[Android 13] VPN connection is not working with 4G data network

[arnor2000]

General information

1. Android Version
   Android 13
   Kernel version: 4.14.276-g8ae7b4ca8564-ab8715030
   Build number: TP1A.220624.014
2. Android Vendor/Custom ROM
   Google
3. Device
   Google Pixel 4a
4. Version of the app (version number/play store version/self-built)
   F-Droid built and signed version 0.7.39

Description of the issue

Hello,

Since upgrade to Android 13 on my Google Nexus 4a, OpenVPN is not able to connect to 4G data network anymore.

Connections with WIFI are still working as usual.

Of course if I disable "Block connection without VPN" and "Permanent VPN" in Android VPN settings, my 4G data network is working without VPN.

Log (if applicable)

Logs of a working Wifi connection, then 2 minutes later switch off wifi to try to switch to 4G data network:

2022-08-27 23:46:33 F-Droid built and signed version 0.7.39 running on google Pixel 4a (sunfish), Android 13 (TP1A.220624.014) API 33, ABI arm64-v8a, (google/sunfish/sunfish:13/TP1A.220624.014/8819323:user/release-keys)
2022-08-27 23:46:33 Building configuration…
2022-08-27 23:46:33 started Socket Thread
2022-08-27 23:46:33 P:WARNING: linker: Warning: "/data/app/~~smrBmc2pv7Rjsnjs5DXRNA==/de.blinkt.openvpn-dQPyyDwTr5AzpLyjX2ZUOg==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2022-08-27 23:46:33 Network Status: CONNECTED  to WIFI 
2022-08-27 23:46:33 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-08-27 23:46:33 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-08-27 23:46:33 Current Parameter Settings:
2022-08-27 23:46:33   config = 'stdin'
2022-08-27 23:46:33   mode = 0
2022-08-27 23:46:33   show_ciphers = DISABLED
2022-08-27 23:46:33   show_digests = DISABLED
2022-08-27 23:46:33   show_engines = DISABLED
2022-08-27 23:46:33   genkey = DISABLED
2022-08-27 23:46:33   genkey_filename = '[UNDEF]'
2022-08-27 23:46:33   key_pass_file = '[UNDEF]'
2022-08-27 23:46:33   show_tls_ciphers = DISABLED
2022-08-27 23:46:33   connect_retry_max = 0
2022-08-27 23:46:33 Connection profiles [0]:
2022-08-27 23:46:33   proto = udp
2022-08-27 23:46:33   local = '[UNDEF]'
2022-08-27 23:46:33   local_port = '[UNDEF]'
2022-08-27 23:46:33   remote = 'ch.vpn.airdns.org'
2022-08-27 23:46:33   remote_port = '443'
2022-08-27 23:46:33   remote_float = DISABLED
2022-08-27 23:46:33   bind_defined = DISABLED
2022-08-27 23:46:33   bind_local = DISABLED
2022-08-27 23:46:33   bind_ipv6_only = DISABLED
2022-08-27 23:46:33   connect_retry_seconds = 2
2022-08-27 23:46:33   connect_timeout = 120
2022-08-27 23:46:33   socks_proxy_server = '[UNDEF]'
2022-08-27 23:46:33   socks_proxy_port = '[UNDEF]'
2022-08-27 23:46:33   tun_mtu = 1500
2022-08-27 23:46:33   tun_mtu_defined = ENABLED
2022-08-27 23:46:33   link_mtu = 1500
2022-08-27 23:46:33   link_mtu_defined = DISABLED
2022-08-27 23:46:33   tun_mtu_extra = 0
2022-08-27 23:46:33   tun_mtu_extra_defined = DISABLED
2022-08-27 23:46:33   tls_mtu = 1250
2022-08-27 23:46:33   mtu_discover_type = -1
2022-08-27 23:46:33   fragment = 0
2022-08-27 23:46:33   mssfix = 1492
2022-08-27 23:46:33   mssfix_encap = ENABLED
