Not able to access server remotely through OpenVPN on Android

Hi everyone,

So, some background - I have a remote access VPN set up using OpenVPN on my router. It works perfectly apart from accessing one of my Ubuntu Server VMs, which is permanently behind a Private Internet Access VPN (using OpenVPN with one of PIA’s provided ovpn files).

It seems to be an issue with OpenVPN’s limitations on Android, because I can connect fine from Windows endpoints.

The only difference between the 2 ovpn configuration files is that the Windows version uses TAP, and the Android one is forced into using TUN.

I got around this previously on a desktop OS by using the split tunneling feature in PIA’s official app, but I’m having a lot of issues figuring out how to set it up in the configuration file so that ONLY the local subnet is excluded from the VPN connection. I want all other traffic to go through the VPN.

I tried setting

route <localIP> 255.255.255.0 net_gateway
redirect-gateway def1

but that just seems to break networking entirely. I’m sure I’m using these options wrong…

I guess I could use the official app again, but I’m trying to keep things completely headless.

Any suggestions? Thanks!

Updating for anyone who comes across this thread down the line.

I started completely over and followed this guide

and was able to get things mostly up and working, though it required a few tweaks since I’m using 22.04 and not 16.04.

For one thing, 18.10 and up use systemd-resolve instead of resolv.conf, so verifying that DNS was not leaking was more difficult.

For another, you can no longer use sudo -u vpn -i -- curl ipinfo.io with an account that’s disabled from logging in. I’d recommend creating the account as a normal user, then editing /etc/passwd at the END rather than the beginning to save yourself this headache.

Next, remove or comment out this line from your config file for OpenVPN:

down /etc/openvpn/update-resolv-conf

Then add the following lines under script-security 2

up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre

and at the end of the file add

dhcp-option DOMAIN-ROUTE

This setup is working for me as far as I can tell; none of the testing I’ve done shows any IP leakage.

Hopefully, this helps the next person who comes along with a weird use case like mine.

Feel free to correct any mistakes in this because I’m sure there are many.
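
The update above notes that verifying DNS is not leaking got harder once systemd-resolved is involved. As an added example (not from the thread or the guide it followed), this shell function reads `resolvectl status` text and reports whether the VPN link holds the catch-all `~.` routing domain. The interface names `tun0` and `ens33`, the sample addresses, and the assumption that DOMAIN-ROUTE was given the domain `.` (shown by systemd-resolved as `~.`) are all assumptions.

```shell
#!/bin/sh
# Added example: check `resolvectl status` text for the catch-all "~." routing
# domain on the VPN link. Live use:  resolvectl status | dns_route_check tun0
dns_route_check() {
    awk -v vpn="$1" '
        /^Global/         { link = "global"; field = ""; next }
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); field = ""; next }
        /^ *$/            { field = ""; next }
        {
            value = $0
            if ($0 ~ /^ *[A-Za-z][A-Za-z. ]*: /) {      # "Label: value" line
                field = $0; sub(/: .*/, "", field); sub(/^ +/, "", field)
                sub(/^[^:]*: */, "", value)
            } else {                                     # wrapped continuation
                sub(/^ +/, "", value)
            }
            if (field == "Protocols" && value ~ /\+DefaultRoute/) defroute[link] = 1
            if (field == "DNS Servers") servers[link] = servers[link] " " value
            if (field == "DNS Domain") {
                n = split(value, d, " ")
                for (i = 1; i <= n; i++) if (d[i] == "~.") catchall[link] = 1
            }
        }
        END {
            if (catchall[vpn]) { print "ok"; exit 0 }
            # No catch-all on the VPN link: names that match no routing domain
            # go to every link that still has +DefaultRoute and DNS servers.
            for (l in servers)
                if (l != vpn && defroute[l]) print "leak " l ":" servers[l]
            exit 1
        }'
}

# Constructed sample in the per-link layout of resolvectl (addresses made up).
sample_status() {
    cat <<'EOF'
Link 2 (ens33)
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1

Link 3 (tun0)
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.0.0.243
        DNS Domain: ~.
EOF
}

sample_status | dns_route_check tun0   # demo run on the constructed sample
```

The function exits non-zero when the VPN link lacks `~.`, so it can gate a health check; it only inspects per-link settings, not global DNS servers set in resolved.conf.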