Solution to Tethering + OpenVPN issues on KitKat/4.4
I was previously using a stock rooted Nexus 4 (with 4.3) with "OpenVPN Connect" (net.openvpn.openvpn) and android built-in wifi tethering to tunnel tethered clients through the OpenVPN connection. This required some iptables modifications but worked fine.
With a stock rooted Nexus 5 (with 4.4.0) and OpenVPN Connect 1.1.12, this stopped working and that was really annoying.
Part of the issue was the one described here
But it was more complicated. It seems that there are routing table issues that I had to research a bunch.
Here are the iptables commands that I already had to run even on the Nexus 4 (with 4.3), which I got from here
iptables -t filter -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t filter -I FORWARD -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
These (above) are somewhat liberal firewall rules that you may what to refine for more security.
But below are additional routing entries that I needed to add specifically for the Nexus 5 (with 4.4.0). They force tethered clients to route through the VPN, unless their traffic is a broadcast or designated for the wifi LAN. Those exceptions are required for DHCP to work on the tethered client. They assume the tethered LAN is 192.168.43.XYZ and the OpenVPN interface is tun0.
ip rule add from 192.168.43.0/24 lookup 61
ip route add default dev tun0 scope link table 61
ip route add 192.168.43.0/24 dev wlan0 scope link table 61
ip route add broadcast 255.255.255.255 dev wlan0 scope link table 61
This seems to all work best if I start OpenVPN after activating tethering, not before.
I'm not entirely clear whether this is a result of some change/bug in KitKat, or an incompatibility in "OpenVPN Connect", or both. I wonder if it would work ok with other OpenVPN clients like "OpenVPN for Android" (de.blinkt.openvpn)
* Server is OpenVPN 2.3.2
* Server has this line set in its config:
push "redirect-gateway autolocal def1"