Posted: Mon Feb 08, 2016 17:14 Post subject: Android OpenVPN app can not connect to home OpenVPN server
I have a Linksys e2500 flashed with DD-WRT v24-sp2 (03/25/13) big at work. I have full access and authority to making changes to this router.
I have a working OpenVPN server on my pfsense box at home.
On a PC I can connect to my home vpn server from anywhere.
On my phone I can connect to it using the Android OpenVPN app when I'm on mobile data.
I do not have OpenVPN client or server configured in the e2500.
Problem:
On my phone connected to the Wifi of my work's Linksys e2500 mentioned above, I can not connect to my home's OpenVPN server. The connection times out. I'm connected to the main wifi, not guest wifi.
I suspect it has something to do with routing in the e2500's firewall rules.
Code:
#Allow guest bridge access to Internet
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Block access between private and guest
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 192.9.200.0/24 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 192.9.201.0/24 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 192.9.203.0/24 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#NAT to make Internet work
#iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -t nat -I POSTROUTING -s 192.168.5.0/24 -j SNAT --to `nvram get lan_ipaddr`
The above rules pertain to a working guest wifi network that only has internet access and is blocked from all subnets on the lan.
Anyway, I have very little understanding of the rules above. I simply pieced them together from some guides online and some help from this forum in the past.
Therefore, I don't know why my OpenVPN client on my android can not connect to my home OpenVPN server when I'm connected to my work's ddwrt router.
I assume the wifi network otherwise works for accessing other internet websites?
Correct
Quote:
If you use the private wireless network w/ the Android, it works?
I never thought to do this... wow. It DOES work when connected to the private wireless network (guest wifi)
Also, I just remembered that the lan wifi has MAC filtering enabled to only allow macs listed - I don't know if that has anything to do with it.
Quote:
Did you try any other wifi devices besides the Android? Would help to know if this is only an Android problem (or only THAT Android device) vs. more general problem.
I haven't since right now I don't have any other wireless devices at my disposal. But now that I see that it works on the private wireless network should I still try when I can get my hands on another wireless device?
Quote:
Does the pfSense server indicate any activity? Any error messages in the log? Any indication at all the server was even reached? What about your home router? Is it capable of providing similar information?
No, it doesn't indicate any activity or indication that a connection is even being attempted (when on the lan wifi)
Quote:
Based on the NAT rule, it appears this router is configured as a WAP (i.e., no WAN). It might be interesting to know if it was configured as a router (WAN to LAN) whether that made a difference. In fact, if you're only using the router for your own purposes, I don't see the need to use a WAP config, but just use the default private network (br0) behind the WAN.
I believe the set up goes ISP > Firewall device > Switch > e2500 router. I put the e2500 is place to offer up Wifi (isolated from the lan) for customers, as well as be able to access the lan PCs when I'm on the lan wifi. So I don't strictly use this for my own purposes.
I should just be happy that I can use my Android to connect to my OpenVPN server at home when connected to the guest Wifi but I'm still wondering how to get it working when connected to the Lan Wifi.
What other information can I provide?
Edit: I've attached some screen shots of the e2500 ddwrt webgui
Your Additional DNSMasq Options are set to br0, they should be br1!
Oh man, I should have expanded window. Below is the full text from the window. I don't remember exactly why I used this section for DHCP for the lan wifi too instead of using the DHCP settings on the Setup > Basic Setup page. Is it a problem to have this in addition to the DHCP settings for the guest wifi (br1)?
Code:
# Enables DHCP on br0
interface=br0
# Set the default gateway for br0 clients
dhcp-option=br0,3,192.9.201.250
# Set the DHCP range and default lease time of 10 hours for br0 clients
dhcp-range=br0,192.9.201.181,192.9.201.185,255.255.255.0,10h
# Enables DHCP on br1
interface=br1
# Set the default gateway for br1 clients
dhcp-option=br1,3,192.168.5.100
# Set the DHCP range and default lease time of 10 hours for br1 clients
dhcp-range=br1,192.168.5.101,192.168.5.110,255.255.255.0,10h
Also, thank you for this valuable advice - I will definitely make those changes as I definitely don't want guests to be able to resolve local DNS names.
eibgrad wrote:
I also make it a habit to specify DNS servers for the guest network.
dhcp-option=br1,6,8.8.8.8,8.8.4.4
I believe it just defaults to the private network's DNS server, so it's not likely the problem. But it's good practice since you probably don't want guests being able to resolve local DNS names, even if they can't access them.
