Opened 6 years ago
Closed 2 years ago
#1200 closed Bug / Defect (wontfix)
route net_gateway not work on android 8
Reported by: | frans_a4 | Owned by: | OpenVPN Inc. |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | OpenVPN Connect | Version: | |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | openvpn, route, net_gateway, Android |
Cc: |
Description
route www.whatismyip.com 255.255.255.255 net_gateway
OR
route XX.XX.XX.XX 255.255.255.255 net_gateway
(XX.XX.XX.XX = IP Address)
Does not work on Android 8.
The above command works fine on Android 6 and Windows 10.
Change History (13)
comment:1 Changed 6 years ago by
comment:2 Changed 6 years ago by
Hi, Sorry for my poor English.
The problem is a bit difficult to explain. It seems that there are two problems.
Problem1)
route DOMAIN 255.255.255.255 net_gateway
does not work on Android.
Example:
route www.whatismyip.com 255.255.255.255 net_gateway
I get the following error in the OpenVPN client log on Android:
Error parsing IPv4 route: [route] [www.whatismyip.com] [255.255.255.255] [net_gateway] : addr_pair_mask_parse_error: AddrMaskPair parse error 'route': www.whatismyip.com/255.255.255.255 : ip_exception: error parsing route IP address 'www.whatismyip.com' : Invalid argument
Details:
OpenVPN Server: 2.4.7 on windows server 2016
OpenVPN Client (Android): 3.0.5 on Samsung s7 (SM-G930FD) Android 8.0.0 (Patch level: March 1, 2019)
Note: I have to connect to the OpenVPN server via an HTTP proxy because the TLS handshake is blocked by my country's firewall.
X.X.X.X is my server IP.
My Server Config:
proto tcp4
port 1194
dev tun
route-metric 1
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
route-delay 2
tap-sleep 3
status openvpn-status.log
verb 3
My client Config:
client
dev tun
proto tcp
remote X.X.X.X 1194
route X.X.X.X 255.255.255.255 net_gateway
route www.whatismyip.com 255.255.255.255 net_gateway
;http-proxy-retry
http-proxy X.X.X.X 808 auto
<http-proxy-user-pass>
PROXY-USER
PROXY-PASS
</http-proxy-user-pass>
auth-nocache
resolv-retry infinite
nobind
persist-key
persist-tun
route-delay 1 3
comp-lzo
verb 3
<ca>
........
</ca>
<cert>
........
</cert>
<key>
........
</key>
OpenVPN on Android Client LOG:
10:42:09.897 -- ----- OpenVPN Start -----
10:42:09.898 -- EVENT: CORE_THREAD_ACTIVE
10:42:09.901 -- Frame=512/2048/512 mssfix-ctrl=1250
10:42:09.911 -- UNUSED OPTIONS
  8 [auth-nocache]
  9 [resolv-retry] [infinite]
  10 [nobind]
  11 [persist-key]
  12 [persist-tun]
  13 [route-delay] [1] [3]
  15 [verb] [3]
10:42:09.911 -- EVENT: RESOLVE
10:42:09.919 -- Contacting X.X.X.X:808 via HTTP Proxy
10:42:09.920 -- EVENT: WAIT_PROXY
10:42:10.175 -- EVENT: WAIT
10:42:10.180 -- TO PROXY: CONNECT X.X.X.X:1194 HTTP/1.0
  Host: X.X.X.X
10:42:11.329 -- FROM PROXY: HTTP/1.1 407 Unauthorized
  Server: Proxy
  Proxy-Authenticate: Basic realm="CCProxy Authorization"
  Cache-control: no-cache
  Connection: Close
  Proxy-Connection: Close
  Content-Length: 0
10:42:11.333 -- TCP recv EOF
10:42:11.336 -- Proxy method: Basic Proxy-Authenticate header method=Basic [0] realm=CCProxy Authorization
10:42:11.346 -- Contacting X.X.X.X:808 via HTTP Proxy
10:42:11.349 -- EVENT: WAIT_PROXY
10:42:11.534 -- EVENT: WAIT
10:42:11.540 -- TO PROXY: CONNECT X.X.X.X:1194 HTTP/1.0
  Host: X.X.X.X
  Proxy-Authorization: Basic YYYYYYYYYYYYY
10:42:12.721 -- FROM PROXY: HTTP/1.1 200 Connection established
  Proxy-agent: CCProxy
10:42:12.724 -- Connecting to [X.X.X.X]:1194 (X.X.X.X) via TCPv4-via-HTTP
10:42:12.867 -- Proxy: Skipped 1 byte(s) of HTML
10:42:12.869 -- EVENT: CONNECTING
10:42:12.874 -- Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
10:42:12.875 -- Creds: UsernameEmpty/PasswordEmpty
10:42:12.877 -- Peer Info:
  IV_GUI_VER=OC30Android
  IV_VER=3.2
  IV_PLAT=android
  IV_NCP=2
  IV_TCPNL=1
  IV_PROTO=2
  IV_LZO=1
  IV_AUTO_SESS=1
  IV_BS64DL=1
10:42:13.060 -- VERIFY OK : depth=1
  cert. version : 3
  serial number : ZZZZZZZZZZZZZ
  issuer name : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=os-ca, ??=changeme, emailAddress=mail@host.domain
  subject name : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=os-ca, ??=changeme, emailAddress=mail@host.domain
  issued on : 2019-06-18 07:41:44
  expires on : 2029-06-15 07:41:44
  signed using : RSA with SHA-256
  RSA key size : 4096 bits
  basic constraints : CA=true
10:42:13.063 -- VERIFY OK : depth=0
  cert. version : 3
  serial number : 01
  issuer name : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=os-ca, ??=changeme, emailAddress=mail@host.domain
  subject name : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=server, ??=changeme, emailAddress=mail@host.domain
  issued on : 2019-06-18 07:42:39
  expires on : 2029-06-15 07:42:39
  signed using : RSA with SHA-256
  RSA key size : 4096 bits
  basic constraints : CA=false
  cert. type : SSL Server
  key usage : Digital Signature, Key Encipherment
  ext key usage : TLS Web Server Authentication
10:42:13.669 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
10:42:13.673 -- Session is ACTIVE
10:42:13.675 -- EVENT: GET_CONFIG
10:42:13.698 -- Sending PUSH_REQUEST to server...
10:42:13.828 -- OPTIONS:
  0 [route] [X.X.X.X] [255.255.255.255] [net_gateway]
  1 [route] [www.whatismyip.com] [255.255.255.255] [net_gateway]
  2 [redirect-gateway] [def1]
  3 [dhcp-option] [DNS] [8.8.8.8]
  4 [dhcp-option] [DNS] [8.8.4.4]
  5 [route] [10.8.0.1]
  6 [topology] [net30]
  7 [ping] [10]
  8 [ping-restart] [120]
  9 [ifconfig] [10.8.0.6] [10.8.0.5]
  10 [peer-id] [0]
  11 [cipher] [AES-256-GCM]
10:42:13.830 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO
  peer ID: 0
10:42:13.832 -- EVENT: ASSIGN_IP
10:42:13.839 -- Error parsing IPv4 route: [route] [www.whatismyip.com] [255.255.255.255] [net_gateway] : addr_pair_mask_parse_error: AddrMaskPair parse error 'route': www.whatismyip.com/255.255.255.255 : ip_exception: error parsing route IP address 'www.whatismyip.com' : Invalid argument
10:42:13.842 -- Exclude routes emulation:
  0.0.0.0/5 8.0.0.0/7 10.0.0.0/13 10.8.0.0/32 10.8.0.2/31 10.8.0.4/30 10.8.0.8/29 10.8.0.16/28 10.8.0.32/27 10.8.0.64/26 10.8.0.128/25 10.8.1.0/24 10.8.2.0/23 10.8.4.0/22 10.8.8.0/21 10.8.16.0/20 10.8.32.0/19 10.8.64.0/18 10.8.128.0/17 10.9.0.0/16 10.10.0.0/15 10.12.0.0/14 10.16.0.0/12 10.32.0.0/11 10.64.0.0/10 10.128.0.0/9 11.0.0.0/8 12.0.0.0/6 16.0.0.0/4 32.0.0.0/3 64.0.0.0/4 80.0.0.0/5 88.0.0.0/6 92.0.0.0/7 94.0.0.0/8 X.X.X.X/9 X.X.X.X/10 X.X.X.X/12 X.X.X.X/13 X.X.X.X/18 X.X.X.X/20 X.X.X.X/21 X.X.X.X/22 X.X.X.X/23 X.X.X.X/24 X.X.X.X/25 X.X.X.X/26 X.X.X.X/30 X.X.X.X/31 X.X.X.X/32 X.X.X.X/29 X.X.X.X/28 X.X.X.X/27 X.X.X.X/19 X.X.X.X/17 X.X.X.X/16 X.X.X.X/15 X.X.X.X/14 X.X.X.X/11 X.X.X.X/3 128.0.0.0/1
10:42:13.981 -- Connected via tun
10:42:13.983 -- LZO-ASYM init swap=0 asym=0
comment:3 Changed 6 years ago by
Problem2) This is my main problem. I use a local HTTP proxy tunnel to connect to the OpenVPN server for traffic obfuscation on Android (same as Obfsproxy on Windows https://community.openvpn.net/openvpn/wiki/TrafficObfuscation)
OpenVPN Client -> My Local Http Proxy Tunnel -> My Server Http Tunnel (Run on the same machine that is running OpenVPN-Server) -> OpenVPN Server
I add the following line in the client config to use my local http proxy:
http-proxy 127.0.0.1 8088
But OpenVPN Client gets stuck in a loop, trying to connect and then failing. So to solve my problem I added the following line to Client Config:
route X.X.X.X 255.255.255.255 net_gateway
The above command works fine on Android 6 and Windows 10 and prevents looping. But the above command does not solve the problem on Android 8, and OpenVPN gets stuck in a loop, trying to connect and then failing (Transport Error. trying to reconnect...).
Note: If I use OpenVPN for Android 0.6.73 (de.blinkt.openvpn on Google Play) and set my local-http-proxy-tunnel app in the "Allowed Apps" > exclude section, everything works fine on Android 8. But I want to use only the config file to solve my problem.
Same Issue with HTTP Injector https://play.google.com/store/apps/details?id=com.evozi.injector (As Local http proxy on port 8989) + CCProxy http proxy server + OpenVPN
Similar Issue:
https://github.com/StreisandEffect/streisand/issues/922 (Issues with OpenVPN and SSLDroid in Android 8.0)
https://github.com/shadowsocks/shadowsocks-android/issues/1620 (Issues with OpenVPN And Local socks proxy)
Details:
OpenVPN Server: 2.4.7 on windows server 2016
OpenVPN Client (Android): 3.0.5 on Samsung s7 (SM-G930FD) Android 8.0.0 (Patch level: March 1, 2019)
Note: I have to connect to the OpenVPN server via an HTTP proxy because the TLS handshake is blocked by my country's firewall.
X.X.X.X is my server IP.
My Server Config:
proto tcp4
port 1194
dev tun
route-metric 1
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
route-delay 2
tap-sleep 3
status openvpn-status.log
verb 3
My client Config:
client
dev tun
proto tcp
remote X.X.X.X 1194
route X.X.X.X 255.255.255.255 net_gateway
;http-proxy-retry
http-proxy 127.0.0.1 8088 auto
auth-nocache
resolv-retry infinite
nobind
persist-key
persist-tun
route-delay 1 3
comp-lzo
verb 3
<ca>
........
</ca>
<cert>
........
</cert>
<key>
........
</key>
OpenVPN on Android Client LOG:
13:05:01.131 -- ----- OpenVPN Start -----
13:05:01.132 -- EVENT: CORE_THREAD_ACTIVE
13:05:01.138 -- Frame=512/2048/512 mssfix-ctrl=1250
13:05:01.142 -- UNUSED OPTIONS
  6 [auth-nocache]
  7 [resolv-retry] [infinite]
  8 [nobind]
  9 [persist-key]
  10 [persist-tun]
  11 [route-delay] [1] [3]
  13 [verb] [3]
13:05:01.142 -- EVENT: RESOLVE
13:05:01.145 -- Contacting 127.0.0.1:8088 via HTTP Proxy
13:05:01.145 -- EVENT: WAIT_PROXY
13:05:01.150 -- EVENT: WAIT
13:05:01.153 -- TO PROXY: CONNECT X.X.X.X:1194 HTTP/1.0
  Host: X.X.X.X
13:05:03.168 -- FROM PROXY: HTTP/1.1 200 Connection established
  Connection: Keep-Alive
13:05:03.170 -- Connecting to [X.X.X.X]:1194 (127.0.0.1) via TCPv4-via-HTTP
13:05:03.831 -- Proxy: Skipped 1 byte(s) of HTML
13:05:03.833 -- EVENT: CONNECTING
13:05:03.839 -- Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
13:05:03.841 -- Creds: UsernameEmpty/PasswordEmpty
13:05:03.844 -- Peer Info:
  IV_GUI_VER=OC30Android
  IV_VER=3.2
  IV_PLAT=android
  IV_NCP=2
  IV_TCPNL=1
  IV_PROTO=2
  IV_LZO=1
  IV_AUTO_SESS=1
  IV_BS64DL=1
13:05:04.379 -- VERIFY OK : depth=1
  cert. version : 3
  serial number : YYYYYYYYYYYYYYY
  issuer name : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=os-ca, ??=changeme, emailAddress=mail@host.domain
  subject name : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=os-ca, ??=changeme, emailAddress=mail@host.domain
  issued on : 2019-06-18 07:41:44
  expires on : 2029-06-15 07:41:44
  signed using : RSA with SHA-256
  RSA key size : 4096 bits
  basic constraints : CA=true
13:05:04.383 -- VERIFY OK : depth=0
  cert. version : 3
  serial number : 01
  issuer name : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=os-ca, ??=changeme, emailAddress=mail@host.domain
  subject name : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=server, ??=changeme, emailAddress=mail@host.domain
  issued on : 2019-06-18 07:42:39
  expires on : 2029-06-15 07:42:39
  signed using : RSA with SHA-256
  RSA key size : 4096 bits
  basic constraints : CA=false
  cert. type : SSL Server
  key usage : Digital Signature, Key Encipherment
  ext key usage : TLS Web Server Authentication
13:05:05.723 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
13:05:05.727 -- Session is ACTIVE
13:05:05.732 -- EVENT: GET_CONFIG
13:05:05.753 -- Sending PUSH_REQUEST to server...
13:05:06.362 -- OPTIONS:
  0 [route] [X.X.X.X] [255.255.255.255] [net_gateway]
  1 [redirect-gateway] [def1]
  2 [dhcp-option] [DNS] [8.8.8.8]
  3 [dhcp-option] [DNS] [8.8.4.4]
  4 [route] [10.8.0.1]
  5 [topology] [net30]
  6 [ping] [10]
  7 [ping-restart] [120]
  8 [ifconfig] [10.8.0.6] [10.8.0.5]
  9 [peer-id] [0]
  10 [cipher] [AES-256-GCM]
13:05:06.366 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO
  peer ID: 0
13:05:06.370 -- EVENT: ASSIGN_IP
13:05:06.388 -- Exclude routes emulation:
  0.0.0.0/5 8.0.0.0/7 10.0.0.0/13 10.8.0.0/32 10.8.0.2/31 10.8.0.4/30 10.8.0.8/29 10.8.0.16/28 10.8.0.32/27 10.8.0.64/26 10.8.0.128/25 10.8.1.0/24 10.8.2.0/23 10.8.4.0/22 10.8.8.0/21 10.8.16.0/20 10.8.32.0/19 10.8.64.0/18 10.8.128.0/17 10.9.0.0/16 10.10.0.0/15 10.12.0.0/14 10.16.0.0/12 10.32.0.0/11 10.64.0.0/10 10.128.0.0/9 11.0.0.0/8 12.0.0.0/6 16.0.0.0/4 32.0.0.0/3 64.0.0.0/4 80.0.0.0/5 88.0.0.0/6 X.X.X.X/7 X.X.X.X/8 X.X.X.X/9 X.X.X.X/10 X.X.X.X/12 X.X.X.X/13 X.X.X.X/18 X.X.X.X/20 X.X.X.X/21 X.X.X.X/22 X.X.X.X/23 X.X.X.X/24 X.X.X.X/25 X.X.X.X/26 X.X.X.X/30 X.X.X.X/31 X.X.X.X/32 X.X.X.X/29 X.X.X.X/28 X.X.X.X/27 X.X.X.X/19 X.X.X.X/17 X.X.X.X/16 X.X.X.X/15 X.X.X.X/14 X.X.X.X/11 X.X.X.X/3 128.0.0.0/1
13:05:06.506 -- Connected via tun
13:05:06.508 -- LZO-ASYM init swap=0 asym=0
13:05:06.510 -- EVENT: CONNECTED info='@X.X.X.X:1194 (127.0.0.1) via /TCPv4-via-HTTP on tun/10.8.0.6/ gw=[10.8.0.5/]' trans=TO_CONNECTED
13:05:06.537 -- TCP recv EOF
13:05:06.539 -- Transport Error: Transport error on 'X.X.X.X' via HTTP proxy 127.0.0.1:8088 : NETWORK_EOF_ERROR
13:05:06.541 -- EVENT: TRANSPORT_ERROR info='Transport error on 'X.X.X.X' via HTTP proxy 127.0.0.1:8088 : NETWORK_EOF_ERROR' trans=TO_DISCONNECTED
13:05:06.546 -- Client terminated, restarting in 5000 ms...
13:05:11.551 -- EVENT: RECONNECTING
13:05:11.565 -- Contacting 127.0.0.1:8088 via HTTP Proxy
13:05:11.567 -- EVENT: WAIT_PROXY
13:05:11.589 -- EVENT: WAIT
13:05:11.596 -- TO PROXY: CONNECT X.X.X.X:1194 HTTP/1.0
  Host: X.X.X.X
13:05:14.397 -- FROM PROXY: HTTP/1.1 200 Connection established
  Connection: Keep-Alive
...
LOOP & LOOP!
comment:4 Changed 6 years ago by
If you xxx out all of the IP addresses in a configuration that has a routing loop, it is really hard to see what is happening and if there is any bug. So please provide log/config without x.x.x.x so we can figure out what is really happening. This sounds like a bug in the route exclusion emulation, but that part is redacted from your log, so these logs are worthless. Also try if the same config works with OpenVPN for Android without explicitly exempting the app. It uses a different algorithm, so it might yield a different result and can help in understanding what the real issue is.
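Added example (not part of the ticket and not OpenVPN code): a small Python check for the "Exclude routes emulation" log line, assuming that line lists the routes sent into the tunnel in place of a real exclude route. It reports whether a given server address is covered by one of them and how many addresses the visible routes leave unaccounted for, which is what a redacted list makes impossible to verify. `SERVER` is a constructed documentation address and both sample lines are constructed.

```python
import ipaddress
import re

def emulate_exclude(excluded):
    """Include routes covering all of IPv4 except the excluded networks."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in map(ipaddress.ip_network, excluded):
        split = []
        for net in remaining:
            if ex.subnet_of(net):        # exclusion lies inside this route: carve it out
                split.extend(net.address_exclude(ex))
            elif not net.subnet_of(ex):  # unrelated route: keep it unchanged
                split.append(net)
        remaining = split
    return sorted(remaining)

def routes_from_log(line):
    """CIDR routes listed after 'Exclude routes emulation:'; redacted entries are skipped."""
    tail = line.partition("Exclude routes emulation:")[2]
    return [ipaddress.ip_network(t) for t in re.findall(r"\b\d+(?:\.\d+){3}/\d+", tail)]

def audit(line, server):
    """Report whether `server` is routed into the tunnel and how much of IPv4 is unaccounted for."""
    routes = routes_from_log(line)
    ip = ipaddress.ip_address(server)
    hit = next((str(r) for r in routes if ip in r), None)
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(routes))
    return {"routes": len(routes), "server_via_tunnel": hit,
            "unrouted_addresses": 2**32 - covered}

# Constructed inputs: a documentation-range server address and two sample log lines.
SERVER = "203.0.113.10"
SAMPLE = "10:00:00.000 -- Exclude routes emulation: " + " ".join(
    str(n) for n in emulate_exclude([SERVER + "/32"]))
REDACTED = "10:00:00.000 -- Exclude routes emulation: 0.0.0.0/1 X.X.X.X/9 128.0.0.0/2"

if __name__ == "__main__":
    print(audit(SAMPLE, SERVER))    # server bypasses the tunnel, one address unrouted
    print(audit(REDACTED, SERVER))  # large unexplained gap: the list cannot be verified
```

A non-`None` `server_via_tunnel` means the connection to the VPN server would itself be routed into the VPN, which is the routing loop discussed in this ticket.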
comment:5 Changed 6 years ago by
About Problem2)
The latest version of OpenVPN for Android, 0.7.8 (de.blinkt.openvpn), has a problem with the HTTP proxy and it seems to ignore the http-proxy settings https://github.com/schwabe/ics-openvpn/issues/869
So I tested with OpenVPN for Android v0.6.73 on Android 8.
My Results:
- OpenVPN for Android v0.6.73 on Android 8 + local HTTP proxy + without any setting on "Allowed Apps" > exclude + mobile data: OpenVPN can connect after 2~3 loops.
- OpenVPN for Android v0.6.73 on Android 8 + local HTTP proxy + without any setting on "Allowed Apps" > exclude + wifi: OpenVPN cannot connect and gets stuck in a loop, trying to connect and then failing.
- OpenVPN for Android v0.6.73 works fine only if I set my local-http-proxy-tunnel app in the "Allowed Apps" > exclude section.
Note: If I connect to the OpenVPN server without the local proxy, it seems that after connecting,
route X.X.X.X 255.255.255.255 net_gateway
works fine.
For example, after a successful connection to the OpenVPN server and after the VPN connection is established, I checked my IP via a PHP script (that was hosted on the X.X.X.X server) and I saw that my real IP was returned. So after a successful connection to the OpenVPN server, connections to X.X.X.X are made directly, and not through the VPN.
========
OpenVPN on Android Client Full LOG:
https://dl.dropboxusercontent.com/s/05hu2wex2p06ayt/OpenVPN-Full-Logs.txt
Thanks.
comment:7 Changed 5 years ago by
Owner: | set to plaisthos |
---|---|
Status: | new → assigned |
comment:8 Changed 5 years ago by
This is not OpenVPN for Android but rather OpenVPN Connect. Use the official support for that Android client.
comment:9 Changed 5 years ago by
I have this problem with OpenVPN Connect on Android 8.
OpenVPN Connect on Android 8 gets stuck in a loop, trying to connect and then failing, when using a local HTTP proxy tunnel to connect to the OpenVPN server for traffic obfuscation.
comment:10 Changed 4 years ago by
Component: | Generic / unclassified → OpenVPN Connect |
---|---|
Owner: | changed from plaisthos to yuriy |
comment:11 Changed 4 years ago by
Owner: | changed from yuriy to denys |
---|
comment:12 Changed 4 years ago by
Owner: | changed from denys to OpenVPN Inc. |
---|
comment:13 Changed 2 years ago by
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
OpenVPN Inc does not want to receive any feedback for the "Connect"
OpenVPN clients via the community bug trackers (here and in GH issues).
Please resubmit - if still relevant - via https://support.openvpn.net/
Please provide log and OpenVPN for Android version