So today I posted about issues connecting through my OpenVPN. I could connect to VPN from iPhone.
I could access the internet. However I could not access anything on my LAN. I was able to ping the tunnel IP.
After troubleshooting we determined it was the OpenVPN IOS client that didn't work. I setup a Windows client on my laptop and loaded the Windows profile in openvpn client.
I connected to iPhone hotspot from my laptop and all was working well. routing table OK and I was able to access my LAN.
I did some googling and read a lot of issues with IOS9 and the OpenVPN connect client. Some say disable IPv6, some say FAVOR_LZA (whatever that may be).
My question is. Does anybody got a working setup with IOS9 iPhone OpenVPN connect client and can you share what you did to get your setup working.
I run a OpenVPN server with traffic forced through the tunnel. I see my routes and DNS servers etc in OpenVPN log on my iPhone.
So it should be working well, but it doesn't
Hope somebody can help.
I determined with an app that OpenVPN connect does not change the routing table for the iPhone.
- When I connect with my laptop through iPhone hotspot my default gateway is set to my tunnel IP.
- Wen I connect my iPhone with OpenVPN and I connect my laptop through iPhone hotspot my default gateway is not change.
- When I connect my iPhone with OpenVPN connect and view routing table with the routing table app default gateway is not changed.
is this a know issue?
Pippin last edited by
Don`t know the solution but this
- Wen I connect my iPhone with OpenVPN and I connect my laptop through iPhone hotspot my default gateway is not change.
will not work anyway because one needs to set a route manually in iPhone, from the iPhone-hotspot-subnet to the tunnel.
So the problem seems to be
When I connect my iPhone with OpenVPN connect and view routing table with the routing table app default gateway is not changed
what app are you using to view the routing table on your ios9 device?
I don't have an app that shows the routing table that I am aware of but more than happy to check it with the app your using.
But what I can tell you, if I do a traceroute internet address when just on wifi first hop is 192.168.1.1, and if I connect to my openvpn server via the openvpn ios app and then do a traceroute I am going down the vpn tunnel.
Do you have your openvpn server set to be default gateway?
Using 9.3.4 on iphone 5s with openvpn app 1.0.7 build 199
If I do a whats my IP from the phone while using vpn I see my home public IP, and when I do not use the vpn and just the wifi here at the office I see my office public IP. See 2nd photo attached.
Nothing special done to have it work like this.. Grab the config from the vpn export and import into the iphone openvpn app.
Thanks! I used the routing table IOS app. It's a free app from the appstore. But checking what's my ip is also a good test.
I can confirm that when connecting with VPN presents the public IP of my mobile provider. So not my public IP.
I attached my OpenVPN config. Maybe you can compare it with yours, or have a clue what's wrong?
keepalive 10 60
server 10.15.10.0 255.255.255.0
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'MY AD' false server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.external.nl' 1"
management /var/etc/openvpn/server1.sock unix
push "route 192.168.20.0 255.255.255.0" –> internal route to server vlan
push "dhcp-option DOMAIN argus.local"
push "dhcp-option DNS 192.168.20.13" --> internal dns server
push "dhcp-option DNS 192.168.20.15" --> internal dns server
push "dhcp-option NTP 192.168.20.13"
push "redirect-gateway def1"
tls-auth /var/etc/openvpn/server1.tls-auth 0
push "redirect-gateway def1" --> these are additional options I pushed, but they don't seem to do the trick
push "redirect-gateway local def1" --> these are additional options I pushed, but they don't seem to do the trick
push "redirect-gateway ipv6" --> these are additional options I pushed, but they don't seem to do the trick
that sure and the hell is not a config for IOS.. Where is config you use on your openvpn app?
