[solved] Transparent Proxy and WLAN on Android: No Internet

Started by ruggerio, March 20, 2018, 10:33:07 PM

Hi,

I changed to OPNsense today. Everything works fine, except connections from Android devices. There I always get "no internet". But I can connect to the internet, it works. On Windows, it works without any error.

Why do I get this message that there is no internet connection? Anybody else having this issue? Btw, the connection passes through the transparent proxy. If I change to not use the proxy, it works fine.

Roger

I am a little bit @ the end...

The problem is:

- all Android devices warn "no Internet Connection" when connecting to an AP which is connected to LAN
- all other devices (Windows-Tabs) connect via WLAN with no warning
- Devices connected by cable connect without any problem

So, the problem seems to be Android-related (Android Oreo?)

- If the Android connects via Proxy...error
- If the Android connects directly...works

*grummel*

So, after googling, I found that all Android devices connect to a specific URL, depending on the version. So for Oreo, it's something like http://play.googleapis.com/generate_204

I tried to insert rules, that play.googleapis.com is not redirected to proxy, but it did not help.

Is somebody else having this issue? Am I alone with that?

Thx,
Roger

Next step: it's not forwarding in general, the problem is on forwarding SSL sites to Squid on port 3129. 3128 for normal HTTP works.

For the interested ones:

You need a bunch of entries in the no SSL bump list as exceptions:

google.[your country, seems important]
.google.com
.googleapis.com
.gstatic.com
.1e100.net

Your CA needs to be installed as "VPN and Apps".

This did it for me.

Roger

Well, what else should/ can we say, other than a big THANK YOU?!?! :)




Same with me.  I performed all the steps in the howto.  This part worked, because bumped sites gave no error notice when I browsed to them, but the others complained about the certificate.  I imported the certificate to my browser, and everything was working on my laptop.
I bumped the google sites mentioned above, and imported the certificate to android twice.  Once as WiFi and once as VPN and apps. But I cannot reach the google play store.  This is a newer version, BTW.


Never mind, it eventually started working on its own.  Maybe some old cached info.

Another update: and then stopped working again. Why so flaky?

@Pimb/Jdb:

What are your Squid logs saying? What Android version are you using? I am now on Pie and it's still working.

Check the Squid logs for bumps while connecting to the WLAN. This will give you some IPs back, which can be resolved. Eventually, Goo changed again some hosts...

The problem was with pihole blocking the domain: android.clients.google.com at the same time (coincidentally) that I set up the transparent proxy.  I wonder if this domain should be added to the bump list.  I found the list of play store urls from here:
https://community.arubanetworks.com/t5/Security/2017-Google-Play-Store-URL-whitelist/td-p/284663

Have you added it to your SSL bump list or just excluded it in pihole?

I do not have transparent proxy enabled right now.  I would indeed add that to the list if I did.
For the moment, I have whitelisted it in pihole, and mentioned the problem to the maintainer of the list.
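
An added example, not posted by anyone in this thread: a Python check of which HTTPS hosts in a Squid access log fall outside the no-SSL-bump list given above, using Squid's leading-dot domain matching. The log lines are constructed, `google.example` stands in for the `google.[your country]` entry, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# No-bump entries from the thread; "google.example" is a stand-in for
# the "google.[your country]" entry.
NO_BUMP = ["google.example", ".google.com", ".googleapis.com",
           ".gstatic.com", ".1e100.net"]

def is_exempt(host, entries=NO_BUMP):
    """Squid domain matching: '.x.y' covers x.y and all subdomains;
    'x.y' without the leading dot covers only that exact name."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def https_host(method, url):
    """Return the TLS host from an access.log method/URL pair, else None."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]      # "host:443" -> "host"
    parts = urlsplit(url)
    return parts.hostname if parts.scheme == "https" else None

def bumped_candidates(log_lines, entries=NO_BUMP):
    """HTTPS hosts (or bare IPs) seen in the log that the list does not cover."""
    missing = set()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue                      # not a native-format line
        host = https_host(fields[5], fields[6])
        if host and not is_exempt(host, entries):
            missing.add(host)
    return sorted(missing)

# Constructed sample lines in Squid's native access.log format.
SAMPLE_LOG = [
    "1521581587.101 120 192.168.1.50 TCP_TUNNEL/200 3921 CONNECT play.googleapis.com:443 - ORIGINAL_DST/203.0.113.10 -",
    "1521581587.340 88 192.168.1.50 TCP_MISS/200 512 GET https://android.clients.google.com/ - ORIGINAL_DST/203.0.113.11 text/html",
    "1521581588.002 45 192.168.1.50 TCP_MISS/200 0 CONNECT 203.0.113.20:443 - ORIGINAL_DST/203.0.113.20 -",
    "1521581588.410 60 192.168.1.50 TCP_MISS/200 2048 GET https://cdn.example.net/app.js - ORIGINAL_DST/203.0.113.30 text/javascript",
    "1521581589.000 12 192.168.1.50 TCP_MISS/204 0 GET http://play.googleapis.com/generate_204 - ORIGINAL_DST/203.0.113.10 -",
]

if __name__ == "__main__":
    print(bumped_candidates(SAMPLE_LOG))
```

Bare IP addresses in the output are the ones to resolve before deciding whether a new list entry is needed.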