longzuyuan / ics-openvpn

Automatically exported from code.google.com/p/ics-openvpn

HTTP Proxy connection gets lost when OpenVPN is connected #70

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Thanks for supporting system wide http proxy settings, much appreciated!
Now however there's another issue arising:

When connecting to an OpenVPN server through the system's http proxy server, 
the connection can be established successfully (sometimes even some data goes 
through), but then suddenly the connection gets lost.

In the log we see
"P:Initialization Sequence Completed"
"P:MANAGEMENT: >STATE:<some_number>,CONNECTED,SUCCESS,<new vpn local IP>,<proxy 
IP>"

and then, about 2 or 3 seconds later:
"P:WWConnection reset, restarting [0]"

and the connection will get lost and re-established. This runs in an endless 
loop.

From my Desktop PC experience with OpenVPN I know that there's an issue 
regarding client side http proxies and the routing table.
Apparently it's hard to teach OpenVPN to _not_ route traffic to the proxy IP 
through the VPN tunnel. I never succeeded in solving this issue within OpenVPN 
itself and on Desktop PCs eventually ended up with running a cmd script on 
connect, where the cmd will delete one routing table entry (local IP address to 
VPN gateway) and modify a second one (route proxy IP address through local 
interface).

Unfortunately this workaround isn't possible on android, so the question is how 
to keep OpenVPN from trying to route the proxy IP traffic through the just 
recently established VPN?

What I've tried so far:
* Check/uncheck "ignore pushed routes"
* Check/uncheck "use default route"
* Add own route for subnets out of local network IP range
* Add custom configuration line entry for local proxy server

each to no avail.

Any advice how to get this running with a local network proxy internet 
connection is much appreciated!

Thanks and best regards - Mike

Original issue reported on code.google.com by stief...@wtnet.de on 14 Aug 2012 at 3:19

GoogleCodeExporter commented 9 years ago
So even if you have no routes configured on the openvpn client (check with show 
connection information) the connection gets dropped?

The https proxy *might* detect that this is no http connection and drop/reset the 
connection. A tcpdump showing the traffic of the android client might be 
helpful.

There are other users who reported the http proxy support working. 

Original comment by arne@rfc2549.org on 14 Aug 2012 at 8:36

GoogleCodeExporter commented 9 years ago
Thanks again for your quick reply.
It seems I got my issue sorted.
Actually it was an option ticked on OpenVPN server side which caused the issue.
I used a router with "TomatoUSB" firmware on it, providing built-in OpenVPN 
support.
There's an option in its advanced OpenVPN server settings called "Direct 
clients to redirect Internet traffic".
Apparently this causes "redirect-gateway" to be pushed to the clients, causing 
the http proxy to be considered as a transparent proxy with the OpenVPN server 
to be the default gateway.
This of course breaks the connection.

I unchecked that option and the connection remained stable.

Just as a sidenote for other users who intend to do the same thing I did:
If you still want all your internet traffic to go through the OpenVPN route, 
take care not to use 'push "route 0.0.0.0 0.0.0.0"' in your server config. 
While this works with Windows Desktop PC clients, it will still break the 
connection for ICS OpenVPN.
Instead configure the route on client side.
In ICS OpenVPN this is straightforward, just tick the "Use Default Route" 
checkbox on your IPV4 and/or IPV6 Routing setting tab.
On Windows Desktop PCs you'll have to add the following line to your client's 
.ovpn config file:

route 0.0.0.0 0.0.0.0 vpn_gateway

That way it works fine for me and I can connect both a Windows PC and my ICS 
tablet in parallel to the same OpenVPN server.

Thanks again for all your work/efforts/support!

Best regards - Mike

Original comment by stief...@wtnet.de on 15 Aug 2012 at 8:11
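Added example (not part of the original thread or of ICS OpenVPN's code): a small Python check that takes client config lines plus server-pushed options and reports which gateway the most specific matching route would send the `http-proxy` address to. It models plain longest-prefix matching only, not what the Android VPNService API does; the function names and the sample proxy address 192.168.1.10 are constructed, and proxy and route targets are assumed to be IP literals.

```python
import ipaddress

def tunnel_routes(directives):
    """Return (network, via) pairs from route / redirect-gateway lines."""
    routes = []
    for line in directives:
        parts = line.replace('"', " ").split()
        if parts and parts[0] == "push":       # unwrap server-side push "..."
            parts = parts[1:]
        if not parts:
            continue
        if parts[0] == "redirect-gateway":
            # def1 covers the default route with two /1 routes instead of /0
            nets = ["0.0.0.0/1", "128.0.0.0/1"] if "def1" in parts[1:] else ["0.0.0.0/0"]
            routes += [(ipaddress.ip_network(n), "vpn_gateway") for n in nets]
        elif parts[0] == "route" and len(parts) >= 2:
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            via = parts[3] if len(parts) > 3 else "vpn_gateway"
            net = ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False)
            routes.append((net, via))
    return routes

def proxy_path(directives):
    """Gateway chosen for the http-proxy address, or None if no route covers it."""
    proxy = None
    for line in directives:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "http-proxy":
            proxy = ipaddress.ip_address(parts[1])   # assumes an IP literal
    if proxy is None:
        return None
    covering = [(net, via) for net, via in tunnel_routes(directives) if proxy in net]
    if not covering:
        return None
    # Most specific (longest prefix) route wins
    return max(covering, key=lambda r: r[0].prefixlen)[1]

# Constructed sample: proxy on the local network, default route pushed by the server
PUSHED_DEFAULT = ["http-proxy 192.168.1.10 3128", 'push "route 0.0.0.0 0.0.0.0"']
# Constructed sample: same, plus a host route keeping the proxy on the local gateway
WITH_EXEMPTION = PUSHED_DEFAULT + ["route 192.168.1.10 255.255.255.255 net_gateway"]

if __name__ == "__main__":
    print(proxy_path(PUSHED_DEFAULT), proxy_path(WITH_EXEMPTION))
```

A result of `vpn_gateway` means the proxy connection carrying the tunnel would itself be routed into the tunnel under this model.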

GoogleCodeExporter commented 9 years ago
This is strange. It should work. The default route setting also does "route 
0.0.0.0 0.0.0.0" and getting redirect-gateway pushed from the server usually 
also works. It could be something in the http proxy support that causes things 
to break but I am at a loss here what happens.

Original comment by arne@rfc2549.org on 15 Aug 2012 at 8:16

GoogleCodeExporter commented 9 years ago
It's strange indeed but now that there's a way to circumvent that issue I feel 
we can close this case.
I get that the "route 0.0.0.0 0.0.0.0" command should be nothing different from 
pushing redirect-gateway, however I feel that OpenVPN has its issues when 
there are multiple routes available for the same address. I've read threads in 
the OpenVPN support area where people claim that OpenVPN sometimes doesn't 
route traffic according to the metric of the route, but according to its 
"position" in the list of possible routes instead, whatever "position" means in 
the end.

Anyway, that's nothing special dedicated to your ICS OpenVPN client since the 
very same thing happens on Windows PCs as well when choosing "redirect-gateway" 
in server config and the client has to use a http proxy to connect.

Thanks again and best regards - Mike

Original comment by stief...@wtnet.de on 15 Aug 2012 at 8:45

GoogleCodeExporter commented 9 years ago
Yes, I will close the issue. But for routes the ICS OpenVPN client is special :) 
It uses the VPNService API and things are done a bit differently there. For 
reference, the routes you see under show information are given to the Android OS 
and nothing more is done.

Original comment by arne@rfc2549.org on 15 Aug 2012 at 8:54