A while after I got a new smartphone, I noticed that when my MacBook was connected over Wi-Fi to the mobile hotspot of my Android phone, the Tunnelblick connections over OpenVPN to my family members would not work. A telnet from the Android phone to the OpenVPN TCP port 1194 woud succeed, but not from the MacBook. Connecting from the phone using JuiceSSH to the OpenSSH endpoints at those family members would work too, so I was a bit flabbergasted.
In the end this seems to be a set of coincidences that fails in this particular setup, but I am not totally aware why.
The solution was to both re-configure the APN (Access Point Name) the smartphone uses to connect to the internet from ipv4/ipv6 to ipv4, and to reboot the phone.
For Dutch provider KPN Mobile, the APN is named internet and apparently changed default to ipv4/ipv6 without properly supporting ipv4. Note the configuration parameters are all lowercase, although they should be written IPv4 and IPv6.
Here are a few posts that got me on the right track (all via [Wayback/Archive] openvpn fails over android hotspot – Google Search):
- [Wayback/Archive] wireless networking – VPN Issues While Using Phone’s Hotspot – Super User (thanks [Wayback/Archive] Nicolas Roux)
Solved me, I had to change APN setting from IPv6 to IPv4.
- [Wayback/Archive] OpenVPN problemen | KPN Community
Probleem gevonden…. APN van KPN staat op ipv4/ipv6Ik krijg dus alleen een ipv6 ip nummer, dat verbindt geen ipv4 vpn server.APN van KPN veranderd in ipv4 en hij doet het weer - [Wayback/Archive] OpenVPN via mobiel internet van KPN ( 4G / 5G ) – Dit is wat Stijn ziet
Dit is eenvoud op te lossen door je Android in te stellen op IPv4 only. Standaard staat dit op IPv4/IPv6 en kiest je telefoon automatisch IPv6.
Note that sometimes the MTU can cause similar failures:
- [Wayback/Archive] [Solved] OpenVPN works over mobile tethering, but not on home router – MTU Problem – OpenVPN Support Forum
For posterity, would like to post that the error was on account of incorrect MTU size setting on the TCP packet in the router. The size was set to 1452 bytes instead of 1492 bytes. Because of that the SSL/TLS packet was fragmented and the server ACK was not received. On changing the MTU size, everything works perfectly!
Note too: some links to check for OpenVPN responding are below.
- [Wayback/Archive] GitHub – liquidat/nagios-icinga-openvpn: Nagios/Icinga check for OpenVPN availability monitoring
- [Wayback/Archive] security – How to check that an OpenVPN server is listening on a remote port without using OpenVPN client? – Server Fault (thanks [Wayback/Archive] Loic Dachary)
- [Wayback/Archive] OpenVPN connection test | It’s full of stars!
Various sites with (often different) APNs that KPN mobile supports:
- [Wayback/Archive] Can’t connect to VPN throught 4G mobile internet | KPN Community
- [Wayback/Archive] Uitleg over het gebruik van APN’s
- [Wayback/Archive] KPN Mobile Netherlands APN Configuration Settings – APN Settings Search Engine
- [Wayback/Archive] VPN via 4G/ipv4 | KPN Community (mentioning the
advancedinternetAPN without mentioning the firewall you need) - [Wayback/Archive] Werkt je mobiele data niet? Check je APN instellingen. Dit moet je doen.
There are quite a few APNs, some with firewall and/or proxy and/or compression, some with external IP address (which means your smartphone really needs a firewall).
–jeroen
The Wiert Corner - irregular stream of stuff 