OpenVPN IOS9
-
So today I posted about issues connecting through my OpenVPN. I could connect to VPN from iPhone.
I could access the internet. However I could not access anything on my LAN. I was able to ping the tunnel IP.After troubleshooting we determined it was the OpenVPN IOS client that didn't work. I setup a Windows client on my laptop and loaded the Windows profile in openvpn client.
I connected to iPhone hotspot from my laptop and all was working well. routing table OK and I was able to access my LAN.I did some googling and read a lot of issues with IOS9 and the OpenVPN connect client. Some say disable IPv6, some say FAVOR_LZA (whatever that may be).
My question is. Does anybody got a working setup with IOS9 iPhone OpenVPN connect client and can you share what you did to get your setup working.
I run a OpenVPN server with traffic forced through the tunnel. I see my routes and DNS servers etc in OpenVPN log on my iPhone.
So it should be working well, but it doesn'tHope somebody can help.
Kind regards,
Mark
-
I determined with an app that OpenVPN connect does not change the routing table for the iPhone.
- When I connect with my laptop through iPhone hotspot my default gateway is set to my tunnel IP.
- Wen I connect my iPhone with OpenVPN and I connect my laptop through iPhone hotspot my default gateway is not change.
- When I connect my iPhone with OpenVPN connect and view routing table with the routing table app default gateway is not changed.
is this a know issue?
-
Don`t know the solution but this
- Wen I connect my iPhone with OpenVPN and I connect my laptop through iPhone hotspot my default gateway is not change.
will not work anyway because one needs to set a route manually in iPhone, from the iPhone-hotspot-subnet to the tunnel.
So the problem seems to be
When I connect my iPhone with OpenVPN connect and view routing table with the routing table app default gateway is not changed
-
what app are you using to view the routing table on your ios9 device?
I don't have an app that shows the routing table that I am aware of but more than happy to check it with the app your using.
But what I can tell you, if I do a traceroute internet address when just on wifi first hop is 192.168.1.1, and if I connect to my openvpn server via the openvpn ios app and then do a traceroute I am going down the vpn tunnel.
Do you have your openvpn server set to be default gateway?
Using 9.3.4 on iphone 5s with openvpn app 1.0.7 build 199
If I do a whats my IP from the phone while using vpn I see my home public IP, and when I do not use the vpn and just the wifi here at the office I see my office public IP. See 2nd photo attached.
Nothing special done to have it work like this.. Grab the config from the vpn export and import into the iphone openvpn app.
-
Hi John
Thanks! I used the routing table IOS app. It's a free app from the appstore. But checking what's my ip is also a good test.
I can confirm that when connecting with VPN presents the public IP of my mobile provider. So not my public IP.I attached my OpenVPN config. Maybe you can compare it with yours, or have a clue what's wrong?
dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local <<ip_openvpn>>
tls-server
server 10.15.10.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'MY AD' false server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.external.nl' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 192.168.20.0 255.255.255.0" –> internal route to server vlan
push "dhcp-option DOMAIN argus.local"
push "dhcp-option DNS 192.168.20.13" --> internal dns server
push "dhcp-option DNS 192.168.20.15" --> internal dns server
push "dhcp-option NTP 192.168.20.13"
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
topology subnet
push "redirect-gateway def1" --> these are additional options I pushed, but they don't seem to do the trick
push "redirect-gateway local def1" --> these are additional options I pushed, but they don't seem to do the trick
push "redirect-gateway ipv6" --> these are additional options I pushed, but they don't seem to do the trickThanks!!</ip_openvpn>
-
that sure and the hell is not a config for IOS.. Where is config you use on your openvpn app?
Here is ios config that send traffic out vpn just fine..