2022-08-27 23:46:33   mssfix_fixed = DISABLED
2022-08-27 23:46:33   explicit_exit_notification = 5
2022-08-27 23:46:33   tls_auth_file = '[INLINE]'
2022-08-27 23:46:33   key_direction = 1
2022-08-27 23:46:33   tls_crypt_file = '[UNDEF]'
2022-08-27 23:46:33   tls_crypt_v2_file = '[UNDEF]'
2022-08-27 23:46:33 Connection profiles END
2022-08-27 23:46:33   remote_random = DISABLED
2022-08-27 23:46:33   ipchange = '[UNDEF]'
2022-08-27 23:46:33   dev = 'tun'
2022-08-27 23:46:33   dev_type = '[UNDEF]'
2022-08-27 23:46:33   dev_node = '[UNDEF]'
2022-08-27 23:46:33   lladdr = '[UNDEF]'
2022-08-27 23:46:33   topology = 1
2022-08-27 23:46:33   ifconfig_local = '[UNDEF]'
2022-08-27 23:46:33   ifconfig_remote_netmask = '[UNDEF]'
2022-08-27 23:46:33   ifconfig_noexec = DISABLED
2022-08-27 23:46:33   ifconfig_nowarn = ENABLED
2022-08-27 23:46:33 Waiting 0s seconds between connection attempt
2022-08-27 23:46:33   ifconfig_ipv6_local = '[UNDEF]'
2022-08-27 23:46:33   ifconfig_ipv6_netbits = 0
2022-08-27 23:46:33   ifconfig_ipv6_remote = '[UNDEF]'
2022-08-27 23:46:33   shaper = 0
2022-08-27 23:46:33   mtu_test = 0
2022-08-27 23:46:33   mlock = DISABLED
2022-08-27 23:46:33   keepalive_ping = 50
2022-08-27 23:46:33   keepalive_timeout = 100
2022-08-27 23:46:33   inactivity_timeout = 0
2022-08-27 23:46:33   inactivity_minimum_bytes = 0
2022-08-27 23:46:33   ping_send_timeout = 50
2022-08-27 23:46:33   ping_rec_timeout = 100
2022-08-27 23:46:33   ping_rec_timeout_action = 2
2022-08-27 23:46:33   ping_timer_remote = DISABLED
2022-08-27 23:46:33   remap_sigusr1 = 0
2022-08-27 23:46:33   persist_tun = ENABLED
2022-08-27 23:46:33   persist_local_ip = DISABLED
2022-08-27 23:46:33   persist_remote_ip = DISABLED
2022-08-27 23:46:33   persist_key = DISABLED
2022-08-27 23:46:33   passtos = DISABLED
2022-08-27 23:46:33   resolve_retry_seconds = 1000000000
2022-08-27 23:46:33   resolve_in_advance = ENABLED
2022-08-27 23:46:33   username = '[UNDEF]'
2022-08-27 23:46:33   groupname = '[UNDEF]'
2022-08-27 23:46:33   chroot_dir = '[UNDEF]'
2022-08-27 23:46:33   cd_dir = '[UNDEF]'
2022-08-27 23:46:33   writepid = '[UNDEF]'
2022-08-27 23:46:33   up_script = '[UNDEF]'
2022-08-27 23:46:33   down_script = '[UNDEF]'
2022-08-27 23:46:33   down_pre = DISABLED
2022-08-27 23:46:33   up_restart = DISABLED
2022-08-27 23:46:33   up_delay = DISABLED
2022-08-27 23:46:33   daemon = DISABLED
2022-08-27 23:46:33   log = DISABLED
2022-08-27 23:46:33   suppress_timestamps = DISABLED
2022-08-27 23:46:33   machine_readable_output = ENABLED
2022-08-27 23:46:33   nice = 0
2022-08-27 23:46:33   verbosity = 4
2022-08-27 23:46:33   mute = 0
2022-08-27 23:46:33   gremlin = 0
2022-08-27 23:46:33   status_file = '[UNDEF]'
2022-08-27 23:46:33   status_file_version = 1
2022-08-27 23:46:33   status_file_update_freq = 60
2022-08-27 23:46:33   occ = ENABLED
2022-08-27 23:46:33   rcvbuf = 0
2022-08-27 23:46:33   sndbuf = 0
2022-08-27 23:46:33   sockflags = 0
2022-08-27 23:46:33   fast_io = DISABLED
2022-08-27 23:46:33   comp.alg = 0
2022-08-27 23:46:33   comp.flags = 24
2022-08-27 23:46:33   route_script = '[UNDEF]'
2022-08-27 23:46:33   route_default_gateway = '[UNDEF]'
