OpenVPN Connection to iOS not working since update from 2.4.5p1 to 2.5.2
-
I know that pfSense 2.5.x comes with OpenVPN 2.5, and that OpenVPN 2.5 has updated some things since version 2.4 (as available from here.
However, having just updated from pfSense 2.4.5p1 to 2.5.2, I cannot figure out what the problem is. I am trying to connect with an iPhone (current iOS, current OpenVPN Connect) to pfSense. For simplicity purposes, I have exported a new inline configuration for OpenVPN Connect and imported that into OpenVPN Connect. Connection works, but IP routing is broken. OpenVPN assigns IPs in 10.0.10.x range, pinging my main LAN 192.168.1 doesn't work.
Server log:
Nov 28 22:27:12 firewall openvpn[81118]: 80.187.66.119:23415 peer info: IV_VER=3.git::58b92569 Nov 28 22:27:12 firewall openvpn[81118]: 80.187.66.119:23415 peer info: IV_PLAT=ios Nov 28 22:27:12 firewall openvpn[81118]: 80.187.66.119:23415 peer info: IV_NCP=2 Nov 28 22:27:12 firewall openvpn[81118]: 80.187.66.119:23415 peer info: IV_TCPNL=1 Nov 28 22:27:12 firewall openvpn[81118]: 80.187.66.119:23415 peer info: IV_PROTO=2 Nov 28 22:27:12 firewall openvpn[81118]: 80.187.66.119:23415 peer info: IV_AUTO_SESS=1 Nov 28 22:27:12 firewall openvpn[81118]: 80.187.66.119:23415 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760 Nov 28 22:27:12 firewall openvpn[81118]: 80.187.66.119:23415 peer info: IV_SSO=openurl Nov 28 22:27:12 firewall openvpn[81118]: 80.187.66.119:23415 [User] Peer Connection Initiated with [AF_INET]80.187.66.119:23415 Nov 28 22:27:12 firewall openvpn[81118]: User/80.187.66.119:23415 MULTI_sva: pool returned IPv4=10.0.10.2, IPv6=(Not enabled)
Client log:
2021-11-28 22:27:11 1 2021-11-28 22:27:11 ----- OpenVPN Start ----- OpenVPN core 3.git::58b92569 ios arm64 64-bit 2021-11-28 22:27:11 OpenVPN core 3.git::58b92569 ios arm64 64-bit 2021-11-28 22:27:11 Frame=512/2048/512 mssfix-ctrl=1250 2021-11-28 22:27:11 UNUSED OPTIONS 0 [persist-tun] 1 [persist-key] 2 [ncp-ciphers] [AES-256-GCM:AES-128-GCM:AES-256-CBC] 5 [tls-client] 8 [verify-x509-name] [pfSenseOpenVPNServer] [name] 10 [explicit-exit-notify] 2021-11-28 22:27:11 EVENT: RESOLVE 2021-11-28 22:27:11 Contacting [64:ff9b::5b17:515d]:31194/UDP via UDP 2021-11-28 22:27:11 EVENT: WAIT 2021-11-28 22:27:11 Connecting to [domain.com]:1194 (64:ff9b::5b17:515d) via UDPv6 2021-11-28 22:27:11 EVENT: CONNECTING 2021-11-28 22:27:11 Tunnel Options:V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client 2021-11-28 22:27:11 Creds: UsernameEmpty/PasswordEmpty 2021-11-28 22:27:11 Peer Info: IV_VER=3.git::58b92569 IV_PLAT=ios IV_NCP=2 IV_TCPNL=1 IV_PROTO=2 IV_AUTO_SESS=1 IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760 IV_SSO=openurl 2021-11-28 22:27:11 VERIFY OK: depth=1, /C=XX/ST=state/L=loc/O=org/emailAddress=postmaster@domain.com/CN=pfSenseOpenVPNCA 2021-11-28 22:27:11 VERIFY OK: depth=0, /C=XX/ST=state/L=loc/O=org/emailAddress=postmaster@domain.com/CN=pfSenseOpenVPNServer 2021-11-28 22:27:12 SSL Handshake: CN=pfSenseOpenVPNServer, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA 2021-11-28 22:27:12 Session is ACTIVE 2021-11-28 22:27:12 EVENT: GET_CONFIG 2021-11-28 22:27:12 Sending PUSH_REQUEST to server... 