persist-tun persist-key cipher AES-256-CBC auth SHA256 tls-client client remote 24.13. <snipped>1194 udp lport 0 verify-x509-name "pfsenseopenvpn" name ns-cert-type server comp-lzo adaptive <ca>-----BEGIN CERTIFICATE----- MIIELzCCAxegAwIBAgIBADANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJVUzEL <snipped>irJgwPhnD40VEnqBGuWr0GmqBg== -----END CERTIFICATE-----</snipped></ca> <cert>-----BEGIN CERTIFICATE----- MIIEhTCCA22gAwIBAgIBBjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJVUzEL <snipped>07iTItFJbGEFnDE9Uf2gmTKok1C0SeJlalJnFUbn8XGHysRpWjGiUInvvL56N9wO zpZCx3PBzrSZ -----END CERTIFICATE-----</snipped></cert> <key>-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCbnH1XmTQ5ism9 <snipped>PJg7xn9awG5LLeyDvvTxKFg= -----END PRIVATE KEY-----</snipped></key> <tls-auth># # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- a2d1d1ce8e37bdc037ff3536b448b309 <snipped>ff4352097dbc693dfe974ed2267efebe -----END OpenVPN Static key V1-----</snipped></tls-auth> key-direction 1</snipped>So set in the openvpn config redirect gateway, grab the right config for your ios/android vpn connect app.. There you go traffic out the tunnel..
I even just did a new export of this and just sent it to my phone and connected via my cell.. You can see out my cell, its using ipv6 even.. I then connect to vpn, and out my tunnel
edit: Ok grabbed your app, can see when on vpn default is out the tun interface, you can see I am connected to my vpn and have a route to for my tunnel network 10.0.200, etc.. There was much more there. Then disconnect from vpn and you can see my default route is out pdp_ip0 interface.
-
Hi John,
The config I attached was the OpenVPN server config file. Maybe you can share yours as well? it's in /var/etc/openvpn on your pfsense.
My iPhone's routing table with VPN connected:
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 100.85.55.7 UGSc 193 3 pdp_ip0
default link#11 UCSI 1 0 utun0
10.15.10/24 link#11 UCS 1 0 utun0
10.15.10.2 10.15.10.2 UH 1 0 utun0
100.85.55.7 100.85.55.7 UHr 192 0 pdp_ip0
100.85.55.7/32 link#2 UCS 1 0 pdp_ip0
127 127.0.0.1 UCS 1 0 lo0
127.0.0.1 127.0.0.1 UH 2 0 lo0
<<my external="" ip="">> 100.85.55.7 UGHS 1 0 pdp_ip0
224.0.0 link#2 UmCS 2 0 pdp_ip0
224.0.0.251 link#2 UHmWI 1 0 pdp_ip0
255.255.255.255/32 link#2 UCS 1 0 pdp_ip0Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UHL lo0
fe80::%lo0/64 fe80::1%lo0 UcI lo0
fe80::1%lo0 link#1 UHLI lo0
fe80::%awdl0/64 link#10 UCI awdl0
fe80::2087:f2ff:fe5a:91d3%awdl0 22:87:f2:5a:aa:bb UHLI lo0
ff01::%lo0/32 ::1 UmCI lo0
ff01::%en0/32 link#8 UmCI en0
ff01::%awdl0/32 link#10 UmCI awdl0
ff02::%lo0/32 ::1 UmCI lo0
ff02::%en0/32 link#8 UmCI en0
ff02::%awdl0/32 link#10 UmCI awdl0I do also have the redirect gateway checkbox enabled. My OpenVPN iphone config:
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
remote vpn.mydomain.com 1194 udp
lport 0
verify-x509-name "vpn.mydomain.com" name
auth-user-pass
ns-cert-type server<ca>–---BEGIN CERTIFICATE-----
MIIEcTCCA1mgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCTkwx
EDAOBgNVBAgTB1V0cmVjaHQxEDAOBgNVBAcTB1V0cmVjaHQxETAPBgNVBAoTCEFS
R1VTIElUMR4wHAYJKoZIhvcNAQkBFg9tYXJrQGJyaWxtYW4uZXUxHDAaBgNVBAMT
E3Bmc2Vuc2UuYXJndXMubG9jYWwwHhcNMTYwODA4MjA0ODAwWhcNMjYwODA2MjA0
OstrippedMQswCQYDVQQGEwJOTDEQ
MA4GA1UECBMHVXRyZWNodDEQMA4GA1UEBxMHVXRyZWNodDERMA8GA1UEChMIQVJH
