Configuration questions

johnpoz · Jan 20, 2020, 9:49 PM

What did you hand your client for dns? What are you trying to query... Make sure you can query it - out of the box pfsense unbound would not allow tunnel IP to query it, since it would not be listed in the automatic ACLs that are created.. Simple enough to test by doing a nslookup or dig directly to NS you sent to the client..

zkab · Jan 21, 2020, 3:10 PM

I want that connecting clients will use DNS given in System/General Setup (Googles DNS).

I changed to accept the default values (blanks) at VPN/OpenVPN/Servers in the Advanced Client Settings:

DNS Default Domain ... Provide a default domain name to clients (unchecked)
DNS Server enable ... Provide a DNS server list to clients. Addresses may be IPv4 or IPv6 (unchecked)
DNS Server 1-4 (blank)

Now I can access sites on Internet as well as ping devices on my LAN.
I have a question though ...
When I change from one website to another I get for a short second error message telling my that connection was interrupted and
after that the website is shown ... can this timing message be suppressed?

stephenw10 · Jan 21, 2020, 3:46 PM

What sort of latency are you seeing from the client to external sites?

I wouldn't expect to see that unless it really high.

Steve

zkab · Jan 21, 2020, 4:22 PM

As I said the message shows for a short time (0.5 seconds) but still it is annoying ...
I have a feeling the message shows when I switch from domestic websites to international sites and back ... not when I check domestic sites.
It is in Swedish but translated it looks like this ...

Connection was broken
A network change was discovered

stephenw10 · Jan 21, 2020, 5:25 PM

Ok but what sort or RTT are you seeing to whatever site caused that when you;re connected to tunnel? It would have to be huge....

Seems more likely you're seeing the result of some traffic going directly and other traffic going through the tunnel.

Steve

zkab · Jan 22, 2020, 11:53 AM

When I make a ping RTT varies from time=1.62 ms to time=124 ms for the sites.
The amount information I get from accessing the websites are not huge ... just plain website data.
I can't see any pattern ... it is more random.
You mentioned 'Seems more likely you're seeing the result of some traffic going directly and other traffic going through the tunnel' ... but
I don't understand why 'pfsense/openvpn' navigate the result differently ... I have in 'Tunnel Settings' checked 'Redirect Gateway' (Force all client
generated traffic through the tunnel).

Is it a 'pfsense/OpenVPN' or 'OpenVPN for Android' problem?
Is there some kind of log where I can see what is going on?

stephenw10 · Jan 22, 2020, 5:31 PM

1.62ms seems very low, too low for any logical connection especially if that's over cellular.

124ms seems high but could be correct for cellular+VPN.

I'm not aware of any issue with the Android OpenVPN client, it does seem like a client issue though. Can you test from a different client?

You might be seeing blocked TCP traffic in the pfSense firewall log is packets are not being sent both ways.

Steve

zkab · Jan 27, 2020, 12:12 PM

OK ... I tested with Windows client & Chrome.
When I access websites there is the usual Chrome message in the left bottom corner (for a short second) ... waiting for xxx ... before I get the website.
I guess that is the same problem I had in Android so as I understand the problem is on the serverside and not on the client side ...
How do I proceed to get openvpn working?

stephenw10 · Jan 27, 2020, 2:57 PM

It is working as I understand it, you said you were able to connect to internal resources and external sites no?

I assume of you go to a 'whatismyIP' type site it reports the public IP of the server as your traffic is going through that?

Steve

zkab · Jan 27, 2020, 3:49 PM

It is working more or less ... still the ANNOYING network error message.
If my mobile is at 4G mobile network then I can't reach my resources on my internal network.
With my limited knowledge I had the feeling that I it didn't matter if my mobile is on a public open network or a GSM 4G network I could always reach my OpenVPN server.

stephenw10 · Jan 27, 2020, 10:43 PM

It shouldn't make any difference how you're connected unless your provider is filtering OpenVPN traffic maybe. Unlikely.

As long as there is no subnet conflict between the server side LAN you're trying to reach and the subnet you're connecting from.

But check the public IP you are routing from to see how that traffic is flowing. It really looked like you were routing only some traffic over the tunnel which will cause all sorts of issues.

Steve

zkab · Jan 28, 2020, 1:56 PM

I rebooted pfsense and my mobile and all of a sudden I can reach my internal devices when I am on 4G network.
I use an app call 'PingTools Network Utilities' and it shows following (beeing on 4G & vpn):

Mobile: 100.98.184.83
4G Gateway: 100.98.184.83
Internat: my dyn-dns ip-address (which is correct)

My internal network is 192.168.1.0/24 and I can ping (beeing on 4G & vpn) 192.168.1.7 which is good.
And I can reach all external websites also ... but still the network error message.

When my mobile is on a public open network vpn works OK ... except the network error message.

WhatsMyIp gives me as I understand correct values ...

4G & vpn - my dyn-dns ip-address
public open network & vpn - my dyn-dns ip-address
4G without vpn - another ip that is not my dyn-dns ip-address (guess that is from my mobile operator) ... which is correct

As I understand openvpn is working OK and all traffic is routed over the tunnel.
Can the latency error message be solved ... is it a openvpn server or openvpn android client issue?

stephenw10 · Jan 28, 2020, 3:03 PM

Seems like an Android issue if you are not seeing it in Windows.

zkab · Jan 28, 2020, 3:36 PM

OK ... I will check their forum
Thanks for your patience and support

zkab · Feb 11, 2020, 12:03 PM

I understand that network change is not a call of openvpn ... it should be handle by OS (Android).
But ERR_NETWORK_CHANGED occurs only when I run openvpn ... so where do I see what kind of network change has occurred?
Log file for opnvpn client on Android or openvpn server?
I don't see in which end I should start.
The error message drives me crazy ...

stephenw10 · Feb 11, 2020, 1:24 PM

The network change is almost certainly between the direct connection and the VPN connection. Though it seems it can also be cause by intermittent IPv6.
What do you actually need the Android client to do here? Route all traffic? Just access the internal LAN?
You could put in a client specific override so it doesn't redirect all traffic which would likely solve it as most traffic would then use the local connection.

This is an Android/Chrome problem though, there's little we can do about it in pfSense.

Steve

zkab · Feb 11, 2020, 3:14 PM

Thanks again ... I understand this is an Android/Chrome problem and I really appreciate that you take your time to help me.
Getting support from Google is dead end ... they don't care about their customers at all.
What I want to do with Android client is to access my LAN and Internet in a safe mode when I am on 4G or public wifi.
You mentioned ... it seems it can also be cause by intermittent IPv6 ... how can I test that?
The OpenVPN server is running in pfSense connected to my LAN.

stephenw10 · Feb 12, 2020, 12:04 AM

Well that seemed to be what people were suggesting in Google's forum. Nothing definitive.
You can disable it behind pfSense but otherwise I'm not sure how you might disable it in Android globally. I imagine you can find a wifi location without IPv6 though.

Try setting up the VPN for just you local subnet rather than all traffic and see if you still see issues.
I can imagine both local connections and the VPN are trying to be the default route. Usually OpenVPN just set's itself and there's no problem though.

Steve