Netgate Discussion Forum
    Use OpenVPN to allow Android clients to access Windows servers?

    ripdog

      Hi all,

      I've set up pfSense as an OpenVPN server to allow remote Android clients to access resources on Windows servers behind the pfSense box.

      I read this: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting on recommendation from another thread, and it says:

      And you want to bridge if:
      ...
      You have Windows server(s) you want to access and require network neighbourhood discovery to work via VPN and WINS is not an option to implement.

      That does sound like what I want to happen. However, that requires TAP and TAP doesn't seem to work on Android.

      In any case, I'd be okay with switching to accessing the Windows server via IP address, but...

      The VPN connection works, and the Android device can access the pfSense box and the Internet via the VPN, but none of the rest of the network. Googling around, this seems to be a routing issue: the server isn't sending the route from the VPN subnet to the LAN subnet. However, here's my OpenVPN server config:

      dev ovpns1
      verb 4
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-GCM
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      multihome
      engine rdrand
      tls-server
      server 10.1.0.0 255.255.255.0
      server-ipv6 fe80::/64
      client-config-dir /var/etc/openvpn-csc/server1
      username-as-common-name
      plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user <snip> false server1 1194
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPN+Cert' 1"
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      push "route 192.168.178.0 255.255.255.0"
      push "route-ipv6 <snip>::/64"
      duplicate-cn
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.4096
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      ncp-ciphers AES-256-GCM
      persist-remote-ip
      float
      topology subnet
      fast-io
      sndbuf 524288
      rcvbuf 524288
      

      As you can see, the server is configured correctly to add a route to my LAN subnet on 192.168.178.0. However, the Android device never seems to add it. Running ip r on Termux shows a single tun0 route of 10.1.0.0/24 ... src 10.1.0.2

      This is true even if I configure OpenVPN Connect to add a custom route with the same numbers.

      Basically, is there anything wrong with my config which would prevent the Android client accessing the rest of my LAN? Or is this more likely a bug in Android/OpenVPN Connect?

      PS: I did run the pfSense wizard to create the server in the first place, so the firewall rules were made.

      ripdog

        Forgot to attach some logs. These are from the server, log level 4:

        Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
        Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
        Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
        Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> SENT CONTROL [ripdog]: 'PUSH_REPLY,route 192.168.178.0 255.255.255.0,route-ipv6 <snip>::/64,tun-ipv6,route-gateway 10.1.0.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fe80::1000/64 fe80::1,ifconfig 10.1.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
        Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> PUSH: Received control message: 'PUSH_REQUEST'
        Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI: primary virtual IPv6 for ripdog/<android IP>: fe80::1000
        Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI: Learn: fe80::1000 -> ripdog/<android IP>
        Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI: primary virtual IP for ripdog/<android IP>: 10.1.0.2
        Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI: Learn: 10.1.0.2 -> ripdog/<android IP>
        Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4a096a81963c2dc7629027cfc8e3c7ca.tmp
        Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI_sva: pool returned IPv4=10.1.0.2, IPv6=fe80::1000
        Sep 25 16:59:54 	openvpn 		user 'ripdog' authenticated
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> [ripdog] Peer Connection Initiated with [AF_INET6]::ffff:<android IP>:4730 (via ::ffff:<pfsense IP>%pppoe0)
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> TLS: Username/Password authentication deferred for username 'ripdog' [CN SET]
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_TCPNL=1
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_COMP_STUBv2=1
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_COMP_STUB=1
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_LZO=1
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_LZ4v2=1
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_LZ4=1
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_NCP=2
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_PROTO=2
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_PLAT=android
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_VER=2.5_master
        <snip TLS>
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> TLS: Initial packet from [AF_INET6]::ffff:<android IP>:4730 (via ::ffff:<pfsense IP>%pppoe0), sid=91b4984b ce8c5424
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
        Sep 25 16:59:54 	openvpn 	66643 	<android IP> Re-using SSL/TLS context
        Sep 25 16:59:54 	openvpn 	66643 	MULTI: multi_create_instance called
        

        There's nothing interesting in the client logs; they're very short.

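The thread's symptom is that the server's PUSH_REPLY carries a route the Android client never installs. The following script is an added example (not code from the thread, pfSense or OpenVPN): it parses the pushed `route` / `route-ipv6` options out of a server log line in the format shown above and compares them with the client's `ip r` output, listing what was pushed but not installed. The log line, the client routing table, the peer address and the IPv6 prefix are constructed stand-ins for the snipped values.

```python
# Compare the routes a server pushed (PUSH_REPLY) with what the client installed.
# The log line and routing table below are constructed stand-ins for the
# thread's snipped values, not captured from the poster's devices.
import ipaddress
import re

SERVER_LOG = (  # constructed: the server's PUSH_REPLY line from the log excerpt
    "Sep 25 16:59:55 openvpn 66643 ripdog/203.0.113.5 SENT CONTROL [ripdog]: "
    "'PUSH_REPLY,route 192.168.178.0 255.255.255.0,route-ipv6 2001:db8:1::/64,"
    "tun-ipv6,route-gateway 10.1.0.1,topology subnet,ping 10,ping-restart 60,"
    "ifconfig-ipv6 fe80::1000/64 fe80::1,ifconfig 10.1.0.2 255.255.255.0,"
    "peer-id 0,cipher AES-256-GCM' (status=1)"
)
CLIENT_IP_ROUTE = """\
default via 192.0.2.1 dev wlan0 table 1021
10.1.0.0/24 dev tun0 proto kernel scope link src 10.1.0.2
"""  # constructed: 'ip r' on the Android client, only the tun0 subnet present

def pushed_routes(log_text):
    """Networks pushed via 'route <net> <mask>' and 'route-ipv6 <prefix>'."""
    m = re.search(r"'PUSH_REPLY,(.*?)'", log_text)
    if not m:
        return []
    nets = []
    for opt in m.group(1).split(","):
        parts = opt.split()
        if len(parts) >= 3 and parts[0] == "route":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif len(parts) >= 2 and parts[0] == "route-ipv6":
            nets.append(ipaddress.ip_network(parts[1], strict=False))
    return nets

def installed_routes(ip_route_text):
    """Destination networks in 'ip route' output; the default route is ignored."""
    nets = set()
    for line in ip_route_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        try:
            nets.add(ipaddress.ip_network(fields[0], strict=False))
        except ValueError:
            continue  # first field is not a network (e.g. a table/rule line)
    return nets

def missing_routes(log_text, ip_route_text):
    """Pushed routes the client did not install, as CIDR strings."""
    installed = installed_routes(ip_route_text)
    return [str(n) for n in pushed_routes(log_text) if n not in installed]
```

Feed it the real `SENT CONTROL` line and the client's `ip r` output to confirm whether the gap is on the push side (route absent from PUSH_REPLY) or on the client side (pushed but not installed), which is the distinction the question turns on.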
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.