2022-08-27 23:46:33   route_default_metric = 0
2022-08-27 23:46:33   route_noexec = DISABLED
2022-08-27 23:46:33   route_delay = 0
2022-08-27 23:46:33   route_delay_window = 30
2022-08-27 23:46:33   route_delay_defined = DISABLED
2022-08-27 23:46:33   route_nopull = DISABLED
2022-08-27 23:46:33   route_gateway_via_dhcp = DISABLED
2022-08-27 23:46:33   allow_pull_fqdn = DISABLED
2022-08-27 23:46:33   route 0.0.0.0/0.0.0.0/vpn_gateway/default (not set)
2022-08-27 23:46:33   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2022-08-27 23:46:33   management_port = 'unix'
2022-08-27 23:46:33   management_user_pass = '[UNDEF]'
2022-08-27 23:46:33   management_log_history_cache = 250
2022-08-27 23:46:33   management_echo_buffer_size = 100
2022-08-27 23:46:33   management_client_user = '[UNDEF]'
2022-08-27 23:46:33   management_client_group = '[UNDEF]'
2022-08-27 23:46:33   management_flags = 16678
2022-08-27 23:46:33   shared_secret_file = '[UNDEF]'
2022-08-27 23:46:33   key_direction = 1
2022-08-27 23:46:33   ciphername = 'AES-256-CBC'
2022-08-27 23:46:33   ncp_ciphers = 'CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC'
2022-08-27 23:46:33   authname = 'SHA1'
2022-08-27 23:46:33   engine = DISABLED
2022-08-27 23:46:33   replay = ENABLED
2022-08-27 23:46:33   mute_replay_warnings = DISABLED
2022-08-27 23:46:33   replay_window = 64
2022-08-27 23:46:33   replay_time = 15
2022-08-27 23:46:33   packet_id_file = '[UNDEF]'
2022-08-27 23:46:33   test_crypto = DISABLED
2022-08-27 23:46:33   tls_server = DISABLED
2022-08-27 23:46:33   tls_client = ENABLED
2022-08-27 23:46:33   ca_file = '[INLINE]'
2022-08-27 23:46:33   ca_path = '[UNDEF]'
2022-08-27 23:46:33   dh_file = '[UNDEF]'
2022-08-27 23:46:33   cert_file = '[INLINE]'
2022-08-27 23:46:33   extra_certs_file = '[UNDEF]'
2022-08-27 23:46:33   priv_key_file = '[INLINE]'
2022-08-27 23:46:33   pkcs12_file = '[UNDEF]'
2022-08-27 23:46:33   cipher_list = 'DEFAULT:@SECLEVEL=0'
2022-08-27 23:46:33   cipher_list_tls13 = '[UNDEF]'
2022-08-27 23:46:33   tls_cert_profile = 'preferred'
2022-08-27 23:46:33   tls_verify = '[UNDEF]'
2022-08-27 23:46:33   tls_export_cert = '[UNDEF]'
2022-08-27 23:46:33   verify_x509_type = 0
2022-08-27 23:46:33   verify_x509_name = '[UNDEF]'
2022-08-27 23:46:33   crl_file = '[UNDEF]'
2022-08-27 23:46:33   ns_cert_type = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 65535
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_ku[i] = 0
2022-08-27 23:46:33   remote_cert_eku = 'TLS Web Server Authentication'
2022-08-27 23:46:33   ssl_flags = 192
2022-08-27 23:46:33   tls_timeout = 2
2022-08-27 23:46:33   renegotiate_bytes = -1
2022-08-27 23:46:33   renegotiate_packets = 0
2022-08-27 23:46:33   renegotiate_seconds = 3600
2022-08-27 23:46:33   handshake_window = 60
2022-08-27 23:46:33   transition_window = 3600
2022-08-27 23:46:33   single_session = DISABLED
2022-08-27 23:46:33   push_peer_info = DISABLED
2022-08-27 23:46:33   tls_exit = DISABLED
2022-08-27 23:46:33   tls_crypt_v2_metadata = '[UNDEF]'
2022-08-27 23:46:33   server_network = 0.0.0.0
2022-08-27 23:46:33   server_netmask = 0.0.0.0
2022-08-27 23:46:33   server_network_ipv6 = ::
