OpenVPN, Windows works, Android doesn't, help?

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › OpenVPN, Windows works, Android doesn't, help?

1 | 2

pomtom44

128 posts

Master Geek

#2350212 8-Nov-2019 13:45

muppet:

Well if that's the case and everything is routing via the router correctly, it doesn't sound like what I said applies.

Can you ping your pihole when your VPN is connected?

I cant seem to ping anything on my Home LAN (But I can ping the local router)

Sharesies kids

Free kids accounts - trade shares and funds (NZ, US) with Sharesies (affiliate link).

muppet

2553 posts

Uber Geek

Trusted

#2350213 8-Nov-2019 13:48

Are you sure your Android is being pushed a route?

It sounds like you might be getting a VPN connected, but not doing anything to route traffic over it.

With openVPN you can either "push" routes down the client, or configure routes on the client itself.

When the OpenVPN client is connected, can you browse to ipchicken.com to find your current public IP? Is is the IP of your home ISP, or still the IP of your Phone's wifi/mobile connection?

It still sounds like a simple routing problem :)

The router has a route back to the VPN range, yea??

pomtom44

128 posts

Master Geek

#2350227 8-Nov-2019 13:56

muppet:

Are you sure your Android is being pushed a route?

It sounds like you might be getting a VPN connected, but not doing anything to route traffic over it.

With openVPN you can either "push" routes down the client, or configure routes on the client itself.

When the OpenVPN client is connected, can you browse to ipchicken.com to find your current public IP? Is is the IP of your home ISP, or still the IP of your Phone's wifi/mobile connection?

It still sounds like a simple routing problem :)

The router has a route back to the VPN range, yea??

If I bypass my local dns and set it to google (8.8.8.8) Both android and windows get internet and show my home IP

However if I set DNS to my PiHole, it appears to be timing out on my andriod (Cant resolve IP is my guess)
and using my local DNS Server (local to client) on my windows PC
When I do a tracert it shows the hostname of the local router, not my home router
However when I do a dns lookup using a hostname from my home lan, it resolves it fine, so it appears DNS can be routed?

pomtom44

128 posts

Master Geek

#2350229 8-Nov-2019 14:03

muppet:

Are you sure your Android is being pushed a route?

It sounds like you might be getting a VPN connected, but not doing anything to route traffic over it.

With openVPN you can either "push" routes down the client, or configure routes on the client itself.

When the OpenVPN client is connected, can you browse to ipchicken.com to find your current public IP? Is is the IP of your home ISP, or still the IP of your Phone's wifi/mobile connection?

It still sounds like a simple routing problem :)

The router has a route back to the VPN range, yea??

Ok i think it is a routing issue for just my DNS?
I tried to do other queries and they fail, for some reason the one device i tried to query on my LAN happened to work? (caching?)

Spyware

3728 posts

Uber Geek

Lifetime subscriber

#2350231 8-Nov-2019 14:08

How does /23 make the OpenVPN server and tunnel networks different??

Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.

pomtom44

128 posts

Master Geek

#2350232 8-Nov-2019 14:10

Spyware:

How does /23 make the OpenVPN server and tunnel networks different??

Sorry i dont understand what your asking?

Spyware

3728 posts

Uber Geek

Lifetime subscriber

#2350234 8-Nov-2019 14:12

The two networks are meant to be different networks.

pomtom44

128 posts

Master Geek

#2350238 8-Nov-2019 14:16

Spyware:

The two networks are meant to be different networks.

I have a /23 to allow for IP forwarding from the TUN interface on the VPN server to my LAN
So the end user gets an IP that is passed though to my firewall where I can do IP management on it
Rather than using the NAT on the VPN server and showing all traffic as coming form the servers LAN interface

It works for everything else, just not DNS as far as I can tell

Spyware

3728 posts

Uber Geek

Lifetime subscriber

#2350240 8-Nov-2019 14:19

Route would be invalid then.

pomtom44

128 posts

Master Geek

#2350242 8-Nov-2019 14:22

Spyware:

Route would be invalid then.

Not to come across as rude, but have you read the rest of the thread?

I can get internet when on the VPN showing my homes public IP (using google dns)
I can access internal services on other vlans though my VLAN routing I have on my router

The only thing that doesn't appear to be working is routing DNS queries over the VPN
So either my DNS isnt being sent down the VPN
or theres a routing issue somewhere in my setup (Which I can't find as I have open routing for DNS traffic)

I dont see how using a /23 will break "Only" DNS requests

Spyware

3728 posts

Uber Geek

Lifetime subscriber

#2350313 8-Nov-2019 17:49

pomtom44:

Rather than using the NAT on the VPN server and showing all traffic as coming form the servers LAN interface

It works for everything else, just not DNS as far as I can tell

And why are you NATing traffic between private networks anyway?? It makes no sense.

Spyware

3728 posts

Uber Geek

Lifetime subscriber

#2350435 8-Nov-2019 19:19

No need to masquerade traffic on server at all. You have the route (10.10.101.0/24 gw 10.10.100.2) to the tunnel network on your router, routes to your private networks in client config.

# Allow traffic initiated from VPN tunnel to access everywhere

iptables -I FORWARD -i tun0 -o eth0 -s 10.10.101.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth

iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

And it all works perfectly, routed end to end.

pomtom44

128 posts

Master Geek

#2350483 8-Nov-2019 22:07

Spyware:

No need to masquerade traffic on server at all. You have the route (10.10.101.0/24 gw 10.10.100.2) to the tunnel network on your router, routes to your private networks in client config.

# Allow traffic initiated from VPN tunnel to access everywhere

iptables -I FORWARD -i tun0 -o eth0 -s 10.10.101.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth

iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

And it all works perfectly, routed end to end.

that is what i have setup.....

my routing works fine for everything else. just not to my internal DNS

i can access a internal web server fine via its internal IP

and i can get internet if i set the VPN clients DNS to google 8.8.8.8

i just cant get my internal DNS to get queries from my VPN client.

1 | 2