OpenVPN connects, can ping LAN hosts but no web pages load
-
After some help OpenVPN is connecting over IPv6 from the OpenVPN client on Android. I can use Termux on Android to ping hosts on the LAN by IPv4 address but I cannot load web pages in the browser on the client - even using just the server IPv4 address in the browser. What is going wrong?
Here are some details:
LAN subnet - 192.168.88.0/24 gateway 192.168.88.1
VPN subnet - 192.168.77.0/24 gateway 192.168.77.1
Interfaces - all up in the dashboard:
WAN - 100.77.0.23 and IPv6 2a00:6020:1000:1d:abc:beef
LAN - 192.168.88.1 and IPv6 2a00:6020:1920:c01d:c01a:1324:beef:babe
OVPN_IF - 192.168.77.1 and IPv6 2a00:6020:1000:1d::1
Firewall rules - the logs look clean
I think these rules are too permissive from my half-understanding of things I have read but would fix this after getting things working.
My guess here is that maybe the IPv6 Tunnel Network I set in the OpenVPN server is wrong - I just guessed based on the WAN IPv6 address (see interfaces above) and used 2a00:6020:1000:1d::/64 but why ping would work and web pages not doesn't seem consistent. Otherwise perhaps there is some weird option set somewhere.
Any help gratefully received.
-
Any suggestions anyone? I am completely out of ideas and my hacking at the settings is likely now just making it worse...
-
@charry2014 said in OpenVPN connects, can ping LAN hosts but no web pages load:
Otherwise perhaps there is some weird option set somewhere.
Looked for it, but couldn't find one.
Just an idea : make everything work with IPv4 first.
Use something like this :
as I guess you use the VPN - and you're the admin anyway, so why block yourself ?
-
Thanks - they really should make the "Remove final obstacle" check-box easier to find
Regarding the IPv4 idea I have been led to believe from a previous question that my provider only gives me the possibility to connect over IPv6 - which doesn't seem to be an issue as OpenVPN does connect and internet pages load in the browser. It is just web pages hosted by servers on my LAN which don't.
-
Still no idea... I even rebooted pfSense to no avail. I did notice that even when the client shows 'initialisation sequence complete' pfSense OpenVPN status shows no client connected. There is obviously something wrong.
A couple of specific questions:
- I gave my OpenVPN server an IPv6 Tunnel Network of 2a00:6020:1000:1d::/64 which is a complete guess. I have no idea if this is going to work. Can anyone help me be sure this is OK?
- On the Dashboard the OpenVPN Gateway is always Offline - I have verified the IPv6 address it is pinging (2001:4860:4860::8888) can be reached from pfSense ping diagnostic so could this indicate a problem?
- I read that adding the Advanced Configuration option push "route-ipv6 2000::/3"; is required in the OpenVPN server options for IPv6 connections. Is this true?
-
@charry2014 said in OpenVPN connects, can ping LAN hosts but no web pages load:
I gave my OpenVPN server an IPv6 Tunnel Network of 2a00:6020:1000:1d::/64 which is a complete guess. I have no idea if this is going to work. Can anyone help me be sure this is OK?
I've been asking myself the same question.
That's why I defaulted to a known good RFC 1918 IP network like 192.168.3.0/24.
After all : the Internet gods will come after you if "2a00:6020:1000:1d::/64" is assigned to someone ;))
@charry2014 said in OpenVPN connects, can ping LAN hosts but no web pages load:
On the Dashboard the OpenVPN Gateway is always Offline
That's not a good sign.
As I'm using 192.168.3.0/24 and 2001:470:xxxx:3::/64 - I own both of them, as 192.168.3.0/24 is RFC1918 and 2001:470:xxxx:3::/64 is part of an IPv6 network that I'm allowed to use.
The tunnel goes over IPv4 (I guess / I don't care ^^).
@charry2014 said in OpenVPN connects, can ping LAN hosts but no web pages load:
I read that adding the Advanced Configuration option push "route-ipv6 2000::/3";
-
Many thanks - the official document you gave me is a bit more informative (and less German).
I have been reading docs on IPv6 addressing and am not sure what IPv6 Tunnel Network I should use. My service provider uses DHCPv6 and a DHCPv6 Prefix Delegation size of 56 in the WAN interface. In the dashboard WAN shows a WAN IPv6 2a00:6020:1000:1d::bbc:beef. I am assuming that as I get a /56 from my provider I should choose a /64 for OpenVPN like the docs say - but what is the correct /64 I should use?
I did notice that even when the client shows 'initialisation sequence complete' pfSense OpenVPN status shows no client connected. There is obviously something wrong.
-
Any ideas anyone. Please....
-
@charry2014 said in OpenVPN connects, can ping LAN hosts but no web pages load:
It is just web pages hosted by servers on my LAN which don't.
So that looks like just a NAT problem?
And for the tunnel you still could use IPv4, even if the tunnel is running over IPv6 I guess.
-
It could be - previously in my OpenVPN configs the automatic NAT just worked so I am a bit confused what settings I should use. I read around a bit and ended up with what is below - but the automatic outbound NAT gives the same behaviour.
Can you help me get this working?
-
Another week later and I am still going round in circles - can anyone help me debug this? It is curious that even when the client is connected the client does not show up in OpenVPN -> Clients and the OpenVPN gateway is offline on the Dashboard. I am wondering if there are deeper problems and the connection is somehow broken - but I have never seen anything like this before and do not know how to debug.
Perhaps there is something fishy in the client log:
2021-07-07 17:21:31 official build 0.7.22 running on samsung SM-G980F (exynos990), Android 11 (RP1A.200720.012) API 30, ABI arm64-v8a, (samsung/x1seea/x1s:11/RP1A.200720.012/G980FXXS8DUE4:user/release-keys)
2021-07-07 17:21:31 Building configuration…
2021-07-07 17:21:31 started Socket Thread
2021-07-07 17:21:31 Network Status: CONNECTED LTE to MOBILE web.vodafone.de
2021-07-07 17:21:31 Debug state info: CONNECTED LTE to MOBILE web.vodafone.de, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2021-07-07 17:21:31 Debug state info: CONNECTED LTE to MOBILE web.vodafone.de, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2021-07-07 17:21:31 P:WARNING: linker: Warning: "/data/app/~~fyJTip2PqSNVJwkrHarwmQ==/de.blinkt.openvpn-20-BWAy1UbXInZrowo7caw==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2021-07-07 17:21:31 Current Parameter Settings:
2021-07-07 17:21:31 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2021-07-07 17:21:31 mode = 0
2021-07-07 17:21:31 show_ciphers = DISABLED
2021-07-07 17:21:31 show_digests = DISABLED
2021-07-07 17:21:31 show_engines = DISABLED
2021-07-07 17:21:31 genkey = DISABLED
2021-07-07 17:21:31 genkey_filename = '[UNDEF]'
2021-07-07 17:21:31 key_pass_file = '[UNDEF]'
2021-07-07 17:21:31 show_tls_ciphers = DISABLED
2021-07-07 17:21:31 connect_retry_max = 0
2021-07-07 17:21:31 Connection profiles [0]:
2021-07-07 17:21:31 proto = udp
2021-07-07 17:21:31 local = '[UNDEF]'
2021-07-07 17:21:31 local_port = '1194'
2021-07-07 17:21:31 remote = 'myhostlanipv6.dyndns.biz'
2021-07-07 17:21:31 remote_port = '1194'
2021-07-07 17:21:31 remote_float = DISABLED
2021-07-07 17:21:31 bind_defined = DISABLED
2021-07-07 17:21:31 bind_local = ENABLED
2021-07-07 17:21:31 bind_ipv6_only = DISABLED
2021-07-07 17:21:31 connect_retry_seconds = 2
2021-07-07 17:21:31 connect_timeout = 120
2021-07-07 17:21:31 socks_proxy_server = '[UNDEF]'
2021-07-07 17:21:31 socks_proxy_port = '[UNDEF]'
2021-07-07 17:21:31 tun_mtu = 1500
2021-07-07 17:21:31 tun_mtu_defined = ENABLED
2021-07-07 17:21:31 link_mtu = 1500
2021-07-07 17:21:31 link_mtu_defined = DISABLED
2021-07-07 17:21:31 tun_mtu_extra = 0
2021-07-07 17:21:31 tun_mtu_extra_defined = DISABLED
2021-07-07 17:21:31 mtu_discover_type = -1
2021-07-07 17:21:31 fragment = 0
2021-07-07 17:21:31 mssfix = 1450
2021-07-07 17:21:31 explicit_exit_notification = 0
2021-07-07 17:21:31 tls_auth_file = '[INLINE]'
2021-07-07 17:21:31 key_direction = 1
2021-07-07 17:21:31 tls_crypt_file = '[UNDEF]'
2021-07-07 17:21:31 tls_crypt_v2_file = '[UNDEF]'
2021-07-07 17:21:31 Connection profiles END
2021-07-07 17:21:31 remote_random = DISABLED
2021-07-07 17:21:31 ipchange = '[UNDEF]'
2021-07-07 17:21:31 dev = 'tun'
2021-07-07 17:21:31 dev_type = '[UNDEF]'
2021-07-07 17:21:31 dev_node = '[UNDEF]'
2021-07-07 17:21:31 lladdr = '[UNDEF]'
2021-07-07 17:21:31 topology = 1
2021-07-07 17:21:31 ifconfig_local = '[UNDEF]'
2021-07-07 17:21:31 ifconfig_remote_netmask = '[UNDEF]'
2021-07-07 17:21:31 ifconfig_noexec = DISABLED
2021-07-07 17:21:31 ifconfig_nowarn = ENABLED
2021-07-07 17:21:31 ifconfig_ipv6_local = '[UNDEF]'
2021-07-07 17:21:31 ifconfig_ipv6_netbits = 0
2021-07-07 17:21:31 ifconfig_ipv6_remote = '[UNDEF]'
2021-07-07 17:21:31 shaper = 0
2021-07-07 17:21:31 mtu_test = 0
2021-07-07 17:21:31 mlock = DISABLED
2021-07-07 17:21:31 keepalive_ping = 0
2021-07-07 17:21:31 keepalive_timeout = 0
2021-07-07 17:21:31 inactivity_timeout = 0
2021-07-07 17:21:31 ping_send_timeout = 0
2021-07-07 17:21:31 ping_rec_timeout = 0
2021-07-07 17:21:31 ping_rec_timeout_action = 0
2021-07-07 17:21:31 ping_timer_remote = DISABLED
2021-07-07 17:21:31 remap_sigusr1 = 0
2021-07-07 17:21:31 persist_tun = ENABLED
2021-07-07 17:21:31 persist_local_ip = DISABLED
2021-07-07 17:21:31 persist_remote_ip = DISABLED
2021-07-07 17:21:31 persist_key = DISABLED
2021-07-07 17:21:31 passtos = DISABLED
2021-07-07 17:21:31 resolve_retry_seconds = 60
2021-07-07 17:21:31 resolve_in_advance = ENABLED
2021-07-07 17:21:31 username = '[UNDEF]'
2021-07-07 17:21:31 groupname = '[UNDEF]'
2021-07-07 17:21:31 chroot_dir = '[UNDEF]'
2021-07-07 17:21:31 cd_dir = '[UNDEF]'
2021-07-07 17:21:31 writepid = '[UNDEF]'
2021-07-07 17:21:31 up_script = '[UNDEF]'
2021-07-07 17:21:31 down_script = '[UNDEF]'
2021-07-07 17:21:31 down_pre = DISABLED
2021-07-07 17:21:31 up_restart = DISABLED
2021-07-07 17:21:31 up_delay = DISABLED
2021-07-07 17:21:31 daemon = DISABLED
2021-07-07 17:21:31 log = DISABLED
2021-07-07 17:21:31 suppress_timestamps = DISABLED
2021-07-07 17:21:31 machine_readable_output = ENABLED
2021-07-07 17:21:31 nice = 0
2021-07-07 17:21:31 verbosity = 4
2021-07-07 17:21:31 mute = 0
2021-07-07 17:21:31 gremlin = 0
2021-07-07 17:21:31 status_file = '[UNDEF]'
2021-07-07 17:21:31 status_file_version = 1
2021-07-07 17:21:31 status_file_update_freq = 60
2021-07-07 17:21:31 occ = ENABLED
2021-07-07 17:21:31 rcvbuf = 0
2021-07-07 17:21:31 sndbuf = 0
2021-07-07 17:21:31 sockflags = 0
2021-07-07 17:21:31 fast_io = DISABLED
2021-07-07 17:21:31 comp.alg = 0
2021-07-07 17:21:31 comp.flags = 0
2021-07-07 17:21:31 route_script = '[UNDEF]'
2021-07-07 17:21:31 route_default_gateway = '[UNDEF]'
2021-07-07 17:21:31 route_default_metric = 0
2021-07-07 17:21:31 route_noexec = DISABLED
2021-07-07 17:21:31 route_delay = 0
2021-07-07 17:21:31 route_delay_window = 30
2021-07-07 17:21:31 route_delay_defined = DISABLED
2021-07-07 17:21:31 route_nopull = DISABLED
2021-07-07 17:21:31 route_gateway_via_dhcp = DISABLED
2021-07-07 17:21:31 allow_pull_fqdn = DISABLED
2021-07-07 17:21:31 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2021-07-07 17:21:31 management_port = 'unix'
2021-07-07 17:21:31 management_user_pass = '[UNDEF]'
2021-07-07 17:21:31 management_log_history_cache = 250
2021-07-07 17:21:31 management_echo_buffer_size = 100
2021-07-07 17:21:31 management_write_peer_info_file = '[UNDEF]'
2021-07-07 17:21:31 management_client_user = '[UNDEF]'
2021-07-07 17:21:31 management_client_group = '[UNDEF]'
2021-07-07 17:21:31 management_flags = 16678
2021-07-07 17:21:31 shared_secret_file = '[UNDEF]'
2021-07-07 17:21:31 key_direction = 1
2021-07-07 17:21:31 ciphername = 'AES-128-CBC'
2021-07-07 17:21:31 ncp_enabled = ENABLED
2021-07-07 17:21:31 ncp_ciphers = 'AES-128-GCM:AES-128-CBC'
2021-07-07 17:21:31 authname = 'SHA512'
2021-07-07 17:21:31 prng_hash = 'SHA1'
2021-07-07 17:21:31 prng_nonce_secret_len = 16
2021-07-07 17:21:31 keysize = 0
2021-07-07 17:21:31 engine = DISABLED
2021-07-07 17:21:31 replay = ENABLED
2021-07-07 17:21:31 mute_replay_warnings = DISABLED
2021-07-07 17:21:31 replay_window = 64
2021-07-07 17:21:31 replay_time = 15
2021-07-07 17:21:31 packet_id_file = '[UNDEF]'
2021-07-07 17:21:31 test_crypto = DISABLED
2021-07-07 17:21:31 tls_server = DISABLED
2021-07-07 17:21:31 tls_client = ENABLED
2021-07-07 17:21:31 ca_file = '[INLINE]'
2021-07-07 17:21:31 ca_path = '[UNDEF]'
2021-07-07 17:21:31 dh_file = '[UNDEF]'
2021-07-07 17:21:31 cert_file = '[INLINE]'
2021-07-07 17:21:31 extra_certs_file = '[UNDEF]'
2021-07-07 17:21:31 priv_key_file = '[INLINE]'
2021-07-07 17:21:31 pkcs12_file = '[UNDEF]'
2021-07-07 17:21:31 cipher_list = '[UNDEF]'
2021-07-07 17:21:31 cipher_list_tls13 = '[UNDEF]'
2021-07-07 17:21:31 tls_cert_profile = '[UNDEF]'
2021-07-07 17:21:31 tls_verify = '[UNDEF]'
2021-07-07 17:21:31 tls_export_cert = '[UNDEF]'
2021-07-07 17:21:31 verify_x509_type = 2
2021-07-07 17:21:31 verify_x509_name = 'internal-ca'
2021-07-07 17:21:31 crl_file = '[UNDEF]'
2021-07-07 17:21:31 ns_cert_type = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 65535
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_ku[i] = 0
2021-07-07 17:21:31 remote_cert_eku = 'TLS Web Server Authentication'
2021-07-07 17:21:31 ssl_flags = 0
2021-07-07 17:21:31 tls_timeout = 2
2021-07-07 17:21:31 renegotiate_bytes = -1
2021-07-07 17:21:31 renegotiate_packets = 0
2021-07-07 17:21:31 renegotiate_seconds = 3600
2021-07-07 17:21:31 handshake_window = 60
2021-07-07 17:21:31 transition_window = 3600
2021-07-07 17:21:31 single_session = DISABLED
2021-07-07 17:21:31 push_peer_info = DISABLED
2021-07-07 17:21:31 tls_exit = DISABLED
2021-07-07 17:21:31 tls_crypt_v2_metadata = '[UNDEF]'
2021-07-07 17:21:31 server_network = 0.0.0.0
2021-07-07 17:21:31 server_netmask = 0.0.0.0
2021-07-07 17:21:31 server_network_ipv6 = ::
2021-07-07 17:21:31 server_netbits_ipv6 = 0
2021-07-07 17:21:31 server_bridge_ip = 0.0.0.0
2021-07-07 17:21:31 server_bridge_netmask = 0.0.0.0
2021-07-07 17:21:31 server_bridge_pool_start = 0.0.0.0
2021-07-07 17:21:31 server_bridge_pool_end = 0.0.0.0
2021-07-07 17:21:31 ifconfig_pool_defined = DISABLED
2021-07-07 17:21:31 ifconfig_pool_start = 0.0.0.0
2021-07-07 17:21:31 ifconfig_pool_end = 0.0.0.0
2021-07-07 17:21:31 ifconfig_pool_netmask = 0.0.0.0
2021-07-07 17:21:31 ifconfig_pool_persist_filename = '[UNDEF]'
2021-07-07 17:21:31 ifconfig_pool_persist_refresh_freq = 600
2021-07-07 17:21:31 ifconfig_ipv6_pool_defined = DISABLED
2021-07-07 17:21:31 ifconfig_ipv6_pool_base = ::
2021-07-07 17:21:31 ifconfig_ipv6_pool_netbits = 0
2021-07-07 17:21:31 n_bcast_buf = 256
2021-07-07 17:21:31 tcp_queue_limit = 64
2021-07-07 17:21:31 real_hash_size = 256
2021-07-07 17:21:31 virtual_hash_size = 256
2021-07-07 17:21:31 client_connect_script = '[UNDEF]'
2021-07-07 17:21:31 learn_address_script = '[UNDEF]'
2021-07-07 17:21:31 client_disconnect_script = '[UNDEF]'
2021-07-07 17:21:31 client_config_dir = '[UNDEF]'
2021-07-07 17:21:31 ccd_exclusive = DISABLED
2021-07-07 17:21:31 tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2021-07-07 17:21:31 push_ifconfig_defined = DISABLED
2021-07-07 17:21:31 push_ifconfig_local = 0.0.0.0
2021-07-07 17:21:31 push_ifconfig_remote_netmask = 0.0.0.0
2021-07-07 17:21:31 push_ifconfig_ipv6_defined = DISABLED
2021-07-07 17:21:31 push_ifconfig_ipv6_local = ::/0
2021-07-07 17:21:31 push_ifconfig_ipv6_remote = ::
2021-07-07 17:21:31 enable_c2c = DISABLED
2021-07-07 17:21:31 duplicate_cn = DISABLED
2021-07-07 17:21:31 cf_max = 0
2021-07-07 17:21:31 Waiting 0s seconds between connection attempt
2021-07-07 17:21:31 cf_per = 0
2021-07-07 17:21:31 max_clients = 1024
2021-07-07 17:21:31 max_routes_per_client = 256
2021-07-07 17:21:31 auth_user_pass_verify_script = '[UNDEF]'
2021-07-07 17:21:31 auth_user_pass_verify_script_via_file = DISABLED
2021-07-07 17:21:31 auth_token_generate = DISABLED
2021-07-07 17:21:31 auth_token_lifetime = 0
2021-07-07 17:21:31 auth_token_secret_file = '[UNDEF]'
2021-07-07 17:21:31 port_share_host = '[UNDEF]'
2021-07-07 17:21:31 port_share_port = '[UNDEF]'
2021-07-07 17:21:31 vlan_tagging = DISABLED
2021-07-07 17:21:31 vlan_accept = all
2021-07-07 17:21:31 vlan_pvid = 1
2021-07-07 17:21:31 client = ENABLED
2021-07-07 17:21:31 pull = ENABLED
2021-07-07 17:21:31 auth_user_pass_file = '[UNDEF]'
2021-07-07 17:21:31 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.22-0-g9b79d2c5] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 15 2021
2021-07-07 17:21:31 library versions: OpenSSL 1.1.1j 16 Feb 2021, LZO 2.10
2021-07-07 17:21:31 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2021-07-07 17:21:31 MANAGEMENT: CMD 'version 3'
2021-07-07 17:21:31 MANAGEMENT: CMD 'hold release'
2021-07-07 17:21:31 MANAGEMENT: CMD 'bytecount 2'
2021-07-07 17:21:31 MANAGEMENT: CMD 'state on'
2021-07-07 17:21:31 MANAGEMENT: >STATE:1625671291,RESOLVE,,,,,,
2021-07-07 17:21:31 MANAGEMENT: CMD 'proxy NONE'
2021-07-07 17:21:32 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-07-07 17:21:32 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-07-07 17:21:32 Control Channel MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
2021-07-07 17:21:32 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2021-07-07 17:21:32 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client'
2021-07-07 17:21:32 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-server'
2021-07-07 17:21:32 TCP/UDP: Preserving recently used remote address: [AF_INET6]2a00:6020:1000:9::84b:bbd5:1194
2021-07-07 17:21:32 Socket Buffers: R=[245760->245760] S=[245760->245760]
2021-07-07 17:21:32 setsockopt(IPV6_V6ONLY=0)
2021-07-07 17:21:32 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2021-07-07 17:21:32 UDP link local (bound): [AF_INET6][undef]:1194
2021-07-07 17:21:32 UDP link remote: [AF_INET6]2a00:6020:1000:9::84b:bbd5:1194
2021-07-07 17:21:32 MANAGEMENT: >STATE:1625671292,WAIT,,,,,,
2021-07-07 17:21:32 MANAGEMENT: >STATE:1625671292,AUTH,,,,,,
2021-07-07 17:21:32 TLS: Initial packet from [AF_INET6]2a00:6020:1000:9::84b:bbd5:1194, sid=cdc01c69 e7bb580d
2021-07-07 17:21:32 VERIFY OK: depth=1, CN=internal-ca
2021-07-07 17:21:32 VERIFY KU OK
2021-07-07 17:21:32 Validating certificate extended key usage
2021-07-07 17:21:32 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-07-07 17:21:32 VERIFY EKU OK
2021-07-07 17:21:32 VERIFY X509NAME OK: CN=internal-ca
2021-07-07 17:21:32 VERIFY OK: depth=0, CN=internal-ca
2021-07-07 17:21:32 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1602'
2021-07-07 17:21:32 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2021-07-07 17:21:32 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2021-07-07 17:21:32 [internal-ca] Peer Connection Initiated with [AF_INET6]2a00:6020:1000:9::84b:bbd5:1194
2021-07-07 17:21:34 MANAGEMENT: >STATE:1625671294,GET_CONFIG,,,,,,
2021-07-07 17:21:34 SENT CONTROL [internal-ca]: 'PUSH_REQUEST' (status=1)
2021-07-07 17:21:34 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN mylocaldomain.net,dhcp-option DNS 192.168.77.1,dhcp-option DNS6 2001:4860:4860::8888,dhcp-option DNS6 2620:119:53::53,dhcp-option DNS6 2620:119:35::35,block-outside-dns,register-dns,redirect-gateway def1,redirect-gateway ipv6,compress ,route-ipv6 2000::/3,tun-ipv6,route-gateway 192.168.77.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 2a00:6020:1000:9::1000/64 2a00:6020:1000:9::1,ifconfig 192.168.77.2 255.255.255.0,peer-id 1'
2021-07-07 17:21:34 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: block-outside-dns (2.5_master)
2021-07-07 17:21:34 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: register-dns (2.5_master)
2021-07-07 17:21:34 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2021-07-07 17:21:34 OPTIONS IMPORT: timers and/or timeouts modified
2021-07-07 17:21:34 OPTIONS IMPORT: compression parms modified
2021-07-07 17:21:34 OPTIONS IMPORT: --ifconfig/up options modified
2021-07-07 17:21:34 OPTIONS IMPORT: route options modified
2021-07-07 17:21:34 OPTIONS IMPORT: route-related options modified
2021-07-07 17:21:34 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-07-07 17:21:34 OPTIONS IMPORT: peer-id set
2021-07-07 17:21:34 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-07-07 17:21:34 Using peer cipher 'AES-128-CBC'
2021-07-07 17:21:34 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2021-07-07 17:21:34 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-07-07 17:21:34 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2021-07-07 17:21:34 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-07-07 17:21:34 ROUTE_GATEWAY 127.100.103.119 IFACE=android-gw
2021-07-07 17:21:34 GDG6: remote_host_ipv6=2a00:6020:1000:9::84b:bbd5
2021-07-07 17:21:34 ROUTE6_GATEWAY :: IFACE=android-gw
2021-07-07 17:21:34 do_ifconfig, ipv4=1, ipv6=1
2021-07-07 17:21:34 MANAGEMENT: >STATE:1625671294,ASSIGN_IP,,192.168.77.2,,,,,2a00:6020:1000:9::1000
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'IFCONFIG6' ok'
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2021-07-07 17:21:34 add_route_ipv6(2000::/3 -> 2a00:6020:1000:9::1 metric -1) dev (null)
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'ROUTE6' ok'
2021-07-07 17:21:34 add_route_ipv6(::/3 -> 2a00:6020:1000:9::1 metric -1) dev (null)
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'ROUTE6' ok'
2021-07-07 17:21:34 add_route_ipv6(2000::/4 -> 2a00:6020:1000:9::1 metric -1) dev (null)
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'ROUTE6' ok'
2021-07-07 17:21:34 add_route_ipv6(3000::/4 -> 2a00:6020:1000:9::1 metric -1) dev (null)
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'ROUTE6' ok'
2021-07-07 17:21:34 add_route_ipv6(fc00::/7 -> 2a00:6020:1000:9::1 metric -1) dev (null)
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'ROUTE6' ok'
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'DNS6SERVER' ok'
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'DNS6SERVER' ok'
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'DNS6SERVER' ok'
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'DNSDOMAIN' ok'
2021-07-07 17:21:34 Opening tun interface:
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2021-07-07 17:21:34 Local IPv4: 192.168.77.2/24 IPv6: 2a00:6020:1000:9::1000/64 MTU: 1500
2021-07-07 17:21:34 DNS Server: 2001:4860:4860::8888, 2620:119:53::53, 2620:119:35::35, 192.168.77.1, Domain: lesmartinslocal.net
2021-07-07 17:21:34 Routes: 0.0.0.0/0, 192.168.77.0/24 ::/3, 2000::/4, 2000::/3, 3000::/4, fc00::/7
2021-07-07 17:21:34 Routes excluded:
2021-07-07 17:21:34 VpnService routes installed: 0.0.0.0/0 ::/3, 2000::/3, fc00::/7
2021-07-07 17:21:34 Disallowed VPN apps:
2021-07-07 17:21:34 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2021-07-07 17:21:34 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-07-07 17:21:34 Initialization Sequence Completed
2021-07-07 17:21:34 MANAGEMENT: >STATE:1625671294,CONNECTED,SUCCESS,192.168.77.2,2a00:6020:1000:9::84b:bbd5,1194,,,2a00:6020:1000:9::1000
2021-07-07 17:21:34 Debug state info: CONNECTED LTE to MOBILE web.vodafone.de, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
Or assuming this is a NAT problem as @Bob-Dig suggested what should I try?
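An added example, not part of the original post: one way to triage a client log like the one above is to pull out the pushed options, compare the pushed tunnel networks with the address the client actually dialed, and list the warnings. An endpoint address inside the pushed tunnel /64 means the same prefix is in use on both sides of the VPN, which makes routing ambiguous. The function names are hypothetical; the sample lines are copied from the log in this post.

```python
import ipaddress
import re

# Lines copied from the client log in the post above (only the entries used here).
SAMPLE_LOG = """\
2021-07-07 17:21:32 UDP link remote: [AF_INET6]2a00:6020:1000:9::84b:bbd5:1194
2021-07-07 17:21:32 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1602'
2021-07-07 17:21:32 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2021-07-07 17:21:34 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN mylocaldomain.net,dhcp-option DNS 192.168.77.1,dhcp-option DNS6 2001:4860:4860::8888,dhcp-option DNS6 2620:119:53::53,dhcp-option DNS6 2620:119:35::35,block-outside-dns,register-dns,redirect-gateway def1,redirect-gateway ipv6,compress ,route-ipv6 2000::/3,tun-ipv6,route-gateway 192.168.77.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 2a00:6020:1000:9::1000/64 2a00:6020:1000:9::1,ifconfig 192.168.77.2 255.255.255.0,peer-id 1'
2021-07-07 17:21:34 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: block-outside-dns (2.5_master)
2021-07-07 17:21:34 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: register-dns (2.5_master)
"""


def parse_push_reply(log):
    """Return the pushed options as lists of words, e.g. ['redirect-gateway', 'def1']."""
    match = re.search(r"'PUSH_REPLY,([^']*)'", log)
    if not match:
        return []
    return [opt.split() for opt in match.group(1).split(",") if opt.strip()]


def tunnel_networks(options):
    """Networks implied by the pushed ifconfig / ifconfig-ipv6 options, in push order."""
    nets = []
    for opt in options:
        if opt[0] == "ifconfig-ipv6" and len(opt) >= 2:
            nets.append(ipaddress.ip_interface(opt[1]).network)
        elif opt[0] == "ifconfig" and len(opt) >= 3:
            # 'topology subnet' form: address followed by a dotted netmask
            nets.append(ipaddress.ip_interface(f"{opt[1]}/{opt[2]}").network)
    return nets


def remote_endpoint(log):
    """Address the client dialed, taken from the 'UDP link remote' entry."""
    match = re.search(r"UDP link remote: \[AF_INET6?\](\S+):(\d+)", log)
    return ipaddress.ip_address(match.group(1)) if match else None


def review(log):
    """Collect findings: endpoint/tunnel overlap first, then warnings and option errors."""
    findings = []
    remote = remote_endpoint(log)
    for net in tunnel_networks(parse_push_reply(log)):
        if remote is not None and remote.version == net.version and remote in net:
            findings.append(
                f"server endpoint {remote} is inside pushed tunnel network {net}"
            )
    for line in log.splitlines():
        if "WARNING:" in line or "Options error:" in line:
            # drop the date and time columns, keep the message
            findings.append(line.split(" ", 2)[2])
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print("-", finding)
```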
-
Dear,
I have the same problem and I disable redirect gateway
-
Many thanks for the suggestion - I tried that, exported a new client profile, and unfortunately no difference.
-
Can anyone offer any help debugging this please - I am not making any progress.