2022-08-27 23:46:33   server_netbits_ipv6 = 0
2022-08-27 23:46:33   server_bridge_ip = 0.0.0.0
2022-08-27 23:46:33   server_bridge_netmask = 0.0.0.0
2022-08-27 23:46:33   server_bridge_pool_start = 0.0.0.0
2022-08-27 23:46:33   server_bridge_pool_end = 0.0.0.0
2022-08-27 23:46:33   ifconfig_pool_defined = DISABLED
2022-08-27 23:46:33   ifconfig_pool_start = 0.0.0.0
2022-08-27 23:46:33   ifconfig_pool_end = 0.0.0.0
2022-08-27 23:46:33   ifconfig_pool_netmask = 0.0.0.0
2022-08-27 23:46:33   ifconfig_pool_persist_filename = '[UNDEF]'
2022-08-27 23:46:33   ifconfig_pool_persist_refresh_freq = 600
2022-08-27 23:46:33   ifconfig_ipv6_pool_defined = DISABLED
2022-08-27 23:46:33   ifconfig_ipv6_pool_base = ::
2022-08-27 23:46:33   ifconfig_ipv6_pool_netbits = 0
2022-08-27 23:46:33   n_bcast_buf = 256
2022-08-27 23:46:33   tcp_queue_limit = 64
2022-08-27 23:46:33   real_hash_size = 256
2022-08-27 23:46:33   virtual_hash_size = 256
2022-08-27 23:46:33   client_connect_script = '[UNDEF]'
2022-08-27 23:46:33   learn_address_script = '[UNDEF]'
2022-08-27 23:46:33   client_disconnect_script = '[UNDEF]'
2022-08-27 23:46:33   client_config_dir = '[UNDEF]'
2022-08-27 23:46:33   ccd_exclusive = DISABLED
2022-08-27 23:46:33   tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2022-08-27 23:46:33   push_ifconfig_defined = DISABLED
2022-08-27 23:46:33   push_ifconfig_local = 0.0.0.0
2022-08-27 23:46:33   push_ifconfig_remote_netmask = 0.0.0.0
2022-08-27 23:46:33   push_ifconfig_ipv6_defined = DISABLED
2022-08-27 23:46:33   push_ifconfig_ipv6_local = ::/0
2022-08-27 23:46:33   push_ifconfig_ipv6_remote = ::
2022-08-27 23:46:33   enable_c2c = DISABLED
2022-08-27 23:46:33   duplicate_cn = DISABLED
2022-08-27 23:46:33   cf_max = 0
2022-08-27 23:46:33   cf_per = 0
2022-08-27 23:46:33   max_clients = 1024
2022-08-27 23:46:33   max_routes_per_client = 256
2022-08-27 23:46:33   auth_user_pass_verify_script = '[UNDEF]'
2022-08-27 23:46:33   auth_user_pass_verify_script_via_file = DISABLED
2022-08-27 23:46:33   auth_token_generate = DISABLED
2022-08-27 23:46:33   auth_token_lifetime = 0
2022-08-27 23:46:33   auth_token_secret_file = '[UNDEF]'
2022-08-27 23:46:33   port_share_host = '[UNDEF]'
2022-08-27 23:46:33   port_share_port = '[UNDEF]'
2022-08-27 23:46:33   vlan_tagging = DISABLED
2022-08-27 23:46:33   vlan_accept = all
2022-08-27 23:46:33   vlan_pvid = 1
2022-08-27 23:46:33   client = ENABLED
2022-08-27 23:46:33   pull = ENABLED
2022-08-27 23:46:33   auth_user_pass_file = '[UNDEF]'
2022-08-27 23:46:33 OpenVPN 2.6-icsopenvpn [git:icsopenvpn/v0.7.39-0-gb1ae5974] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 15 2022
2022-08-27 23:46:33 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
2022-08-27 23:46:33 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2022-08-27 23:46:33 MANAGEMENT: CMD 'version 3'
2022-08-27 23:46:33 MANAGEMENT: CMD 'hold release'
2022-08-27 23:46:33 MANAGEMENT: CMD 'bytecount 2'
2022-08-27 23:46:33 MANAGEMENT: CMD 'state on'
2022-08-27 23:46:33 MANAGEMENT: >STATE:1661636793,RESOLVE,,,,,,
2022-08-27 23:46:34 MANAGEMENT: CMD 'proxy NONE'
