Monday, April 14, 2014

IPv6 APN means no VPN for the Galaxy S5 on T-Mobile


After starting up F-Secure's Freedome (my nomination for Android app of the year) on my new Samsung Galaxy S5 I noticed that webpages stopped loading.  In fact, I seemed to have lost all internet connectivity even though Freedome's notification icon indicated it was connected and the 4G/LTE data icon was present.  What gives?





At first I thought it was a problem with how Android 4.4.2 handles VPNs, but following that hunch didn't pan out.  After way too much searching I finally came across the key to my solution provided by John Navas:
The Symptoms: You are able to do things on your mobile device over T-Mobile data (browse the Internet, send and receive email, etc), and you are able to make VPN connections over Wi-Fi wireless, but you are not able to make VPN connections over T-Mobile wireless data. 
The Cause: T-Mobile apparently pushed out a data configuration in late 2013 that set APN Protocol to IPv6. That works properly for most things on mobile devices, but it prevents PPTP (built into Android) and OpenVPN (OpenVPN Connect) clients from making VPN connections.
The Cure: Open Settings > Wireless & Networks > More... > Mobile networks > Access Point Names > T-Mobile GPRS (fast.t-mobile.com) > APN protocol, and change the selection from IPv6 to IPv4/IPv6 IPv4 (see update below).

Further searching led me to someone else who experienced my pain:




Apparently T-Mobile decided that "users with Android 4.4 KitKat will default to IPv6 only for connecting to the mobile network". There's some relevant discussion towards the bottom of that page:
broccoli: "...when I try to connect to VPN endpoints that do not have IPv6 addresses, T-Mobile's DNS server hands out fake IPv6 addresses that go nowhere."

34764170: "They're not fake IPv6 addresses that go nowhere. They're synthesized DNS records provided via DNS64. The traffic sent towards these addresses is translated via NAT64 and sent towards the IPv4 address at the other end."

broccoli: "A hostname resolves to something other than its official A record or AAAA record. To me that's a fake address. The end result is the VPN session fails to be established. That's what I mean by 'going nowhere'."

broccoli: "Until now I haven't taken the effort to look into the root cause of my difficulties using VPN under NAT64, but it seems that there is no provision for it to work at all, at least for now."


I'm not near enough educated on IPv6 to know if those statements are 100% correct but they sure do seem to explain what I'm experiencing. DSLreports.com also states "T-Mobile’s Cameron Byrne co-authored a new standard known as 464XLAT. 464XLAT calls for a CLAT daemon to provide local IPv4 connectivity to the smartphone. In Android 4.3 464XLAT was added, enabling T-Mobile to go IPv6 only in Android 4.4."
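The DNS64 synthesis described in the quoted exchange above can be checked from the client side. This added example (not from the original post or the quoted thread) uses Python's ipaddress module to recognise synthesized AAAA answers and recover the embedded IPv4 address. It assumes a /96 NAT64 prefix; the 2001:db8:64::/96 prefix, the 203.0.113.10 endpoint and all answers in the demo are constructed sample values.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; a carrier may use its own prefix instead.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# RFC 7050: ipv4only.arpa has only these A records, so any AAAA answer for it is synthesized.
IPV4ONLY_ARPA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}


def discover_prefix(aaaa_for_ipv4only_arpa):
    """Return the /96 NAT64 prefix implied by an AAAA answer for ipv4only.arpa, or None."""
    addr = ipaddress.IPv6Address(aaaa_for_ipv4only_arpa)
    low32 = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    if low32 not in IPV4ONLY_ARPA:
        return None  # not a /96 synthesis of the well-known IPv4 addresses
    return ipaddress.IPv6Network(((int(addr) >> 32) << 32, 96))


def embedded_ipv4(aaaa, prefix=WELL_KNOWN_PREFIX):
    """Return the IPv4 address embedded in a synthesized AAAA, or None if outside the prefix."""
    addr = ipaddress.IPv6Address(aaaa)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def classify(aaaa, a_records, prefix):
    """Label an AAAA answer 'native', 'synthesized' or 'mismatch' against the host's A records."""
    v4 = embedded_ipv4(aaaa, prefix)
    if v4 is None:
        return "native"
    return "synthesized" if str(v4) in a_records else "mismatch"


if __name__ == "__main__":
    # Constructed sample: what a DNS64 resolver might return for ipv4only.arpa.
    prefix = discover_prefix("2001:db8:64::c000:aa")
    print("NAT64 prefix:", prefix)
    # Constructed sample: AAAA answers for a VPN endpoint whose only A record is 203.0.113.10.
    for answer in ("2001:db8:64::cb00:710a", "2001:db8:1::10"):
        print(answer, "->", classify(answer, ["203.0.113.10"], prefix),
              embedded_ipv4(answer, prefix))
```

A "synthesized" result means the hostname has no real AAAA record and the connection will traverse NAT64, which is the condition the quoted posters associate with the failed VPN sessions.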

It seems that Mr. Byrne has been instrumental in rolling out IPv6 across T-Mobile and pushing for its widespread acceptance, which is some pretty awesome IT cred to have. However, in the websites that mentioned this change I find no mention of problems associated with VPNs:


I'll have to save reading up on Mr. Byrne's 464XLAT standard for another night. I can't say if it was designed to carry VPN traffic. Maybe it was and T-Mobile just hasn't fully implemented it yet, or maybe there are other infrastructure challenges keeping VPNs from working.  Maybe it's the responsibility of the VPN providers to offer IPv6 connectivity, but it's not a feature I've seen many of them advertising.

Regardless of where the fault lies, when the number one search result on Google for "VPN doesn't work on T-Mobile" is a support guide that a non-T-Mobile employee created (Mr. Navas again), it's time for T-Mobile to step up and address the issue.




Let's go edit our APN settings.  Go to Settings > Network Connections > More networks > Mobile networks > Access Point Names

When I opened the APN settings on my S5 I found that either T-Mobile or Samsung had disabled the ability to edit the default configuration - all the settings are grayed out.  An option to clone an existing APN would have been nice.  Instead we must manually create a new APN.  We'll only need to edit a few of the settings.

Here's what to add if you're connecting to an LTE network:

Name:  whatever floats your boat
APN:  fast.t-mobile.com
MMSC:  http://mms.msg.eng.t-mobile.com/mms/wapenc
APN type:  default,mms,supl
APN protocol (choose one):  IPv4  or  IPv4/IPv6


I ended up using the IPv4/IPv6 option.  I tested with just IPv4 but the VPN and/or data connection kept dropping.  That might have been a fluke or some other app causing problems, though.  Try both, use whichever works.

With my new IPv4/IPv6 APN selected I verified that Freedome was working on my phone:



After that I tethered my laptop to further test the new APN setting.  The Internet worked fine... until I tried to start up the OpenVPN-based service I use.  Surprise, surprise, the client failed to connect.



VPN over tether isn't working.  I'll tackle that problem another day.


Conclusion


Seriously, T-Mobile?  Your default settings seem to break the ability to use the two most common VPN protocols on at least five devices - the new S5 plus the four listed here.  That's not very UNcarrier now, is it?

Yes, there's a workaround, but it's not very customer friendly or well-documented.  There's no visual indication on the phone that it's the IPv6 APN that's keeping the VPN from working.  Maybe T-Mobile support knows about it, but I did all this on a Sunday when they were closed.  Unless I'm misdiagnosing the problem (which is certainly possible), having IPv6 as the default APN prevents the user from accessing the Internet securely and anonymously over their VPN of choice.

Maybe a fix is already in the works.  I should try to get in touch with Mr. Byrne to get his expert opinion.

Other than this annoying problem I've been an extremely satisfied customer of T-Mobile's for a number of years.  Hopefully they'll figure out some kind of resolution.

3 comments:

  1. I came across your article and wanted to add, if your VPN only has IPv4, leaving the APN set to IPv4/IPv6 will still let IPv6 addresses bypass the tunnel and show up as a T-Mobile IPv6 address. I set up a simple PPTP VPN that is v4 only. When testing with http://ip6.me, the v6 test bypassed the tunnel if I didn't set the APN to v4 only. The v4 only test connection on this site showed the tunneled address.

    Thanks for the tip about creating a copy of the APN. I have a Nexus 5 and can change the default. My wife just got a GS5 and it won't let you change it as you said.

  2. Hello,

    Many months later, I have a follow up question. I just purchased the Galaxy S5, and quickly ran into the same problem, but your fix did seem to work. However, this particular device has a lot of other issues, (the "android.process.acore" bug would not go away after factory reset) and I'm returning it.

    What I want to know is this: does this same IPv6-only problem come up with all other new T-Mobile devices? I might exchange this for a LG G3. But I have no idea if the LG will have the same issues, let alone a fix! I asked T-Mobile and of course they gave me the run-around, saying that the problem is my VPN and "the phone works fine," clearly without understanding the problem.

    So do you know if this will be an issue with all new T-mobile phones?
    (Apologies if you've answered above and I didn't get it- I'm sort of a VPN newb.)

    Thanks!
    Nicole

  3. Even well into 2015 and on Lollipop OS on LG G4, I have experienced the exact same issues. Your workaround solves my problem after setting the APN to IPv4. Thank you so much for your article, I was beginning to blame LG because I did not have this problem on my Samsung Note 4 with OpenVPN on T-Mobile.
