OpenVPN, Windows works, Android doesn't, help?

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › OpenVPN, Windows works, Android doesn't, help?

pomtom44

128 posts

Master Geek

#260028 7-Nov-2019 12:12

HI all

Bit of a technical one so hoping I can get some help here

I have a OpenVPN server running at home, and I have it working from my laptop, just not my phone.

I have my laptop (windows 10) and android (one plus) connected to the same WiFi (Friends network)

My laptop I can browse to both internal services (NAS and Dev web server) and external websites (Google showing public IP as my home's IP)

My phone I can get internal services, but not external ones

I can see the traffic from my phone on my firewall leaving to the internet, but I can't get detailed enough logging to see w hats coming back
(I could try find a w ay to get logging if needed)

Im a little lost as the only difference between these is windows vs android, the routing and networks are exactly the same otherwise, so im not sure why its not working as i expect it to

any help would be appreciated.

For reference:
Server: Ubuntu 16.04
VPN IP Range 10.10.101.x
VPN VLAN 10.10.100.x
Static route pointing 10.10.101.x to server IP on 100 network

Laptop Windows 10
Phone andriod / one plus 5

1 | 2

3506 posts

Uber Geek

Trusted

#2349452 7-Nov-2019 13:40

How have you got DNS configured on laptop vs phone vs server?

Backblaze

Backblaze Unlimited Backup. World’s easiest cloud backup. Get peace of mind knowing your files are backed up securely in the cloud (affiliate link).

pomtom44

128 posts

Master Geek

#2349455 7-Nov-2019 13:55

mdf:

How have you got DNS configured on laptop vs phone vs server?

For the guest lan
Laptop + phone both using router for dns

Server is using a internal PiHole for DNS

VPN pushes the same PiHole IP to all clients

mdf

3506 posts

Uber Geek

Trusted

#2350079 8-Nov-2019 10:43

I am a long way from an expert on this, but the fact you can get internal but not external services via the VPN makes me thing its a DNS issue. Android bakes in Google's DNS servers (8.8.8.8 and 8.8.4.4) for some things. Have you blocked or redirected that as part of setting up Pi-Hole?

pomtom44

128 posts

Master Geek

#2350107 8-Nov-2019 11:14

mdf:

I am a long way from an expert on this, but the fact you can get internal but not external services via the VPN makes me thing its a DNS issue. Android bakes in Google's DNS servers (8.8.8.8 and 8.8.4.4) for some things. Have you blocked or redirected that as part of setting up Pi-Hole?

I did a packet capture on my router and I can see DNS traffic from my phone going to the pihole, but no web traffic hitting the router.
so unless android is rejecting these requests or its being blocked somewhere else?

Im going to do a pcap at every step along the path and see if I can see where the traffic is being blocked

mdf

3506 posts

Uber Geek

Trusted

#2350109 8-Nov-2019 11:32

My instinct (based on not that much if I'm being honest with you) is that the PiHole is causing the problem rather than the the OpenVPN server. You could also try either spinning up another OpenVPN machine/docker and using Google DNS rather than the PiHole, or else setting the PiHole upstream DNS servers to 8.8.8.8 and see if that helps isolate the problem.

pomtom44

128 posts

Master Geek

#2350112 8-Nov-2019 11:53

mdf:

My instinct (based on not that much if I'm being honest with you) is that the PiHole is causing the problem rather than the the OpenVPN server. You could also try either spinning up another OpenVPN machine/docker and using Google DNS rather than the PiHole, or else setting the PiHole upstream DNS servers to 8.8.8.8 and see if that helps isolate the problem.

Interesting, your right, Changing the DNS to 8.8.8.8 worked fine, but setting it to go though the pihole doesnt.

So now the question is why?

It works fine on my PC, and it works fine on my phone when im at home, just not when im going through the VPN?

so it has to be a openvpn android issue with local dns?

mdf

3506 posts

Uber Geek

Trusted

#2350183 8-Nov-2019 13:05

What router are you running? Some of the more prosumer/SOHO models have the ability to redirect all DNS queries/queries on port 53. I do this on an ERL so that all DNS queries on the kids' VLAN are forced to the Pihole. Works well.

pomtom44

128 posts

Master Geek

#2350188 8-Nov-2019 13:26

mdf:

What router are you running? Some of the more prosumer/SOHO models have the ability to redirect all DNS queries/queries on port 53. I do this on an ERL so that all DNS queries on the kids' VLAN are forced to the Pihole. Works well.

Unifi USG
I have external DNS blocked at firewall level, and internal dns set via DHCP for usual clients (and via openvpn config for VPN clients)

I did some tests from my windows PC and I think I can see where the problem is now
The windows PC still seems to be using the local DNS for resolving IP's where andriod seems to be using the remote DNS (Client side)

So windows gets the IP of the server then sends the traffic down the VPN, where andriod is trying to get the IP down the VPN first.
Must be a problem with my PiHole and routing down the VPN.

So two problems now
1) How to force all traffic down the vpn from windows
2) How to allow PiHole to route DNS back down the VPN

muppet

2553 posts

Uber Geek

Trusted

#2350189 8-Nov-2019 13:26

It's a simple routing problem.

Let's say your LAN is 192.168.0.0/24 with your home router being 192.168.0.1/24

Your pihole let's say is 192.168.0.10 and your OpenVPN server is 192.168.0.5.

For OpenVPN to work you have to allocate some other network, let's say you've allocated 10.0.0.0/24.