2022-08-27 23:46:35 No valid translation found for TLS cipher '@SECLEVEL=0'
2022-08-27 23:46:35 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-08-27 23:46:35 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-08-27 23:46:35 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2022-08-27 23:46:35 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2022-08-27 23:46:35 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
2022-08-27 23:46:35 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2022-08-27 23:46:35 TCP/UDP: Preserving recently used remote address: [AF_INET]79.142.69.159:443
2022-08-27 23:46:35 Socket Buffers: R=[229376->229376] S=[229376->229376]
2022-08-27 23:46:35 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2022-08-27 23:46:35 UDPv4 link local: (not bound)
2022-08-27 23:46:35 UDPv4 link remote: [AF_INET]79.142.69.159:443
2022-08-27 23:46:35 MANAGEMENT: >STATE:1661636795,WAIT,,,,,,
2022-08-27 23:46:36 MANAGEMENT: >STATE:1661636796,AUTH,,,,,,
2022-08-27 23:46:36 TLS: Initial packet from [AF_INET]79.142.69.159:443, sid=ed651d8a 42dd5431
2022-08-27 23:46:36 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, [email protected]
2022-08-27 23:46:36 VERIFY KU OK
2022-08-27 23:46:36 Validating certificate extended key usage
2022-08-27 23:46:36 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-08-27 23:46:36 VERIFY EKU OK
2022-08-27 23:46:36 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Xuange, [email protected]
2022-08-27 23:46:36 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
2022-08-27 23:46:36 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2022-08-27 23:46:36 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2022-08-27 23:46:36 [Xuange] Peer Connection Initiated with [AF_INET]79.142.69.159:443
2022-08-27 23:46:36 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway  def1 bypass-dhcp,dhcp-option DNS 10.9.208.1,route-gateway 10.9.208.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.9.208.190 255.255.255.0,peer-id 13,cipher CHACHA20-POLY1305'
2022-08-27 23:46:36 OPTIONS IMPORT: timers and/or timeouts modified
2022-08-27 23:46:36 OPTIONS IMPORT: compression parms modified
2022-08-27 23:46:36 OPTIONS IMPORT: --ifconfig/up options modified
2022-08-27 23:46:36 OPTIONS IMPORT: route options modified
2022-08-27 23:46:36 OPTIONS IMPORT: route-related options modified
2022-08-27 23:46:36 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-08-27 23:46:36 OPTIONS IMPORT: peer-id set
2022-08-27 23:46:36 OPTIONS IMPORT: data channel crypto options modified
2022-08-27 23:46:36 ROUTE_GATEWAY 127.100.103.119 IFACE=android-gw
2022-08-27 23:46:36 do_ifconfig, ipv4=1, ipv6=0
2022-08-27 23:46:36 MANAGEMENT: >STATE:1661636796,ASSIGN_IP,,10.9.208.190,,,,
2022-08-27 23:46:36 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2022-08-27 23:46:36 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2022-08-27 23:46:36 MANAGEMENT: >STATE:1661636796,ADD_ROUTES,,,,,,
2022-08-27 23:46:36 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2022-08-27 23:46:36 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2022-08-27 23:46:36 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2022-08-27 23:46:36 Opening tun interface:
