Nginx – Accessing OwnCloud over VPN doesn’t work on android and chromebook


Here is my setup. I've got a Cisco ASA 5505 (latest IOS). Behind it, I have a (Ubuntu 12.04) server running nginx, php-fpm, OwnCloud (all latest versions). My desktop also sits behind the ASA and is able to access OwnCloud just fine. If I connect my Android tablet to our wireless access point, then access the OwnCloud web interface, everything works just fine.

I've setup L2TP/IPSEC VPN on the ASA. I can disconnect my ethernet on my desktop, tether to my phone, and connect to the VPN. From there I am able to SSH into the nginx server, VNC into other desktop machines, and access the OwnCloud web interface. Everything works perfect.

I can connect the android tablet to the VPN (via hotspot tethering). From there I am able to SSH into the nginx server, VNC into desktop machines. The problem comes when I try to access the OwnCloud web interface. It doesn't work. It just sits there spinning. The strange thing is, I create a test.php file in the OwnCloud directory (with a simple echo('hello world');) and that page loads just fine.

I have captured traffic on the server using tcpdump, and I can see the GET request come in. The server responds. Then I see a couple of duplicate ACKS coming from the tablet and a few retransmissions coming from the server.

I should note that VPN clients are given IP addresses on a different subnet.

Here is my nginx config:

upstream php-handler {

# redirect http to https
server {
    listen 80;
    #return 301 https://$server_name$request_uri; # enforce https

    root /var/www/owncloud/;

    client_max_body_size 10G;
    client_body_timeout 600s;
    client_header_timeout 600s;

    rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
    rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
    rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

    index index.php;
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;

    location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
            deny all;

    location / {
        # The following 2 rules are only needed with webfinger
        rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
        rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

        rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
        rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

        rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

        try_files $uri $uri/ index.php;

    location ~ ^(.+?\.php)(/.*)?$ {
        try_files $1 = 404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$1;
        fastcgi_param PATH_INFO $2;
        fastcgi_param HTTPS off;
        fastcgi_pass php-handler;

    # Optional: set long EXPIRES header on static assets
    location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
        expires 30d;
        # Optional: Don't log access to assets
        access_log off;

In summary, all devices work fine when on the local LAN. Desktop clients (OS X) work fine when connected over VPN. VPN Mobile clients (Android tablet) can SSH and VNC into local machines. HTTP requests also work fine for VPN on my simple test page, but are not able to access OwnCloud. What can I do to further diagnose the problem? What is the problem?

Best Answer

You need a NAT box, with DNS records for your local network. This will seriously make your virtual hosts much easier to work with, more verbose, and more consistent between local and remote networks...

It's really nice to have a domain name dedicated to Owncloud. It's really nice to have the same domain name for your hidden Owncloud. And when you drop into VPN, it should just work, as long as your routes allow access to your local subnet.

All of my machines or VM sites, have their own unique DNS record, and static IP. It's an extra step, but way more professional to organize.