Android VPN Settings - Help on understanding them! Weird problems

[RaiderJ]

I have an ASUS router on which I've enabled the VPN server and it's worked flawlessly when connecting from a Windows box. However, when connecting from my Android tablet, it doesn't work how I expect.

The following are "advanced" options I can configure in the VPN account settings, but I don't quite know what they mean:

1) DNS search domains - Currently left blank

2) DNS servers (e.g. 8.8.8.8) - If I use 8.8.8.8 (Google's DNS) I can get internet when connected via VPN. If set to my router's address (192.168.1.2) then I can't get internet access. Which is strange, since setting all my internal devices behind the router to that DNS works fine.

3) Forwarding routes (e.g. 10.0.0.0/8) - Set as the example, but not sure what this does


My biggest question is that when I'm connected to my VPN from outside, I'm unable to SSH into my server. On a Windows box this works just fine and I have no problems. But on the Android tablet I get an error, "No route to host". Why would this be? Shouldn't my Android tablet be able to navigate to 192.168.1.xxx once connected to the VPN?

 

[CubanlB]

It's telling you whats wrong, the route table on the android doesn't have a route to 192.168.1.0/24 (I'm assuming the mask here).

The reason DNS doesn't work pointed to 192.168.1.2 is also that it doesn't know how to get there.

The forwarding route is needed to tell the tablet to send traffic destined for 192.168.1.0/24 through the VPN interface.

that route can be just for your network(192.160.1.0/24) or for all traffic 0.0.0.0/0 (if you want all traffic from the tablet to go through the VPN).

EDIT:

A search domain would let you do hostname name resolution for a given domain name, which you most likely have no need of.

If you are trying to connect to a server at home with the hostname of ServerA and you have a domain setup called myhouse.local populating the search domain with myhouse.local would let you connect just using the hostname of ServerA. Without this you would need to give the fully qualified domain name of ServerA.myhouse.local for the DNS name to resolve to an IP.

Anyway, if you don't have a domain setup, don't worry about this.

 

[RaiderJ]

Thank you! Setting my "forwarding routes" to 192.168.1.0/24 solved my issues connecting to my home server via SSH. However, setting the forwarding route to 0.0.0.0/0 didn't work, which from what you've described seems like it should have? I don't need to have all my traffic forward through the VPN, but from a safety perspective it would be a nice option to have.

If I understand the forwarding routes setup correctly, ALL traffic to any address in the 192.168.1.xxx range would go through the VPN if I use 192.168.1.0/24? How does the "24" relate to the masking? Does that mean the first three octets, or 3x8bits are matched and sent through the VPN?

EDIT: To clarify, a forwarding route of 0.0.0.0/0 doesn't allow me to access my home server at 192.168.1.20, but a forwarding route of 192.168.1.0/24 does. Seems like I should be able to directly connect to the IP? Or, should that work, but since the local wifi network I'm connected to having a DHCP range of 192.168.1.xxx mean there would be a conflict?

 

[CubanlB]

I'm not sure if configuring the default route/default gateway is supported by the native android vpn. My guess is that would depend on the version.

the /24 denotes the subnetmask in CIDR notation. Just means a subnet mask of 255.255.255.0, defining the first 3 octets as network address and the last octet as host address.

Not sure if adding a 0.0.0.0/0 route (this just means all addresses, send through tunnel) will work for your setup, as I do not use the standard android vpn client. I know it is supported with OpenVPN, but that's another can of worms.


http://android.stackexchange.com/qu...a-vpn-without-rooting-using-forwarding-routes

Looks like that route should work in android 4.x, but I know there were a lot of changes to the android vpn software in 4.0 so older vpn client may not behave the same. (assuming you have an older version of android)

 

[CubanlB]

EDIT: To clarify, a forwarding route of 0.0.0.0/0 doesn't allow me to access my home server at 192.168.1.20, but a forwarding route of 192.168.1.0/24 does. Seems like I should be able to directly connect to the IP? Or, should that work, but since the local wifi network I'm connected to having a DHCP range of 192.168.1.xxx mean there would be a conflict?

This depends on your configuration, but yes, usually having the same local network addressing as the remote addressing doesn't work. If this was the issue though I would think that the 192.168.1.0/24 forwarding route should fail as well. The device would think that the local gateway (router) is reachable through the VPN tunnel.

Again, I do not have a lot of experience with the default android VPN software. Also, we don't quite have enough information on your setup to be able to give you extremely exact information.

Basically it depends on how the VPN interacts with the devices route table.

 

[RaiderJ]

I'm using a Samsung Galaxy Note 10.1 2014 Edition tablet, running Android 4.3. Just using the default Android VPN client.

I'll have to test the VPN client out on a network that doesn't use the 192.168.1.xxx network range to see if that's the problem. Very strange, I can't see any reason why 0.0.0.0/0 would work differently from 192.168.1.0/24 when connecting to my personal network.

Thanks again for your explanations, read up on CIDR notation and it makes much more sense now. I also have found various posts about issues with Android's VPN implementation - that's probably the source of my problems... but I wish I knew better why.

 

[CubanlB]

If you feel like a running a different VPN service at home OpenVPN has good support on pc, android, and others. It would be a lot more work to get configured than the VPN on a SOHO router though.

One of the thing I like is the ability to push configuration to connecting devices. (I setup my open VPN server to push default routes and DNS info to the clients)

I would change my home network addressing to something a little less common than 192.168.1.0/24

 

[RaiderJ]

My router (ASUS RT-AC68U) supports OpenVPN as well as PPTP. I've not tested it, but it looks pretty painless to set up initially. I'd have to download an app on the Android side, but that's simple enough.

Will give that a shot and see how it goes!