Nginx sees OpenVPN linux client with its public IP address while android client is seen with private VPN IP address

I've set up the following virtual server in my NGINX conf:

server {
    listen 80;
    listen [::]:80;
    server_name ip.myserver.com;
    location / {
        default_type text/plain;
        return 200 "$remote_addr\n";
    }
}

The idea is that I have some other virtual servers that I want to access only using the OpenVPN connection, which is on the same machine. Using this test site, it should display the private IP address (or the public one if not connected to the VPN).

My Android phone works perfectly:

When connecting to the site without a VPN connection, it displays the following: 192.0.2.222. (It has another address in reality, of course.)

When connecting to the site using the VPN connection, the following is displayed: 10.8.0.3. This is the correct result, as it shows that the device is using the VPN connection, and since the VPN service and the Nginx server are on the same machine, Nginx sees the private IP of the VPN.

When doing this on my Linux machine, it displays the Linux machine's public IP address when connecting to the server without a VPN connection, and when connecting with a VPN connection it displays the server's public IP address, which is not what I expected.

I suspect there's something wrong with the way OpenVPN is configured on my Linux laptop, as the Android phone is working fine.

OpenVPN Server Config:

port 1194
proto udp6
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 94.140.14.14"
push "dhcp-option DNS 94.140.15.15"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
dh none
ecdh-curve prime256v1
tls-crypt /etc/openvpn/tls-crypt.key
crl-verify /etc/openvpn/crl.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server_key.crt
key /etc/openvpn/server_key.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 4

OpenVPN Client File (Without keys):

client
proto udp
explicit-exit-notify
remote 192.0.2.222 1194 # Changed this for display.
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_key name # Changed this because not sure if private info
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

Nikita Kipriyanov: Actually, we don't need your Nginx config, but the OpenVPN ones. Please [attach](https://serverfault.com/posts/1102361/edit) them to the question. Also notice that if you mask a public IP address, don't use random ones, but choose one from [RFC5737](https://www.rfc-editor.org/rfc/rfc5737.html).

Asker: I would assume that my OpenVPN configs would be fine and the fault would be with my Linux laptop, but I will post them for clarity's sake. Please see the amended description...

Nikita Kipriyanov: I suspect different clients process *push*-ed dual `redirect-gateway` options differently. For instance, the second option may override the first, or not. Wouldn't you try combining them into a single option? Also, if possible, attach `ip route` from the connected Linux client just after the VPN was connected.

Asker: How would I need to modify it to include everything in one push statement? I apologize for my lack of knowledge in this regard.

Nikita Kipriyanov: I mean, instead of two `push "redirect-gateway ..."` lines, use just one: `push "redirect-gateway def1 bypass-dhcp ipv6"`.

Asker: Here's what `ip route` shows:

0.0.0.0/1 via 10.8.0.1 dev tun0
default via 198.51.100.1 dev wlo1 proto dhcp src 10.51.205.131 metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.51.192.0/20 dev wlo1 proto kernel scope link src 10.51.205.131 metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
198.51.100.0/24 dev virbr0 proto kernel scope link src 198.51.100.122 linkdown
198.51.100.32 via 198.51.100.1 dev wlo1

I swapped the IP addresses for privacy :)