<Port> (<VPN IP>) via UDP

[Feb. 05, 2024, 15:57:32] EVENT: CONNECTING

[Feb. 05, 2024, 15:57:32] Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client

[Feb. 05, 2024, 15:57:32] Creds: Username/Password

[Feb. 05, 2024, 15:57:32] Sending Peer Info:
IV_VER=3.8.4connectX
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=990
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_LZO=1
IV_LZO_SWAP=1
IV_LZ4=1
IV_LZ4v2=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.android_3.4.0-9755
IV_SSO=webauth,openurl,crtext


[Feb. 05, 2024, 15:57:32] VERIFY OK: depth=1, <CA Cert Data>, signature: RSA-SHA256

[Feb. 05, 2024, 15:57:32] VERIFY OK: depth=0, <Server Cert Data>, signature: RSA-SHA256

[Feb. 05, 2024, 15:57:32] SSL Handshake: peer certificate: <Server CN Name>, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD


[Feb. 05, 2024, 15:57:32] Session is ACTIVE

[Feb. 05, 2024, 15:57:32] Sending PUSH_REQUEST to server...

[Feb. 05, 2024, 15:57:32] EVENT: GET_CONFIG

[Feb. 05, 2024, 15:57:32] OPTIONS:
0 [route] [remote_host] [255.255.255.255] [net_gateway]
1 [route-gateway] [<Virtual Gateway IP>]
2 [sndbuf] [0]
3 [rcvbuf] [0]
4 [ping] [45]
5 [ping-restart] [180]
6 [route] [<Virtual Subnet>] [255.255.255.0]
7 [topology] [subnet]
8 [route] [remote_host] [255.255.255.255] [net_gateway]
9 [inactive] [3600] [30720]
10 [dhcp-option] [DNS] [<DNS 1>]
11 [dhcp-option] [DNS] [<DNS 2>]
12 [dhcp-option] [DOMAIN] [<Internal Domain>]
13 [ifconfig] [<Virtual IP>] [255.255.255.0]
14 [peer-id] [5]
15 [cipher] [AES-256-GCM]
16 [block-ipv6]
17 [block-ipv4]


[Feb. 05, 2024, 15:57:32] PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  key-derivation: OpenVPN PRF
  compress: ANY
  peer ID: 5

[Feb. 05, 2024, 15:57:32] EVENT: ASSIGN_IP

[Feb. 05, 2024, 15:57:32] exception parsing IPv4 route: [route] [remote_host] [255.255.255.255] [net_gateway] : addr_pair_mask_parse_error: AddrMaskPair parse error 'route': remote_host/255.255.255.255 : ip_exception: error parsing route IP address 'remote_host' : Invalid argument

[Feb. 05, 2024, 15:57:32] exception parsing IPv4 route: [route] [remote_host] [255.255.255.255] [net_gateway] : addr_pair_mask_parse_error: AddrMaskPair parse error 'route': remote_host/255.255.255.255 : ip_exception: error parsing route IP address 'remote_host' : Invalid argument

[Feb. 05, 2024, 15:57:32] Connected via tun

[Feb. 05, 2024, 15:57:32] LZO-ASYM init swap=0 asym=1

[Feb. 05, 2024, 15:57:32] Comp-stub init swap=1

[Feb. 05, 2024, 15:57:32] EVENT: CONNECTED info='<Username>@<VPN DNS>:<Port> (<VPN IP>) via /UDP on tun/<Virtual IP>/ gw=[<Virtual Gateway IP>/] mtu=(default)'

[Feb. 05, 2024, 15:57:32] EVENT: COMPRESSION_ENABLED info='Asymmetric compression enabled.  Server may send compressed data.  This may be a potential security issue.' trans=TO_DISCONNECTED

[ffff]

Same here, OpenVPN Connect for Android stopped working somewhere in January.

(I'm seeing people saying the Windows version doesn't work too, viewtopic.php?t=35669&sid=006390b95ac59 ... de2d4d013b)

Interestingly, OpenVPN connection from Linux works like a charm: I see the remote network servers. But from the Android version, when activated, I can't see neither the remote network servers nor access the internet from the device. They both use the same .ovpn settings:

Code: Select all

client
dev tun
proto udp
float
nobind
cipher AES-128-CBC
comp-lzo no
resolv-retry infinite
remote-cert-tls server
persist-key
remote xxx.xxx.xxx.xxx xxx
<ca>
-----BEGIN CERTIFICATE-----

[primetechguides]

I had the same issue with 3.4.0

This on the server side fixed it for me. Thanks to another thread on here.

Code: Select all

push 'comp-lzo no'

[avg2424]

So I just had an interesting issue.

The issue was originally on my android, but it might also be affected in Windows... I haven't tested that yet.

I recently changed my VPN settings to be more secure. I was having issues where I could connect to my OpenVPN server just fine, but no data would transfer across except for very specific things.
I could connect fine, but couldn't access email, websites, cctv, the gateway to my endpoint, etc... I could access file share on my server, however.

I have two VPNs in two different locations, both configured exactly the same, except for port being used for the VPN. One worked perfectly fine, the other did not, that made it more confusing...

After some head and chin scratching, come to find out the issue is because my config file specifies my IP versus name.

Code: Select all

remote 123.456.7.89 1234
float
nobind
blah blah blah

For shits and grins, I decided to test by name and voila! data worked again!
And no, my IP from the config file wasn't wrong.

Code: Select all

remote my.openvpn.server 1234
float
nobind
blah blah blah

So do me a favor and try (if you can) to change your config file to name, versus IP. See if that does it for you.

[avg2424]

Upon further investigation, it appears to be an IPv4 problem.

OpenVPN was translating the DNS configuration file to IPv6, it was strictly using IPv4 for the IP configuration file.

I used my IPv6 address in the configuration file and I was able to connect to data.
So, instead of just testing by DNS name, try testing to your IPv6 address.

It may not necessarily be an OpenVPN issue versus an android APN/carrier issue. Sadly, I couldn't test this theory by forcing IPv4 in my APN because it's locked. Even creating a new APN, I couldn't disable the old one to force it to the IPv4 one.
If I remember correctly, this test connection did work over public wifi, so it's possibly a carrier issue?

[dohabandit]

Found this thread as I was pulling my hair out trying to find out why OpenVPN 3.4 wasn't working with my Sophos XG. I saw similar error messages in the logs which is why I am here.

What correct this issue for me was deleting the profile off the Android phone that was using hardcoded IP addresses for the VPN concentrator (Sophos) and switching the configuration on the Sophos side to "override hostname" and putting in a FQDN that resolves to the IP of the gateway.

The main symptom that occurred was I could easily establish an OVPN connection to sophos, and I could connect to local resources, but any hairpinning of traffic back to the internet via the Sophos XG acting as a gateway was failing for HTTP/S. I confirmed I was able to TCP traceroute using HE NetTools, so I know traffic was routing, and the Sophos log files / policy test all showed no issues, but HTTP/S traffic was blocked.

[lolipop2005]

With version 3.4.2 it works without problems.