Use OpenVPN to allow Android clients to access Windows servers?



  • Hi all,

    I've set up Pfsense as an OpenVPN server to allow remote Android clients to access resources on Windows servers behind the Pfsense box.

I read this: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting on recommendation from another thread, and it says:

    And you want to bridge if:
    ...
    You have Windows server(s) you want to access and require network neighbourhood discovery to work via VPN and WINS is not an option to implement.

    That does sound like what I want to happen. However, that requires TAP and TAP doesn't seem to work on Android.

    In any case, I'd be okay with switching to accessing the Windows server via IP address, but...

    The VPN connection works, and the Android device can access the Pfsense box and the Internet via the VPN, but none of the rest of the network. Googling around, this seems to be a routing issue, that the server isn't sending the route from the VPN subnet to the LAN subnet. However, here's my OpenVPN server config:

    dev ovpns1
    verb 4
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-GCM
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    multihome
    engine rdrand
    tls-server
    server 10.1.0.0 255.255.255.0
    server-ipv6 fe80::/64
    client-config-dir /var/etc/openvpn-csc/server1
    username-as-common-name
    plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user <snip> false server1 1194
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPN+Cert' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.178.0 255.255.255.0"
    push "route-ipv6 <snip>::/64"
    duplicate-cn
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.4096
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    ncp-ciphers AES-256-GCM
    persist-remote-ip
    float
    topology subnet
    fast-io
    sndbuf 524288
    rcvbuf 524288
    

    As you can see, the server is configured correctly to add a route to my LAN subnet on 192.168.178.0. However, the Android device never seems to add it. Running ip r on Termux shows a single tun0 route of 10.1.0.0/24 ... src 10.1.0.2

    This is true even if I configure OpenVPN Connect to add a custom route with the same numbers.

Basically, is there anything wrong with my config which would prevent the Android client from accessing the rest of my LAN? Or is this more likely a bug in Android/OpenVPN Connect?

    PS: I did run the Pfsense wizard to create the server in the first place, so the firewall rules were made.



  • Forgot to attach some logs. These are from the server, log level 4:

    Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
    Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> SENT CONTROL [ripdog]: 'PUSH_REPLY,route 192.168.178.0 255.255.255.0,route-ipv6 <snip>::/64,tun-ipv6,route-gateway 10.1.0.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fe80::1000/64 fe80::1,ifconfig 10.1.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
    Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> PUSH: Received control message: 'PUSH_REQUEST'
    Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI: primary virtual IPv6 for ripdog/<android IP>: fe80::1000
    Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI: Learn: fe80::1000 -> ripdog/<android IP>
    Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI: primary virtual IP for ripdog/<android IP>: 10.1.0.2
    Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI: Learn: 10.1.0.2 -> ripdog/<android IP>
    Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4a096a81963c2dc7629027cfc8e3c7ca.tmp
    Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI_sva: pool returned IPv4=10.1.0.2, IPv6=fe80::1000
    Sep 25 16:59:54 	openvpn 		user 'ripdog' authenticated
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> [ripdog] Peer Connection Initiated with [AF_INET6]::ffff:<android IP>:4730 (via ::ffff:<pfsense IP>%pppoe0)
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> TLS: Username/Password authentication deferred for username 'ripdog' [CN SET]
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_TCPNL=1
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_COMP_STUBv2=1
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_COMP_STUB=1
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_LZO=1
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_LZ4v2=1
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_LZ4=1
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_NCP=2
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_PROTO=2
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_PLAT=android
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_VER=2.5_master
    <snip TLS>
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> TLS: Initial packet from [AF_INET6]::ffff:<android IP>:4730 (via ::ffff:<pfsense IP>%pppoe0), sid=91b4984b ce8c5424
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
    Sep 25 16:59:54 	openvpn 	66643 	<android IP> Re-using SSL/TLS context
    Sep 25 16:59:54 	openvpn 	66643 	MULTI: multi_create_instance called
    

There's nothing interesting in the client logs; they're very short.
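As an added diagnostic, not part of the original post: the SENT CONTROL line in the log shows the server did include the LAN route in its PUSH_REPLY (status=1), so the useful check is to compare what was pushed against what the client actually installed. The script below parses a PUSH_REPLY option string and `ip r` output, both constructed here from the values in the post, and lists pushed routes that are absent from the client's table.

```python
import ipaddress
import re

# Constructed sample input matching the post: the IPv4 part of the PUSH_REPLY
# from the server log, and the single tun0 route the poster saw in `ip r`.
PUSH_REPLY = ("PUSH_REPLY,route 192.168.178.0 255.255.255.0,"
              "route-gateway 10.1.0.1,topology subnet,ping 10,ping-restart 60,"
              "ifconfig 10.1.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM")
CLIENT_ROUTES = "10.1.0.0/24 dev tun0 proto kernel scope link src 10.1.0.2\n"


def parse_push_reply(reply):
    """Return ([(network, gateway), ...], route_gateway) from a PUSH_REPLY.
    Only IPv4 'route' options are handled; a route without an explicit
    gateway is expected to use the pushed route-gateway."""
    gateway = None
    routes = []
    for opt in reply.split(","):
        parts = opt.split()
        if not parts:
            continue
        if parts[0] == "route-gateway":
            gateway = parts[1]
        elif parts[0] == "route" and len(parts) >= 3:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            routes.append((net, parts[3] if len(parts) > 3 else None))
    return [(net, gw or gateway) for net, gw in routes], gateway


def parse_ip_route(output):
    """Collect the destination prefixes present in `ip r` output."""
    nets = set()
    for line in output.splitlines():
        m = re.match(r"(default|\d+\.\d+\.\d+\.\d+(?:/\d+)?)", line.strip())
        if m:
            dest = "0.0.0.0/0" if m.group(1) == "default" else m.group(1)
            nets.add(ipaddress.ip_network(dest, strict=False))
    return nets


def missing_routes(reply, client_output):
    """Pushed routes whose exact prefix is not in the client table
    (a covering supernet is deliberately not treated as a match)."""
    expected, _ = parse_push_reply(reply)
    present = parse_ip_route(client_output)
    return [(str(net), gw) for net, gw in expected if net not in present]


if __name__ == "__main__":
    for net, gw in missing_routes(PUSH_REPLY, CLIENT_ROUTES):
        print(f"pushed but not installed on client: {net} via {gw}")
```

Run it against the real `ip r` output from Termux after connecting; an empty result means the route was installed and the problem is elsewhere (firewall rules or return routing on the LAN side), a non-empty one confirms the client dropped the pushed route.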