VVMgSVQxHjAcBgkqhkiG9w0BCQEWD21hcmtAYnJpbG1hbi5ldTEcMBoGA1UEAxMT
cGZzZW5zZS5hcmd1cy5sb2NhbIIBADAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB
BjANBgkqhkiG9w0BAQsFAAOCAQEAq4z4MJPwjtUxJH4iFPkc/wtTgSzZ22zdiXfE
fcr69msTi2cwIcLgKsO4ScIAHz4QQGye53bIUex5UmDLo1faQD87Sl2tWRvc9NU1
q2wM8b3pRYR+3mS2XEoZKsHt72VsfcPJH0HbTt6vXl7iFqiiqZ+ofdwXGhROamXA
KZoD/CaDdS7pWUBk+g1AqGyyp03YgBMKIIHNuki3vERg5C0Ejt0ego4731o/9N/u
3rN4CswxTTPiNhbLmG03Gx/q3N4wV0mCxO4YrK+D8GinFTuknzQ6DtLr74+lFt4a
NTI1IJulS0pSe8m0IXrddxoe4+zlXy/4jX9agrkpv4Rb0DXNFQ==
-----END CERTIFICATE-----</ca>
<cert>-----BEGIN CERTIFICATE-----
MIIEqDCCA5CgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCTkwx
EDAOBgstripped2REF+UnJ7mGfLksm1MZxuqYrAqvp1dB
LkCOp3PMK9/ByYQrtEJZFURSvimSj1mdl3ECAwEAAaOCATUwggExMAkGA1UdEwQC
MAAwCwYDVR0PBAQDAgXgMDEGCWCGSAGG+EIBDQQkFiJPcGVuU1NMIEdlbmVyYXRl
ZCBVc2VyIENlcnRpZmljYXRlMB0GA1UdDgQWBBRs7y69Rw1+EmNdKtuvXyDO79UV
lDCBrwYDVR0jBIGnMIGkgBTQCbYVWC0iXc5Nz5gatG2iDys6g6GBiKSBhTCBgjEL
MAkGA1UEBhMCTkwxEDAOBgNVBAgTB1V0cmVjaHQxEDAOBgNVBAcTB1V0cmVjaHQx
ETAstripped
-----END CERTIFICATE-----</cert>
<key>-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDZKQVyhL7zeIJp
+rbLRigms9l12Srge/Ez+tGDyft9spcfXp5bLlTgwOyVhupP7IXO4QIqobukPQKa
eIt9y8imIJX5euiOlDj9qDnLO990l+x6uC+2ioUWWIPUV1/OTOLt0F+WowYnHwI7
rLi0CDR0VyH2J3RyDQoXdHfJphOnHt0w+OsfRoEdxvAAVoxLtzfrHAe61464lLWf
stripped
qNIAFuRriAK96x7NxKPeMZILfzeR5eWY5QJQC
Y5Dd0Dnh8SLroAiqpkrQww==
-----END PRIVATE KEY-----</key>
<tls-auth>#2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
e6779093811f6a6050d6bd9749f65d1f
75ccc4d0c08c9ae03410a1c8263120c6
stripped
a53cafa965295c77ba8fb9fb551ea202
03d653922166f958007981f35c60fcbd
7c8622859e92992aa147b402d0d08990
6fca1d0051c3fc1edcf3c2d5c58a0f8b
756b87c2acf7a5da05c493cc90d12070
7b633d29803e1f20d79cd56d6c2b4f31
-----END OpenVPN Static key V1-----</tls-auth>
key-direction 1</my> -
here is my config for that instance of openvpn running..
[2.3.2-RELEASE][root@pfSense.local.lan]/var/etc/openvpn: cat server2.conf dev ovpns2 verb 3 dev-type tun tun-ipv6 dev-node /dev/tun2 writepid /var/run/openvpn_server2.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-256-CBC auth SHA256 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local 24.13.snipped tls-server server 10.0.200.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc/server2 tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfsenseopenvpn' 1" lport 1194 management /var/etc/openvpn/server2.sock unix max-clients 2 push "route 192.168.9.0 255.255.255.0" push "route 192.168.2.0 255.255.255.0" push "route 192.168.3.0 255.255.255.0" push "dhcp-option DOMAIN local.lan" push "dhcp-option DNS 192.168.9.253" push "redirect-gateway def1" ca /var/etc/openvpn/server2.ca cert /var/etc/openvpn/server2.cert key /var/etc/openvpn/server2.key dh /etc/dh-parameters.2048 tls-auth /var/etc/openvpn/server2.tls-auth 0 comp-lzo adaptive persist-remote-ip float topology subnet tls-version-min 1.2 [2.3.2-RELEASE][root@pfSense.local.lan]/var/etc/openvpn:Its got those network in there for other routes because I flip it from from default gateway redirect and not when I need/want to for different setups. Also that tls-version-min 1.2 is in my options section.. Since you really should only edit your vpn stuff and pretty much everything else in pfsense in the gui.. I have also attached the current gui setting for the vpn instance. I run 1 on tcp as well.
