Opened 8 months ago

Last modified 2 months ago

#1200 assigned Bug / Defect

route net_gateway does not work on Android 8

Reported by: frans_a4 Owned by: plaisthos
Priority: major Milestone:
Component: Generic / unclassified Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: openvpn, route, net_gateway, Android
Cc:

Description

route www.whatismyip.com 255.255.255.255 net_gateway
OR
route XX.XX.XX.XX 255.255.255.255 net_gateway
(XX.XX.XX.XX = IP Address)
does not work on Android 8.

The above command works fine on Android 6 and Windows 10.

Change History (9)

comment:1 Changed 8 months ago by plaisthos

Please provide a log and the OpenVPN for Android version.

comment:2 Changed 8 months ago by frans_a4

Hi, Sorry for my poor English.

The problem is a bit difficult to explain. It seems that there are two problems.

Problem 1)

route DOMAIN 255.255.255.255 net_gateway

does not work on Android.

Example:

route www.whatismyip.com 255.255.255.255 net_gateway

I get the following error in the OpenVPN client log on Android:
Error parsing IPv4 route: [route] [www.whatismyip.com] [255.255.255.255] [net_gateway] : addr_pair_mask_parse_error: AddrMaskPair parse error 'route': www.whatismyip.com/255.255.255.255 : ip_exception: error parsing route IP address 'www.whatismyip.com' : Invalid argument

Details:
OpenVPN Server: 2.4.7 on Windows Server 2016
OpenVPN Client (Android): 3.0.5 on Samsung S7 (SM-G930FD), Android 8.0.0 (patch level: March 1, 2019)
Note: I have to connect to the OpenVPN server via an HTTP proxy because the TLS handshake is blocked by my country's firewall.
X.X.X.X is my server IP.

My Server Config:

proto tcp4
port 1194
dev tun
route-metric 1
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
route-delay 2
tap-sleep 3
status openvpn-status.log
verb 3

My client config:

client
dev tun
proto tcp
remote X.X.X.X 1194
route X.X.X.X 255.255.255.255 net_gateway
route www.whatismyip.com 255.255.255.255 net_gateway
;http-proxy-retry
http-proxy X.X.X.X 808 auto
<http-proxy-user-pass>
PROXY-USER
PROXY-PASS
</http-proxy-user-pass>
auth-nocache
resolv-retry infinite
nobind
persist-key
persist-tun
route-delay 1 3
comp-lzo
verb 3

<ca>
........
</ca>

<cert>
........
</cert>

<key>
........
</key>

OpenVPN on Android client log:

10:42:09.897 -- ----- OpenVPN Start -----
10:42:09.898 -- EVENT: CORE_THREAD_ACTIVE
10:42:09.901 -- Frame=512/2048/512 mssfix-ctrl=1250

10:42:09.911 -- UNUSED OPTIONS
8 [auth-nocache] 
9 [resolv-retry] [infinite] 
10 [nobind] 
11 [persist-key] 
12 [persist-tun] 
13 [route-delay] [1] [3] 
15 [verb] [3] 

10:42:09.911 -- EVENT: RESOLVE

10:42:09.919 -- Contacting X.X.X.X:808 via HTTP Proxy

10:42:09.920 -- EVENT: WAIT_PROXY

10:42:10.175 -- EVENT: WAIT

10:42:10.180 -- TO PROXY: CONNECT X.X.X.X:1194 HTTP/1.0
Host: X.X.X.X


10:42:11.329 -- FROM PROXY: HTTP/1.1 407 Unauthorized
Server: Proxy
Proxy-Authenticate: Basic realm="CCProxy Authorization"
Cache-control: no-cache
Connection: Close
Proxy-Connection: Close
Content-Length: 0


10:42:11.333 -- TCP recv EOF

10:42:11.336 -- Proxy method: Basic
Proxy-Authenticate header
method=Basic
[0] realm=CCProxy Authorization


10:42:11.346 -- Contacting X.X.X.X:808 via HTTP Proxy

10:42:11.349 -- EVENT: WAIT_PROXY

10:42:11.534 -- EVENT: WAIT

10:42:11.540 -- TO PROXY: CONNECT X.X.X.X:1194 HTTP/1.0
Host: X.X.X.X
Proxy-Authorization: Basic YYYYYYYYYYYYY

10:42:12.721 -- FROM PROXY: HTTP/1.1 200 Connection established
Proxy-agent: CCProxy

10:42:12.724 -- Connecting to [X.X.X.X]:1194 (X.X.X.X) via TCPv4-via-HTTP

10:42:12.867 -- Proxy: Skipped 1 byte(s) of HTML

10:42:12.869 -- EVENT: CONNECTING

10:42:12.874 -- Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client

10:42:12.875 -- Creds: UsernameEmpty/PasswordEmpty

10:42:12.877 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_AUTO_SESS=1
IV_BS64DL=1


10:42:13.060 -- VERIFY OK : depth=1
cert. version     : 3
serial number     : ZZZZZZZZZZZZZ
issuer name       : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=os-ca, ??=changeme, emailAddress=mail@host.domain
subject name      : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=os-ca, ??=changeme, emailAddress=mail@host.domain
issued  on        : 2019-06-18 07:41:44
expires on        : 2029-06-15 07:41:44
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true


10:42:13.063 -- VERIFY OK : depth=0
cert. version     : 3
serial number     : 01
issuer name       : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=os-ca, ??=changeme, emailAddress=mail@host.domain
subject name      : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=server, ??=changeme, emailAddress=mail@host.domain
issued  on        : 2019-06-18 07:42:39
expires on        : 2029-06-15 07:42:39
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=false
cert. type        : SSL Server
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication


10:42:13.669 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

10:42:13.673 -- Session is ACTIVE

10:42:13.675 -- EVENT: GET_CONFIG

10:42:13.698 -- Sending PUSH_REQUEST to server...

10:42:13.828 -- OPTIONS:
0 [route] [X.X.X.X] [255.255.255.255] [net_gateway] 
1 [route] [www.whatismyip.com] [255.255.255.255] [net_gateway] 
2 [redirect-gateway] [def1] 
3 [dhcp-option] [DNS] [8.8.8.8] 
4 [dhcp-option] [DNS] [8.8.4.4] 
5 [route] [10.8.0.1] 
6 [topology] [net30] 
7 [ping] [10] 
8 [ping-restart] [120] 
9 [ifconfig] [10.8.0.6] [10.8.0.5] 
10 [peer-id] [0] 
11 [cipher] [AES-256-GCM] 


10:42:13.830 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO
  peer ID: 0

10:42:13.832 -- EVENT: ASSIGN_IP

10:42:13.839 -- Error parsing IPv4 route: [route] [www.whatismyip.com] [255.255.255.255] [net_gateway]  : addr_pair_mask_parse_error: AddrMaskPair parse error 'route': www.whatismyip.com/255.255.255.255 : ip_exception: error parsing route IP address 'www.whatismyip.com' : Invalid argument

10:42:13.842 -- Exclude routes emulation:
0.0.0.0/5
8.0.0.0/7
10.0.0.0/13
10.8.0.0/32
10.8.0.2/31
10.8.0.4/30
10.8.0.8/29
10.8.0.16/28
10.8.0.32/27
10.8.0.64/26
10.8.0.128/25
10.8.1.0/24
10.8.2.0/23
10.8.4.0/22
10.8.8.0/21
10.8.16.0/20
10.8.32.0/19
10.8.64.0/18
10.8.128.0/17
10.9.0.0/16
10.10.0.0/15
10.12.0.0/14
10.16.0.0/12
10.32.0.0/11
10.64.0.0/10
10.128.0.0/9
11.0.0.0/8
12.0.0.0/6
16.0.0.0/4
32.0.0.0/3
64.0.0.0/4
80.0.0.0/5
88.0.0.0/6
92.0.0.0/7
94.0.0.0/8
X.X.X.X/9
X.X.X.X/10
X.X.X.X/12
X.X.X.X/13
X.X.X.X/18
X.X.X.X/20
X.X.X.X/21
X.X.X.X/22
X.X.X.X/23
X.X.X.X/24
X.X.X.X/25
X.X.X.X/26
X.X.X.X/30
X.X.X.X/31
X.X.X.X/32
X.X.X.X/29
X.X.X.X/28
X.X.X.X/27
X.X.X.X/19
X.X.X.X/17
X.X.X.X/16
X.X.X.X/15
X.X.X.X/14
X.X.X.X/11
X.X.X.X/3
128.0.0.0/1

10:42:13.981 -- Connected via tun

10:42:13.983 -- LZO-ASYM init swap=0 asym=0
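The "Exclude routes emulation" block in the log above is what an OpenVPN 3 client does on a platform that only accepts positive routes (Android's VpnService cannot express "send this host via the underlying gateway"): instead of installing a `net_gateway` bypass, it installs the complement of the excluded hosts as a set of CIDR prefixes. The Python below is an added illustration of that splitting, not code from the ticket, OpenVPN 3 or OpenVPN Connect. The two excluded hosts are constructed inputs: 10.8.0.1 as in the log, and 203.0.113.10 (documentation range) standing in for the redacted server address X.X.X.X.

```python
import ipaddress

# Constructed inputs (not taken from the ticket): the default route pushed by
# "redirect-gateway def1", plus two hosts excluded via "route ... net_gateway".
# 203.0.113.10 is a documentation-range stand-in for the redacted server IP.
DEFAULT_ROUTE = "0.0.0.0/0"
EXCLUDED_HOSTS = ["10.8.0.1/32", "203.0.113.10/32"]


def emulate_exclusions(include, excludes):
    """Split `include` into the smallest set of prefixes that covers every
    address in it except those in `excludes`.

    This reproduces the shape of the "Exclude routes emulation" list in the
    log: a /0 with one /32 carved out becomes 32 prefixes (/1 down to /32),
    and each further excluded host splits whichever chunk contains it.
    """
    remaining = [ipaddress.ip_network(include)]
    for ex in excludes:
        ex_net = ipaddress.ip_network(ex)
        next_round = []
        for net in remaining:
            if ex_net.subnet_of(net):
                # Carve the exclusion out; address_exclude yields the sibling
                # prefix at every level down to ex_net's prefix length.
                next_round.extend(net.address_exclude(ex_net))
            elif net.subnet_of(ex_net):
                continue  # chunk lies wholly inside an exclusion: drop it
            else:
                next_round.append(net)
        remaining = next_round
    # ip_network sorts by network address, then prefix length, which is the
    # same order the client log prints (0.0.0.0/5, 8.0.0.0/7, 10.0.0.0/13, ...).
    return sorted(remaining)


def covered_by(prefixes, address):
    """Return the most specific prefix in `prefixes` containing `address`,
    or None when no prefix matches (the address bypasses the tunnel)."""
    addr = ipaddress.ip_address(address)
    matches = [p for p in prefixes if addr in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None


def check_emulation(include, excludes):
    """Sanity-check an emulated route set: every excluded host falls through
    to the underlying gateway, and no two emitted prefixes overlap (an
    overlap would mean the client installed a duplicate or ambiguous route)."""
    prefixes = emulate_exclusions(include, excludes)
    for ex in excludes:
        host = ipaddress.ip_network(ex).network_address
        if covered_by(prefixes, host) is not None:
            return False
    for i, p in enumerate(prefixes):
        for q in prefixes[i + 1:]:
            if p.overlaps(q):
                return False
    return True


if __name__ == "__main__":
    routes = emulate_exclusions(DEFAULT_ROUTE, EXCLUDED_HOSTS)
    for r in routes:
        print(r)
    print(len(routes), "prefixes installed;",
          "10.8.0.1 ->", covered_by(routes, "10.8.0.1"),
          "| 8.8.8.8 ->", covered_by(routes, "8.8.8.8"))
```

Running it prints the same leading entries as the ticket's log (0.0.0.0/5, 8.0.0.0/7, 10.0.0.0/13, 10.8.0.0/32, 10.8.0.2/31, ...), which is a useful way to read such a log: the position where a run of ever-narrower prefixes converges tells you which host is being excluded, so with the server address redacted the exclusion list itself still leaks that address, which is why the developer asks for an unredacted log.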

comment:3 Changed 8 months ago by frans_a4

Problem 2) This is my main problem. I use a local HTTP proxy tunnel to connect to the OpenVPN server for traffic obfuscation on Android (same as Obfsproxy on Windows, https://community.openvpn.net/openvpn/wiki/TrafficObfuscation).

OpenVPN Client -> my local HTTP proxy tunnel -> my server HTTP tunnel (running on the same machine as the OpenVPN server) -> OpenVPN Server

I add the following line to the client config to use my local HTTP proxy:

http-proxy 127.0.0.1 8088

But the OpenVPN client gets stuck in a loop, trying to connect and then failing. So to solve my problem I added the following line to the client config:

route X.X.X.X 255.255.255.255 net_gateway

The above command works fine on Android 6 and Windows 10 and prevents the looping. But it does not solve the problem on Android 8, and OpenVPN gets stuck in a loop, trying to connect and then failing (Transport Error, trying to reconnect...).

Note: If I use OpenVPN for Android 0.6.73 (de.blinkt.openvpn on Google Play) and put my local HTTP proxy tunnel app in the "Allowed Apps" > exclude section, everything works fine on Android 8. But I want to solve my problem using only the config file.

Same issue with HTTP Injector https://play.google.com/store/apps/details?id=com.evozi.injector (as local HTTP proxy on port 8989) + CCProxy HTTP proxy server + OpenVPN.

Similar issues:
https://github.com/StreisandEffect/streisand/issues/922 (issues with OpenVPN and SSLDroid on Android 8.0)

https://github.com/shadowsocks/shadowsocks-android/issues/1620 (issues with OpenVPN and a local SOCKS proxy)

Details:
OpenVPN Server: 2.4.7 on Windows Server 2016
OpenVPN Client (Android): 3.0.5 on Samsung S7 (SM-G930FD), Android 8.0.0 (patch level: March 1, 2019)
Note: I have to connect to the OpenVPN server via an HTTP proxy because the TLS handshake is blocked by my country's firewall.
X.X.X.X is my server IP.

My Server Config:

proto tcp4
port 1194
dev tun
route-metric 1
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
route-delay 2
tap-sleep 3
status openvpn-status.log
verb 3

My client config:

client
dev tun
proto tcp
remote X.X.X.X 1194
route X.X.X.X 255.255.255.255 net_gateway
;http-proxy-retry
http-proxy 127.0.0.1 8088 auto
auth-nocache
resolv-retry infinite
nobind
persist-key
persist-tun
route-delay 1 3
comp-lzo
verb 3

<ca>
........
</ca>

<cert>
........
</cert>

<key>
........
</key>

OpenVPN on Android client log:

13:05:01.131 -- ----- OpenVPN Start -----

13:05:01.132 -- EVENT: CORE_THREAD_ACTIVE

13:05:01.138 -- Frame=512/2048/512 mssfix-ctrl=1250

13:05:01.142 -- UNUSED OPTIONS
6 [auth-nocache] 
7 [resolv-retry] [infinite] 
8 [nobind] 
9 [persist-key] 
10 [persist-tun] 
11 [route-delay] [1] [3] 
13 [verb] [3] 


13:05:01.142 -- EVENT: RESOLVE

13:05:01.145 -- Contacting 127.0.0.1:8088 via HTTP Proxy

13:05:01.145 -- EVENT: WAIT_PROXY

13:05:01.150 -- EVENT: WAIT

13:05:01.153 -- TO PROXY: CONNECT X.X.X.X:1194 HTTP/1.0
Host: X.X.X.X


13:05:03.168 -- FROM PROXY: HTTP/1.1 200 Connection established
Connection: Keep-Alive


13:05:03.170 -- Connecting to [X.X.X.X]:1194 (127.0.0.1) via TCPv4-via-HTTP

13:05:03.831 -- Proxy: Skipped 1 byte(s) of HTML

13:05:03.833 -- EVENT: CONNECTING

13:05:03.839 -- Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client

13:05:03.841 -- Creds: UsernameEmpty/PasswordEmpty

13:05:03.844 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_AUTO_SESS=1
IV_BS64DL=1


13:05:04.379 -- VERIFY OK : depth=1
cert. version     : 3
serial number     : YYYYYYYYYYYYYYY
issuer name       : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=os-ca, ??=changeme, emailAddress=mail@host.domain
subject name      : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=os-ca, ??=changeme, emailAddress=mail@host.domain
issued  on        : 2019-06-18 07:41:44
expires on        : 2029-06-15 07:41:44
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true


13:05:04.383 -- VERIFY OK : depth=0
cert. version     : 3
serial number     : 01
issuer name       : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=os-ca, ??=changeme, emailAddress=mail@host.domain
subject name      : C=US, ST=CA, L=SanFrancisco, O=os, OU=changeme, CN=server, ??=changeme, emailAddress=mail@host.domain
issued  on        : 2019-06-18 07:42:39
expires on        : 2029-06-15 07:42:39
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=false
cert. type        : SSL Server
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication


13:05:05.723 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

13:05:05.727 -- Session is ACTIVE

13:05:05.732 -- EVENT: GET_CONFIG

13:05:05.753 -- Sending PUSH_REQUEST to server...

13:05:06.362 -- OPTIONS:
0 [route] [X.X.X.X] [255.255.255.255] [net_gateway] 
1 [redirect-gateway] [def1] 
2 [dhcp-option] [DNS] [8.8.8.8] 
3 [dhcp-option] [DNS] [8.8.4.4] 
4 [route] [10.8.0.1] 
5 [topology] [net30] 
6 [ping] [10] 
7 [ping-restart] [120] 
8 [ifconfig] [10.8.0.6] [10.8.0.5] 
9 [peer-id] [0] 
10 [cipher] [AES-256-GCM] 


13:05:06.366 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: LZO
  peer ID: 0

13:05:06.370 -- EVENT: ASSIGN_IP

13:05:06.388 -- Exclude routes emulation:
0.0.0.0/5
8.0.0.0/7
10.0.0.0/13
10.8.0.0/32
10.8.0.2/31
10.8.0.4/30
10.8.0.8/29
10.8.0.16/28
10.8.0.32/27
10.8.0.64/26
10.8.0.128/25
10.8.1.0/24
10.8.2.0/23
10.8.4.0/22
10.8.8.0/21
10.8.16.0/20
10.8.32.0/19
10.8.64.0/18
10.8.128.0/17
10.9.0.0/16
10.10.0.0/15
10.12.0.0/14
10.16.0.0/12
10.32.0.0/11
10.64.0.0/10
10.128.0.0/9
11.0.0.0/8
12.0.0.0/6
16.0.0.0/4
32.0.0.0/3
64.0.0.0/4
80.0.0.0/5
88.0.0.0/6
X.X.X.X/7
X.X.X.X/8
X.X.X.X/9
X.X.X.X/10
X.X.X.X/12
X.X.X.X/13
X.X.X.X/18
X.X.X.X/20
X.X.X.X/21
X.X.X.X/22
X.X.X.X/23
X.X.X.X/24
X.X.X.X/25
X.X.X.X/26
X.X.X.X/30
X.X.X.X/31
X.X.X.X/32
X.X.X.X/29
X.X.X.X/28
X.X.X.X/27
X.X.X.X/19
X.X.X.X/17
X.X.X.X/16
X.X.X.X/15
X.X.X.X/14
X.X.X.X/11
X.X.X.X/3
128.0.0.0/1

13:05:06.506 -- Connected via tun

13:05:06.508 -- LZO-ASYM init swap=0 asym=0

13:05:06.510 -- EVENT: CONNECTED info='@X.X.X.X:1194 (127.0.0.1) via /TCPv4-via-HTTP on tun/10.8.0.6/ gw=[10.8.0.5/]' trans=TO_CONNECTED

13:05:06.537 -- TCP recv EOF

13:05:06.539 -- Transport Error: Transport error on 'X.X.X.X' via HTTP proxy 127.0.0.1:8088 : NETWORK_EOF_ERROR

13:05:06.541 -- EVENT: TRANSPORT_ERROR info='Transport error on 'X.X.X.X' via HTTP proxy 127.0.0.1:8088 : NETWORK_EOF_ERROR' trans=TO_DISCONNECTED

13:05:06.546 -- Client terminated, restarting in 5000 ms...

13:05:11.551 -- EVENT: RECONNECTING

13:05:11.565 -- Contacting 127.0.0.1:8088 via HTTP Proxy

13:05:11.567 -- EVENT: WAIT_PROXY

13:05:11.589 -- EVENT: WAIT

13:05:11.596 -- TO PROXY: CONNECT X.X.X.X:1194 HTTP/1.0
Host: X.X.X.X


13:05:14.397 -- FROM PROXY: HTTP/1.1 200 Connection established
Connection: Keep-Alive
...

LOOP & LOOP!


comment:4 Changed 8 months ago by plaisthos

If you xxx out all of the IP addresses in a configuration that has a routing loop, it is really hard to see what is happening and whether there is any bug. So please provide the log/config without x.x.x.x so we can figure out what is really happening. This sounds like a bug in the route exclusion emulation, but that part is redacted from your log, so these logs are worthless. Also try whether the same config works with OpenVPN for Android without explicitly exempting the app. It uses a different algorithm, so it might yield other results and can help in understanding what the real issue is.

comment:5 Changed 8 months ago by frans_a4

About Problem 2)
OpenVPN for Android 0.7.8, the latest version (de.blinkt.openvpn), has a problem with HTTP proxies and seems to ignore the http-proxy settings: https://github.com/schwabe/ics-openvpn/issues/869
So I tested with OpenVPN for Android v0.6.73 on Android 8.

My Results:

  • OpenVPN for Android v0.6.73 on Android 8 + local HTTP proxy + nothing set in "Allowed Apps" > exclude + mobile data: OpenVPN can connect after 2~3 loops.
  • OpenVPN for Android v0.6.73 on Android 8 + local HTTP proxy + nothing set in "Allowed Apps" > exclude + Wi-Fi: OpenVPN cannot connect and gets stuck in a loop, trying to connect and then failing.
  • OpenVPN for Android v0.6.73 works fine only if I put my local HTTP proxy tunnel app in the "Allowed Apps" > exclude section.

Note: If I connect to the OpenVPN server without the local proxy, it seems that after connecting,

route X.X.X.X 255.255.255.255 net_gateway

works fine.

For example, after a successful connection to the OpenVPN server and after the VPN connection was established, I checked my IP via a PHP script (hosted on the X.X.X.X server) and saw that my real IP was returned. So after a successful connection to the OpenVPN server, the connection to X.X.X.X is made directly, and not through the VPN.

========

OpenVPN on Android client full log:
https://dl.dropboxusercontent.com/s/05hu2wex2p06ayt/OpenVPN-Full-Logs.txt

Thanks.


comment:6 Changed 6 months ago by frans_a4

I really need this feature. Please fix the issue. Thanks.

comment:7 Changed 4 months ago by Gert Döring

Owner: set to plaisthos
Status: new → assigned

comment:8 Changed 4 months ago by plaisthos

This is not OpenVPN for Android but rather OpenVPN Connect. Use the official support for that Android client.

comment:9 Changed 2 months ago by frans_a4

I have this problem with OpenVPN Connect on Android 8.

OpenVPN Connect on Android 8 gets stuck in a loop, trying to connect and then failing, when using a local HTTP proxy tunnel to connect to the OpenVPN server for traffic obfuscation.