Here is ios config that send traffic out vpn just fine..
persist-tun persist-key cipher AES-256-CBC auth SHA256 tls-client client remote 24.13. <snipped>1194 udp lport 0 verify-x509-name "pfsenseopenvpn" name ns-cert-type server comp-lzo adaptive <ca>-----BEGIN CERTIFICATE----- MIIELzCCAxegAwIBAgIBADANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJVUzEL <snipped>irJgwPhnD40VEnqBGuWr0GmqBg== -----END CERTIFICATE-----</snipped></ca> <cert>-----BEGIN CERTIFICATE----- MIIEhTCCA22gAwIBAgIBBjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJVUzEL <snipped>07iTItFJbGEFnDE9Uf2gmTKok1C0SeJlalJnFUbn8XGHysRpWjGiUInvvL56N9wO zpZCx3PBzrSZ -----END CERTIFICATE-----</snipped></cert> <key>-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCbnH1XmTQ5ism9 <snipped>PJg7xn9awG5LLeyDvvTxKFg= -----END PRIVATE KEY-----</snipped></key> <tls-auth># # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- a2d1d1ce8e37bdc037ff3536b448b309 <snipped>ff4352097dbc693dfe974ed2267efebe -----END OpenVPN Static key V1-----</snipped></tls-auth> key-direction 1</snipped>
So set in the openvpn config redirect gateway, grab the right config for your ios/android vpn connect app.. There you go traffic out the tunnel..
I even just did a new export of this and just sent it to my phone and connected via my cell.. You can see out my cell, its using ipv6 even.. I then connect to vpn, and out my tunnel
edit: Ok grabbed your app, can see when on vpn default is out the tun interface, you can see I am connected to my vpn and have a route to for my tunnel network 10.0.200, etc.. There was much more there. Then disconnect from vpn and you can see my default route is out pdp_ip0 interface.
The config I attached was the OpenVPN server config file. Maybe you can share yours as well? it's in /var/etc/openvpn on your pfsense.
My iPhone's routing table with VPN connected:
Destination Gateway Flags Refs Use Netif Expire
default 100.85.55.7 UGSc 193 3 pdp_ip0
default link#11 UCSI 1 0 utun0
10.15.10/24 link#11 UCS 1 0 utun0
10.15.10.2 10.15.10.2 UH 1 0 utun0
100.85.55.7 100.85.55.7 UHr 192 0 pdp_ip0
100.85.55.7/32 link#2 UCS 1 0 pdp_ip0
127 127.0.0.1 UCS 1 0 lo0
127.0.0.1 127.0.0.1 UH 2 0 lo0
<<my external="" ip="">> 100.85.55.7 UGHS 1 0 pdp_ip0
224.0.0 link#2 UmCS 2 0 pdp_ip0
18.104.22.168 link#2 UHmWI 1 0 pdp_ip0
255.255.255.255/32 link#2 UCS 1 0 pdp_ip0
Destination Gateway Flags Netif Expire
::1 ::1 UHL lo0
fe80::%lo0/64 fe80::1%lo0 UcI lo0
fe80::1%lo0 link#1 UHLI lo0
fe80::%awdl0/64 link#10 UCI awdl0
fe80::2087:f2ff:fe5a:91d3%awdl0 22:87:f2:5a:aa:bb UHLI lo0
ff01::%lo0/32 ::1 UmCI lo0
ff01::%en0/32 link#8 UmCI en0
ff01::%awdl0/32 link#10 UmCI awdl0
ff02::%lo0/32 ::1 UmCI lo0
ff02::%en0/32 link#8 UmCI en0
ff02::%awdl0/32 link#10 UmCI awdl0
I do also have the redirect gateway checkbox enabled. My OpenVPN iphone config:
<key>-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----</key>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----</tls-auth>
here is my config for that instance of openvpn running..
[2.3.2-RELEASE][root@pfSense.local.lan]/var/etc/openvpn: cat server2.conf dev ovpns2 verb 3 dev-type tun tun-ipv6 dev-node /dev/tun2 writepid /var/run/openvpn_server2.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-256-CBC auth SHA256 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local 24.13.snipped tls-server server 10.0.200.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc/server2 tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfsenseopenvpn' 1" lport 1194 management /var/etc/openvpn/server2.sock unix max-clients 2 push "route 192.168.9.0 255.255.255.0" push "route 192.168.2.0 255.255.255.0" push "route 192.168.3.0 255.255.255.0" push "dhcp-option DOMAIN local.lan" push "dhcp-option DNS 192.168.9.253" push "redirect-gateway def1" ca /var/etc/openvpn/server2.ca cert /var/etc/openvpn/server2.cert key /var/etc/openvpn/server2.key dh /etc/dh-parameters.2048 tls-auth /var/etc/openvpn/server2.tls-auth 0 comp-lzo adaptive persist-remote-ip float topology subnet tls-version-min 1.2 [2.3.2-RELEASE][root@pfSense.local.lan]/var/etc/openvpn:
Its got those network in there for other routes because I flip it from from default gateway redirect and not when I need/want to for different setups. Also that tls-version-min 1.2 is in my options section.. Since you really should only edit your vpn stuff and pretty much everything else in pfsense in the gui.. I have also attached the current gui setting for the vpn instance. I run 1 on tcp as well.
