Issues connecting Android Ovpn to PFSense Firewall

The Lurker

I need a sanity check. For the longest time I was able to flawlessly connect from my Android phone to my home-based PFSense using OpenVPN. Sometime earlier this year this stopped working. I am guessing right around the time I changed phones (S21 to S24). The OpenVPN client log file on the phone does mention "Endpoint address family (IPv6) is incompatible with transport protocol (UDP4)". After a lot of troubleshooting and reading, the only conclusion I can make is that the issue is caused by the phone now being assigned an IPv6 address while my home internet is still on IPv4. However, if it is, then I don't understand why. Shouldn't T-Mobile's network provide the proper translation allowing the two to communicate? I have tried to ping the server with the phone and the ping does reach it. I have tried to enable IPv6 on the WAN port and on the LAN as well. I have even tried to allow PFsense to grab an IPv6 address from Verizon, but they don't support that everywhere at this time.

Am I correct here, is the issue IPv6 vs IPv4 or something else?

The only thing I can come up with next is to set up an IPv6-to-IPv4 tunnel, but I want to make sure I didn't overlook something a lot simpler before I go down that rabbit hole.
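As an added illustration of what the quoted log line is saying (example code written for this page, not code from OpenVPN, the Android client or pfSense): a profile that pins the transport to `udp4` can only use IPv4 endpoints, so any AAAA answer for the `remote` name is rejected, while plain `proto udp` accepts either family. The hostname, the documentation-range addresses and the DNS answers below are all constructed for the example.

```python
"""Model of how an OpenVPN client's transport protocol constrains which
resolved endpoints it may use. Added example for this thread, not OpenVPN
or pfSense code; the profile and DNS answers are constructed."""
import ipaddress
import re

# Constructed: a pfSense-style exported client profile that pins IPv4 UDP,
# pointing at a DDNS name that now publishes both an A and an AAAA record.
CLIENT_PROFILE = """\
client
dev tun
proto udp4
remote home.example.net 1194
remote-cert-tls server
auth SHA256
cipher AES-256-GCM
"""

DNS_ANSWERS = {  # constructed, documentation ranges only
    "home.example.net": ["203.0.113.10", "2001:db8:1::10"],
}

# Address families each transport value accepts (OpenVPN 2.4+ semantics:
# udp4/tcp4 = IPv4 only, udp6/tcp6 = IPv6 only, udp/tcp = either family).
FAMILIES = {
    "udp4": {4}, "tcp4": {4}, "tcp4-client": {4},
    "udp6": {6}, "tcp6": {6}, "tcp6-client": {6},
    "udp": {4, 6}, "tcp": {4, 6}, "tcp-client": {4, 6},
}


def parse_profile(text):
    """Return (proto, [(host, port), ...]) from an .ovpn body; '#' and ';' start comments."""
    proto = "udp"
    remotes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "proto" and len(parts) >= 2:
            proto = parts[1]
        elif parts[0] == "remote" and len(parts) >= 2:
            port = int(parts[2]) if len(parts) >= 3 else 1194
            remotes.append((parts[1], port))
    return proto, remotes


def candidate_endpoints(text, dns):
    """Split each resolved endpoint into usable / rejected for the profile's proto."""
    proto, remotes = parse_profile(text)
    allowed = FAMILIES[proto]
    usable, rejected = [], []
    for host, port in remotes:
        try:
            addrs = [str(ipaddress.ip_address(host))]   # literal address in the profile
        except ValueError:
            addrs = dns.get(host, [])                   # hostname: use the DNS answers
        for addr in addrs:
            fam = ipaddress.ip_address(addr).version
            if fam in allowed:
                usable.append((addr, port))
            else:
                # Same wording as the Android client log quoted in the thread.
                msg = (f"Endpoint address family (IPv{fam}) is incompatible "
                       f"with transport protocol ({proto.upper()})")
                rejected.append((addr, port, msg))
    return usable, rejected


def make_dual_stack(text):
    """Rewrite 'proto udp4'/'udp6'/'tcp4-client' etc. to the family-agnostic form."""
    return re.sub(r"(?m)^proto[ \t]+(udp|tcp)[46](\S*)[ \t]*$", r"proto \1\2", text)


if __name__ == "__main__":
    for label, profile in (("as exported", CLIENT_PROFILE),
                           ("dual-stack", make_dual_stack(CLIENT_PROFILE))):
        usable, rejected = candidate_endpoints(profile, DNS_ANSWERS)
        print(f"{label}: usable={usable}")
        for addr, port, msg in rejected:
            print(f"  rejected {addr}:{port}: {msg}")
```

With the exported profile only the A record survives, and the AAAA record produces exactly the log line from the first post; after `make_dual_stack` both endpoints are candidates. The rejection is only fatal when every answer is IPv6, so it explains the log noise but not by itself a failure to connect when an A record is also published.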
 
Didn't work.

I am starting to suspect something else is amiss. I have gone through and systematically turned off firewall rules and that didn't do it either.

I am almost at the point where I may just reinstall the whole firewall and try to start fresh, because I cannot find a single reason why it's not working.
Does it work when you're connected to a WiFi network on your phone (where you'd be getting an IPv4 WAN address)? How are you connecting back home: is it Dynamic DNS, and can you verify that a dig (Unix/Linux) / nslookup (Windows) lookup returns the correct IP? T-Mobile should allow you to connect to IPv4 addresses even if they are only issuing IPv6 now.

Rather than nuke the whole firewall, you can probably just recreate the OpenVPN tunnel and make new config files for clients. But if you're gonna nuke it, it'd be a good time to switch to OPNsense and WireGuard :)
 
Yes. I can successfully connect to the openvpn server from the phone using the local IP address of the firewall.

I have a dynamic DNS update service that pfsense updates with my current IP (which hasn't changed in 8 months anyway), and I have also tried using the public IP address as well. I have verified that the correct IP is being returned. I also updated it with the IPv6 address of the tunnel, and I can see the client tries both addresses when I'm using the DynDNS domain.

I did set up the HE tunnel for shits and giggles and I think that works, but I can't connect through that either.

I have also tried accessing the server using my work hotspot (now that I have one), which has both a v4 and a v6 IP, and that doesn't work either.

I am at the point where I think this is a lot simpler than I thought and something on my PFsense is simply preventing a connection from being established. I am playing with the firewall rules, ports and filtering. Although none of that changed 8 months ago, so I have no idea why it could be a problem today.

I think I played with OPNSense years ago and went back to PFSense and stuck with it almost 10 years.
 
Something you could try based on the udp6 proto: go into your phone's APN settings and set it to IPv4 only.

Pfsense also has default WAN IPv6 blocking rules you may need to toggle off if your APN gives issues with switching from an IPv4/IPv6 connection.
 
I tried the first one; T-Mobile now locks the APN settings.

I definitely found that checkbox in PFsense and made sure it's checked.
 
This makes no sense. I am looking at the firewall logs and I don't even see a connection attempt being made on the port the OpenVPN server is listening on.
 
I assume you're connecting thru DDNS? Is your pfsense also your gateway? Could be a port forwarding issue.

I can freely edit TMO APNs on all my Android devices, though I do not have an S24. Seems unlikely they lock it? Can you create a new custom APN?
 
What do you mean "connecting thru DDNS"?

My PFsense is also my gateway, it's connected directly to my ONT outside.

I am also thinking port forwarding, but it is configured correctly. I almost want to just open it to the Internet for a second and try, but that could be a disaster. So I was thinking of granting access to my phone's IPv6 address (the IPv4 is a 172.).
 
Are you resolving your server thru a dynamic DNS service rather than using your machine's public IP?

Have you logged all ingress on the port as well? Not just the ovpn logs.
 

I have tried both, using the public IP and DynDNS.

I have logged the firewall traffic. OpenVPN, funny enough, shows an attempted connection and then an immediate disconnect.
 
So it is reaching the ovpn server; it may then be a handshake issue. I am sorry if you mentioned it, but have you tried creating a new ovpn server config in pfsense? Or at least generating new keys while making sure the server CA is not out of date.

I might even suggest just moving to WireGuard; it could simplify things, and the WireGuard Android app has much better diagnostics.
 
I did create a new VPN server config and it didn't help.

I also renewed (but I can go in now and create new ones) all the CA keys even though none were expired.
 
I have logged the firewall traffic. OpenVPN, funny enough, shows an attempted connection and then an immediate disconnect.
Ok. So what I thought was connection attempts was simply PFsense polling the VPN server and the log entries are just noise.
 
Just tried setting up WireGuard and I'm already lost between what keys go where. But before any of that even matters, I can't get it to handshake with the firewall.

This should be all that's needed:
[attached screenshot]
 
I think the firewall rule was wrong.

Destination is supposed to be the WAN and source is ANY.

Now it clearly is attempting a connection but my server isn't responding.
 
Ok. Now I can connect through the Lan again, had to make a new config file. I'm so pissed at this thing.
 
OpenVPN still doesn't work, but I feel like I am getting closer. But I know for a fact it is not an IPv6 vs IPv4 situation. Something else is not permitting the connection.


But if you're gonna nuke it, it'd be a good time to switch to OPNsense and WireGuard

I was able to set up WireGuard, but with Tailscale. At least now I can access my network again. But I hate having to go through a third party, so I am going to keep investigating OpenVPN.
 
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/firewall-rules.html

Basic rules should allow this to work.

This is basically what my rules look like, except instead of a WAN rule it's a floating rule for OPNsense + WireGuard. I use this calculator and then in my WireGuard configs I just explicitly only allow certain IPs. Like maybe I want to route all traffic, maybe I only want to route to my LAN/VLANs, or maybe I want to route everything except the local network I'm connected to.

If you still can't get this working please share a screenshot of all your rules under WAN interface and all your firewall rules under the OpenVPN interface. Obviously blur out anything if it exposes sensitive information but I don't think it would.
 
[attached screenshot of WAN firewall rules]

[attached screenshot of OpenVPN interface firewall rules]
 
Rules look right to me. I'd probably just change the protocol to IPv4+IPv6 in case you're coming in from an IPv6 address (e.g. T-Mobile cellular).

Maybe try duplicating your "OpenVPN RemoteAccess wizard" rule into Floating instead of just WAN? Does pfSense have a live view like OPNsense does? Look at that when you have a client coming in. If not, look at the logs at the time and, if it's getting denied, see what rule is being enforced. You'll also need to do the stuff from the second post to make sure IPv6 works.
 
I did the change to the OVPN file as instructed.

I also added a NAT rule to make the port static to avoid any issues with it rewriting it.

I've also gone ahead and disabled all traffic filtering to troubleshoot too.

I will go through the logs next.
 