Struggling to get OpenVPN working

Started by FullyBorked, July 18, 2021, 05:18:35 PM

July 18, 2021, 05:18:35 PM Last Edit: July 18, 2021, 11:56:01 PM by FullyBorked
Followed this guide https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

Everything seemed to set up without error. But when I try to connect from my Android phone, it appears to connect for a few seconds. It shows connected in the app, shows data, etc. But then it will say the connection was interrupted, then show auth failed. The only error I see is "Network unreachable"; not sure what that references, since it clearly reached the network and pulled an IP config. It's really stumping me. I'll admit as well that my only OpenVPN background is OpenVPN Access Server. Here is the log file; hopefully I redacted anything sensitive.

Additional info: I am able to ping my internal OpenVPN gateway for the short time I'm connected. It's almost as though DNS doesn't work, just like with WireGuard. I feel like I'm running into a bug here. No DNS for WireGuard or OpenVPN? Does OpenVPN disconnect if DNS doesn't respond?


23:51:22.777 -- ----- OpenVPN Start -----

23:51:22.777 -- EVENT: CORE_THREAD_ACTIVE

23:51:22.778 -- OpenVPN core 3.git:released:662eae9a:Release android arm64 64-bit PT_PROXY

23:51:22.778 -- Frame=512/2048/512 mssfix-ctrl=1250

23:51:22.779 -- UNUSED OPTIONS
1 [persist-tun]
2 [persist-key]
6 [resolv-retry] [infinite]
9 [lport] [0]

23:51:22.779 -- EVENT: RESOLVE

23:51:22.782 -- Contacting <My External IP>:1194 via UDP

23:51:22.782 -- EVENT: WAIT

23:51:22.787 -- Connecting to [<My OPNsense hostname>]:1194 (<My External IP>) via UDPv4

23:51:22.898 -- EVENT: CONNECTING

23:51:22.901 -- Tunnel Options:V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client

23:51:22.901 -- Creds: Username/Password

23:51:22.901 -- Peer Info:
IV_VER=3.git:released:662eae9a:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891
IV_SSO=openurl


23:51:22.986 -- VERIFY OK: depth=0, <certinfo>/CN=SSLVPN Server Certificate

23:51:23.357 -- SSL Handshake: CN=SSLVPN Server Certificate, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA

23:51:23.357 -- Session is ACTIVE

23:51:23.358 -- EVENT: GET_CONFIG

23:51:23.360 -- Sending PUSH_REQUEST to server...

23:51:23.422 -- OPTIONS:
0 [dhcp-option] [DNS] [10.1.1.1]
1 [route] [10.1.1.1]
2 [topology] [net30]
3 [ping] [10]
4 [ping-restart] [60]
5 [ifconfig] [10.1.1.6] [10.1.1.5]
6 [peer-id] [1]
7 [cipher] [AES-256-GCM]


23:51:23.423 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  compress: NONE
  peer ID: 1

23:51:23.423 -- EVENT: ASSIGN_IP

23:51:23.436 -- Connected via tun

23:51:23.438 -- EVENT: CONNECTED info='<user>@<My OPNsense hostname>:1194 (<My External IP>) via /UDPv4 on tun/10.1.1.6/ gw=[10.1.1.5/]'

23:52:07.562 -- UDP send exception: send: Network is unreachable

23:52:07.624 -- EVENT: PAUSE

23:52:09.680 -- EVENT: RESUME

23:52:09.682 -- EVENT: RECONNECTING

23:52:09.702 -- EVENT: RESOLVE

23:52:09.758 -- Contacting <My External IP>:1194 via UDP

23:52:09.758 -- EVENT: WAIT

23:52:09.759 -- Connecting to [<My OPNsense hostname>]:1194 (<My External IP>) via UDPv4

23:52:09.830 -- EVENT: CONNECTING

23:52:09.833 -- Tunnel Options:V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client

23:52:09.834 -- Creds: Username/Password

23:52:09.834 -- Peer Info:
IV_VER=3.git:released:662eae9a:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891
IV_SSO=openurl


23:52:09.914 -- VERIFY OK: depth=0, <certinfo>/CN=SSLVPN Server Certificate

23:52:10.156 -- SSL Handshake: CN=SSLVPN Server Certificate, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA

23:52:10.157 -- Session is ACTIVE

23:52:10.157 -- EVENT: GET_CONFIG

23:52:10.168 -- Sending PUSH_REQUEST to server...

23:52:10.222 -- AUTH_FAILED

23:52:10.223 -- EVENT: AUTH_FAILED

23:52:10.253 -- EVENT: DISCONNECTED

23:52:10.254 -- Tunnel bytes per CPU second: 0

23:52:10.254 -- ----- OpenVPN Stop -----

10:56:25.525 -- ----- OpenVPN Start -----

10:56:25.525 -- EVENT: CORE_THREAD_ACTIVE

10:56:25.526 -- OpenVPN core 3.git:released:662eae9a:Release android arm64 64-bit PT_PROXY

10:56:25.526 -- Frame=512/2048/512 mssfix-ctrl=1250

10:56:25.527 -- UNUSED OPTIONS
1 [persist-tun]
2 [persist-key]
6 [resolv-retry] [infinite]
9 [lport] [0]

10:56:25.528 -- EVENT: RESOLVE

10:56:25.635 -- Contacting <My External IP>:1194 via UDP

10:56:25.636 -- EVENT: WAIT

10:56:25.639 -- Connecting to [<My OPNsense hostname>]:1194 (<My External IP>) via UDPv4

10:56:25.748 -- EVENT: CONNECTING

10:56:25.751 -- Tunnel Options:V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client

10:56:25.752 -- Creds: Username/Password

10:56:25.752 -- Peer Info:
IV_VER=3.git:released:662eae9a:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891
IV_SSO=openurl


10:56:25.858 -- VERIFY OK: depth=0, <certinfo>/CN=SSLVPN Server Certificate

10:56:26.213 -- SSL Handshake: CN=SSLVPN Server Certificate, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA

10:56:26.216 -- Session is ACTIVE

10:56:26.216 -- EVENT: GET_CONFIG

10:56:26.219 -- Sending PUSH_REQUEST to server...

10:56:26.303 -- OPTIONS:
0 [dhcp-option] [DNS] [10.1.1.1]
1 [route] [10.1.1.1]
2 [topology] [net30]
3 [ping] [10]
4 [ping-restart] [60]
5 [ifconfig] [10.1.1.6] [10.1.1.5]
6 [peer-id] [0]
7 [cipher] [AES-256-GCM]


10:56:26.304 -- PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  compress: NONE
  peer ID: 0

10:56:26.304 -- EVENT: ASSIGN_IP

10:56:26.316 -- Connected via tun

10:56:26.316 -- EVENT: CONNECTED info='<user>@<My OPNsense hostname>:1194 (<My External IP>) via /UDPv4 on tun/10.1.1.6/ gw=[10.1.1.5/]'

10:57:32.176 -- UDP send exception: send: Network is unreachable

10:57:32.221 -- EVENT: PAUSE trans=TO_DISCONNECTED

10:57:34.145 -- EVENT: RESUME

10:57:34.148 -- EVENT: RECONNECTING

10:57:34.152 -- EVENT: RESOLVE

10:57:34.234 -- Contacting <My External IP>:1194 via UDP

10:57:34.235 -- EVENT: WAIT

10:57:34.236 -- Connecting to [<My OPNsense hostname>]:1194 (<My External IP>) via UDPv4

10:57:34.342 -- EVENT: CONNECTING

10:57:34.369 -- Tunnel Options:V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client

10:57:34.369 -- Creds: Username/Password

10:57:34.369 -- Peer Info:
IV_VER=3.git:released:662eae9a:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891
IV_SSO=openurl


10:57:34.447 -- VERIFY OK: depth=0, <certinfo>/CN=SSLVPN Server Certificate

10:57:34.810 -- SSL Handshake: CN=SSLVPN Server Certificate, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA

10:57:34.811 -- Session is ACTIVE

10:57:34.811 -- EVENT: GET_CONFIG

10:57:34.813 -- Sending PUSH_REQUEST to server...

10:57:34.893 -- AUTH_FAILED

10:57:34.893 -- EVENT: AUTH_FAILED

10:57:34.906 -- EVENT: DISCONNECTED

10:57:34.906 -- Tunnel bytes per CPU second: 0

10:57:34.907 -- ----- OpenVPN Stop -----

I seem to have this working: I set Unbound to individual interfaces instead of 'All', then rebooted, and it seems stable now. I guess, to answer my own question, if OpenVPN can't hit DNS it just blows up and attempts to reconnect, which breaks because of TOTP and gives the authentication error. Feels very janky, but it'll do for now. I could never get WireGuard DNS working, but I didn't try this same approach; I may revisit that, since it can be equally secure without the need for the TOTP login pain.

I ultimately think this is an Unbound bug. I've seen others with this exact issue, and that's what led me to my solution. I'd open a bug report, but it looks like it's been done a few times and closed out without a fix. Oh well.
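The failure sequence in the log above (connected, "send: Network is unreachable", reconnect, AUTH_FAILED) is easy to miss when scrolling through it, so here is an added example, not from the thread or from OPNsense, that pulls the pushed options out of an OpenVPN Connect client log and flags that pattern along with whether the pushed DNS server is actually routed through the tunnel. The log embedded in it is a constructed, trimmed copy of the one quoted above, with the hostname replaced by the assumed placeholder vpn.example.

```python
import re

# Constructed sample, trimmed from the OpenVPN Connect log quoted in the post above.
SAMPLE_LOG = """\
0 [dhcp-option] [DNS] [10.1.1.1]
1 [route] [10.1.1.1]
5 [ifconfig] [10.1.1.6] [10.1.1.5]
23:51:23.438 -- EVENT: CONNECTED info='user@vpn.example:1194 via /UDPv4 on tun/10.1.1.6/ gw=[10.1.1.5/]'
23:52:07.562 -- UDP send exception: send: Network is unreachable
23:52:09.682 -- EVENT: RECONNECTING
23:52:10.223 -- EVENT: AUTH_FAILED
"""

PUSH_RE = re.compile(r"^\d+ \[(dhcp-option|route|ifconfig)\]((?: \[[^\]]*\])+)$")
EVENT_RE = re.compile(r"-- EVENT: ([A-Z_]+)")

def parse_log(log):
    """Return the server-pushed options and the ordered list of client events."""
    pushed = {"dns": [], "routes": [], "ifconfig": None}
    events = []
    for line in log.splitlines():
        m = PUSH_RE.match(line)
        if m:
            args = re.findall(r"\[([^\]]*)\]", m.group(2))
            if m.group(1) == "dhcp-option" and args[0] == "DNS":
                pushed["dns"].append(args[1])
            elif m.group(1) == "route":
                pushed["routes"].append(args[0])
            elif m.group(1) == "ifconfig":
                pushed["ifconfig"] = (args[0], args[1])
        if "send: Network is unreachable" in line:
            events.append("SEND_UNREACHABLE")  # synthetic marker for the mid-session drop
        m = EVENT_RE.search(line)
        if m:
            events.append(m.group(1))
    return pushed, events

def diagnose(pushed, events):
    """Turn the event sequence into (code, detail) findings an operator can act on."""
    findings = []
    if "SEND_UNREACHABLE" in events and "RECONNECTING" in events:
        findings.append(("drop-reconnect", "tunnel dropped mid-session and the client auto-reconnected"))
        if "AUTH_FAILED" in events[events.index("RECONNECTING"):]:
            findings.append(("reauth-failed", "reconnect rejected: one-time credentials such as TOTP cannot be replayed"))
    tunnel_gw = pushed["ifconfig"][1] if pushed["ifconfig"] else None
    for dns in pushed["dns"]:  # a pushed DNS with no tunnel route would be queried via the default route
        on_tunnel = dns in pushed["routes"] or dns == tunnel_gw
        findings.append(("dns-via-tunnel" if on_tunnel else "dns-off-tunnel", dns))
    return findings
```

A "dns-via-tunnel" finding only says the client sends queries into the tunnel; whether the resolver answers on that interface (the Unbound listen-interface setting this thread ended on) still has to be checked on the firewall.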