Ok, I'm starting to get al little lost :-\
Comparing our configs I don't see a real difference. When I push a route with the route "push 192.168.20.0 255.255.255.0"; openvpn option that route arrives in the openvpn connect logging.
However my routing table isn't modified. I don't see a seperate route for this network.
Hope you have another idea.
and what version of the app are you using? What version of the ios are you running? What does the log of your connection say?
2016-08-12 05:21:16 EVENT: RESOLVE 2016-08-12 05:21:16 Contacting 24.13.snip:1194 via UDP 2016-08-12 05:21:16 EVENT: WAIT 2016-08-12 05:21:16 SetTunnelSocket returned 1 2016-08-12 05:21:16 Connecting to [24.13.snip]:1194 (24.13.snip) via UDPv4 2016-08-12 05:21:16 EVENT: CONNECTING 2016-08-12 05:21:16 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client 2016-08-12 05:21:16 Peer Info: IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199 IV_VER=3.0.11 IV_PLAT=ios IV_NCP=2 IV_TCPNL=1 IV_PROTO=2 IV_LZO=1 2016-08-12 05:21:16 VERIFY OK: depth=1 cert. version : 3 serial number : 00 issuer name : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=openvpn subject name : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=openvpn issued on : 2015-01-10 14:15:11 expires on : 2025-01-07 14:15:11 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=true 2016-08-12 05:21:16 VERIFY OK: depth=0 cert. version : 3 serial number : 01 issuer name : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=openvpn subject name : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=pfsenseopenvpn issued on : 2015-01-10 14:15:12 expires on : 2025-01-07 14:15:12 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=false cert. type : SSL Server key usage : Digital Signature, Key Encipherment ext key usage : TLS Web Server Authentication 2016-08-12 05:21:16 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 2016-08-12 05:21:16 Session is ACTIVE 2016-08-12 05:21:16 EVENT: GET_CONFIG 2016-08-12 05:21:16 Sending PUSH_REQUEST to server... 2016-08-12 05:21:17 OPTIONS: 0 [route] [192.168.9.0] [255.255.255.0] 1 [route] [192.168.2.0] [255.255.255.0] 2 [route] [192.168.3.0] [255.255.255.0] 3 [dhcp-option] [DOMAIN] [local.lan] 4 [dhcp-option] [DNS] [192.168.9.253] 5 [redirect-gateway] [def1] 6 [route-gateway] [10.0.200.1] 7 [topology] [subnet] 8 [ping]  9 [ping-restart]  10 [ifconfig] [10.0.200.2] [255.255.255.0] 2016-08-12 05:21:17 PROTOCOL OPTIONS: cipher: AES-256-CBC digest: SHA256 compress: LZO peer ID: -1 2016-08-12 05:21:17 EVENT: ASSIGN_IP 2016-08-12 05:21:17 Connected via tun 2016-08-12 05:21:17 EVENT: CONNECTED @24.13.snip:1194 (24.13.snip) via /UDPv4 on tun/10.0.200.2/ 2016-08-12 05:21:17 LZO-ASYM init swap=0 asym=0 2016-08-12 05:21:17 SetStatus Connected
First of all thank you for taking this amount of time working with me on this problem.
I can report it's solved. I do not know the solution I'm afraid.
I just layed it to rest for a while. I then once again compared our configs and added the push routes.
I also changed the compression.
I think I tried it in the past but suddenly it also works on my iPhone. So the changed parts now look like this:
- push "redirect-gateway def1";push "redirect-gateway local def1";push "redirect-gateway ipv6";push "route 192.168.20.0 255.255.255.0"
- and compression is on Enabled with adaptive compression.
I'm not sure if any of these fixed my issue, I'm just very glad it's working and I hope it never breaks 8)
Once again thanks for taking the time helping me. All the best!