So your OpenVPN server has both 192.168.0.5/25 with a default route to 192.168.0.1 and 10.0.0.1/24(VPN interface range)

Your phone connects and gets 10.0.0.2/24 as its IP. It sends a DNS request to 192.168.0.10 (your pihole)

Your pihole looks to send back an answer to your phone at 10.0.0.2, looks in its routing table and goes "I don't know how to route to 10.0.0.0/24 so I'll send it to my default gateway of 192.168.0.1".

Your home router also doesn't know about 10.0.0.0/24 so routes it out to the Internet.

The fix is to add a route to your pihole (or your home router) to say "To get to the 10.0.0.0/24 network, route to 192.168.0.5"

Then it'll work.

The "easier" way to fix this is to ensure your home router is also the host running OpenVPN. Everything uses it as the default gateway and it just works.

pomtom44

128 posts

Master Geek

#2350190 8-Nov-2019 13:29

muppet:

It's a simple routing problem.

Let's say your LAN is 192.168.0.0/24 with your home router being 192.168.0.1/24

Your pihole let's say is 192.168.0.10 and your OpenVPN server is 192.168.0.5.

For OpenVPN to work you have to allocate some other network, let's say you've allocated 10.0.0.0/24.

So your OpenVPN server has both 192.168.0.5/25 with a default route to 192.168.0.1 and 10.0.0.1/24(VPN interface range)

Your phone connects and gets 10.0.0.2/24 as its IP. It sends a DNS request to 192.168.0.10 (your pihole)

Your pihole looks to send back an answer to your phone at 10.0.0.2, looks in its routing table and goes "I don't know how to route to 10.0.0.0/24 so I'll send it to my default gateway of 192.168.0.1".

Your home router also doesn't know about 10.0.0.0/24 so routes it out to the Internet.

The fix is to add a route to your pihole (or your home router) to say "To get to the 10.0.0.0/24 network, route to 192.168.0.5"

Then it'll work.

The "easier" way to fix this is to ensure your home router is also the host running OpenVPN. Everything uses it as the default gateway and it just works.

I have a static route already on my router pointing to the VPN server
I just dont think that the DNS server is using that route?

I also tried setting up the VPN on my router, but had issues with it, (cant remember as it was a while ago)
I could look at trying it again though

pomtom44

128 posts

Master Geek

#2350203 8-Nov-2019 13:32

muppet:

It's a simple routing problem.

Let's say your LAN is 192.168.0.0/24 with your home router being 192.168.0.1/24

Your pihole let's say is 192.168.0.10 and your OpenVPN server is 192.168.0.5.

For OpenVPN to work you have to allocate some other network, let's say you've allocated 10.0.0.0/24.

So your OpenVPN server has both 192.168.0.5/25 with a default route to 192.168.0.1 and 10.0.0.1/24(VPN interface range)

Your phone connects and gets 10.0.0.2/24 as its IP. It sends a DNS request to 192.168.0.10 (your pihole)

Your pihole looks to send back an answer to your phone at 10.0.0.2, looks in its routing table and goes "I don't know how to route to 10.0.0.0/24 so I'll send it to my default gateway of 192.168.0.1".

Your home router also doesn't know about 10.0.0.0/24 so routes it out to the Internet.

The fix is to add a route to your pihole (or your home router) to say "To get to the 10.0.0.0/24 network, route to 192.168.0.5"

Then it'll work.

The "easier" way to fix this is to ensure your home router is also the host running OpenVPN. Everything uses it as the default gateway and it just works.

I remembered why I didn't use the USG as the VPN
I can't do static IP assignments per device
I can with OpenVPN
Hence running the VPN on a server rather than the router

muppet

2553 posts

Uber Geek

Trusted

#2350204 8-Nov-2019 13:33

Depending on how your router is working, it probably won't allow that traffic because it's failing statefulness.

That's because:

Incoming Packet: Packet from Phone -> OpenVPN Server -> Pihole.

But the RETURN traffic is

Return Packet: PiHole->ROUTER->OpenVPN Server->Phone

If your router is clever/stateful it'll be going "Hang on, I never saw an incoming packet for DNS, I'm not allowing this bogus reply out the door"

Again, the better fix is to put the route on the pihole, not the router. That way the router never sees the traffic.

pomtom44

128 posts

Master Geek

#2350206 8-Nov-2019 13:36

muppet:

Depending on how your router is working, it probably won't allow that traffic because it's failing statefulness.

That's because:

Incoming Packet: Packet from Phone -> OpenVPN Server -> Pihole.

But the RETURN traffic is

Return Packet: PiHole->ROUTER->OpenVPN Server->Phone

If your router is clever/stateful it'll be going "Hang on, I never saw an incoming packet for DNS, I'm not allowing this bogus reply out the door"

Again, the better fix is to put the route on the pihole, not the router. That way the router never sees the traffic.

The DNS has to go though the router as my DNS server is on a different VLAN to the VPN server
So I can put the route on the DNS server but it still has to go though the router in order to reach the VPN server.

muppet

2553 posts

Uber Geek

Trusted

#2350207 8-Nov-2019 13:39

Well if that's the case and everything is routing via the router correctly, it doesn't sound like what I said applies.

Can you ping your pihole when your VPN is connected?

pomtom44

128 posts

Master Geek

#2350209 8-Nov-2019 13:44

To make it easier, heres my network

192.168.99.40 - DNS / PiHole
10.10.100.2 - OpenVPN server
10.10.101.x - OpenVPN Network
(Vlan is a /23 for OpenVPN stuff)

Static route for 10.10.101.0 to 10.10.100.2

1 | 2