• So today I posted about issues connecting through my OpenVPN. I could connect to the VPN from my iPhone.
    I could access the internet. However, I could not access anything on my LAN. I was able to ping the tunnel IP.

    After troubleshooting we determined it was the OpenVPN iOS client that didn't work. I set up a Windows client on my laptop and loaded the Windows profile in the OpenVPN client.
    I connected to the iPhone hotspot from my laptop and all was working well: routing table OK and I was able to access my LAN.

    I did some googling and read about a lot of issues with iOS 9 and the OpenVPN Connect client. Some say disable IPv6, some say FAVOR_LZA (whatever that may be).

    My question is: does anybody have a working setup with an iOS 9 iPhone and the OpenVPN Connect client, and can you share what you did to get your setup working?

    I run an OpenVPN server with traffic forced through the tunnel. I see my routes and DNS servers etc. in the OpenVPN log on my iPhone.
    So it should be working well, but it doesn't.

    Hope somebody can help.

    Kind regards,


  • I determined with an app that OpenVPN Connect does not change the routing table of the iPhone.

    • When I connect with my laptop through the iPhone hotspot my default gateway is set to my tunnel IP.
    • When I connect my iPhone with OpenVPN and connect my laptop through the iPhone hotspot my default gateway is not changed.
    • When I connect my iPhone with OpenVPN Connect and view the routing table with the routing table app the default gateway is not changed.

    Is this a known issue?

  • Don't know the solution, but this

    • When I connect my iPhone with OpenVPN and connect my laptop through the iPhone hotspot my default gateway is not changed.

    will not work anyway, because one needs to set a route manually on the iPhone, from the iPhone hotspot subnet to the tunnel.

    So the problem seems to be:

    When I connect my iPhone with OpenVPN Connect and view the routing table with the routing table app the default gateway is not changed.

  • LAYER 8 Global Moderator

    What app are you using to view the routing table on your iOS 9 device?

    I don't have an app that shows the routing table that I am aware of, but more than happy to check it with the app you're using.

    But what I can tell you: if I do a traceroute to an internet address when just on wifi the first hop is, and if I connect to my OpenVPN server via the OpenVPN iOS app and then do a traceroute I am going down the VPN tunnel.

    Do you have your OpenVPN server set to be the default gateway?

    Using 9.3.4 on an iPhone 5s with OpenVPN app 1.0.7 build 199.

    If I do a what's my IP from the phone while using the VPN I see my home public IP, and when I do not use the VPN and just the wifi here at the office I see my office public IP. See 2nd photo attached.

    Nothing special done to have it work like this.. Grab the config from the VPN export and import it into the iPhone OpenVPN app.

  • Hi John

    Thanks! I used the Routing Table iOS app. It's a free app from the App Store. But checking what's my IP is also a good test.
    I can confirm that when connecting with the VPN it presents the public IP of my mobile provider. So not my public IP.

    I attached my OpenVPN config. Maybe you can compare it with yours, or have a clue what's wrong?

    dev ovpns1
    verb 1
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto tcp-server
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/
    client-disconnect /usr/local/sbin/
    local <<ip_openvpn>>
    client-config-dir /var/etc/openvpn-csc/server1
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'MY AD' false server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls '' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 10
    push "route"                        # --> internal route to server vlan
    push "dhcp-option DOMAIN argus.local"
    push "dhcp-option DNS"              # --> internal dns server
    push "dhcp-option DNS"              # --> internal dns server
    push "dhcp-option NTP"
    push "redirect-gateway def1"
    ca /var/etc/openvpn/
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    topology subnet
    push "redirect-gateway def1"        # --> these are additional options I pushed, but they don't seem to do the trick
    push "redirect-gateway local def1"  # --> these are additional options I pushed, but they don't seem to do the trick
    push "redirect-gateway ipv6"        # --> these are additional options I pushed, but they don't seem to do the trick


  • LAYER 8 Global Moderator

    That sure as hell is not a config for iOS.. Where is the config you use on your OpenVPN app?

    Here is an iOS config that sends traffic out the VPN just fine..

    cipher AES-256-CBC
    auth SHA256
    remote 24.13. <snipped>1194 udp
    lport 0
    verify-x509-name "pfsenseopenvpn" name
    ns-cert-type server
    comp-lzo adaptive
    <ca>-----BEGIN CERTIFICATE-----
    <snipped>
    -----END CERTIFICATE-----</ca>
    <cert>-----BEGIN CERTIFICATE-----
    <snipped>
    -----END CERTIFICATE-----</cert>
    <key>-----BEGIN PRIVATE KEY-----
    <snipped>
    -----END PRIVATE KEY-----</key>
    <tls-auth>
    # 2048 bit OpenVPN static key
    -----BEGIN OpenVPN Static key V1-----
    <snipped>
    -----END OpenVPN Static key V1-----</tls-auth>
    key-direction 1

    So set redirect gateway in the OpenVPN config, grab the right config for your iOS/Android VPN Connect app.. There you go, traffic out the tunnel..

    I even just did a new export of this and just sent it to my phone and connected via my cell.. You can see out my cell it's using IPv6 even.. I then connect to the VPN, and out my tunnel.

    edit: OK, grabbed your app, can see when on VPN the default is out the tun interface; you can see I am connected to my VPN and have a route to for my tunnel network 10.0.200, etc.. There was much more there. Then disconnect from the VPN and you can see my default route is out the pdp_ip0 interface.

  • Hi John,

    The config I attached was the OpenVPN server config file. Maybe you can share yours as well? It's in /var/etc/openvpn on your pfSense.

    My iPhone's routing table with VPN connected:

    Routing tables

    Destination Gateway Flags Refs Use Netif Expire
    default UGSc 193 3 pdp_ip0
    default link#11 UCSI 1 0 utun0
    10.15.10/24 link#11 UCS 1 0 utun0
    UH 1 0 utun0
    UHr 192 0 pdp_ip0
    link#2 UCS 1 0 pdp_ip0
    127 UCS 1 0 lo0
    UH 2 0 lo0
    <<my external ip>> UGHS 1 0 pdp_ip0
    224.0.0 link#2 UmCS 2 0 pdp_ip0
    link#2 UHmWI 1 0 pdp_ip0
    link#2 UCS 1 0 pdp_ip0

    Destination Gateway Flags Netif Expire
    ::1 ::1 UHL lo0
    fe80::%lo0/64 fe80::1%lo0 UcI lo0
    fe80::1%lo0 link#1 UHLI lo0
    fe80::%awdl0/64 link#10 UCI awdl0
    fe80::2087:f2ff:fe5a:91d3%awdl0 22:87:f2:5a:aa:bb UHLI lo0
    ff01::%lo0/32 ::1 UmCI lo0
    ff01::%en0/32 link#8 UmCI en0
    ff01::%awdl0/32 link#10 UmCI awdl0
    ff02::%lo0/32 ::1 UmCI lo0
    ff02::%en0/32 link#8 UmCI en0
    ff02::%awdl0/32 link#10 UmCI awdl0

    I do also have the redirect gateway checkbox enabled. My OpenVPN iPhone config:

    cipher AES-256-CBC
    auth SHA1
    remote 1194 udp
    lport 0
    verify-x509-name "" name
    ns-cert-type server

    <ca>-----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----</ca>
    <cert>-----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----</cert>
    <key>-----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----</key>

    <tls-auth>
    # 2048 bit OpenVPN static key
    -----BEGIN OpenVPN Static key V1-----
    -----END OpenVPN Static key V1-----</tls-auth>
    key-direction 1

  • LAYER 8 Global Moderator

    Here is my config for that instance of OpenVPN running..

    [2.3.2-RELEASE][root@pfSense.local.lan]/var/etc/openvpn: cat server2.conf
    dev ovpns2
    verb 3
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/
    #user nobody
    #group nobody
    script-security 3
    keepalive 10 60
    proto udp
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 24.13.snipped
    client-config-dir /var/etc/openvpn-csc/server2
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfsenseopenvpn' 1"
    lport 1194
    management /var/etc/openvpn/server2.sock unix
    max-clients 2
    push "route"
    push "route"
    push "route"
    push "dhcp-option DOMAIN local.lan"
    push "dhcp-option DNS"
    push "redirect-gateway def1"
    ca /var/etc/openvpn/
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo adaptive
    topology subnet
    tls-version-min 1.2

    It's got those networks in there for other routes because I flip it from default gateway redirect and not when I need/want to for different setups. Also that tls-version-min 1.2 is in my options section.. Since you really should only edit your VPN stuff and pretty much everything else in pfSense in the GUI.. I have also attached the current GUI settings for the VPN instance. I run 1 on TCP as well.

  • OK, I'm starting to get a little lost  :-\

    Comparing our configs I don't see a real difference. When I push a route with the route "push" OpenVPN option, that route arrives in the OpenVPN Connect logging.
    However my routing table isn't modified. I don't see a separate route for this network.

    Hope you have another idea.



  • LAYER 8 Global Moderator

    And what version of the app are you using? What version of iOS are you running? What does the log of your connection say?

    2016-08-12 05:21:16 EVENT: RESOLVE
    2016-08-12 05:21:16 Contacting 24.13.snip:1194 via UDP
    2016-08-12 05:21:16 EVENT: WAIT
    2016-08-12 05:21:16 SetTunnelSocket returned 1
    2016-08-12 05:21:16 Connecting to [24.13.snip]:1194 (24.13.snip) via UDPv4
    2016-08-12 05:21:16 EVENT: CONNECTING
    2016-08-12 05:21:16 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
    2016-08-12 05:21:16 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199
    2016-08-12 05:21:16 VERIFY OK: depth=1
    cert. version    : 3
    serial number    : 00
    issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=openvpn
    subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=openvpn
    issued  on        : 2015-01-10 14:15:11
    expires on        : 2025-01-07 14:15:11
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=true
    2016-08-12 05:21:16 VERIFY OK: depth=0
    cert. version    : 3
    serial number    : 01
    issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=openvpn
    subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=pfsenseopenvpn
    issued  on        : 2015-01-10 14:15:12
    expires on        : 2025-01-07 14:15:12
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=false
    cert. type        : SSL Server
    key usage        : Digital Signature, Key Encipherment
    ext key usage    : TLS Web Server Authentication
    2016-08-12 05:21:16 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    2016-08-12 05:21:16 Session is ACTIVE
    2016-08-12 05:21:16 EVENT: GET_CONFIG
    2016-08-12 05:21:16 Sending PUSH_REQUEST to server...
    2016-08-12 05:21:17 OPTIONS:
    0 [route] [] []
    1 [route] [] []
    2 [route] [] []
    3 [dhcp-option] [DOMAIN] [local.lan]
    4 [dhcp-option] [DNS] []
    5 [redirect-gateway] [def1]
    6 [route-gateway] []
    7 [topology] [subnet]
    8 [ping] [10]
    9 [ping-restart] [60]
    10 [ifconfig] [] []
    2016-08-12 05:21:17 PROTOCOL OPTIONS:
      cipher: AES-256-CBC
      digest: SHA256
      compress: LZO
      peer ID: -1
    2016-08-12 05:21:17 EVENT: ASSIGN_IP
    2016-08-12 05:21:17 Connected via tun
    2016-08-12 05:21:17 EVENT: CONNECTED @24.13.snip:1194 (24.13.snip) via /UDPv4 on tun/
    2016-08-12 05:21:17 LZO-ASYM init swap=0 asym=0
    2016-08-12 05:21:17 SetStatus Connected
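    As an added example (not code from this thread, from pfSense or from OpenVPN), the check below cross-references the OPTIONS block that OpenVPN Connect logs after PUSH_REQUEST, as in the log above, against a netstat-style iPhone routing table shaped like the one posted earlier: a pushed redirect-gateway def1 while the first default route is still out pdp_ip0 is exactly the leak being chased here. The log lines, table rows and addresses are constructed placeholders; the utun/pdp_ip0 interface names and the "first default row wins" rule are assumptions about iOS.

```python
import re

# Constructed OPTIONS block as OpenVPN Connect logs it after PUSH_REQUEST (placeholder addresses).
CLIENT_LOG = """\
2016-08-12 05:21:17 OPTIONS:
0 [route] [10.15.0.0] [255.255.255.0]
3 [dhcp-option] [DOMAIN] [local.lan]
5 [redirect-gateway] [def1]
7 [topology] [subnet]
2016-08-12 05:21:17 PROTOCOL OPTIONS:
"""

# Constructed netstat -rn style table: two "default" rows, kernel uses the first (pdp_ip0 = cellular).
LEAKING_TABLE = """\
Destination Gateway Flags Refs Use Netif Expire
default 10.0.0.1 UGSc 193 3 pdp_ip0
default link#11 UCSI 1 0 utun0
10.15.10/24 link#11 UCS 1 0 utun0
"""

def pushed_options(log):
    """Return (option, args) pairs from the OPTIONS: block of a client log."""
    opts, in_block = [], False
    for line in log.splitlines():
        if line.endswith(" OPTIONS:") and "PROTOCOL OPTIONS" not in line:
            in_block = True  # numbered "[option] [arg] ..." lines follow
            continue
        if in_block and re.match(r"\d+ \[", line):
            fields = re.findall(r"\[([^\]]*)\]", line)
            opts.append((fields[0], [f for f in fields[1:] if f]))
        else:
            in_block = False  # any other line ends the block
    return opts

def default_route_interface(table):
    """Netif of the first 'default' row (last interface-looking column; Expire may be blank)."""
    for line in table.splitlines():
        cols = line.split()
        if cols and cols[0] == "default":
            return next(c for c in reversed(cols) if re.match(r"^[a-z_]+\d+$", c))
    return None

def diagnose(log, table):
    """Return ('OK'|'LEAK'|'SPLIT', netif): did a pushed redirect-gateway take effect?"""
    pushed = any(o == "redirect-gateway" and "def1" in a for o, a in pushed_options(log))
    netif = default_route_interface(table)
    if not pushed:
        return "SPLIT", netif  # server never asked for a full tunnel
    return ("OK" if netif and netif.startswith("utun") else "LEAK"), netif
```

    Paste the phone's real log and routing table in place of the constructed strings; a "LEAK" result means the push arrived but the client did not install it, which is the symptom described in this thread.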

  • Hi John,

    First of all thank you for taking this amount of time working with me on this problem.
    I can report it's solved. I do not know the solution, I'm afraid.

    I just laid it to rest for a while. I then once again compared our configs and added the push routes.
    I also changed the compression.

    I think I tried it in the past, but suddenly it also works on my iPhone. So the changed parts now look like this:

    • push "redirect-gateway def1"; push "redirect-gateway local def1"; push "redirect-gateway ipv6"; push "route"
    • and compression is Enabled with adaptive compression.

    I'm not sure if any of these fixed my issue, I'm just very glad it's working and I hope it never breaks  8)

    Once again thanks for taking the time helping me. All the best!
