89 posts
Master Geek
#260028 7-Nov-2019 12:12

Hi all

Bit of a technical one, so hoping I can get some help here.

I have an OpenVPN server running at home, and I have it working from my laptop, just not my phone.

I have my laptop (Windows 10) and Android (OnePlus) connected to the same WiFi (friend's network).

From my laptop I can browse to both internal services (NAS and dev web server) and external websites (Google showing my public IP as my home's IP).

From my phone I can get internal services, but not external ones.

I can see the traffic from my phone on my firewall leaving to the internet, but I can't get detailed enough logging to see what's coming back.
(I could try to find a way to get logging if needed.)

I'm a little lost, as the only difference between these is Windows vs Android; the routing and networks are exactly the same otherwise, so I'm not sure why it's not working as I expect it to.

Any help would be appreciated.

For reference:
Server: Ubuntu 16.04
VPN IP range: 10.10.101.x
VPN VLAN: 10.10.100.x
Static route pointing 10.10.101.x to server IP on 100 network

Laptop: Windows 10
Phone: Android / OnePlus 5


mdf

2550 posts
Uber Geek
Trusted
Subscriber
#2349452 7-Nov-2019 13:40

How have you got DNS configured on laptop vs phone vs server?




89 posts
Master Geek
#2349455 7-Nov-2019 13:55

mdf:

How have you got DNS configured on laptop vs phone vs server?

For the guest LAN:
Laptop + phone both using router for DNS.

Server is using an internal PiHole for DNS.

VPN pushes the same PiHole IP to all clients.


mdf

2550 posts
Uber Geek
Trusted
Subscriber
#2350079 8-Nov-2019 10:43

I am a long way from an expert on this, but the fact you can get internal but not external services via the VPN makes me think it's a DNS issue. Android bakes in Google's DNS servers (8.8.8.8 and 8.8.4.4) for some things. Have you blocked or redirected that as part of setting up Pi-Hole?




89 posts
Master Geek
#2350107 8-Nov-2019 11:14

mdf:

I am a long way from an expert on this, but the fact you can get internal but not external services via the VPN makes me think it's a DNS issue. Android bakes in Google's DNS servers (8.8.8.8 and 8.8.4.4) for some things. Have you blocked or redirected that as part of setting up Pi-Hole?

I did a packet capture on my router and I can see DNS traffic from my phone going to the PiHole, but no web traffic hitting the router.
So unless Android is rejecting these requests, or it's being blocked somewhere else?

I'm going to do a pcap at every step along the path and see if I can see where the traffic is being blocked.


mdf

2550 posts
Uber Geek
Trusted
Subscriber
#2350109 8-Nov-2019 11:32

My instinct (based on not that much, if I'm being honest with you) is that the PiHole is causing the problem rather than the OpenVPN server. You could also try either spinning up another OpenVPN machine/docker and using Google DNS rather than the PiHole, or else setting the PiHole upstream DNS servers to 8.8.8.8 and see if that helps isolate the problem.




89 posts
Master Geek
#2350112 8-Nov-2019 11:53

mdf:

My instinct (based on not that much, if I'm being honest with you) is that the PiHole is causing the problem rather than the OpenVPN server. You could also try either spinning up another OpenVPN machine/docker and using Google DNS rather than the PiHole, or else setting the PiHole upstream DNS servers to 8.8.8.8 and see if that helps isolate the problem.

Interesting, you're right: changing the DNS to 8.8.8.8 worked fine, but setting it to go through the PiHole doesn't.

So now the question is why?

It works fine on my PC, and it works fine on my phone when I'm at home, just not when I'm going through the VPN?

So it has to be an OpenVPN Android issue with local DNS?


mdf

2550 posts
Uber Geek
Trusted
Subscriber
#2350183 8-Nov-2019 13:05

What router are you running? Some of the more prosumer/SOHO models have the ability to redirect all DNS queries/queries on port 53. I do this on an ERL so that all DNS queries on the kids' VLAN are forced to the Pihole. Works well.


89 posts
Master Geek
#2350188 8-Nov-2019 13:26

mdf:

What router are you running? Some of the more prosumer/SOHO models have the ability to redirect all DNS queries/queries on port 53. I do this on an ERL so that all DNS queries on the kids' VLAN are forced to the Pihole. Works well.

Unifi USG.
I have external DNS blocked at firewall level, and internal DNS set via DHCP for usual clients (and via OpenVPN config for VPN clients).

I did some tests from my Windows PC and I think I can see where the problem is now.
The Windows PC still seems to be using the local DNS for resolving IPs, whereas Android seems to be using the remote DNS (client side).

So Windows gets the IP of the server then sends the traffic down the VPN, whereas Android is trying to get the IP down the VPN first.
Must be a problem with my PiHole and routing down the VPN.

So two problems now:
1) How to force all traffic down the VPN from Windows
2) How to allow PiHole to route DNS back down the VPN



2235 posts
Uber Geek
Trusted
#2350189 8-Nov-2019 13:26

It's a simple routing problem.

Let's say your LAN is 192.168.0.0/24 with your home router being 192.168.0.1/24

Your pihole let's say is 192.168.0.10 and your OpenVPN server is 192.168.0.5.

For OpenVPN to work you have to allocate some other network, let's say you've allocated 10.0.0.0/24.

So your OpenVPN server has both 192.168.0.5/25 with a default route to 192.168.0.1 and 10.0.0.1/24 (VPN interface range)

Your phone connects and gets 10.0.0.2/24 as its IP. It sends a DNS request to 192.168.0.10 (your pihole)

Your pihole looks to send back an answer to your phone at 10.0.0.2, looks in its routing table and goes "I don't know how to route to 10.0.0.0/24 so I'll send it to my default gateway of 192.168.0.1".

Your home router also doesn't know about 10.0.0.0/24 so routes it out to the Internet.

The fix is to add a route to your pihole (or your home router) to say "To get to the 10.0.0.0/24 network, route to 192.168.0.5"

Then it'll work.

The "easier" way to fix this is to ensure your home router is also the host running OpenVPN. Everything uses it as the default gateway and it just works.




89 posts
Master Geek
#2350190 8-Nov-2019 13:29

muppet:

It's a simple routing problem.

Let's say your LAN is 192.168.0.0/24 with your home router being 192.168.0.1/24

Your pihole let's say is 192.168.0.10 and your OpenVPN server is 192.168.0.5.

For OpenVPN to work you have to allocate some other network, let's say you've allocated 10.0.0.0/24.

So your OpenVPN server has both 192.168.0.5/25 with a default route to 192.168.0.1 and 10.0.0.1/24 (VPN interface range)

Your phone connects and gets 10.0.0.2/24 as its IP. It sends a DNS request to 192.168.0.10 (your pihole)

Your pihole looks to send back an answer to your phone at 10.0.0.2, looks in its routing table and goes "I don't know how to route to 10.0.0.0/24 so I'll send it to my default gateway of 192.168.0.1".

Your home router also doesn't know about 10.0.0.0/24 so routes it out to the Internet.

The fix is to add a route to your pihole (or your home router) to say "To get to the 10.0.0.0/24 network, route to 192.168.0.5"

Then it'll work.

The "easier" way to fix this is to ensure your home router is also the host running OpenVPN. Everything uses it as the default gateway and it just works.

I have a static route already on my router pointing to the VPN server.
I just don't think that the DNS server is using that route?

I also tried setting up the VPN on my router, but had issues with it (can't remember what, as it was a while ago).
I could look at trying it again though.


89 posts
Master Geek
#2350203 8-Nov-2019 13:32

muppet:

It's a simple routing problem.

Let's say your LAN is 192.168.0.0/24 with your home router being 192.168.0.1/24

Your pihole let's say is 192.168.0.10 and your OpenVPN server is 192.168.0.5.

For OpenVPN to work you have to allocate some other network, let's say you've allocated 10.0.0.0/24.

So your OpenVPN server has both 192.168.0.5/25 with a default route to 192.168.0.1 and 10.0.0.1/24 (VPN interface range)

Your phone connects and gets 10.0.0.2/24 as its IP. It sends a DNS request to 192.168.0.10 (your pihole)

Your pihole looks to send back an answer to your phone at 10.0.0.2, looks in its routing table and goes "I don't know how to route to 10.0.0.0/24 so I'll send it to my default gateway of 192.168.0.1".

Your home router also doesn't know about 10.0.0.0/24 so routes it out to the Internet.

The fix is to add a route to your pihole (or your home router) to say "To get to the 10.0.0.0/24 network, route to 192.168.0.5"

Then it'll work.

The "easier" way to fix this is to ensure your home router is also the host running OpenVPN. Everything uses it as the default gateway and it just works.

I remembered why I didn't use the USG as the VPN:
I can't do static IP assignments per device.
I can with OpenVPN.
Hence running the VPN on a server rather than the router.

2235 posts
Uber Geek
Trusted
#2350204 8-Nov-2019 13:33

Depending on how your router is working, it probably won't allow that traffic because it's failing statefulness.

That's because:

Incoming Packet: Packet from Phone -> OpenVPN Server -> Pihole.

But the RETURN traffic is

Return Packet: PiHole -> ROUTER -> OpenVPN Server -> Phone

If your router is clever/stateful it'll be going "Hang on, I never saw an incoming packet for DNS, I'm not allowing this bogus reply out the door"

Again, the better fix is to put the route on the pihole, not the router. That way the router never sees the traffic.
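To make muppet's two points concrete (the Pi-hole's missing return route sending DNS replies to the default gateway, and the asymmetric path a stateful router sees when the route is added there instead), here is an added Python simulation of longest-prefix-match routing over the example addresses from the posts above. It is not code from the thread; the host names, address assignments and route tables are constructed for the example.

```python
import copy
import ipaddress

# Constructed topology (assumed), using the example addresses from the posts.
# Each host: its addresses and a routing table of (prefix, next_hop);
# next_hop None means the prefix is directly connected.
HOSTS = {
    "phone": {"addrs": {"10.0.0.2"},
              "routes": [("10.0.0.0/24", None), ("0.0.0.0/0", "10.0.0.1")]},
    "openvpn": {"addrs": {"192.168.0.5", "10.0.0.1"},
                "routes": [("192.168.0.0/24", None), ("10.0.0.0/24", None),
                           ("0.0.0.0/0", "192.168.0.1")]},
    "pihole": {"addrs": {"192.168.0.10"},
               "routes": [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")]},
    "router": {"addrs": {"192.168.0.1"},
               "routes": [("192.168.0.0/24", None), ("0.0.0.0/0", "internet")]},
}

def lookup(routes, dst):
    """Longest-prefix match: next hop for dst, or "unreachable"."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else "unreachable"

def host_with(hosts, addr):
    """Name of the simulated host owning addr, or None."""
    return next((n for n, h in hosts.items() if addr in h["addrs"]), None)

def trace(hosts, src, dst, max_hops=8):
    """Hosts a packet visits from src towards dst, ending at the destination
    host or where it leaves the simulated LAN (e.g. "internet")."""
    path, cur = [src], src
    for _ in range(max_hops):
        nh = lookup(hosts[cur]["routes"], dst)
        if nh is None:                    # directly connected: delivered
            return path + [host_with(hosts, dst) or dst]
        cur = host_with(hosts, nh) or nh  # next router, or "internet"
        path.append(cur)
        if cur not in hosts:
            return path
    return path

def with_route(hosts, host, prefix, next_hop):
    """Copy of the topology with one static route added on host."""
    fixed = copy.deepcopy(hosts)
    fixed[host]["routes"].append((prefix, next_hop))
    return fixed

def symmetric(forward, reply):
    """True when the reply retraces the forward path, as a stateful firewall expects."""
    return list(reversed(forward)) == reply
```

Tracing the DNS query from the phone and the reply from the Pi-hole before and after `with_route(HOSTS, "pihole", "10.0.0.0/24", "192.168.0.5")` shows the reply leaving for the internet in the first case and returning via the OpenVPN host in the second; adding the same route on the router instead gives a reply path through the router that the query never took.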




89 posts
Master Geek
#2350206 8-Nov-2019 13:36

muppet:

Depending on how your router is working, it probably won't allow that traffic because it's failing statefulness.

That's because:

Incoming Packet: Packet from Phone -> OpenVPN Server -> Pihole.

But the RETURN traffic is

Return Packet: PiHole -> ROUTER -> OpenVPN Server -> Phone

If your router is clever/stateful it'll be going "Hang on, I never saw an incoming packet for DNS, I'm not allowing this bogus reply out the door"

Again, the better fix is to put the route on the pihole, not the router. That way the router never sees the traffic.

The DNS has to go through the router, as my DNS server is on a different VLAN to the VPN server.
So I can put the route on the DNS server, but it still has to go through the router in order to reach the VPN server.


2235 posts
Uber Geek
Trusted
#2350207 8-Nov-2019 13:39

Well if that's the case and everything is routing via the router correctly, it doesn't sound like what I said applies.

Can you ping your pihole when your VPN is connected?




89 posts
Master Geek
#2350209 8-Nov-2019 13:44

To make it easier, here's my network:

192.168.99.40 - DNS / PiHole
10.10.100.2 - OpenVPN server
10.10.101.x - OpenVPN network
(VLAN is a /23 for OpenVPN stuff)

Static route for 10.10.101.0 to 10.10.100.2
