Use OpenVPN to allow Android clients to access Windows servers?
-
Hi all,
I've set up Pfsense as an OpenVPN server to allow remote Android clients to access resources on Windows servers behind the Pfsense box.
I read this: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting on recommendation from another thread, and it says:
And you want to bridge if:
...
You have Windows server(s) you want to access and require network neighbourhood discovery to work via VPN and WINS is not an option to implement.

That does sound like what I want to happen. However, that requires TAP and TAP doesn't seem to work on Android.
In any case, I'd be okay with switching to accessing the Windows server via IP address, but...
The VPN connection works, and the Android device can access the Pfsense box and the Internet via the VPN, but none of the rest of the network. Googling around, this seems to be a routing issue, that the server isn't sending the route from the VPN subnet to the LAN subnet. However, here's my OpenVPN server config:
dev ovpns1
verb 4
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-GCM
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
multihome
engine rdrand
tls-server
server 10.1.0.0 255.255.255.0
server-ipv6 fe80::/64
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user <snip> false server1 1194
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPN+Cert' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.178.0 255.255.255.0"
push "route-ipv6 <snip>::/64"
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-GCM
persist-remote-ip
float
topology subnet
fast-io
sndbuf 524288
rcvbuf 524288
As you can see, the server is configured correctly to add a route to my LAN subnet on 192.168.178.0. However, the Android device never seems to add it. Running
ip r
on Termux shows a single tun0 route of 10.1.0.0/24 ... src 10.1.0.2
This is true even if I configure OpenVPN Connect to add a custom route with the same numbers.
Basically, is there anything wrong with my config which would prevent the Android client accessing the rest of my LAN? Or is this more likely a bug in Android/OpenVPN Connect?
PS: I did run the Pfsense wizard to create the server in the first place, so the Firewall rules were made.
-
Forgot to attach some logs. These are from the server, log level 4:
Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> SENT CONTROL [ripdog]: 'PUSH_REPLY,route 192.168.178.0 255.255.255.0,route-ipv6 <snip>::/64,tun-ipv6,route-gateway 10.1.0.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fe80::1000/64 fe80::1,ifconfig 10.1.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> PUSH: Received control message: 'PUSH_REQUEST'
Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> MULTI: primary virtual IPv6 for ripdog/<android IP>: fe80::1000
Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> MULTI: Learn: fe80::1000 -> ripdog/<android IP>
Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> MULTI: primary virtual IP for ripdog/<android IP>: 10.1.0.2
Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> MULTI: Learn: 10.1.0.2 -> ripdog/<android IP>
Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4a096a81963c2dc7629027cfc8e3c7ca.tmp
Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> MULTI_sva: pool returned IPv4=10.1.0.2, IPv6=fe80::1000
Sep 25 16:59:54 openvpn user 'ripdog' authenticated
Sep 25 16:59:54 openvpn 66643 <android IP> [ripdog] Peer Connection Initiated with [AF_INET6]::ffff:<android IP>:4730 (via ::ffff:<pfsense IP>%pppoe0)
Sep 25 16:59:54 openvpn 66643 <android IP> Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sep 25 16:59:54 openvpn 66643 <android IP> TLS: Username/Password authentication deferred for username 'ripdog' [CN SET]
Sep 25 16:59:54 openvpn 66643 <android IP> PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_TCPNL=1
Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_COMP_STUBv2=1
Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_COMP_STUB=1
Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_LZO=1
Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_LZ4v2=1
Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_LZ4=1
Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_NCP=2
Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_PROTO=2
Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_PLAT=android
Sep 25 16:59:54 openvpn 66643 <android IP> peer info: IV_VER=2.5_master
<snip TLS>
Sep 25 16:59:54 openvpn 66643 <android IP> TLS: Initial packet from [AF_INET6]::ffff:<android IP>:4730 (via ::ffff:<pfsense IP>%pppoe0), sid=91b4984b ce8c5424
Sep 25 16:59:54 openvpn 66643 <android IP> Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Sep 25 16:59:54 openvpn 66643 <android IP> Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Sep 25 16:59:54 openvpn 66643 <android IP> Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Sep 25 16:59:54 openvpn 66643 <android IP> Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sep 25 16:59:54 openvpn 66643 <android IP> Re-using SSL/TLS context
Sep 25 16:59:54 openvpn 66643 MULTI: multi_create_instance called
There's nothing interesting in the client logs; they're very short.
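As an added example for this thread (not code from the original post, from pfSense or from OpenVPN itself): a small Python script that does the cross-check the poster did by hand. It pulls the pushed routes and route-gateway out of the server's SENT CONTROL ... PUSH_REPLY log line, parses `ip route` output from the client, and reports which pushed prefixes have no covering route on the tunnel interface and whether the pushed gateway is reachable through it. The PUSH_REPLY line is the one from the server log above; the `ip route` sample is constructed to match the single tun0 route described in the post. The interface name `tun0` and the expectation that a pushed route shows up as a route on that device are assumptions; the IPv6 prefix the poster snipped is deliberately left unparseable so the script shows how it reports options it had to skip.

```python
"""Cross-check OpenVPN pushed routes against a client's installed routes.

Added example for this thread, not code from the original post or from
OpenVPN.  Inputs are offline strings: the PUSH_REPLY log line quoted in
the thread and a constructed `ip route` listing.
"""
import ipaddress
import re

# Server side: the SENT CONTROL line from the server log in the thread.
# The IPv6 prefix was snipped by the poster and is kept that way on purpose.
SERVER_LOG = (
    "Sep 25 16:59:55 openvpn 66643 ripdog/<android IP> SENT CONTROL [ripdog]: "
    "'PUSH_REPLY,route 192.168.178.0 255.255.255.0,route-ipv6 <snip>::/64,tun-ipv6,"
    "route-gateway 10.1.0.1,topology subnet,ping 10,ping-restart 60,"
    "ifconfig-ipv6 fe80::1000/64 fe80::1,ifconfig 10.1.0.2 255.255.255.0,"
    "peer-id 0,cipher AES-256-GCM' (status=1)"
)

# Client side: constructed `ip route` output matching what the post describes
# (a single tun0 route, nothing for the LAN).
CLIENT_IP_ROUTE = "10.1.0.0/24 dev tun0 proto kernel scope link src 10.1.0.2\n"


def parse_push_reply(log_text):
    """Return (pushed_networks, skipped_options, route_gateway).

    Routes whose prefix cannot be parsed are returned in skipped_options
    instead of being dropped silently.
    """
    m = re.search(r"'PUSH_REPLY,(.*?)'", log_text)
    if not m:
        raise ValueError("no PUSH_REPLY found in log text")
    routes, skipped, gateway = [], [], None
    for opt in m.group(1).split(","):
        words = opt.split()
        if not words:
            continue
        try:
            if words[0] == "route" and len(words) >= 3:
                # "route NETWORK NETMASK [gateway]" -> network in CIDR form
                routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
            elif words[0] == "route-ipv6" and len(words) >= 2:
                routes.append(ipaddress.ip_network(words[1], strict=False))
            elif words[0] == "route-gateway" and len(words) >= 2:
                gateway = ipaddress.ip_address(words[1])
        except ValueError:
            skipped.append(opt)
    return routes, skipped, gateway


def parse_ip_route(text):
    """Parse `ip route` / `ip -6 route` lines into (network, dev, via) tuples."""
    entries = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        dest = "0.0.0.0/0" if words[0] == "default" else words[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." or "local ..." entries
        dev = words[words.index("dev") + 1] if "dev" in words else None
        via = ipaddress.ip_address(words[words.index("via") + 1]) if "via" in words else None
        entries.append((net, dev, via))
    return entries


def check_client_routes(push_reply_log, ip_route_text, tun_dev="tun0"):
    """Report pushed routes the client did not install on the tunnel device.

    missing    - pushed networks with no equal-or-wider route on tun_dev
    skipped    - pushed route options that could not be parsed
    gateway_ok - pushed route-gateway lies inside a route on tun_dev
                 (True when no gateway was pushed)
    """
    pushed, skipped, gateway = parse_push_reply(push_reply_log)
    tun_routes = [net for net, dev, _via in parse_ip_route(ip_route_text) if dev == tun_dev]

    def covered(target):
        return any(net.version == target.version and target.subnet_of(net) for net in tun_routes)

    missing = [net for net in pushed if not covered(net)]
    gateway_ok = gateway is None or any(
        net.version == gateway.version and gateway in net for net in tun_routes)
    return {"missing": missing, "skipped": skipped, "gateway_ok": gateway_ok}


if __name__ == "__main__":
    report = check_client_routes(SERVER_LOG, CLIENT_IP_ROUTE)
    for net in report["missing"]:
        print(f"pushed but not installed on tun0: {net}")
    for opt in report["skipped"]:
        print(f"could not parse pushed option: {opt!r}")
    print(f"route-gateway reachable via tun0: {report['gateway_ok']}")
```

Run on the real thing by replacing the two constants with the server's PUSH_REPLY line and the client's `ip route` (plus `ip -6 route`) output; a pushed prefix that appears under "missing" while the PUSH_REPLY shows it was sent points at the client side, exactly the split the post is trying to make.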