2021-11-28 22:27:12 OPTIONS: 0 [dhcp-option] [DOMAIN] [domain.com] 1 [dhcp-option] [DNS] [192.168.1.102] 2 [dhcp-option] [NTP] [192.168.1.100] 3 [redirect-gateway] [def1] 4 [route] [192.168.1.0] [255.255.255.0] 5 [route] [192.168.2.0] [255.255.255.0] 6 [route] [192.168.2.0] [255.255.255.0] 7 [route] [192.168.3.0] [255.255.255.0] 8 [route-gateway] [10.0.10.1] 9 [topology] [subnet] 10 [ping] [10] 11 [ping-restart] [60] 12 [ifconfig] [10.0.10.2] [255.255.255.0] 13 [peer-id] [0] 14 [cipher] [AES-256-GCM] 2021-11-28 22:27:12 PROTOCOL OPTIONS: cipher: AES-256-GCM digest: NONE compress: NONE peer ID: 0 2021-11-28 22:27:12 EVENT: ASSIGN_IP 2021-11-28 22:27:12 NIP: preparing TUN network settings 2021-11-28 22:27:12 NIP: init TUN network settings with endpoint: x:x::x:x 2021-11-28 22:27:12 NIP: adding IPv4 address to network settings 10.0.10.2/255.255.255.0 2021-11-28 22:27:12 NIP: adding (included) IPv4 route 10.0.10.0/24 2021-11-28 22:27:12 NIP: adding (included) IPv4 route 192.168.1.0/24 2021-11-28 22:27:12 NIP: adding (included) IPv4 route 192.168.2.0/24 2021-11-28 22:27:12 NIP: adding (included) IPv4 route 192.168.2.0/24 2021-11-28 22:27:12 NIP: adding (included) IPv4 route 192.168.3.0/24 2021-11-28 22:27:12 NIP: redirecting all IPv4 traffic to TUN interface 2021-11-28 22:27:12 NIP: adding match domain domain.com 2021-11-28 22:27:12 NIP: adding DNS 192.168.1.102 2021-11-28 22:27:12 Connected via NetworkExtensionTUN 2021-11-28 22:27:12 EVENT: CONNECTED domain.com:31194 (x:x::x:x) via /UDPv6 on NetworkExtensionTUN/10.0.10.2/ gw=[/] 2021-11-28 22:28:06 EVENT: DISCONNECTED 2021-11-28 22:28:06 Raw stats on disconnect: BYTES_IN : 4694 BYTES_OUT : 13414 PACKETS_IN : 16 PACKETS_OUT : 116 TUN_BYTES_IN : 6709 TUN_PACKETS_IN : 104 2021-11-28 22:28:06 Performance stats on disconnect: CPU usage (microseconds): 100486 Tunnel compression ratio (downlink): inf Network bytes per CPU second: 180204 Tunnel bytes per CPU second: 66765
I can see from the client log that the target routes are pushed. But pinging 10.0.10.1 doesn't even work, let alone any host on any of the subnets for which routes are pushed.
OpenVPN config on pfSense (cat /var/etc/openvpn/server1/config.ovpn):
dev ovpns1 verb 1 dev-type tun dev-node /dev/tun1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp4 auth SHA1 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local 91.23.81.93 tls-server server 10.0.10.0 255.255.255.0 client-config-dir /var/etc/openvpn/server1/csc tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfSenseOpenVPNServer' 1" lport 1194 management /var/etc/openvpn/server1/sock unix max-clients 2 push "dhcp-option DOMAIN domain.com" push "dhcp-option DNS 192.168.1.102" push "dhcp-option NTP 192.168.1.100" push "redirect-gateway def1" client-to-client duplicate-cn capath /var/etc/openvpn/server1/ca cert /var/etc/openvpn/server1/cert key /var/etc/openvpn/server1/key dh /etc/dh-parameters.2048 tls-auth /var/etc/openvpn/server1/tls-auth 0 data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC data-ciphers-fallback AES-256-CBC persist-remote-ip float topology subnet sndbuf 524288 rcvbuf 524288 push "route 192.168.1.0 255.255.255.0" push "route 192.168.2.0 255.255.255.0" push "route 192.168.2.0 255.255.255.0" push "route 192.168.3.0 255.255.255.0"
Any help you could provide would be highly appreciated. Thanks.
-
OpenVPN Connection to iOS
pfSense the client, and it connects to an iOS device ?
