OpenVPN on mobile/Android connects but I can't access anything over the browser, but when on a foreign WiFi it's fine

I had such success for my first post I thought I’d try to solve a nagging issue I’ve had with OpenVPN on mobile (pfSense).

Simply, this used to work flawlessly, but for months now I cannot access my home network servers over the browser when connected to my OpenVPN on my Google Pixel running Android 13. It CONNECTS no problem (quickly even) and I can ping local addresses as well as internet addresses (1.1.1.1 or Google), but I cannot bring up any of my local servers from the browser. It could be a speed issue because I also have issues with a lot of webpages, often things timing out, getting the pared-down version or only being able to load simple ones like the CTA Train Tracker (after much delay). From what I understand there’s a speed slowdown when connected over OpenVPN but nothing this drastic (also this EXACT same setup used to work flawlessly, even when tethering a laptop to my phone). I’ve run speed tests on my phone when on (1) mobile but connected to nothing, (2) when connected to OpenVPN over mobile and (3) OpenVPN over foreign WiFi as well as (4) at home. All are comparably close except the OpenVPN connection over mobile, which is drastically slower.

@neogrid was generous enough with their time to help me fix an auto-generated NAT rule that fixed a (maybe!) unrelated problem and I’m wondering if my problem is also in the NAT rules. Another theory I’ve been offered from another forum was that my phone is forcing IPv6 and that’s colliding with something. This may have merit, as when I was troubleshooting a created VLAN WiFi that wasn’t accessing the internet, I would connect my phone to the WiFi that DEF didn’t have internet access and was able to pull up webpages. In the About section I had an IPv6 address. So this is possible but I’m not sure how to fix or troubleshoot further.

Screenshots of relevant settings:

Please let me know what other information would be helpful for troubleshooting.

You need to have a gateway for the OpenVPN network; I don’t recall if this gets created in the wizard or not.

Also I tend to create a new interface for the OpenVPN server instead of using the default; just call it MyOpenVPN, then you can distinguish it.

You can think of your OpenVPN as just another network, so you need rules that will allow it to access your VLANs or LAN that are in place.

I’d suggest setting up a second OpenVPN server manually, then you can really see how OpenVPN should be configured.

Not too sure what is going wrong in your config. I don’t combine those IPv4+IPv6 rules, though I don’t recall the reason.


That’s very observant. I added the IPv4+IPv6 as a feeble, and ultimately fruitless, attempt to address the possibility that my phone was somehow forcing IPv6. I actually don’t have any specific or intentional needs for IPv6, so I would be happy to remove it whenever it’s working stably…

Where would I see if this is set accurately? Let me know if there’s a screenshot I could include to show it, please…

Inspect System >> Routing >> Gateways. If it’s not there you can add one.


Sorry for the delay, been a rough couple of days. The name is “WANGW” and the gateway listed is similar to my public IP; it’s actually 5 spots higher… for instance my public IP is xx.xxx.xxx.241 and the gateway listed is xx.xxx.xxx.246

Hmmm, not sure if that looks correct. I can see that on mine the GW address is from the tunnel IP network.

Though I haven’t used the wizard to create an OpenVPN RAS, it might be right.

I’m sorry, I’m not that familiar with these terms. Is the tunnel IP because you have a site-to-site tunnel set up? So essentially the GW address you see is akin to the public IP address someone who’s just connected to the internet would see? I have an AT&T Fiber ONT and, it’s been years, but I reserved a pool of 5 static IPs and there was some tomfoolery I needed to enact to get the ONT to play nice with the pfSense; perhaps that’s why it’s 5 higher. As a reminder, nothing was changed by me between it working flawlessly and not working on mobile.

Is OpenVPN RAS = OpenVPN Remote Access…System? I’m guessing the IP being 5 away from my public WAN IP is just because I have a pool of 5 static IPs, but I will try to access the AT&T ONT tonight (not 100% sure I remember how to do this).

It sounds like you’re using the static IP to connect back home over the VPN. I’m using a DDNS, so there could be a difference there; it sounds like it should connect. You will then need a NAT rule if you are coming in on another WAN address. I’m not sure how you deal with more than one WAN IP; perhaps using just one to begin with will allow you to progress.

I would review some of Tom’s OpenVPN YouTube vids; I don’t recall if he has used the wizard or not.

I have watched a bunch of them but I will def go back for a 2nd or 3rd pass (that’s what I did with the VLAN/IoT ones and I was always picking up/understanding new things).

Everything you said is accurate, but I am using a DDNS in conjunction with my static IPs. I know it’s unnecessary, but I had it set up on a subdomain of my personal webpage for years before I switched to fiber and its pool of 5 static IPs. Again, I feel like a broken record, but the setup was working with the DDNS enabled for years with AT&T before it stopped working. I’m more and more convinced it’s a change to my mobile network provider…

If you are trying to remotely access your internal network from the local network, then it won’t work. Which is why you can use cellular and foreign WiFi and it works fine.

Foreign WiFi works fine, but cellular does NOT work fine. That’s kind of the crux of the problem…

Has your phone updated recently or have you made any network setting change?

Have you tried to pull logs from the OpenVPN app to see any issues?

I have not made any network setting changes, but my phone updates with some regularity. I’ve also upgraded the phone in the interim (Pixel 6 to Pixel 7, with the same issue). Something I have ALSO noticed is that my phone that used to work fine on the subway no longer does. So it’s possible it’s just a Google Fi issue, or one of its constituent networks did something to make it worse. My only hesitation to this is that I live in Chicago, and would imagine if it was a Google Fi issue SOMEONE from Reddit et al. would’ve posted something about it, and I’ve found no fellow complaints.

I had not considered pulling logs from OpenVPN. I’m not the best at reading logs, but my best understanding here is that it logged me connecting to the VPN but then nothing past that. After the last event in this log I switched over to the browser and continued to get timed out on all my local IPs as well as webpages. I also opened up JuiceSSH on my phone and successfully pinged the IP address of my at-home router and 1.1.1.1 but, again, nothing further was added to the log. I’ll look for verbose logging now…

14:27:44.052 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  key-derivation: OpenVPN PRF
  compress: NONE
  peer ID: 0
  control channel: tls-auth enabled

14:27:44.053 -- EVENT: ASSIGN_IP

14:27:44.087 -- Connected via tun

14:27:44.088 -- EVENT: CONNECTED info='xxxxxxxxx:1194 (99.124.237.241) via /UDPv4 on tun/10.10.11.2/ gw=[10.10.11.1/]'

I saw that literally yesterday Google Fi announced it was dropping US Cellular as an official provider. Maybe it’s been a long time coming, but I know Chicago is the land of US Cell…

So I’ve kind of hit a roadblock with this. I learned from this video at around the 20 min mark how to check the OpenVPN logs, which I was very optimistic about, but it didn’t really spit out any obvious, consistent errors. Said it connected with IPv6 disabled and that was it… I was googling each individual entry for any clues, but would be curious if there are any more suggestions for tracking down this issue. I’ll reluctantly move on if I can definitively trace it back to my mobile provider, but I keep holding out hope there’s a fix…

I think if I can answer this I can solve my problem. Why can I SSH into my various server GUIs but not bring up the WebUI in the browser? What would present that kind of behavior? I saw something on the OpenVPN forums that was a similar but not identical problem that was solved by adjusting the MTU size on Windows 7. That’s a bit beyond me, but maybe it gives someone an idea of something I should check…
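One way to test the MTU theory raised in the last post, as an added example rather than anything from the thread: small packets (ping, SSH keystrokes) fit under a path MTU that is silently lower over cellular, while full-size HTTP/TLS segments get dropped, which is exactly "pings work, web pages time out". The script below binary-searches the largest don't-fragment ping that survives across the tunnel; it assumes a Linux host (e.g. a laptop tethered to the phone) whose `ping` supports `-M do`, and that `tun0` and `10.10.11.1` (the gateway from the log above) are the VPN interface and target, both of which are assumptions.

```python
"""Path-MTU probe for an OpenVPN tunnel that passes ping/SSH but stalls web pages.
Added example, not from the thread or from pfSense/OpenVPN; Linux `ping` flags assumed."""
import subprocess
from typing import Callable, Optional

ICMP_IP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header on top of the payload


def ping_probe(target: str, payload: int, iface: Optional[str] = "tun0") -> bool:
    """Send one ping with DF set and the given payload; True if a reply came back."""
    cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload)]
    if iface:
        cmd += ["-I", iface]  # force the probe out over the VPN interface (assumed name)
    cmd.append(target)
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest total IP packet size (payload + 28) that survives with DF set.

    `probe(payload)` returns True when a payload of that size gets through; the
    predicate is monotone (bigger always harder), so binary search is valid."""
    if not probe(lo - ICMP_IP_OVERHEAD):
        raise RuntimeError(f"even {lo}-byte packets are dropped; tunnel itself is broken")
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid - ICMP_IP_OVERHEAD):
            best, lo = mid, mid + 1   # fits: search upward
        else:
            hi = mid - 1              # dropped: search downward
    return best


def diagnose(path_mtu: int, tun_mtu: int = 1500) -> str:
    """Compare what the path actually carries with what the tun interface assumes."""
    if path_mtu >= tun_mtu:
        return "ok: path carries full-size tunnel packets"
    return (f"black hole likely: tun MTU {tun_mtu} but only {path_mtu}-byte packets pass; "
            f"lower tun-mtu / mssfix so segments fit under {path_mtu}")


if __name__ == "__main__":
    # Run this while the VPN is up over the suspect network, then again on a network
    # that works; a lower figure on cellular points at MTU rather than firewall rules.
    mtu = find_path_mtu(lambda p: ping_probe("10.10.11.1", p))
    print(mtu, diagnose(mtu))
```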