2022-08-27 23:46:36 Local IPv4: 10.9.208.190/24 IPv6: (not set) MTU: 1500
2022-08-27 23:46:36 DNS Server: 10.9.208.1, Domain: null
2022-08-27 23:46:36 Routes: 0.0.0.0/0, 10.9.208.0/24 
2022-08-27 23:46:36 Routes excluded: 192.168.1.10/24 2a01:cb00:8626:4f00:4822:e4ff:fe79:192a/64, fe80:0:0:0:4822:e4ff:fe79:192a/64
2022-08-27 23:46:36 Disallowed VPN apps: 
2022-08-27 23:46:36 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2022-08-27 23:46:36 Data Channel: using negotiated cipher 'CHACHA20-POLY1305'
2022-08-27 23:46:36 Data Channel MTU parms [ mss_fix:1399 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2022-08-27 23:46:36 Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-08-27 23:46:36 Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-08-27 23:46:36 Initialization Sequence Completed
2022-08-27 23:46:36 MANAGEMENT: >STATE:1661636796,CONNECTED,SUCCESS,10.9.208.190,79.142.69.159,443,,
2022-08-27 23:46:36 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-08-27 23:48:07 Network Status: not connected
2022-08-27 23:48:07 Debug state info: not connected, pause: userPause, shouldbeconnected: false, network: PENDINGDISCONNECT 
2022-08-27 23:48:07 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:07 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:07 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:07 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:07 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:07 Network Status: CONNECTED LTE to MOBILE orange
2022-08-27 23:48:07 Debug state info: CONNECTED LTE to MOBILE orange, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-08-27 23:48:07 MANAGEMENT: CMD 'network-change'
2022-08-27 23:48:08 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:08 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:08 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:09 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:09 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:10 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:11 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:11 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:14 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:15 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:15 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:22 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:23 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:24 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:33 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:34 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:36 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:40 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:41 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:48 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:49 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:48:58 [Xuange] Inactivity timeout (--ping-restart), restarting
2022-08-27 23:48:58 TCP/UDP: Closing socket
2022-08-27 23:48:58 SIGUSR1[soft,ping-restart] received, process restarting
