OpenVPN Tunnel between Android and pfSense via T-Mobile Network and residential Verizon FIOS Service

Christian Donner, March 27, 2025

For years I had been trying to get a VPN tunnel working between a public network and my home, for access to security cameras, my NAS, and other local network resources that I prefer to keep cordoned off by my Internet firewall. Years ago, I had OpenVPN set up successfully at our office and it worked well for a small number of users with different devices, but for some reason it never worked at home. Every once in a while I tinkered with it a bit and gave up again.

Enter Home Assistant. I recently got myself entangled in the endless number of integrations that are possible with this system, and I am not done adding new things to it. Just today, I added an integration with my Ubiquiti WLAN controller. The Home Assistant home automation application is neat when you can access it while at home, but it really shines when you can control things from away, even from abroad. Alas, I did not want to expose it directly and open up a port for it. With some extra time on my hands, I was determined to get the VPN working this time. Because I spent so much time reading through forum posts from people having issues with this particular scenario but not one that pointed to a working solution, another blog post is due that provides an actual blueprint.

[Figure: My setup that I needed to get working]

I cleared out all entries from prior attempts in the OpenVPN server settings and generated a new server with the Wizard. I opted for a local user without a client certificate and exported a client profile for OpenVPN Connect. I removed all pre-existing client profiles on my phone and imported the newly generated .ovpn file. It did not work. There was nothing in the pfSense logs, neither for the firewall nor in the OpenVPN log.
The client log did not reveal much, either. All I had to go on was the ominous error: endpoint address family (IPv6) is incompatible with transport protocol (tcp4).

Things I tried that didn't work:

- Set the MTU to 1300
- Forcing proto tcp4 on the client and the server
- Switching ports to other UDP and TCP ports, using various non-standard ports that I knew Verizon does not block
- Checked and re-checked the firewall rules
- Ping the server (worked but didn't help)
- Netcat connection test nc -v yourvpn.example.com 1194 (didn't work with 1194 but worked with TCP port 8080)
- ChatGPT suggested adding settings for mssfix and fragment to the .ovpn file, which resulted in different client errors
- Adding values for sndbuf and rcvbuf to the .ovpn file
- Forcing IPv4 in the APN settings on the phone (at least I thought that I tried that; it turned out, though, that I made this change for my 2nd SIM that I do not use in the US, and that the APN settings for the T-Mobile SIM are not editable for me, they are greyed out)
- Connecting my phone to an open WLAN outside of my house, as opposed to the mobile network

After reading dozens of forum threads about this and similar issues with OpenVPN over T-Mobile and Verizon networks, it became somewhat clear that the issue was what the original error said: the phone was trying to send IPv6 packets to my firewall, but I had always had IPv6 disabled in pfSense, and I had also set the OpenVPN server to only create an IPv4 gateway. I even discovered what I thought was a mistake in a firewall rule: the UDP port 8080 was open for the WAN network destination and not for traffic from the WAN network to the firewall, but fixing that did not help.

I saw no other option left but to try turning IPv6 on in pfSense. With the server set to port 8080/UDP and some of the other settings still in place (proto udp4 and tun-mtu 1300, for instance), I did just that: I enabled IPv6 in the General network settings and also for the VPN gateway.
Et voilà, my first connection attempt was a success. I was in business. I am not sure if the standard UDP port 1194 would work now; I did not try that. After all, netcat was not able to establish a connection on that port.

[Figure: My main Home Assistant dashboard that I can now access when I am not at home]

The first thing I did was run several external IPv6 port scans against my firewall. They all found no open ports, oddly not even on port 8080. The firewall is supposed to block everything by default, so I think I did not expose my network to new vulnerabilities. The second thing I did was to add a client certificate and use a domain account for my remote connection.

Bottom line: it is possible to use OpenVPN in my scenario, but you need to have IPv6 enabled, even though the VPN server is set to force IPv4. All the other things that people posted that supposedly might fix the protocol errors did nothing.

Here is the .ovpn file that I use, minus any secrets or sensitive information:

persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
proto udp4
tun-mtu 1300
client
remote <mydomain>.com 8080 udp4
nobind
auth-user-pass
remote-cert-tls server
auth-nocache
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

[Figure: The firewall rule]
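The error in this post boils down to a simple check that the OpenVPN client performs before it even sends a packet: the address family of the endpoint it is about to use must match the family that proto (or the per-remote protocol suffix such as udp4) forces. The following Python script is an added example for this post, not code from pfSense or the OpenVPN project. It parses a client profile the way the one above is laid out, works out which family each remote is pinned to, and compares that with the addresses the client actually has available for the hostname. The sample profile, the address lists and the hostname vpn.example.invalid are constructed placeholders; the resolve() helper does a live lookup with the standard library if you want to run it against your own profile.

```python
"""Check an OpenVPN client profile for the address-family mismatch behind
the 'endpoint address family (IPv6) is incompatible with transport
protocol' error.

Added example for this post; not code from pfSense or the OpenVPN project.
The sample profile and the 'resolved' address lists are constructed, and
vpn.example.invalid is a placeholder hostname.
"""
import ipaddress
import socket

# Constructed profile in the shape of the one the post shows (secrets omitted).
SAMPLE_PROFILE = """\
client
proto udp4
tun-mtu 1300
remote vpn.example.invalid 8080 udp4
nobind
"""


def parse_profile(text):
    """Return (global proto, [(host, port, per-remote proto), ...]).

    OpenVPN allows a 'remote' line to carry its own protocol (e.g. 'udp4'),
    which takes precedence over the global 'proto' for that endpoint.
    """
    proto = None
    remotes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "proto" and len(parts) >= 2:
            proto = parts[1]
        elif parts[0] == "remote" and len(parts) >= 2:
            host = parts[1]
            port = int(parts[2]) if len(parts) >= 3 else 1194  # OpenVPN default
            rproto = parts[3] if len(parts) >= 4 else None
            remotes.append((host, port, rproto))
    return proto, remotes


def forced_family(proto):
    """Address family a proto keyword forces: 4 for udp4/tcp4, 6 for
    udp6/tcp6, None for plain udp/tcp (either family is acceptable)."""
    if proto is None:
        return None
    if proto.endswith("4"):
        return 4
    if proto.endswith("6"):
        return 6
    return None


def diagnose(profile_text, resolved):
    """Compare each remote's forced family with the addresses in `resolved`.

    `resolved` maps hostname -> list of IP address strings (what DNS returned
    on the client, or what the client was seen trying). Returns one dict per
    remote with status 'ok', 'mismatch' or 'unconstrained'.
    """
    proto, remotes = parse_profile(profile_text)
    findings = []
    for host, port, rproto in remotes:
        family = forced_family(rproto or proto)
        present = sorted({ipaddress.ip_address(a).version
                          for a in resolved.get(host, [])})
        if family is None:
            status = "unconstrained"
        elif family in present:
            status = "ok"
        else:
            status = "mismatch"
        findings.append({"host": host, "port": port, "forced_family": family,
                         "available_families": present, "status": status})
    return findings


def resolve(host):
    """Live DNS lookup for a hostname; not used by the offline sample run."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


if __name__ == "__main__":
    # Constructed scenario: only an IPv6 address is usable for the endpoint
    # while the profile forces udp4, which is the error class from the post.
    for finding in diagnose(SAMPLE_PROFILE,
                            {"vpn.example.invalid": ["2001:db8::1"]}):
        print(finding)
```

A 'mismatch' finding is the configuration-level view of what happened here: the profile pins the transport to IPv4 while the only path the phone could use was IPv6. Enabling IPv6 on the pfSense side, as described above, is what makes the families line up; the script only tells you which side of the check is failing, it does not change anything.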