So, some background - I have a remote access VPN setup using OpenVPN on my router. It works perfectly apart from accessing one of my Ubuntu Server VMs which is permanently behind a private internet access VPN. (Using openvpn with one of PIA’s provided ovpn files.)
It seems to be an issue with OpenVPN's limitations on Android, because I can connect fine from Windows endpoints.
The only difference between the 2 ovpn configuration files is that the Windows version uses TAP, and the Android one is forced into using TUN.
I got around this previously on a desktop OS by using the split tunneling feature in PIA’s official app, but I’m having a lot of issues figuring out how to set it up in the configuration file so that ONLY the local subnet is excluded from the VPN connection. I want all other traffic to go through the VPN.
Updating for anyone who comes across this thread down the line.
I started completely over and followed this guide
and was able to get things mostly up and working, though it required a few tweaks since I’m using 22.04 and not 16.04.
For one thing, 18.10 and up use systemd-resolve instead of resolv.conf, so verifying that DNS was not leaking was more difficult.
For another, you can no longer use sudo -u vpn -i -- curl ipinfo.io with an account that’s disabled from logging in. I’d recommend creating the account as a normal user, then editing /etc/passwd at the END rather than the beginning to save yourself this headache.
Next, remove or comment out this line from your config file for OpenVPN:
down /etc/openvpn/update-resolv-conf
Then add the following lines under script-security 2:
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
and at the end of the file add
dhcp-option DOMAIN-ROUTE
This setup is working for me as far as I can tell; none of the testing I've done shows any IP leakage.
Hopefully, this helps the next person who comes along with a weird use case like mine.
Feel free to correct any mistakes in this because I’m sure there are many.
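An added check script, not part of the thread, for verifying the two properties discussed above: that only the local subnet bypasses the tunnel, and that DNS is pinned to the tunnel link under systemd-resolved. The interface names (ens3, tun0), the subnet, the addresses and the sample ip route / resolvectl status output are constructed assumptions.

```shell
#!/bin/bash
# Added example, not from the original thread. Interface names, subnet,
# addresses and the sample command outputs are constructed assumptions.
# check_routes "<ip route output>" LAN_SUBNET LAN_IF TUN_IF
# Passes when LAN_SUBNET is the only prefix reached via LAN_IF (a bare host
# route to the VPN server is allowed) and everything else leaves via TUN_IF,
# as a replaced default route or as the 0.0.0.0/1 + 128.0.0.0/1 def1 pair.
check_routes() {
  local rt="$1" lan="$2" lan_if="$3" tun_if="$4"
  printf '%s\n' "$rt" | grep -Eq "^$lan .*dev $lan_if( |$)" || return 1
  if ! printf '%s\n' "$rt" | grep -Eq "^default .*dev $tun_if( |$)"; then
    printf '%s\n' "$rt" | grep -Eq "^0\.0\.0\.0/1 .*dev $tun_if( |$)" || return 1
    printf '%s\n' "$rt" | grep -Eq "^128\.0\.0\.0/1 .*dev $tun_if( |$)" || return 1
  fi
  # any other prefixed route via the LAN side would bypass the VPN
  printf '%s\n' "$rt" | grep -E "dev $lan_if( |$)" | grep -Ev "^($lan|default) " \
    | grep -Eq '^[0-9.]+/[0-9]+ ' && return 1
  return 0
}
# check_dns "<resolvectl status output>" TUN_IF
# Passes when TUN_IF has DNS servers plus the "~." routing domain (what
# update-systemd-resolved sets from dhcp-option DOMAIN-ROUTE) and no other
# link also claims "~.", which would spread queries across both links.
check_dns() {
  printf '%s\n' "$1" | awk -v tun="$2" '
    /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); next }
    /DNS Servers:/ { if (link == tun) srv = 1 }
    /DNS Domain:/ && /~\./ { if (link == tun) tun_dom = 1; else other_dom = 1 }
    END { exit !(srv && tun_dom && !other_dom) }'
}
# constructed sample outputs: a correct split-tunnel setup and leaky variants
ROUTES_OK='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev ens3 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev ens3 proto kernel scope link src 192.168.1.50
203.0.113.5 via 192.168.1.1 dev ens3'
ROUTES_LEAK="$ROUTES_OK
10.0.0.0/8 via 192.168.1.1 dev ens3"
RESOLVE_OK='Link 2 (ens3)
       DNS Servers: 192.168.1.1

Link 5 (tun0)
       DNS Servers: 10.8.0.1
        DNS Domain: ~.'
RESOLVE_LEAK='Link 2 (ens3)
       DNS Servers: 192.168.1.1
        DNS Domain: ~.

Link 5 (tun0)
       DNS Servers: 10.8.0.1'
```

For a live check, call check_routes "$(ip route show)" with your own subnet and interface names, and check_dns "$(resolvectl status)" with the tunnel interface name.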