
Trying to set up OpenVPN to connect Android devices back to my home network. Currently I'm able to connect to the VPN but can't transfer any data, i.e. can't ping, can't hit sites, etc. Here's my server config file:

port 1234
proto udp
dev tap
dev-node tap-bridge
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
topology subnet
push "topology subnet"
ifconfig-pool-persist ipp.txt
server-bridge 172.26.0.2 255.255.255.248 172.26.0.3 172.26.0.5
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

Here's my client config:

client
dev tap
dev-node tap-bridge
proto udp
remote **** 1234
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
topology subnet

Here's the output from the status window of the VPN server:

Mon Nov  8 20:50:33 2021 174.215.16.183:15438 TLS: Initial packet from [AF_INET6]::ffff:174.215.16.183:15438, sid=8c2f0064 9d7a75c8
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 VERIFY OK: depth=1, CN=example.com
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 VERIFY OK: depth=0, CN=Client1
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_VER=3.git::662eae9a:Release
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_PLAT=android
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_NCP=2
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_TCPNL=1
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_PROTO=2
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_AUTO_SESS=1
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 peer info: IV_SSO=openurl
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1589', remote='link-mtu 1557'
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Nov  8 20:50:33 2021 174.215.16.183:15438 [Client1] Peer Connection Initiated with [AF_INET6]::ffff:174.215.16.183:15438
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI_sva: pool returned IPv4=172.26.0.3, IPv6=(Not enabled)
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 PUSH: Received control message: 'PUSH_REQUEST'
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 SENT CONTROL [Client1]: 'PUSH_REPLY,topology subnet,route-gateway 172.26.0.2,ping 10,ping-restart 120,ifconfig 172.26.0.3 255.255.255.248,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI: Learn: 00:01:fe:80:00:00@0 -> Client1/174.215.16.183:15438
Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI: Learn: 3a:ff:fe:80:00:00@0 -> Client1/174.215.16.183:15438

Finally, here are the logs from the Android device:

20:10:43.123 -- ----- OpenVPN Start -----
20:10:43.124 -- EVENT: CORE_THREAD_ACTIVE
20:10:43.126 -- OpenVPN core 3.git::662eae9a:Release android arm64 64-bit PT_PROXY
20:10:43.127 -- Frame=512/2048/512 mssfix-ctrl=1250
20:10:43.127 -- UNUSED OPTIONS
1 [dev-node] [tap-bridge] 
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
13 [verb] [3] 
20:10:43.128 -- EVENT: RESOLVE
20:10:43.130 -- Contacting 1.2.3.4:1234 via UDP
20:10:43.131 -- EVENT: WAIT
20:10:43.132 -- Connecting to [example.com]:1234 (1.2.3.4) via UDPv4
20:10:43.200 -- EVENT: CONNECTING
20:10:43.204 -- Tunnel Options:V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
20:10:43.204 -- Creds: UsernameEmpty/PasswordEmpty
20:10:43.205 -- Peer Info:
IV_VER=3.git::662eae9a:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
IV_SSO=openurl
20:10:43.296 -- VERIFY OK: depth=1, /CN=example
20:10:43.297 -- VERIFY OK: depth=0, /CN=server
20:10:43.428 -- SSL Handshake: CN=server, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
20:10:43.429 -- Session is ACTIVE
20:10:43.429 -- EVENT: GET_CONFIG
20:10:43.432 -- Sending PUSH_REQUEST to server...
20:10:43.486 -- OPTIONS:
0 [topology] [subnet] 
1 [route-gateway] [172.26.0.2] 
2 [ping] [10] 
3 [ping-restart] [120] 
4 [ifconfig] [172.26.0.3] [255.255.255.248] 
5 [peer-id] [0] 
6 [cipher] [AES-256-GCM] 
20:10:43.487 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  compress: NONE
  peer ID: 0
20:10:43.488 -- EVENT: ASSIGN_IP
20:10:43.499 -- Connected via tun
20:10:43.500 -- EVENT: CONNECTED info='example.com:6832 (1.2.3.4) via /UDPv4 on tun/172.26.0.3/ gw=[172.26.0.2/]'
20:10:43.992 -- TUN write exception: write_some: Invalid argument
20:10:44.012 -- TUN write exception: write_some: Invalid argument
20:10:44.013 -- TUN write exception: write_some: Invalid argument

When sending a ping from the Android device directed at the VPN server (172.26.0.2), I'm getting no response from the server; however, the bottom line in the server logs continues to grow with what I believe is a MAC address changing every ping. This also happens when trying to request something from within the LAN: websites, cameras, etc.

Mon Nov  8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI: Learn: 3a:ff:fe:80:00:00@0 -> Client1/174.215.16.183:15438

On the Android logs, the last line just repeats itself every couple of seconds or so.

20:10:44.013 -- TUN write exception: write_some: Invalid argument
huzer1
  • Does this answer your question? [Should I use tap or tun for openvpn?](https://serverfault.com/questions/21157/should-i-use-tap-or-tun-for-openvpn) – Nikita Kipriyanov Nov 09 '21 at 06:10

1 Answer

Android won't work with tap. Use tun. See the wiki.

Your other option may be recompiling the kernel in Android so it'll support tap.

Another important consideration is that tun is more efficient. The tap (virtual Ethernet) mode must only be used when absolutely necessary. Don't use it unless you know for sure you need it and can explain why.

Nikita Kipriyanov
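As an added example (not part of the question or the answer), a small Python lint that reads an OpenVPN server config, a client config and the server's status log and reports the tap/tun inconsistency the answer points to: a `dev tap` client profile on Android, a `server-bridge` server that is not in tap mode, and the `'... is used inconsistently'` warnings seen in the server log above. The directive names and the rule that `server-bridge` requires tap are OpenVPN's; the function names and the shortened sample strings are constructed here from the configs and log in the question.

```python
"""Spot the tap/tun inconsistencies from this page in an OpenVPN server config,
client config and server status log (added example, not from the original post)."""
import re

PAIRED = ("dev", "proto", "topology")  # both ends must agree on these
WARN_RE = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
                     r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")


def parse_ovpn(text):
    """Return {directive: [args]}; '#'/';' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            parts = re.findall(r'"[^"]*"|\S+', line)  # keep quoted paths whole
            conf[parts[0]] = [p.strip('"') for p in parts[1:]]
    return conf


def log_mismatches(log_text):
    """Return {option: (local, remote)} for each 'used inconsistently' warning."""
    return {m["opt"]: (m["local"], m["remote"])
            for m in map(WARN_RE.search, log_text.splitlines()) if m}


def lint_pair(server_cfg, client_cfg, log_text="", client_is_android=False):
    """Return findings as strings; an empty list means no tap/tun problem found."""
    s, c = parse_ovpn(server_cfg), parse_ovpn(client_cfg)
    findings = [f"{k}: server={' '.join(s[k])} client={' '.join(c[k])}"
                for k in PAIRED if k in s and k in c and s[k] != c[k]]
    # Android clients negotiate a tap config down to tun, so the server keeps
    # learning MAC addresses while the client drops every frame (the question).
    if client_is_android and c.get("dev") == ["tap"]:
        findings.append("client dev tap: Android OpenVPN clients only support tun")
    if "server-bridge" in s and s.get("dev") != ["tap"]:
        findings.append("server-bridge needs dev tap; with tun use 'server <net> <mask>'")
    for opt, (local, remote) in log_mismatches(log_text).items():
        findings.append(f"log: {opt} local='{local}' remote='{remote}'")
    return findings


# Constructed sample: the two configs and one warning line from the question, shortened.
SERVER_CFG = "dev tap\nproto udp\ntopology subnet\nserver-bridge 172.26.0.2 255.255.255.248 172.26.0.3 172.26.0.5\n"
CLIENT_CFG = "client\ndev tap\nproto udp\ntopology subnet\nremote **** 1234\n"
SERVER_LOG = ("Mon Nov  8 20:50:33 2021 174.215.16.183:15438 WARNING: 'dev-type' is used "
              "inconsistently, local='dev-type tap', remote='dev-type tun'\n")

if __name__ == "__main__":
    print("\n".join(lint_pair(SERVER_CFG, CLIENT_CFG, SERVER_LOG, client_is_android=True)))
```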