Openvpn with tap cannot ping anything, Securefishnet or openvpn from the terminal works

REPRODUCIBILITY: Always
OS VERSION: 4.4.0.64
HARDWARE: Xperia XA2
UI LANGUAGE: German
REGRESSION: Don’t know

DESCRIPTION:

After using the standard GUI to connect to my openvpn server I cannot see any other addresses.

PRECONDITIONS:

.ovpn file is created on the server (which is a docker image) and downloaded to the Xperia XA2

client
nobind
dev tap
remote-cert-tls server

remote server.tld 1194 udp

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

redirect-gateway def1

Config on the server:

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/domain.tld.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/domain.tld.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
port 1194
dev tap0
mode p2p
status /tmp/openvpn-status.log
user nobody
group nogroup
comp-lzo no
route 192.168.0.0 255.255.255.0
push "block-outside-dns"
push "dhcp-option DNS 172.21.0.2"
push "comp-lzo no"
push "redirect-gateway def1"
client-config-dir /etc/openvpn/ccd
client-to-client
ifconfig-pool-persist /etc/openvpn/ipp.txt
mssfix 1430
cipher AES-256-GCM

STEPS TO REPRODUCE:

  1. create .ovpn client as shown above
  2. connect via Sailfish VPN GUI

EXPECTED RESULT:

Connection established

ACTUAL RESULT:

Network device vpn0 is created and assigned correct address, but nothing can be pinged or accessed.

MODIFICATIONS:

None, fresh install

ADDITIONAL INFORMATION:

openvpn from command line (as devel-su) and Securefishnet both work with the .ovpn file. Looks like connman issue to me.

By nothing can be pinged you mean outside addresses, e.g. google?
Can you ping internal addresses, e.g. the router in the vpn?

By “nothing” I mean “anything but localhost”. Routes seem to be set correctly, but I can ping neither the DNS server (which is a pihole in the VPN network) nor the gateway.

Maybe a stupid question, but ICMP is allowed through the firewall?

I’d suggest broken routing. I remember having similar issues and I think I was able to solve them by adjusting routing settings.

Maybe you can find some additional info here:

No it isn’t, usually:

Some ICMP messages are required for proper networking. By default Linux e.g. has Path-MTU-Discovery enabled and that requires ICMP “Destination Unreachable Fragmentation Needed” messages to come through. That’s why only Echo Requests are blocked.
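As an added example (not from this thread, and not Sailfish or connman configuration), here is an nftables input chain that does what the last reply describes: it drops ICMP echo-request while still admitting the ICMP error types Path MTU Discovery relies on. The table and chain names are assumed; the match keywords are standard nft syntax.

```nft
# Constructed example: block ping without breaking Path MTU Discovery.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif "lo" accept

        # PMTUD: the sender must receive "fragmentation needed" (IPv4,
        # a destination-unreachable code) and "packet too big" (IPv6).
        icmp type destination-unreachable accept
        icmpv6 type packet-too-big accept

        # Other control messages the stack needs (traceroute, header
        # errors, IPv6 neighbour/router discovery).
        icmp type { time-exceeded, parameter-problem } accept
        icmpv6 type { destination-unreachable, time-exceeded,
                      parameter-problem, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Only Echo Requests are dropped; the policy drop above would do
        # this anyway, the explicit rule just makes the intent visible.
        icmp type echo-request drop
        icmpv6 type echo-request drop
    }
}
```

On a VPN gateway the same accepts belong in the forward chain as well, since the ICMP errors for tunnelled flows pass through rather than terminate on the box; `ct state related` already covers errors for tracked connections, the explicit rules cover the rest.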