For me, it's the other way arround :
pfSense server Open log :OpenVPN 2.5.2 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2021 library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts WARNING: experimental option --capath /var/etc/openvpn/server1/ca TUN/TAP device ovpns1 exists previously, keep at program end TUN/TAP device /dev/tun1 opened /sbin/ifconfig ovpns1 192.168.3.1 192.168.3.2 mtu 1500 netmask 255.255.255.0 up /sbin/ifconfig ovpns1 inet6 2001:470:beaf:3::1/64 mtu 1500 up /sbin/ifconfig ovpns1 inet6 -ifdisabled /usr/local/sbin/ovpn-linkup ovpns1 1500 1621 192.168.3.1 255.255.255.0 init UDPv4 link local (bound): [AF_INET]192.168.10.3:1194 UDPv4 link remote: [AF_UNSPEC] NOTE: IPv4 pool size is 252, IPv6 pool size is 65536. IPv4 pool size limits the number of clients that can be served from the pool Initialization Sequence Completed
When I use the OpenVPN client on my iPhone, I see (pfSense openvpn server log) :
92.184.108.228:60084 peer info: IV_VER=3.git::58b92569 92.184.108.228:60084 peer info: IV_PLAT=ios 92.184.108.228:60084 peer info: IV_AUTO_SESS=1 92.184.108.228:60084 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760 92.184.108.228:60084 peer info: IV_SSO=openurl 92.184.108.228:60084 [MyPhone-iPhone] Peer Connection Initiated with [AF_INET]92.184.108.228:60084 MyPhone-iPhone/92.184.108.228:60084 MULTI_sva: pool returned IPv4=192.168.3.2, IPv6=2001:470:beaf:3::1000
92.184.108.228 is the IPv4 of my iPhone.
Btw : I do not have thse :
sndbuf 524288 rcvbuf 524288 push "route 192.168.1.0 255.255.255.0" push "route 192.168.2.0 255.255.255.0" push "route 192.168.2.0 255.255.255.0" push "route 192.168.3.0 255.255.255.0"
"Compression" is set to disabled.
My "Custom options" is empty.
You have :
tls-auth /var/etc/openvpn/server1/tls-auth 0
I have (the newer ?)
tls-crypt /var/etc/openvpn/server1/tls-cryptProbably because I use :
(I'm not bothering with a user name password and unique certs ... - just the certs is fine to me) -
Thanks, @gertjan.
Our setup is similar in the sense that we're trying to get iOS devices connected to the OpenVPN server running on pfSense. I need to the push route statements, as my VPN connects to a different subnet in which alone the connected iOS device cannot do anything. I.e. it needs to connect to my other subnets.
I have
as well. I guess the difference in tls-statements is probably rather related to these aspects:
As I'm only using IPv4, I didn't bother with IPv6, but am also moving all traffic through the VPN, if connected:
Compression is disabled here as well.
As you can see from the logs, the connection as such appears to work, at least from pfSense's point of view. But pings (even to the 10.0.10.1 of pfSense itself) are not possible, nor is any meaningful use, as I cannot ping anything outside of 10.0.10.0/24, either.
-
Hummmm.
Just to be sure : you have a pas-all rule on the "OpenVPN" interface ?
Or, You have no rules on that 'OpenVPN' interface, but you've created yourself a OPENVPN (or whatever name you chose) interface with these rrules : -
@gertjan Yes, I have all-pass-through rules on the OpenVPN tab, and I have an individual all-pass-through rule on the interface that I created for OpenVPN as well.
Trying to drill down on the IP routing, I tried to drill into that a bit more. Pings from the iPhone don't work, so I'm trying to ping the iPhone from the pfSense:
t: ping 10.0.10.2 PING 10.0.10.2 (10.0.10.2): 56 data bytes 36 bytes from 62.155.245.93: Destination Net Unreachable Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 0054 85d7 0 0000 40 01 345c 91.23.81.93 10.0.10.2
Tell me, if my approach is too simplistic. But I would have expected traffic for 10.0.10.0/24 to be routed to the VPN, but the fact that pfSense shows a response from 62.155.245.93 (my provider's gateway - NOT my phone's public IP) suggests to me that VPN routing within pfSense is broken...?
-
When I connect my iPhone using the OpenVPN app, it obtains a 192.168.3.2 (192.168.3.1/24 being the OpenVPN IPv4 network) :
From a PC on my LAN (192.168.1.1/24 ) I can ping my iPhone on 192.168.3.2.
-
Thx, so this confirms that routing is broken here since the update.
I just googled the command for showing the routing table, and it seems that there is something missing for the OpenVPN net 10.0.10.0/24:
netstat -r Routing tables Internet: Destination Gateway Flags Netif Expire default p3e9bf55d.dip0.t-i UGS pppoe0 10.0.11.0/24 link#16 U ovpns2 10.0.11.1 link#16 UHS lo0 10.8.0.0/24 gateway UGS lagg0 10.9.0.0/24 gateway UGS lagg0 p3e9bf55d.dip0.t-i link#14 UH pppoe0 p5b17515d.dip0.t-i link#14 UHS lo0 localhost link#6 UH lo0 192.168.1.0/24 link#9 U lagg0 firewall link#9 UHS lo0 192.168.2.0/24 gateway UGS lagg0 192.168.3.0/24 link#10 U lagg0.30 192.168.3.1 link#10 UHS lo0 192.168.4.0/24 link#3 U igb0 192.168.4.2 link#3 UHS lo0 192.168.5.0/24 link#11 U lagg0.50 192.168.5.1 link#11 UHS lo0 192.168.6.0/24 link#12 U lagg0.60 192.168.6.1 link#12 UHS lo0 192.168.7.0/24 link#13 U lagg0.70 192.168.7.1 link#13 UHS lo0
Would you happen to know how to fix this?
