Android OpenVPN connection issues #40

Closed
Fliu777 opened this issue Jun 21, 2019 · 6 comments

Fliu777 commented Jun 21, 2019

Having trouble getting this to work with Android after getting it to work with my desktop - Any help would be appreciated! Logs below

Device Logs

2019-06-21 19:37:54 official build 0.7.8 running on [REDACTED]
2019-06-21 19:37:54 Building configuration…
2019-06-21 19:37:54 OpenVPN core 3.2 (qa:d87f5bbc04)(icsopenvpn/v0.7.8-0-ga8d2d82c) android arm64 64-bit built on Feb 22 2019 13:59:24
2019-06-21 19:37:54 Copyright (C) 2012-2017 OpenVPN Inc. All rights reserved.
2019-06-21 19:37:54 Frame=512/2048/512 mssfix-ctrl=1250
2019-06-21 19:37:54 UNUSED OPTIONS
1 [verb] [4]
2 [connect-retry] [2] [300]
3 [resolv-retry] [60]
6 [connect-timeout] [60]
15 [nobind]
16 [verify-x509-name] [REDACTED][name]
20 [persist-tun]
21 [preresolve]
22 [resolv-retry] [infinite]
2019-06-21 19:37:54 Network Status: CONNECTED to WIFI [REDACTED]
2019-06-21 19:37:54 Debug state info: CONNECTED to WIFI [REDACTED] pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-06-21 19:37:54 Contacting [REDACTED] via UDP
2019-06-21 19:37:54 Debug state info: CONNECTED to WIFI [REDACTED] pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-06-21 19:37:54 Connecting to [REDACTED] ([REDACTED]) via UDPv4
2019-06-21 19:37:54 Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth SHA256,keysize 128,key-method 2,tls-client
2019-06-21 19:37:54 Creds: UsernameEmpty/PasswordEmpty
2019-06-21 19:37:54 Peer Info:
IV_GUI_VER=de.blinkt.openvpn 0.7.8
IV_VER=3.2 (qa:d87f5bbc04)
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
2019-06-21 19:37:54 VERIFY OK: depth=1, /CN=ChangeMe
2019-06-21 19:37:54 VERIFY OK: depth=0, /CN=server_[REDACTED]
2019-06-21 19:37:55 SSL Handshake: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
2019-06-21 19:37:55 Session is ACTIVE
2019-06-21 19:37:55 Sending PUSH_REQUEST to server...
2019-06-21 19:37:55 OPTIONS:
0 [route] [10.0.0.8] [255.0.0.0] [net_gateway]
1 [route] [172.16.0.0] [255.240.0.0] [net_gateway]
2 [route] [192.168.0.0] [255.255.0.0] [net_gateway]
3 [dhcp-option] [DNS] [10.8.0.1]
4 [dhcp-option] [DNS] [10.8.0.1]
5 [block-outside-dns]
6 [compress] [lz4-v2]
7 [route-gateway] [10.8.0.1]
8 [topology] [subnet]
9 [ping] [10]
10 [ping-restart] [60]
11 [ifconfig] [10.8.0.3] [255.255.255.0]
12 [peer-id] [0]
13 [cipher] [AES-256-GCM]
2019-06-21 19:37:55 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA256
compress: LZ4v2
peer ID: 0
2019-06-21 19:37:55 exception parsing IPv4 route: [route] [10.0.0.8] [255.0.0.0] [net_gateway] : tun_prop_error: route is not canonical
2019-06-21 19:37:55 exception parsing IPv4 route: [route] [192.168.0.14/24] [] [vpn_gateway] : tun_prop_error: route is not canonical
2019-06-21 19:37:55 We should call this session [REDACTED]
2019-06-21 19:37:55 Opening tun interface:
2019-06-21 19:37:55 Local IPv4: 10.8.0.3/24 IPv6: (not set) MTU: 1500
2019-06-21 19:37:55 DNS Server: 10.8.0.1, 10.8.0.1, Domain: null
2019-06-21 19:37:55 Routes:
2019-06-21 19:37:55 Routes excluded: 172.16.0.0/12, 192.168.0.0/16
2019-06-21 19:37:55 VpnService routes installed:
2019-06-21 19:37:55 Disallowed VPN apps: com.google.android.gm, com.android.mms, com.android.providers.telephony, com.android.phone, com.google.android.apps.docs, com.google.android.gms, com.android.vending
2019-06-21 19:37:55 TunPersist: saving tun context:
Session Name: [REDACTED]
Layer: OSI_LAYER_3
Remote Address: [REDACTED]
Tunnel Addresses:
10.8.0.3/24 -> 10.8.0.1
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
Exclude Routes:
172.16.0.0/12
192.168.0.0/16
DNS Servers:
10.8.0.1
10.8.0.1
Search Domains:
2019-06-21 19:37:55 Connected via tun
2019-06-21 19:37:55 LZ4v2 init asym=1
2019-06-21 19:37:55 Debug state info: CONNECTED to WIFI "[REDACTED]", pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED

Open VPN profile for Android (tested it with Desktop briefly and it worked)

client
dev tun
proto tcp
remote [REDACTED] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_[REDACTED] name
cipher AES-128-GCM
auth SHA256
auth-nocache
verb 3

-----BEGIN CERTIFICATE----- ...

@rajannpatel
Owner

Does the .ovpn file on your Android phone have this line in it:

cipher AES-128-GCM

@Fliu777
Author

Fliu777 commented Jun 22, 2019

Yes, the ovpn file is attached in the previous message below.
Do you think it was anything to do with the

2019-06-21 19:37:55 exception parsing IPv4 route: [route] [10.0.0.8] [255.0.0.0] [net_gateway] : tun_prop_error: route is not canonical

I saw a previous issue where someone hit that too:
#5
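
Added example, not part of the original thread or the project's code: OpenVPN 3 core reports `route is not canonical` when a route's address has host bits set under its netmask, which holds for both routes in the logged exceptions. The Python check below parses `[route]` lines in the format this log uses and gives the canonical form of each; `check_routes` and `SAMPLE_LOG` are names introduced here.

```python
import ipaddress
import re

# Route lines copied from the log in this issue (timestamps trimmed): the
# server-pushed OPTIONS entries and the two logged exceptions.
SAMPLE_LOG = """\
0 [route] [10.0.0.8] [255.0.0.0] [net_gateway]
1 [route] [172.16.0.0] [255.240.0.0] [net_gateway]
2 [route] [192.168.0.0] [255.255.0.0] [net_gateway]
exception parsing IPv4 route: [route] [192.168.0.14/24] [] [vpn_gateway] : tun_prop_error: route is not canonical
exception parsing IPv4 route: [route] [10.0.0.8] [255.0.0.0] [net_gateway] : tun_prop_error: route is not canonical
"""

ROUTE_RE = re.compile(r"\[route\] \[([^\]]+)\] \[([^\]]*)\] \[([^\]]*)\]")


def check_routes(log_text):
    """Return one finding per distinct IPv4 route found in the log text."""
    findings, seen = [], set()
    for addr, mask, gateway in ROUTE_RE.findall(log_text):
        if (addr, mask, gateway) in seen:
            continue  # the same route shows up in OPTIONS and in the exception
        seen.add((addr, mask, gateway))
        # Accept "addr mask", "addr/prefix", or a bare host address.
        if "/" in addr:
            spec = addr
        else:
            spec = f"{addr}/{mask or '255.255.255.255'}"
        iface = ipaddress.IPv4Interface(spec)
        net = iface.network  # same address with the host bits cleared
        findings.append({
            "route": spec,
            "canonical": iface.ip == net.network_address,
            "network": str(net),
            "fixed": f"route {net.network_address} {net.netmask} {gateway}".strip(),
        })
    return findings


if __name__ == "__main__":
    for f in check_routes(SAMPLE_LOG):
        status = "ok" if f["canonical"] else f"NOT canonical, use: {f['fixed']}"
        print(f"{f['route']:<24} {f['network']:<18} {status}")
```

In the log above, the rejected 10.0.0.8 route is missing from the `Routes excluded` line, so that split-tunnel exclusion was not applied on the device.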

@rajannpatel
Owner

Can you share your server_tcp443.conf file with any sensitive bits redacted? You say the TCP OpenVPN connection worked from Desktop but fails on Android? Can you share details about what version of Android you're on?

@Fliu777
Author

Fliu777 commented Jun 22, 2019

Both the TCP and UDP profiles work on my Desktop, but when generating new ones on Android they do not work. I'm on Android 6.0.1. What I meant before was that I temporarily used the generated profiles for Android on my desktop, and found that they worked.

@rajannpatel
Owner

rajannpatel commented Jul 4, 2019

I put together a preliminary COMPATIBILITY.md document, and I have included information about the failure you have reported on that document.

I will try to get to the bottom of it, but hopefully tracking this information in 1 place and calling out folks for performing these tests may inspire others to participate in solving this problem.

@rajannpatel
Owner

https://github.com/rajannpatel/Pi-Hole-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-Wireguard-VPN-Configs

This guide walks you through running a script which will configure a Split Tunnel IPv6 Wireguard connection for your Android, iOS, Linux, macOS, & Windows devices. All you need to do is run a script, scan a QR code, and you're blocking ads with the current Pi-Hole version.

This should resolve your OpenVPN related connectivity issues, by removing OpenVPN from the arrangement.