2022-08-27 23:48:58 MANAGEMENT: >STATE:1661636938,RECONNECTING,ping-restart,,,,,
2022-08-27 23:48:58 Waiting 2s seconds between connection attempt
2022-08-27 23:49:00 MANAGEMENT: CMD 'hold release'
2022-08-27 23:49:00 MANAGEMENT: CMD 'bytecount 2'
2022-08-27 23:49:00 MANAGEMENT: CMD 'state on'
2022-08-27 23:49:00 MANAGEMENT: CMD 'proxy NONE'
2022-08-27 23:49:01 No valid translation found for TLS cipher '@SECLEVEL=0'
2022-08-27 23:49:01 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-08-27 23:49:01 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-08-27 23:49:01 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2022-08-27 23:49:01 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2022-08-27 23:49:01 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
2022-08-27 23:49:01 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2022-08-27 23:49:01 TCP/UDP: Preserving recently used remote address: [AF_INET]79.142.69.159:443
2022-08-27 23:49:01 Socket Buffers: R=[229376->229376] S=[229376->229376]
2022-08-27 23:49:01 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2022-08-27 23:49:01 UDPv4 link local: (not bound)
2022-08-27 23:49:01 UDPv4 link remote: [AF_INET]79.142.69.159:443
2022-08-27 23:49:01 MANAGEMENT: >STATE:1661636941,WAIT,,,,,,
2022-08-27 23:49:01 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:49:01 Network unreachable, restarting
2022-08-27 23:49:01 TCP/UDP: Closing socket
2022-08-27 23:49:01 SIGUSR1[soft,network-unreachable] received, process restarting
2022-08-27 23:49:01 MANAGEMENT: >STATE:1661636941,RECONNECTING,network-unreachable,,,,,
2022-08-27 23:49:01 Waiting 2s seconds between connection attempt
2022-08-27 23:49:06 MANAGEMENT: CMD 'hold release'
2022-08-27 23:49:06 MANAGEMENT: CMD 'bytecount 2'
2022-08-27 23:49:06 MANAGEMENT: CMD 'state on'
2022-08-27 23:49:06 MANAGEMENT: CMD 'proxy NONE'
2022-08-27 23:49:07 No valid translation found for TLS cipher '@SECLEVEL=0'
2022-08-27 23:49:08 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-08-27 23:49:08 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-08-27 23:49:08 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2022-08-27 23:49:08 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2022-08-27 23:49:08 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
2022-08-27 23:49:08 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2022-08-27 23:49:08 TCP/UDP: Preserving recently used remote address: [AF_INET]79.142.69.159:443
2022-08-27 23:49:08 Socket Buffers: R=[229376->229376] S=[229376->229376]
2022-08-27 23:49:08 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2022-08-27 23:49:08 UDPv4 link local: (not bound)
2022-08-27 23:49:08 UDPv4 link remote: [AF_INET]79.142.69.159:443
2022-08-27 23:49:08 MANAGEMENT: >STATE:1661636948,WAIT,,,,,,
2022-08-27 23:49:08 write UDPv4 []: Network is unreachable (fd=4,code=101)
2022-08-27 23:49:08 Network unreachable, restarting
2022-08-27 23:49:08 TCP/UDP: Closing socket
2022-08-27 23:49:08 SIGUSR1[soft,network-unreachable] received, process restarting
2022-08-27 23:49:08 MANAGEMENT: >STATE:1661636948,RECONNECTING,,,,,,
2022-08-27 23:49:08 Waiting 2s seconds between connection attempt