-
@highc said in OpenVPN Connection to iOS not working since update from 2.4.5p1 to 2.5.2:
Would you happen to know how to fix this?
Undo whatever you did, related to routing ?
( honstly, I don't know how to 'read' a routing table to see what needs to be done where ).My IPv4 routing table is pretty straight forward :
As I'm using :
a upstream ISP router using 192.168.10.1 - pfSense WAN is 192.168.1.3
pfPblockerNG uses 10.10.10.1
I consider my routes 'simple'.You can clearly see 192.168.3.0 being the "OpenVPN" interface.
What you could do :
Take a know, recent ( !! - as it needs to be OpenVPN 2.5.2, that is the openVPN version, not the pfSense version that happens to be the same right now ) Youtube Video (example : Lawrence ?) and use that to make a working connection.
When it works, add you own changes 'up until it fails'. Then you know what the issue is. -
@gertjan said in OpenVPN Connection to iOS not working since update from 2.4.5p1 to 2.5.2:
Undo whatever you did, related to routing ?
Just to be clear: The only thing I did, was upgrade vom 2.4.5p1. It worked there. Since them, I'm trying to get back to the state I had with 2.4.5p1.
-
The (a) OpenVPN setup probably needs some changes as many Open-VPN parameters changed when shifted from 2.4.x to 2.5.y.
I advise you to read what you mentioned :
@highc said in OpenVPN Connection to iOS not working since update from 2.4.5p1 to 2.5.2:
(as available from here.
There is a big :
section.
Don't forget to export a newer opvn file for the clients.
-
@gertjan
Ok, I did not just point to that section, but I actually read it ("of course, I'm tempted to say"). It might be that ...Linux-specific features - VRF support - Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands)
... the netlink part is related to my problem. But there is no config option on this in pfSense. Neither would I know how to debug that part in pfSense. I'm happy to execute commands, but it would be great, if someone with a bit of background knowledge of how this works in pfSense could help me.
And as I said above, I did recreate the client config, exported it, and imported it again into the client. Doesn't work. I could redo the whole thing now for the third again and hope for a different outcome this time. But that sounds like a very desperate approach.
There are, by the way, open bug reports for OpenVPN related to pushing routes (e.g., here and here). But whether or not that is related to my problem where I can't even ping the OpenVPN client itself from pfSense, I don't know.
-
You entered this :
push "route 192.168.1.0 255.255.255.0" push "route 192.168.2.0 255.255.255.0" push "route 192.168.2.0 255.255.255.0" push "route 192.168.3.0 255.255.255.0"
?
( and why a leading space the last 3 lines ?)
-
@highc said in OpenVPN Connection to iOS not working since update from 2.4.5p1 to 2.5.2:
something missing for the OpenVPN net 10.0.10.0/24:
You would not push the tunnel network you setup.. These should be in the routing table of pfsense, if openvpn is running.
example I use 10.0.8/24 and 10.0.200.248/29 in my tunnel networks.
routing table on pfsense shows these..
There really is little reason to use push route, networks you want your clients to get to should be listed in the local networks of your vpn
When not using the force gateway parameter
Notice if I disable the vpn instance, that route is no longer listed in pfsense for that tunnel network.
-
@johnpoz said in OpenVPN Connection to iOS not working since update from 2.4.5p1 to 2.5.2:
You would not push the tunnel network you setup.
Did I miss that ?
He isn't pushing "10.0.10.0 255.255.255.0" (right ?)As I have a
server 192.168.3.0 255.255.255.0
because my tunnel is 192.168.3.0/24
@highc has
server 10.0.10.0 255.255.255.0
as 10.0.10.0 is is tunnel.
-
Ok, thanks. I've now configured the VPN to route all IPv4 traffic via the VPN. That works. Will leave it at that.
-
@gertjan said in OpenVPN Connection to iOS not working since update from 2.4.5p1 to 2.5.2:
He isn't pushing "10.0.10.0 255.255.255.0" (right ?)
No he isn't pushing it - but you wouldn't need too.. The problem I saw with his configuration was that pfsense showed no route for his tunnel.
So something glitched or his instance wasn't actually running as I showed. If the instance is running there should be routes on pfsense for that tunnel network. See where I tuned off my instance and the route went away.
My point about pushing as well - is there is really no reason to have to add those. As long as you list them as local networks they are auto pushed.. You don't need to add them to the options box, etc.