-
Ok, I'm starting to get al little lost :-\
Comparing our configs I don't see a real difference. When I push a route with the route "push 192.168.20.0 255.255.255.0"; openvpn option that route arrives in the openvpn connect logging.
However my routing table isn't modified. I don't see a seperate route for this network.Hope you have another idea.
Thanks
Mark
-
and what version of the app are you using? What version of the ios are you running? What does the log of your connection say?
2016-08-12 05:21:16 EVENT: RESOLVE 2016-08-12 05:21:16 Contacting 24.13.snip:1194 via UDP 2016-08-12 05:21:16 EVENT: WAIT 2016-08-12 05:21:16 SetTunnelSocket returned 1 2016-08-12 05:21:16 Connecting to [24.13.snip]:1194 (24.13.snip) via UDPv4 2016-08-12 05:21:16 EVENT: CONNECTING 2016-08-12 05:21:16 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client 2016-08-12 05:21:16 Peer Info: IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199 IV_VER=3.0.11 IV_PLAT=ios IV_NCP=2 IV_TCPNL=1 IV_PROTO=2 IV_LZO=1 2016-08-12 05:21:16 VERIFY OK: depth=1 cert. version : 3 serial number : 00 issuer name : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=openvpn subject name : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=openvpn issued on : 2015-01-10 14:15:11 expires on : 2025-01-07 14:15:11 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=true 2016-08-12 05:21:16 VERIFY OK: depth=0 cert. version : 3 serial number : 01 issuer name : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=openvpn subject name : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=pfsenseopenvpn issued on : 2015-01-10 14:15:12 expires on : 2025-01-07 14:15:12 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=false cert. type : SSL Server key usage : Digital Signature, Key Encipherment ext key usage : TLS Web Server Authentication 2016-08-12 05:21:16 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 2016-08-12 05:21:16 Session is ACTIVE 2016-08-12 05:21:16 EVENT: GET_CONFIG 2016-08-12 05:21:16 Sending PUSH_REQUEST to server... 2016-08-12 05:21:17 OPTIONS: 0 [route] [192.168.9.0] [255.255.255.0] 1 [route] [192.168.2.0] [255.255.255.0] 2 [route] [192.168.3.0] [255.255.255.0] 3 [dhcp-option] [DOMAIN] [local.lan] 4 [dhcp-option] [DNS] [192.168.9.253] 5 [redirect-gateway] [def1] 6 [route-gateway] [10.0.200.1] 7 [topology] [subnet] 8 [ping] [10] 9 [ping-restart] [60] 10 [ifconfig] [10.0.200.2] [255.255.255.0] 2016-08-12 05:21:17 PROTOCOL OPTIONS: cipher: AES-256-CBC digest: SHA256 compress: LZO peer ID: -1 2016-08-12 05:21:17 EVENT: ASSIGN_IP 2016-08-12 05:21:17 Connected via tun 2016-08-12 05:21:17 EVENT: CONNECTED @24.13.snip:1194 (24.13.snip) via /UDPv4 on tun/10.0.200.2/ 2016-08-12 05:21:17 LZO-ASYM init swap=0 asym=0 2016-08-12 05:21:17 SetStatus Connected -
Hi John,
First of all thank you for taking this amount of time working with me on this problem.
I can report it's solved. I do not know the solution I'm afraid.I just layed it to rest for a while. I then once again compared our configs and added the push routes.
I also changed the compression.I think I tried it in the past but suddenly it also works on my iPhone. So the changed parts now look like this:
- push "redirect-gateway def1";push "redirect-gateway local def1";push "redirect-gateway ipv6";push "route 192.168.20.0 255.255.255.0"
- and compression is on Enabled with adaptive compression.
I'm not sure if any of these fixed my issue, I'm just very glad it's working and I hope it never breaks 8)
Once again thanks for taking the time helping me. All the best!