Configuration file

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Friday 26th of August 2022 05:05:33 PM
# OpenVPN Client Configuration
# AirVPN_Switzerland_UDP-443
# --------------------------------------------------------

client
dev tun
remote ch.vpn.airdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
remote-cert-tls server
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto udp
key-direction 1
keepalive 50 100

Thank you for your work!

[schwabe]

You are probably on a NAT64 network. Try disabling the persist-tun option from the VPN itself. It disables lookup of DNS and that seems to be needed in your case.

[realbiz21]

This might also be because of an Android 13 bug too. See:

• No mobile data when connecting to a VPN GrapheneOS/os-issue-tracker#1411
• https://twitter.com/GrapheneOS/status/1563412965591633920

[schwabe]

According to that disucssion it seems to be NAT464 related, so disable persist-tun in my app and use a hostname instead of IP to connect the server and it should work.

[realbiz21]

In my limited opinion, being far from an expert on Android, the issue with Android 13 seems to be only with blocking the clatd daemon's network access when "Block connections"/lockdown mode is enabled.

Without clatd (and the tun interfaces it sets up), there are no IPv4 routes or interfaces for apps that are attempting to connect with IPv4 addresses.

I can use ics-openvpn as-is with a commercial VPN by specifying hostname because DNS64 returns a "fake" AAAA DNS record for upstream A records; the NAT64 prefix + IPv4 address is returned to the app as if it resolves to an IPv6 address, and the VPN connection succeeds. No need to specify persist-tun, though clatd is still in a broken state with no IPv4 connectivity without a DNS64 intercept.

However, in my case, I have a private VPN that is only accessible over IPv4 and no hostname. Network Unreachable is returned if I use the IPv4 address, but it does work if I create a duplicate OpenVPN profile with the destination host being the NAT64 prefix + IPv4 address.

Unfortunately there's not much to go on as a I scour the internet for people with similar issues, so sadly my own observations are the best I can offer.

[schwabe]

So basically clatd is a hack to workaround broken apps that do not properly use DNS and NAT64. And that breaks. So you are probably better off creating just some hostname for your static IP, so that works for you without having to resort to the clatd hack.

Not that iOS does not have this hack and will even reject apps from the app store if they do not work in a NAT64 environment rather than relying on something like clatd.

[dimitris-personal]

Thanks again for the great work here, being able to take back some control of how my mobile traffic is handled is really important.

Here for a 👍 and a question.

TL;DR:

• Specifying the server via DNS records (and adding mssfix) restores functionality when I move out of WiFi range.
• Should I be using separate hostnames per server (or even server v4 vs v6 address) or would a single hostname with all of the servers' A and AAAA records work?

Background:

I encountered this same problem after moving to Android 13 (Google official builds) on several devices. Currently the "fleet" consists of a Pixel 6A and a Pixel 7, both on the latest OEM OS builds.

Symptoms were that after leaving WiFi range, I would have no connectivity from the mobiles. VPN had, for years, been working without issues with Android always-on and "block without VPN" enabled, and with pesistent tun enabled, using static IPv4 server addresses. Servers are my own.

Mobile network is Google Fi (T-Mobile US MVNO) and from what I can tell (in a sideways manner using a data-only G Fi SIM and tethering so I can observe traffic easily) they are running an access network that relies on NAT64/DNS64 for IPv4 connectivity.

I finally managed to mostly fix this by adding DNS A records for my VPN servers. While at it, I also ensured that they're reachable over IPv6 and added AAAA records too.

This has fixed the "UDPv4 network unreachable" problem I was seeing in the client.

To fully restore app functionality when on mobile data though it also required setting mssfix to 1300. I assume that there's lots of extra encapsulation overhead in this environment, and that MTU discovery is a lost cause. Without mssfix I would often get the very slow and/or stalled "webpage load" effect. Other apps would also stall/fail to talk to their back ends and various errors about, generally speaking, "no network connection".

I have now also unchecked Persist tun in the client. Seeing the discussion above, would it make sense to combine all of the servers' A and AAAA records under a single hostname?

I'm asking this because in a scenario where I e.g. move from mobile only (IPv6 plus NAT64/DNS64) state, where the client has connected to the IPv6 server address, into a WiFi with IPv4 only, it would presumably require a fresh DNS lookup to maintain the connection. I'd like to confirm that it is in fact true that having one hostname per server, each with a pair of A and AAAA records, would mean that I'd still get a new DNS lookup and a float, instead of a ping-restart and reconnection that would take much longer to restore connectivity. Versus, say, a single hostname with a bag of A and AAAA records that span all the servers across both stacks, which would roll the dice every time.

I currently use the one hostname per server in the client config, each of which should be getting a pair of A and AAAA records from DNS. Based on client logs, seems to be "preferring" the IPv6 addresses, both on Google Fi's network and on my dual-stack WLAN, so far. But I haven't done any serious testing yet.

(edited for clarity/terminology).