    iPhone/iPad no longer works after update

    • IsaacFL

      Neither my iPhone nor my iPad can make a good connection to OpenVPN.

      They will connect to the VPN with no errors, but if I try to open a website, Safari eventually gives up and says the server is not responding.
      I have an app that will let me ping from the iPhone, and I can ping google.com or my local pfSense box no problem on both IPv4 and IPv6.

      Any website, including pfSense itself, or Google will not open. I changed the firewall rules to log the connections, and I see the connection in the firewall rule pass. I also see the connection in the state tables as active.

      This is an OpenVPN configuration that had worked in the past, but there has been an update to pfSense (2.4.4-RELEASE) and iOS 12 since the last time I tried it.

      I can connect a Windows 10 laptop OpenVPN connection thru the same Wi-Fi and it seems to work fine. Is there an issue with iOS that I am not aware of?

      • pfSenseTest

        Maybe this?
        https://forums.openvpn.net/viewtopic.php?f=36&t=27186

        2x SG-5100 | MBT-4220 (retired) | SG-1000 (retired)

        • Derelict LAYER 8 Netgate

          I would start by deleting the profiles on the devices, making sure the openvpn client export package is current, re-exporting, and re-importing the config to the devices.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • IsaacFL @pfSenseTest

            @pfsensetest said in iPhone/iPad no longer works after update:

            Maybe this?
            https://forums.openvpn.net/viewtopic.php?f=36&t=27186

            This fixed it. iPhone compression.

            • IsaacFL @IsaacFL

              While futzing around before I found the compression setting on the iPhone, I found that the DNS on the IPv6 side in the VPN doesn't work.

              If I set the DNS server to the pfSense IPv4 address (192.168.70.1) on the OpenVPN interface, DNS works fine.
              If I set the DNS server to the IPv6 address (myprefix::1) then the DNS query is refused.

              • pfSenseTest @IsaacFL

                @isaacfl said in iPhone/iPad no longer works after update:

                @pfsensetest said in iPhone/iPad no longer works after update:

                Maybe this?
                https://forums.openvpn.net/viewtopic.php?f=36&t=27186

                This fixed it. iPhone compression.

                Best to remove the compression line completely from server and client config because of VORACLE.
                https://community.openvpn.net/openvpn/wiki/VORACLE

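A check for the advice above, as an added example that is not part of the original thread: it lists every `comp-lzo` or `compress` option in an OpenVPN config, whether set locally or pushed to clients, so the lines can be removed on both sides. The sample config is constructed; `comp-lzo no` is reported too because it still leaves compression framing enabled on the link.

```python
import shlex

# OpenVPN options that turn on compression or its packet framing.
COMPRESSION_OPTIONS = {"comp-lzo", "compress"}

def compression_findings(config_text):
    """Return (line_no, where, option_text) for every active compression option.

    'where' is "local" for a directive in the file itself and "pushed" for one
    a server sends to clients via push "...".
    """
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or commented-out option
            continue
        try:
            words = shlex.split(line, comments=True)
        except ValueError:                     # unbalanced quote: skip, do not guess
            continue
        if not words:
            continue
        where = "local"
        if words[0] == "push" and len(words) > 1:
            # The pushed option is carried as one quoted string; split it again.
            where, words = "pushed", shlex.split(words[1])
        if words and words[0] in COMPRESSION_OPTIONS:
            findings.append((line_no, where, " ".join(words)))
    return findings

# Constructed sample server config (not taken from the thread).
SAMPLE_SERVER_CONF = """\
# constructed sample
dev tun
server 192.168.70.0 255.255.255.0
comp-lzo no
push "comp-lzo no"
;compress lz4
cipher AES-256-GCM
"""

if __name__ == "__main__":
    for line_no, where, option in compression_findings(SAMPLE_SERVER_CONF):
        print(f"line {line_no}: {where} option '{option}' should be removed")
```
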
                • IsaacFL @pfSenseTest

                  @pfsensetest said in iPhone/iPad no longer works after update:

                  @isaacfl said in iPhone/iPad no longer works after update:

                  @pfsensetest said in iPhone/iPad no longer works after update:

                  Maybe this?
                  https://forums.openvpn.net/viewtopic.php?f=36&t=27186

                  This fixed it. iPhone compression.

                  Best to remove the compression line completely from server and client config because of VORACLE.
                  https://community.openvpn.net/openvpn/wiki/VORACLE

                  This is what I did. I turned it off on the server.

                  • IsaacFL @Derelict

                    @derelict said in iPhone/iPad no longer works after update:

                    I would start by deleting the profiles on the devices, making sure the openvpn client export package is current, re-exporting, and re-importing the config to the devices.

                    I am not sure if it is a bug I have found; maybe I should start a new post?

                    The pfSense DNS Resolver will not respond to DNS queries over IPv6 from OpenVPN clients.
                    I can assign it to use an outside DNS server (i.e. 2001:4860:4860::8888) but can't use the pfSense DNS server IPv6 address. (I am using the address of the VPN subnet, ::1.)

                    • Derelict LAYER 8 Netgate

                      You'll have to be more specific. There is nothing "Special" about OpenVPN vs direct traffic. It is all routed.

                      Your VPN would need to be configured to pass IPv6 traffic and the unbound would need to be listening and have the IPv6 tunnel network address passed in the ACLs, etc.

                      • IsaacFL @Derelict

                        @Derelict
                        I am using 192.168.70.0/24 and 2605:xxxx:xxxx:9570::0/64 as my Tunnel networks.

                        I have the OpenVPN server set to provide a DNS server list to clients. It says that addresses may be IPv4 or IPv6, so I have:

                        DNS Server 1 192.168.70.1
                        DNS Server 2 2605:xxxx:xxxx:9570::1

                        When the client connects to the OpenVPN server, I see in its ipconfig that the client is using the above DNS servers.

                        On a PC if I do an nslookup with 192.168.70.1 as the server I get the expected response.

                        If I do an nslookup with 2605:xxxx:xxxx:9570::1 as the server, I get query refused.

                        In the firewall I see the query to 2605:xxxx:xxxx:9570::1 get passed to 53, so it isn't the firewall blocking it.

                        Unbound is not listening on address 2605:xxxx:xxxx:9570::1 but I can't see why it would not be, as in the DNS resolver I have "All" selected for the Network interfaces.

                        • Derelict LAYER 8 Netgate

                          Have a look at Services > DNS Resolver, Access Lists and see if adding the tunnel network to an Allow list there doesn't start allowing queries.

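A model of the behaviour discussed above, as an added example (not from the thread and not pfSense's or unbound's own code): unbound applies the most specific `access-control` netblock that contains the client address and refuses non-localhost clients that match none. The ACL text is constructed, and 2001:db8:0:9570::/64 is a documentation prefix standing in for the poster's redacted IPv6 tunnel network.

```python
import ipaddress

def parse_access_control(conf_text):
    """Return [(network, action)] from 'access-control: <netblock> <action>' lines."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        fields = line[len("access-control:"):].split()
        if len(fields) >= 2:
            rules.append((ipaddress.ip_network(fields[0], strict=False), fields[1]))
    return rules

def acl_action(rules, client_ip):
    """Action applied to a query from client_ip.

    The most specific matching netblock wins. With no match, only localhost
    is allowed and every other client is refused (unbound's default).
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    if best is not None:
        return best[1]
    return "allow" if addr.is_loopback else "refuse"

# Constructed ACL: the IPv4 tunnel network is allowed, the IPv6 one is missing.
BEFORE = """\
server:
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.168.70.0/24 allow
"""
# Same ACL after adding the IPv6 tunnel network to an Allow list.
AFTER = BEFORE + "    access-control: 2001:db8:0:9570::/64 allow\n"

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        rules = parse_access_control(conf)
        for client in ("192.168.70.2", "2001:db8:0:9570::1000"):
            print(name, client, acl_action(rules, client))
```
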
                          • IsaacFL @Derelict

                            @derelict said in iPhone/iPad no longer works after update:

                            Have a look at Services > DNS Resolver, Access Lists and see if adding the tunnel network to an Allow list there doesn't start allowing queries.

                            That fixed it. Thanks.
