Netgate Discussion Forum

    Ovpn Remote Access Openvpncpnnect Android

    OpenVPN
    • S
      Summer
      last edited by

      @Gertjan said in Host Overrides doesn't override:

      Then an android comes into play - and now, you tell me : you didn't know that android always phones to home = uses 8.8.8.8 ?
      Anyway, this android uses 8.8.8.8 as its DNS source.

      @Gertjan thanks for the explanation, it seems more complicated than that. The same Android 13 device with the same Openvpnconnect version, with the old ovpn server and pfsense 22.01, was not having this issue.

      Now from this client I can ping lan devices but can use neither the samba server nor the HTTP servers in SITEA (whereas I can reach SITEB hosts fine).

      This is the log from ovpn client:

      [ago 25, 2023, 08:27:21] EVENT: CANCELLED
      [ago 25, 2023, 08:27:21] EVENT: DISCONNECTED
      [ago 25, 2023, 08:27:21] Tunnel bytes per CPU second: 0
      [ago 25, 2023, 08:27:21] ----- OpenVPN Stop -----
      [ago 25, 2023, 08:27:21] EVENT: CORE_THREAD_DONE
      [ago 25, 2023, 08:27:22] OpenVPN core 3.git::081bfebe:RelWithDebInfo android arm64 64-bit PT_PROXY
      [ago 25, 2023, 08:27:22] ----- OpenVPN Start -----
      [ago 25, 2023, 08:27:22] EVENT: CORE_THREAD_ACTIVE
      [ago 25, 2023, 08:27:22] Frame=512/2048/512 mssfix-ctrl=1250
      [ago 25, 2023, 08:27:22] UNUSED OPTIONS
      0 [persist-tun]
      1 [persist-key]
      2 [data-ciphers] [AES-256-GCM:AES-128-GCM:AES-256-CBC]
      3 [data-ciphers-fallback] [AES-256-CBC]
      5 [tls-client]
      8 [block-outside-dns]
      9 [nobind]
      12 [explicit-exit-notify]
      [ago 25, 2023, 08:27:22] EVENT: RESOLVE
      [ago 25, 2023, 08:27:22] Contacting ovpnserver via UDP
      [ago 25, 2023, 08:27:22] EVENT: WAIT
      [ago 25, 2023, 08:27:22] Connecting to [ovpnserver() via UDPv4
      [ago 25, 2023, 08:27:22] EVENT: CONNECTING
      [ago 25, 2023, 08:27:22] Tunnel Options:V4,dev-type tun,link-mtu 1585,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA512,keysize 128,tls-auth,key-method 2,tls-client
      [ago 25, 2023, 08:27:22] Creds: UsernameEmpty/PasswordEmpty
      [ago 25, 2023, 08:27:22] Peer Info:
      IV_VER=3.git::081bfebe:RelWithDebInfo
      IV_PLAT=android
      IV_NCP=2
      IV_TCPNL=1
      IV_PROTO=30
      IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
      IV_AUTO_SESS=1
      IV_GUI_VER=net.openvpn.connect.android_3.3.4-9290
      IV_SSO=webauth,openurl,crtext
      IV_BS64DL=1
      [ago 25, 2023, 08:27:22] VERIFY OK: depth=1,  signature: RSA-SHA256
      [ago 25, 2023, 08:27:22] VERIFY OK: depth=0,  signature: RSA-SHA256
      [ago 25, 2023, 08:27:22] SSL Handshake: peer certificate: CN=w, 2048 bit RSA, cipher: TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
      [ago 25, 2023, 08:27:22] Session is ACTIVE
      [ago 25, 2023, 08:27:22] Sending PUSH_REQUEST to server...
      [ago 25, 2023, 08:27:22] EVENT: GET_CONFIG
      [ago 25, 2023, 08:27:23] Sending PUSH_REQUEST to server...
      [ago 25, 2023, 08:27:25] Sending PUSH_REQUEST to server...
      [ago 25, 2023, 08:27:28] Sending PUSH_REQUEST to server...
      [ago 25, 2023, 08:27:28] OPTIONS:
      0 [route] [SITEB.0] [255.255.255.0]
      1 [block-outside-dns]
      2 [register-dns]
      3 [route] [SITEA.0] [255.255.255.0]
      4 [route] [SITEB.0] [255.255.255.0]
      5 [dhcp-option] [DNS] [10.7.208.3]
      6 [route-gateway] [TUNNEL.1]
      7 [topology] [subnet]
      8 [ping] [10]
      9 [ping-restart] [60]
      10 [ifconfig] [TUNNEL.2] [255.255.255.0]
      11 [peer-id] [0]
      12 [cipher] [AES-256-GCM]
      13 [key-derivation] [tls-ekm]
      [ago 25, 2023, 08:27:28] PROTOCOL OPTIONS:
        cipher: AES-256-GCM
        digest: NONE
        key-derivation: TLS Keying Material Exporter [RFC5705]
        compress: NONE
        peer ID: 0
        control channel: tls-auth enabled
      [ago 25, 2023, 08:27:28] EVENT: ASSIGN_IP
      [ago 25, 2023, 08:27:28] Connected via tun
      [ago 25, 2023, 08:27:28] EVENT: CONNECTED info='ovpnserver via /UDPv4 on tun/TUNNEL.2/ gw=[TUNNEL.1/]'
      
      
      • S
        Summer @Summer
        last edited by

        @Summer it's not Android related, it's common to this ovpn server.

        Linux client is connected but:

        Kernel IP routing table
        Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
        default         _gateway        0.0.0.0         UG    600    0        0 wlan0
        TUNNEL.0       0.0.0.0         255.255.255.0   U     0      0        0 tun0
        SITEA.0      TUNNEL.1       255.255.255.0   UG    0      0        0 tun0
        SITEB.0      TUNNEL.1       255.255.255.0   UG    0      0        0 tun0
        

        I can ping SITEA hosts but not connect to:

        ping SITEA.1
        PING SITEA.1 (SITEA.1) 56(84) bytes of data.
        64 bytes from SITEA.1: icmp_seq=1 ttl=63 time=68.6 ms
        

        Instead SITEB hosts are both pingable and reachable.

        • GertjanG
          Gertjan @Summer
          last edited by

          @Summer

          When you connect an OpenVPN client device using "Openvpnconnect" :
          Connect.
          Check the openvpn client (and openvpn server) log.

          Then, for example, get the numbers :

          ipconfig /all
          

          or equivalent on your device.

          You want to know :
          What is the gateway ?
          What is the DNS IP used ?

          And there is more.
          On the pfSense side :
          Is the resolver (unbound) listening on the OpenVPN (server) interface ? On the openvpn client device, can you do this :
          nslookup google.com 192.a.b.c where 192.168.a.b.c is the Openvpn server interface on pfSense ?
          Or
          dig @192.a.b.c google.com

          Btw : what is sitea and siteb ? Where are they ?

          Here : Configuring OpenVPN Remote Access in pfSense Software : that is the "make openvpn work in 7 minutes" official video and can be reproduced any time.
          If "your way" doesn't work, use "that way".

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • S
            Summer @Gertjan
            last edited by

            @Gertjan thanks, I've seen the tutorial, the ovpn client is connected, the gateway it is using is the ovpn.server.

            I've removed the option Redirect IPv4 Gateway
            [image]

            Now from Diagnostics > pfTop > src ovpn.clientip

            pfTop: Up State 1-5/5 (690), View: default, Order: bytes
            PR        DIR SRC                           DEST                                   STATE                AGE       EXP     PKTS    BYTES
            tcp       In  OVPN.CLIENT:40692               SITEA:445                 FIN_WAIT_2:ESTABLISHED  00:03:24  00:13:36       58    26849
            tcp       Out OVPN.CLIENT:40692               SITEA:445                ESTABLISHED:FIN_WAIT_2   00:03:24  00:13:36       58    26849
            

            This means the client reaches the host in the SITEA lan but looking at the client it is like in an eternal waiting status.

            I gave up, deleted the old ovpn server and created a new one following the tutorial (just kept the old key and certs). Now it won't start:

            Exiting due to fatal error
            Insufficient key material or header text not found in file '[[INLINE]]' (0/128/256 bytes found/min/max)
            OpenVPN PID written: 54909
            DCO version: FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05_1-n256108-459fc493a87: Wed Jun 28 04:23:25 UTC 2023     root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/obj/armv7/5FnzzDxN/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/sources/
            library versions: OpenSSL 1.1.1t-freebsd  7 Feb 2023, LZO 2.10
            OpenVPN 2.6.2 armv7-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
            
              • GertjanG
                Gertjan @Summer
                last edited by

                @Summer said in Ovpn Remote Access Openvpncpnnect Android:

                This means the client reaches the host in the SITEA lan but looking at the client it is like in an eternal waiting status.

                And the firewall of SITEA and SITEB accepts connections from the OpenVPN network ?

                Packet capture on the network where SITEA and SITEB is situated ?

                @Summer said in Ovpn Remote Access Openvpncpnnect Android:

                Insufficient key material or header text not found in file

                Don't be impressed with that message.
                Google : openvpn Insufficient key material or header text not found in file => read => done.
                I've never seen that error but it's clear to me that some info is missing (you've forgotten a step and that bites you back)

                • S
                  Summer @Gertjan
                  last edited by

                  @Gertjan said in Ovpn Remote Access Openvpncpnnect Android:

                  I've never seen that error but it's clear to me that some info is missing (you've forgotten a step and that bites you back)

                  this is solved, I'm connected but still in the previous situation.

                  @Gertjan said in Ovpn Remote Access Openvpncpnnect Android:

                  And the firewall of SITEA and SITEB accepts connections from the OpenVPN network ?

                  [image]

                  Packet capture on the network where SITEA and SITEB is situated ?

                  Sources show SITEAhost Destination OVPN.CLIENT but
                  and for HTTP request Source show OVPN.CLIENT and destination SITEAhost but there's something wrong:

                  Diagnostics > Packet Capture shows:

                  [image]

                  • GertjanG
                    Gertjan @Summer
                    last edited by

                    @Summer said in Ovpn Remote Access Openvpncpnnect Android:

                    And the firewall of SITEA and SITEB accepts connections from the OpenVPN network ?
                    

                    [image]

                    You showed the firewall of the device on which the web server is running ?
                    Do you run a web server on pfSense ?

                    What is the interface you're showing ?
                    You showed just a pass rule. On where what ? How should I know if that rule is an issue ?

                    The http request is sent to a device on which a web-server is running : my question was : is this web server answering your requests ? Does this web server receive your requests ? You've looked at the web server logs ?
                    I see no answer from this device in your packet capture.

                    • S
                      Summer @Gertjan
                      last edited by

                      @Gertjan said in Ovpn Remote Access Openvpncpnnect Android:

                      You showed the firewall of the device on which the web server is running ?

                      yes, it is

                      @Gertjan said in Ovpn Remote Access Openvpncpnnect Android:

                      Do you run a web server on pfSense ?

                      Yes the default GUI

                      @Gertjan said in Ovpn Remote Access Openvpncpnnect Android:

                      You showed just a pass rule. On where what ? How should I know if that rule is an issue ?

                      I've set up this rule on both OVPN and LAN first line (just to test).

                      @Gertjan said in Ovpn Remote Access Openvpncpnnect Android:

                      What is the interface you're showing ?

                      it's just wireshark of the Diagnostic > Packet Capture

                      @Gertjan said in Ovpn Remote Access Openvpncpnnect Android:

                      The http request is sent to a device on which a web-server is running : my question was : is this web server answering your requests ?

                      Yes the server shows this log:

                      OVPNCLIENTIP - - [25/Aug/2023:09:15:03 +0000] "GET /login/ HTTP/1.1" 200 25532 "-" "Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile DuckDuckGo/5 Safari/537.36"
                      

                      @Gertjan said in Ovpn Remote Access Openvpncpnnect Android:

                      I see no answer from this device in your packet capture.

                      Me too but I cannot understand why.
                      flow should be:

                      OVPN.CLIENT > SITEAHOST
                      SITEAHOST > OVPN.CLIENT
                      

                      if I ping OVPN.CLIENT from SITEAHOST it answers both ways, but all the rest fails:

                      [image]

                      • S
                        Summer @Summer
                        last edited by Summer

                        Is there a way to look at the Internal Routing (iroute)?

                        This is not a site-to-site but cannot be the case?

                        Can Pfsense reach ovpnclient? Yes

                        route -n get OVPN.CLIENT
                           route to: OVPN.CLIENT
                        destination: TUNNEL.0
                               mask: 255.255.255.0
                                fib: 0
                          interface: ovpns4
                              flags: <UP,DONE,PINNED>
                         recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
                               0         0         0         0      1500         1         0
                        

                        Can Pfsense reach SITEA host ? Yes

                        route -n get SITEA.1
                           route to: SITEA.1
                        destination: SITEA.0
                               mask: 255.255.255.0
                                fib: 0
                          interface: mvneta1
                              flags: <UP,DONE,PINNED>
                         recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
                               0         0         0         0      1500         1         0
                        

                        Can ovpn client reach:

                        • SITEA.1? yes traceroute shows: OVPNTUNNEL.SERVER > SITEA.1

                        • SITEB.1? yes traceroute shows: OVPNTUNNEL.SERVER > SITEB.1

                        • pfsenseLANip ? NO traceroute got no answer.

                        Can ovpn client reach HTTP server?

                        http://SITEA.1/ : yes page is loaded correctly
                        http://SITEA.1/login : no (page exists and it's reachable from LAN)

                        Now who can interfere when adding a path after IP ?

                        • GertjanG
                          Gertjan @Summer
                          last edited by

                          @Summer said in Ovpn Remote Access Openvpncpnnect Android:

                          http://SITEA.1/login : no (page exists and it's reachable from LAN)

                          Show the web server log from SITEA.1 at that moment.

                          • S
                            Summer @Gertjan
                            last edited by

                            @Gertjan
                            from browser I get:

                            http://SITEA.1/ : yes page is loaded correctly

                            Request Method:
                            GET
                            Status Code:
                            200 OK
                            

                            and from server side:

                            OVPN.CLIENT - - [25/Aug/2023:15:12:47 +0200] "GET / HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Linux; Android 13; Nokia X10 Build/TKQ1.220807.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36"
                            

                            http://SITEA.1/login : no (page exists and it's reachable from LAN)

                            Request Method:
                            Status Code:
                            it just waits forever
                            

                            and from server side:

                            OVPN.CLIENT - - [25/Aug/2023:15:13:28 +0200] "GET /login HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Linux; Android 13; Nokia X10 Build/TKQ1.220807.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36"
                            OVPN.CLIENT - - [25/Aug/2023:15:13:47 +0200] "GET /favicon.ico HTTP/1.1" 404 46488 "http://SITEA.1/" "Mozilla/5.0 (Linux; Android 13; Nokia X10 Build/TKQ1.220807.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36"
                            OVPN.CLIENT - - [25/Aug/2023:15:14:28 +0200] "GET /login/ HTTP/1.1" 200 46358 "-" "Mozilla/5.0 (Linux; Android 13; Nokia X10 Build/TKQ1.220807.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36"
                            
                            

                            but the browser is waiting, nothing is loaded.

                            • GertjanG
                              Gertjan @Summer
                              last edited by

                              @Summer

                              After a first [15:13:28] GET /login the web server emits a "301" or permanent redirect
                              After a second [15:14:28] GET /login/ the web server emits a "200" which means "Success, got that file, here it is", and it sends a web page back to the browser

                              Take note of the details : the browser was asking for content in the folder login (hence the /login/)
                              The first try was using /login - this can be a file called login or login.html or login.php

                              The "301" was answered by the web server as by the web server config.

                              It depends on your web server settings what happens when you do a
                              / (nothing) - normally it searches for the file index.html, or index.htm or index.php or ?
                              /login means a file called login ? This second is a bit flawed
                              /login/ as / but in the /login/ folder in the web root directory.

                              The browser was also looking for the /favicon.ico file, the error code 401 means : file not found (in the web server's web root folder)

                              • S
                                Summer @Gertjan
                                last edited by

                                @Gertjan Your analysis makes sense, I've looked at the server log while requesting the resource from LAN:

                                http://SITEA.1/login : results in a fast loading of the page

                                LAN.CLIENT - - [25/Aug/2023:15:57:40 +0200] "GET /favicon.ico HTTP/1.1" 404 50056 "http://acciaio.internal/uslat" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36"
                                LAN.CLIENT - - [25/Aug/2023:15:57:50 +0200] "GET /login HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36"
                                LAN.CLIENT - - [25/Aug/2023:15:57:50 +0200] "GET /login/ HTTP/1.1" 200 49950 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36"
                                LAN.CLIENT - - [25/Aug/2023:15:57:50 +0200] "GET /static/app.css HTTP/1.1" 304 0 "http://acciaio.internal/static/app.css" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36"
                                
                                

                                But looking closely, it seems to be using the dns resolver host override: that fails from ovpn.client.

                                GertjanG 1 Reply Last reply Reply Quote 0
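Added example (not part of any post in this thread): a short Python script that pairs each trailing-slash 301 with the follow-up request from the same client and reports the gap between the two entries as logged by the server. The log lines are the ones quoted in the posts above with the user-agent shortened to "UA"; the function names, the 5-second threshold, and the assumption that the redirect target is the same path plus "/" belong to this example.

```python
import re
from datetime import datetime

# Access-log lines copied from the posts above; user-agent strings shortened to "UA".
SAMPLE_LOG = """\
OVPN.CLIENT - - [25/Aug/2023:15:13:28 +0200] "GET /login HTTP/1.1" 301 5 "-" "UA"
OVPN.CLIENT - - [25/Aug/2023:15:13:47 +0200] "GET /favicon.ico HTTP/1.1" 404 46488 "http://SITEA.1/" "UA"
OVPN.CLIENT - - [25/Aug/2023:15:14:28 +0200] "GET /login/ HTTP/1.1" 200 46358 "-" "UA"
LAN.CLIENT - - [25/Aug/2023:15:57:50 +0200] "GET /login HTTP/1.1" 301 5 "-" "UA"
LAN.CLIENT - - [25/Aug/2023:15:57:50 +0200] "GET /login/ HTTP/1.1" 200 49950 "-" "UA"
LAN.CLIENT - - [25/Aug/2023:15:57:50 +0200] "GET /static/app.css HTTP/1.1" 304 0 "http://acciaio.internal/static/app.css" "UA"
"""

# Common/combined log format: client, ident, user, [time], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "client": m["client"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def redirect_followup_gaps(log_text):
    """Pair each 301/308 on a path without trailing slash with the next
    request from the same client for path + "/" (assumed redirect target).
    Returns (client, followed_path, followup_status, gap_seconds) tuples."""
    pending = {}   # (client, expected follow-up path) -> time of the redirect
    results = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # skip lines that are not in the expected format
        key = (entry["client"], entry["path"])
        if key in pending:
            gap = (entry["time"] - pending.pop(key)).total_seconds()
            results.append((entry["client"], entry["path"], entry["status"], gap))
        if entry["status"] in (301, 308) and not entry["path"].endswith("/"):
            pending[(entry["client"], entry["path"] + "/")] = entry["time"]
    return results


def slow_followups(log_text, threshold=5.0):
    """Follow-ups that arrived more than `threshold` seconds after the redirect."""
    return [r for r in redirect_followup_gaps(log_text) if r[3] > threshold]


if __name__ == "__main__":
    for client, path, status, gap in redirect_followup_gaps(SAMPLE_LOG):
        print(f"{client:12} {path:10} status={status} gap={gap:.0f}s")
```

The gap only says how long the server waited between logging the redirect and logging the follow-up request; it does not by itself say where along the path the time was spent.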
                                • GertjanG
                                  Gertjan @Summer
                                  last edited by

                                  @Summer

                                  See my post here https://forum.netgate.com/topic/176959/host-overrides-doesn-t-override/16?_=1692970326119

                                  Over there I created a host override in unbound. Used OpenVPN, checked that my override worked etc.

                                  • S
                                    Summer @Gertjan
                                    last edited by Summer

                                    @Gertjan so far I've edited:

                                    • server config Advanced client settings:
                                      [image]

                                    • Dns Resolver : Network Interfaces : All

                                    I was using OpenVPN Connect but I guess you're using another app, because I cannot find that DNS page.

                                    Tried also Android app: OpenVPN for Android by Arne Schwabe
                                    Edit Profile > IP and DNS > Edit DNS.

                                    But 8.8.8.8 is still in use.

                                    Now with the last trick:
                                    https://forum.netgate.com/post/1122380

                                    Correct DNS is used with every app,

                                    Now:

                                    http://acciaio.internal/ : yes page is loaded correctly

                                    Request Method:
                                    GET
                                    Status Code:
                                    200 OK
                                    

                                    server log

                                    OVPN.CLIENT - - [25/Aug/2023:16:39:33 +0200] "GET / HTTP/1.1" 403 94 "-" "Mozilla/5.0 (Linux; Android 13; Nokia X10 Build/TKQ1.220807.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36"
                                    

                                    http://acciaio.internal/login : no stuck after

                                    server log:

                                    
                                    OVPN.CLIENT - - [25/Aug/2023:16:39:42 +0200] "GET /login HTTP/1.1" 301 5 "-" "Mozilla/5.0 (Linux; Android 13; Nokia X10 Build/TKQ1.220807.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36"
                                    OVPN.CLIENT - - [25/Aug/2023:16:40:42 +0200] "GET /login/ HTTP/1.1" 200 46341 "-" "Mozilla/5.0 (Linux; Android 13; Nokia X10 Build/TKQ1.220807.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36"
                                    OVPN.CLIENT - - [25/Aug/2023:16:40:53 +0200] "GET /favicon.ico HTTP/1.1" 404 45114 "http://acciaio.internal/" "Mozilla/5.0 (Linux; Android 13; Nokia X10 Build/TKQ1.220807.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36"
                                    
                                    
                                    • GertjanG
                                      Gertjan @Summer
                                      last edited by Gertjan

                                      @Summer said in Ovpn Remote Access Openvpncpnnect Android:

                                      I was using OpenVPN Connect but I guess you're using another app, because I cannot find that DNS page.

                                      I use this app to test :

                                      https://apps.apple.com/us/app/he-net-network-tools/id858241710

                                      @Summer said in Ovpn Remote Access Openvpncpnnect Android:

                                      But 8.8.8.8 is still in use.

                                      Not without humor : I'm protected against 8.8.8.8 as I use an iPhone.
                                      I've nothing against 8.8.8.8, although I like to choose my own stuff, and that includes the DNS I use.
                                      I can imagine that other OSes don't want to give you that choice.
                                      After all : DNS ==> the big data .... right, bs : money !

                                      More serious :

                                      @Summer said in Ovpn Remote Access Openvpncpnnect Android:

                                      Correct DNS is used with every app,

                                      So you use the DNS of pfSense, the one you've set up in the OpenVPN server ?
                                      You use a browser that doesn't override your DNS ?
                                      I've heard that Google makes its own browser. And people even use them ( ?!!). What DNS does this browser use ? Make 1 guess. Are you surprised ?

                                      • S
                                        Summer @Gertjan
                                        last edited by

                                        @Gertjan said in Ovpn Remote Access Openvpncpnnect Android:

                                        So you use the DNS of pfSense, the one you've set up in the OpenVPN server ?

                                        Yes

                                        @Gertjan said in Ovpn Remote Access Openvpncpnnect Android:

                                        You use a browser that doesn't override your DNS ?

                                        It seems that is not happening, as the same behavior can be replicated with a Windows 10 client.

                                        I've tried a layer 2 tunnel and it works fine for Windows; now I need to understand what's happening inside Layer 3, as some services work and others do not.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.