4. Use OpenVPN to allow Android clients to access Windows servers?

Use OpenVPN to allow Android clients to access Windows servers?

  • R

    Hi all,

    I've set up Pfsense as an OpenVPN server to allow remote Android clients to access resources on Windows servers behind the Pfsense box.

    I read this: https://community.openvpn.net/openvpn/wiki/BridgingAndRouting On recommendation from another thread, and it says:

    And you want to bridge if:
    ...
    You have Windows server(s) you want to access and require network neighbourhood discovery to work via VPN and WINS is not an option to implement.

    That does sound like what I want to happen. However, that requires TAP and TAP doesn't seem to work on Android.

    In any case, I'd be okay with switching to accessing the Windows server via IP address, but...

    The VPN connection works, and the Android device can access the Pfsense box and the Internet via the VPN, but none of the rest of the network. Googling around, this seems to be a routing issue, that the server isn't sending the route from the VPN subnet to the LAN subnet. However, here's my OpenVPN server config:

    dev ovpns1
verb 4
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-GCM
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
multihome
engine rdrand
tls-server
server 10.1.0.0 255.255.255.0
server-ipv6 fe80::/64
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user <snip> false server1 1194
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'VPN+Cert' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.178.0 255.255.255.0"
push "route-ipv6 <snip>::/64"
duplicate-cn
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-GCM
persist-remote-ip
float
topology subnet
fast-io
sndbuf 524288
rcvbuf 524288

    As you can see, the server is configured correctly to add a route to my LAN subnet on 192.168.178.0. However, the Android device never seems to add it. Running ip r on Termux shows a single tun0 route of 10.1.0.0/24 ... src 10.1.0.2

    This is true even if I configure OpenVPN Connect to add a custom route with the same numbers.

    Basically, is there anything wrong with my config which would prevent the Android client accessing the rest of my LAN? Or is this more likely a bug in Android/OpenVPN Connect?

    PS: I did run the Pfsense wizard to create the server in the first place, so the Firewall rules were made.

    0
  • R

    Forgot to attach some logs. These are from the server, log level 4:

    Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> SENT CONTROL [ripdog]: 'PUSH_REPLY,route 192.168.178.0 255.255.255.0,route-ipv6 <snip>::/64,tun-ipv6,route-gateway 10.1.0.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fe80::1000/64 fe80::1,ifconfig 10.1.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> PUSH: Received control message: 'PUSH_REQUEST'
Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI: primary virtual IPv6 for ripdog/<android IP>: fe80::1000
Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI: Learn: fe80::1000 -> ripdog/<android IP>
Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI: primary virtual IP for ripdog/<android IP>: 10.1.0.2
Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI: Learn: 10.1.0.2 -> ripdog/<android IP>
Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4a096a81963c2dc7629027cfc8e3c7ca.tmp
Sep 25 16:59:55 	openvpn 	66643 	ripdog/<android IP> MULTI_sva: pool returned IPv4=10.1.0.2, IPv6=fe80::1000
Sep 25 16:59:54 	openvpn 		user 'ripdog' authenticated
Sep 25 16:59:54 	openvpn 	66643 	<android IP> [ripdog] Peer Connection Initiated with [AF_INET6]::ffff:<android IP>:4730 (via ::ffff:<pfsense IP>%pppoe0)
Sep 25 16:59:54 	openvpn 	66643 	<android IP> Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sep 25 16:59:54 	openvpn 	66643 	<android IP> TLS: Username/Password authentication deferred for username 'ripdog' [CN SET]
Sep 25 16:59:54 	openvpn 	66643 	<android IP> PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_TCPNL=1
Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_COMP_STUBv2=1
Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_COMP_STUB=1
Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_LZO=1
Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_LZ4v2=1
Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_LZ4=1
Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_NCP=2
Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_PROTO=2
Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_PLAT=android
Sep 25 16:59:54 	openvpn 	66643 	<android IP> peer info: IV_VER=2.5_master
<snip TLS>
Sep 25 16:59:54 	openvpn 	66643 	<android IP> TLS: Initial packet from [AF_INET6]::ffff:<android IP>:4730 (via ::ffff:<pfsense IP>%pppoe0), sid=91b4984b ce8c5424
Sep 25 16:59:54 	openvpn 	66643 	<android IP> Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Sep 25 16:59:54 	openvpn 	66643 	<android IP> Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Sep 25 16:59:54 	openvpn 	66643 	<android IP> Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Sep 25 16:59:54 	openvpn 	66643 	<android IP> Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sep 25 16:59:54 	openvpn 	66643 	<android IP> Re-using SSL/TLS context
Sep 25 16:59:54 	openvpn 	66643 	MULTI: multi_create_instance called

    There's nothing interesting on the client logs, they're very short.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy