Why doesn't Android support TAP over VPN?

The Lurker (Fully [H], joined Jul 1, 2001, 19,066 messages)
I don't know why I need it, but I was bored, so I set up a VPN between my phone and my house using OpenVPN. I was hoping to use it to access network resources as though I am sitting at home, like my server's uTorrent client. After spending 2 hours setting up the VPN, I was less than enthused to keep reading why it wasn't working, but I did. Apparently Android doesn't support TAP, and I need that in order to access resources on the network.

Why doesn't Android support TAP?

Is there any way around this limitation?

How can I tell if traffic from the phone is truly going through the VPN?
 
TAP works with OpenVPN using their official app. But Android is very limited in VPN options either way.
 
So I first made sure I can successfully establish a connection over TUN, and it works great. Then I made the necessary config files for TAP.

I am using their official app, and it's telling me that TAP tunneling is not supported by the Android API.

Where are you seeing that TAP works?
 
OK. So I went back to TUN. I am able to successfully connect to the VPN server from the phone, and I am able to successfully ping the phone from computers on the network.

However, I cannot ping the computers on the network from the phone. I can ONLY ping my router. Why isn't my router sending ping requests to the computers on the network?
 
You either have a NAT problem, or you need to have a route installed in the router. I use Cisco enterprise stuff, and I have to set up ACLs, NATting, and all kinds of rules.
 
I don't know if NAT is the answer. I added a route in my router so that all internal traffic that is headed to the VPN'd client is sent to the server's local address. This allows a laptop behind the VPN to ping the phone. I have a route set up on the server that directs all traffic headed for the local LAN behind the server to the server's local address as well. The latter is configured automatically by OpenVPN upon startup. But still I cannot ping the same machine that can ping the phone. But I CAN ping the router behind the VPN. So for some reason the router is not forwarding the ping to the machines on the network.

I do have another issue. I cannot ping the VPN server's address, the one assigned by the VPN to the server, from the phone.

I am close, I know it.

My network looks like this:

Local LAN: 172.16.0.0
Local LAN's router: 172.16.0.1
VPN server local LAN address: 172.16.0.6
VPN server address pool: 172.16.1.0
VPN server address: 172.16.1.1
VPN server gateway address: 172.16.1.2
Phone VPN address: 172.16.1.6
Local LAN machine's address: 172.16.0.4
 
Well, check if the non-pingable machine has a firewall running in the OS that is preventing pings on both inside and outside interfaces. Windows Firewall is notorious for doing this if you check the wrong box or set the wrong rule. Since ping is usually an ICMP rule, check to see if it is blocked or disabled.
 
That was the first thing I checked. I disabled the firewall on the virtual interface for the VPN and also made sure ICMP was enabled in the Windows firewall.

But I found the problem:
Topology – OpenVPN Community

The default topology on a new install is net30. The link above clearly says Windows has problems with net30. I assume this isn't a problem for most because most people run OpenVPN on a dedicated Linux box. But once I enabled subnet in the server config, everything started pinging properly in every direction.


The only 2 remaining problems are: accessing the local resources on the VPN server once connected, for example the uTorrent web page. Right now, entering the VPN server's local address does not do anything.

AND

I still cannot ping the VPN server's assigned address or local LAN address. But I can ping every other computer on the network behind the server.
 
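The net30-versus-subnet difference above is easiest to see in the addresses themselves. The following is an added example, not code from the thread or from the OpenVPN project: it takes the address plan posted earlier (VPN pool 172.16.1.0/24, OpenVPN host at 172.16.0.6 on the 172.16.0.0/24 LAN) and reproduces how each topology carves the pool up, plus the two routes that the thread keeps coming back to: the static route the LAN router needs for the return path, and the `push "route ..."` directive that hands clients a route to the LAN.

```python
"""How OpenVPN hands out tunnel addresses under the default 'net30' topology
versus 'topology subnet', using the address plan from this thread: VPN pool
172.16.1.0/24 behind a server whose LAN address is 172.16.0.6 on
172.16.0.0/24. Added example; not code from the thread or from OpenVPN."""
import ipaddress

POOL = ipaddress.ip_network("172.16.1.0/24")         # 'server 172.16.1.0 255.255.255.0'
LAN = ipaddress.ip_network("172.16.0.0/24")          # home LAN from the thread
SERVER_LAN_IP = ipaddress.ip_address("172.16.0.6")   # OpenVPN host on the LAN


def net30_allocations(pool, n_clients):
    """net30 carves the pool into /30s. The server takes the first one
    (local .1, remote .2); each client takes the next /30, using its
    higher usable address as its own and the lower one as the server-side
    peer. Returns ((server_local, server_remote), [(client, peer), ...])."""
    blocks = list(pool.subnets(new_prefix=30))
    first, second = list(blocks[0].hosts())
    server = (first, second)
    clients = []
    for blk in blocks[1:1 + n_clients]:
        lo, hi = list(blk.hosts())
        clients.append((hi, lo))
    return server, clients


def subnet_allocations(pool, n_clients):
    """topology subnet: one flat network. Server is .1, clients are .2, .3, ...
    with the pool's netmask and no point-to-point pairs."""
    hosts = list(pool.hosts())
    return hosts[0], hosts[1:1 + n_clients]


def net30_clients_per_pool(pool):
    """net30 spends four addresses per endpoint, so a /24 fits 63 clients."""
    return len(list(pool.subnets(new_prefix=30))) - 1


def gateway_static_route(pool, server_lan_ip):
    """Route the LAN router needs so that LAN hosts' replies to VPN clients
    go to the OpenVPN host instead of out the router's default gateway."""
    return f"{pool.with_netmask} via {server_lan_ip}"


def pushed_lan_route(lan):
    """Server-side directive that gives every client a route to the LAN."""
    return f'push "route {lan.network_address} {lan.netmask}"'


if __name__ == "__main__":
    srv, cl = net30_allocations(POOL, 2)
    print("net30   server", srv, "clients", cl)
    print("subnet  server", *subnet_allocations(POOL, 2))
    print("router:", gateway_static_route(POOL, SERVER_LAN_IP))
    print("server.conf:", pushed_lan_route(LAN))
```

Run it and the net30 output is exactly the address list posted above: server 172.16.1.1 with peer 172.16.1.2, and the first client (the phone) at 172.16.1.6 with server-side peer 172.16.1.5. Under `topology subnet` the same phone would simply be 172.16.1.2/24, which is why every host on the tunnel can reach every other one directly once that setting is on.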
Found the problem.

God damn Windows Firewall. For some reason, even when it's off, it's not really off. I had to manually disable the firewall on the TUN interface, and what do you know, I can ping the VPN server on both local LAN and VPN address and access its local resources.

However, I still cannot reach the web. It's gotta be either routing or, again, the firewall.

I have been using Wireshark to investigate, but I wish it could show exactly where the connection is screwing up versus just not working.

Ultimate solution: ditch Windows and host the VPN server on a *nix box.
 
Just spool up a pfSense VM and run OpenVPN there. This is what I do to enable remote access and tunneling for my networks. Use the OVPN wizard to make it even easier.

Both my iOS and Android devices can access anything on the networks.
 
Nah, Windows is not your problem. I bet your router or network config is derping everything up. Have you read any instructions or setup guides? Tutorials on YouTube? Google? If you haven't, that is probably the issue. I make no assumptions, however, and only offer thoughts.
 
That's all I have been doing for the last week. But the guides don't touch upon the gateway itself. They all simply state to ensure that a static route exists in the gateway to send traffic back to the VPN server's local LAN address for packets destined for the VPN network. Which I have done. Local LAN traffic can hit VPN clients no problem.

The problem I have is whenever a VPN client attempts to ping an internet IP, it gets no response. However, I do not know if it's leaving the network and not getting a response back, or not leaving the network.
That may be routing in Windows, but that doesn't make sense, since OpenVPN automatically creates the proper routes, and I even confirmed them.

As I type this, I wonder if I need to push 0.0.0.0 to the VPN clients, though it should be a given with the "redirect-gateway def1" directive.

I have an older HP Xeon slimline PC sitting in a file cabinet; I am almost at the point of just chucking another Ethernet card in it and setting up pfSense.
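What `redirect-gateway def1` actually installs on the client is worth seeing with real prefixes, because the "def1" trick is a pure longest-prefix-match play. The following is an added example, not code from the thread or from OpenVPN. It builds a client's routing table before and after the directive and resolves a few destinations with the same longest-prefix rule every IP stack uses. The tunnel gateway 172.16.1.1 and the LAN 172.16.0.0/24 come from the thread; the phone's wifi gateway (192.168.43.1) and the server's public address (203.0.113.10, from the documentation range) are assumed.

```python
"""What 'redirect-gateway def1' does to a client's routing table, shown with a
longest-prefix-match lookup. Added example, not code from the thread or
OpenVPN. Assumed addresses: the phone's wifi gateway 192.168.43.1 and the VPN
server's public IP 203.0.113.10 (documentation range); the tunnel gateway
172.16.1.1 and LAN 172.16.0.0/24 come from the thread."""
import ipaddress

WIFI_GW = "192.168.43.1"            # assumed: the phone's local default gateway
VPN_SERVER_PUBLIC = "203.0.113.10"  # assumed: the OpenVPN server's public address
TUN_GW = "172.16.1.1"               # server-side tunnel address (from the thread)

# (prefix, next hop, interface)
ROUTES_BEFORE = [("0.0.0.0/0", WIFI_GW, "wlan0")]


def routes_after_def1(before):
    """'def1' never deletes the existing default route. It adds two /1 routes
    via the tunnel, which win over 0.0.0.0/0 by longest prefix, plus a host
    route to the VPN server via the old gateway so the encrypted packets
    themselves are not sent into the tunnel. The last entry is the pushed
    'route 172.16.0.0 255.255.255.0' for the home LAN."""
    return before + [
        (VPN_SERVER_PUBLIC + "/32", WIFI_GW, "wlan0"),
        ("0.0.0.0/1", TUN_GW, "tun0"),
        ("128.0.0.0/1", TUN_GW, "tun0"),
        ("172.16.0.0/24", TUN_GW, "tun0"),
    ]


def lookup(table, dst):
    """Longest-prefix match: the rule every IP stack uses to pick a route.
    Returns (next hop, interface) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return (best[1], best[2]) if best else None


if __name__ == "__main__":
    after = routes_after_def1(ROUTES_BEFORE)
    for dst in ("8.8.8.8", "172.16.0.4", VPN_SERVER_PUBLIC):
        print(dst, "before:", lookup(ROUTES_BEFORE, dst), "after:", lookup(after, dst))
```

Because 0.0.0.0/1 and 128.0.0.0/1 together cover the whole address space, there is nothing left to push for 0.0.0.0 once def1 is in place. What def1 does not do is make the return path work: the OpenVPN host must forward the packets it receives from tun0, and either it NATs the 172.16.1.0/24 pool before sending traffic out or the LAN router and the internet gateway must know to send 172.16.1.0/24 back to it. A tunnel that pings the home LAN but not the internet usually fails on that half. On Android the app installs the equivalent routes through the VpnService API rather than the OS routing table, but the prefix logic is the same.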
 
I use the following for phone VPN access on my Galaxy Note 3:

OpenVPN Access Server (virtual machine): it's already built, and all you do is download and run it in a virtual machine host like VMware or VirtualBox, which I am using.

OpenVPN Android client.

A few configurations to the OpenVPN AS and a few configurations to my router, and it works perfectly! Try and see if that helps. It does work for me. Make sure you run Layer 3 routing protocol in OpenVPN AS and not Layer 2 mode, because it will not work with Android. It is self-explanatory once you load the virtual machine. It is so dumbed down it is actually funny how easy the VM is to use through the web interface.
 
You beat me to it!

I just found out about the OpenVPN Android client here: GitHub - schwabe/ics-openvpn: OpenVPN for Android

I was using OpenVPN Connect. I downloaded the OVPNA client, set it up, and what do you know, it works. I still can't ping google.com, but if I go to google.com in the browser, it loads. When I monitor Wireshark I can see the packets flowing from google.com back to the phone. But why doesn't a ping return? I have no fucking clue.

edit:

I also discovered that if I have "push dhcp-option DNS 8.8.8.8" in the configuration file and attempt to browse the web from the phone, I can't with either application. Only after I removed that line was I able to browse the web with the OVPNA client.

According to the log on the OVPNA client, it says that "without a DNS server specified, the connection will use the proxy settings set by your mobile/wifi connection".

edit 2:
Issue 64819 - android - Android 4.4 VPN: DNS request packets' source IP address is always private address - Android Open Source Project - Issue Tracker - Google Project Hosting

Found that bug, which is peculiar.

edit 3:
Setting "push dhcp-option DNS" to my local router, which can function as the DNS server, allows me to browse the web, but only with the OVPNA client, not OpenVPN Connect. Can't ping with either still. WTF.
 
Spoke too soon. After using it a little more, I realized that it was loading cached pages instead of querying them fresh from the DNS. So at this time I can browse the web ONLY with the DNS coming from either the local wifi or the mobile proxy. But the traffic goes through the VPN.
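The server-side mistakes this thread worked through (a TAP device that Android's VPN API cannot provide, the default net30 topology, `redirect-gateway` with no pushed DNS so the client keeps its wifi/mobile resolver, and a pushed DNS address the client has no route to) are all visible in the server config before anyone connects. The following is an added example, not code from the thread or from OpenVPN: a small checker that parses a server.conf and reports those conditions. The two configs are constructed for illustration; the reachability test for the pushed DNS address is a generic sanity check and is not an explanation of the 8.8.8.8 symptom above, which the poster attributes to the linked Android issue.

```python
"""Checks an OpenVPN server config for the pitfalls this thread ran into:
'dev tap' (Android only offers a layer-3 TUN device), the default net30
topology, 'redirect-gateway' without a pushed DNS server (the Android client
then keeps the wifi/mobile resolver, as the OVPNA log message says), a pushed
DNS address the client has no route to, and a missing LAN route.
Added example, not the thread's or OpenVPN's code; both configs are constructed."""
import ipaddress
import shlex

SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
server 172.16.1.0 255.255.255.0
push "route 172.16.0.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
"""

FIXED_SERVER_CONF = """\
port 1194
proto udp
dev tun
topology subnet
server 172.16.1.0 255.255.255.0
push "route 172.16.0.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 172.16.0.1"
"""


def parse_conf(text):
    """Return [(directive, [args...])]. A push "..." line is expanded so the
    pushed directive and its arguments become the push entry's args."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "push" and len(parts) > 1:
            parts = ["push"] + parts[1].split()   # shlex already removed the quotes
        entries.append((parts[0], parts[1:]))
    return entries


def check(conf_text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    entries = parse_conf(conf_text)

    def args_of(name):
        return [a for n, a in entries if n == name]

    pushed = args_of("push")
    findings = []

    dev = args_of("dev")
    if dev and dev[0][0].startswith("tap"):
        findings.append("dev tap: Android only provides a TUN device, use 'dev tun'")

    topo = args_of("topology")
    if not topo or topo[0][0] == "net30":
        findings.append("topology net30 (the default): the OpenVPN topology page warns "
                        "about it on Windows, set 'topology subnet'")

    srv = args_of("server")
    pool = ipaddress.ip_network(f"{srv[0][0]}/{srv[0][1]}") if srv else None
    lan_routes = [ipaddress.ip_network(f"{a[1]}/{a[2]}")
                  for a in pushed if a[0] == "route" and len(a) >= 3]
    redirect = any(a[0] == "redirect-gateway" for a in pushed)
    dns = [ipaddress.ip_address(a[2]) for a in pushed
           if a[0] == "dhcp-option" and len(a) >= 3 and a[1].upper() == "DNS"]

    if not lan_routes:
        findings.append("no pushed route to the LAN: clients can only reach the tunnel subnet")
    if redirect and not dns:
        findings.append("redirect-gateway without 'push \"dhcp-option DNS ...\"': "
                        "clients keep their wifi/mobile resolver")
    for ip in dns:
        reachable = redirect or (pool is not None and ip in pool) or any(ip in n for n in lan_routes)
        if not reachable:
            findings.append(f"pushed DNS {ip} is outside every route the client receives")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_SERVER_CONF), ("fixed", FIXED_SERVER_CONF)):
        print(name, "->", check(conf) or "ok")
```

Run against the sample config the only finding is the missing `topology subnet`, which matches the fix that made everything ping in this thread; the fixed config comes back clean. Pushing a DNS server that sits on the LAN (here the router, as in the last edit above) keeps resolution inside the tunnel, whereas a public resolver only works if the client is also sent a route that reaches it.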
 