OpenVPN IOS9



  • So today I posted about issues connecting through my OpenVPN. I could connect to the VPN from my iPhone.
    I could access the internet. However, I could not access anything on my LAN. I was able to ping the tunnel IP.

    After troubleshooting we determined it was the OpenVPN iOS client that didn't work. I set up a Windows client on my laptop and loaded the Windows profile in the OpenVPN client.
    I connected to the iPhone hotspot from my laptop and all was working well: routing table OK and I was able to access my LAN.

    I did some googling and read a lot of issues with iOS 9 and the OpenVPN Connect client. Some say disable IPv6, some say FAVOR_LZA (whatever that may be).

    My question is: does anybody have a working setup with the iOS 9 iPhone OpenVPN Connect client, and can you share what you did to get your setup working?

    I run an OpenVPN server with traffic forced through the tunnel. I see my routes and DNS servers etc. in the OpenVPN log on my iPhone.
    So it should be working well, but it doesn't.

    Hope somebody can help.

    Kind regards,

    Mark



  • I determined with an app that OpenVPN Connect does not change the routing table of the iPhone.

    • When I connect with my laptop through the iPhone hotspot, my default gateway is set to my tunnel IP.
    • When I connect my iPhone with OpenVPN and I connect my laptop through the iPhone hotspot, my default gateway is not changed.
    • When I connect my iPhone with OpenVPN Connect and view the routing table with the Routing Table app, the default gateway is not changed.

    Is this a known issue?



  • Don't know the solution, but this

    • When I connect my iPhone with OpenVPN and I connect my laptop through the iPhone hotspot, my default gateway is not changed.

    will not work anyway, because one needs to set a route manually on the iPhone, from the iPhone hotspot subnet to the tunnel.

    So the problem seems to be

    • When I connect my iPhone with OpenVPN Connect and view the routing table with the Routing Table app, the default gateway is not changed.


  • LAYER 8 Global Moderator

    What app are you using to view the routing table on your iOS 9 device?

    I don't have an app that shows the routing table that I am aware of, but I'm more than happy to check it with the app you're using.

    But what I can tell you: if I do a traceroute to an internet address when just on wifi, the first hop is 192.168.1.1, and if I connect to my OpenVPN server via the OpenVPN iOS app and then do a traceroute, I am going down the VPN tunnel.

    Do you have your OpenVPN server set to be the default gateway?

    Using 9.3.4 on an iPhone 5s with OpenVPN app 1.0.7 build 199.

    If I do a "what's my IP" from the phone while using the VPN I see my home public IP, and when I do not use the VPN and just the wifi here at the office I see my office public IP. See 2nd photo attached.

    Nothing special done to have it work like this.. Grab the config from the VPN export and import it into the iPhone OpenVPN app.


  • Hi John

    Thanks! I used the Routing Table iOS app. It's a free app from the App Store. But checking what's my IP is also a good test.
    I can confirm that when connected with the VPN it presents the public IP of my mobile provider. So not my public IP.

    I attached my OpenVPN config. Maybe you can compare it with yours, or have a clue what's wrong?

    dev ovpns1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto tcp-server
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local <<ip_openvpn>>
    tls-server
    server 10.15.10.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'MY AD' false server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.external.nl' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    max-clients 10
    push "route 192.168.20.0 255.255.255.0" --> internal route to server vlan
    push "dhcp-option DOMAIN argus.local"
    push "dhcp-option DNS 192.168.20.13" --> internal dns server
    push "dhcp-option DNS 192.168.20.15" --> internal dns server
    push "dhcp-option NTP 192.168.20.13"
    push "redirect-gateway def1"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float
    topology subnet
    push "redirect-gateway def1" --> these are additional options I pushed, but they don't seem to do the trick
    push "redirect-gateway local def1" --> these are additional options I pushed, but they don't seem to do the trick
    push "redirect-gateway ipv6" --> these are additional options I pushed, but they don't seem to do the trick

    Thanks!!


  • LAYER 8 Global Moderator

    That sure as hell is not a config for iOS.. Where is the config you use in your OpenVPN app?

    Here is an iOS config that sends traffic out the VPN just fine..

    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA256
    tls-client
    client
    remote 24.13.<snipped> 1194 udp
    lport 0
    verify-x509-name "pfsenseopenvpn" name
    ns-cert-type server
    comp-lzo adaptive
    <ca>
    -----BEGIN CERTIFICATE-----
    MIIELzCCAxegAwIBAgIBADANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJVUzEL
    <snipped>
    irJgwPhnD40VEnqBGuWr0GmqBg==
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    MIIEhTCCA22gAwIBAgIBBjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJVUzEL
    <snipped>
    07iTItFJbGEFnDE9Uf2gmTKok1C0SeJlalJnFUbn8XGHysRpWjGiUInvvL56N9wO
    zpZCx3PBzrSZ
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCbnH1XmTQ5ism9
    <snipped>
    PJg7xn9awG5LLeyDvvTxKFg=
    -----END PRIVATE KEY-----
    </key>
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    a2d1d1ce8e37bdc037ff3536b448b309
    <snipped>
    ff4352097dbc693dfe974ed2267efebe
    -----END OpenVPN Static key V1-----
    </tls-auth>
    key-direction 1


    So set redirect gateway in the OpenVPN config, grab the right config for your iOS/Android OpenVPN Connect app.. There you go, traffic out the tunnel..

    I even just did a new export of this and just sent it to my phone and connected via my cell.. You can see out my cell it's using IPv6 even.. I then connect to the VPN, and out my tunnel.

    edit: Ok, grabbed your app. You can see when on the VPN the default is out the tun interface; you can see I am connected to my VPN and have a route for my tunnel network 10.0.200, etc.. There was much more there. Then disconnect from the VPN and you can see my default route is out the pdp_ip0 interface.



  • Hi John,

    The config I attached was the OpenVPN server config file. Maybe you can share yours as well? It's in /var/etc/openvpn on your pfSense.

    My iPhone's routing table with VPN connected:

    Routing tables

    Internet:
    Destination Gateway Flags Refs Use Netif Expire
    default 100.85.55.7 UGSc 193 3 pdp_ip0
    default link#11 UCSI 1 0 utun0
    10.15.10/24 link#11 UCS 1 0 utun0
    10.15.10.2 10.15.10.2 UH 1 0 utun0
    100.85.55.7 100.85.55.7 UHr 192 0 pdp_ip0
    100.85.55.7/32 link#2 UCS 1 0 pdp_ip0
    127 127.0.0.1 UCS 1 0 lo0
    127.0.0.1 127.0.0.1 UH 2 0 lo0
    <<my external ip>> 100.85.55.7 UGHS 1 0 pdp_ip0
    224.0.0 link#2 UmCS 2 0 pdp_ip0
    224.0.0.251 link#2 UHmWI 1 0 pdp_ip0
    255.255.255.255/32 link#2 UCS 1 0 pdp_ip0

    Internet6:
    Destination Gateway Flags Netif Expire
    ::1 ::1 UHL lo0
    fe80::%lo0/64 fe80::1%lo0 UcI lo0
    fe80::1%lo0 link#1 UHLI lo0
    fe80::%awdl0/64 link#10 UCI awdl0
    fe80::2087:f2ff:fe5a:91d3%awdl0 22:87:f2:5a:aa:bb UHLI lo0
    ff01::%lo0/32 ::1 UmCI lo0
    ff01::%en0/32 link#8 UmCI en0
    ff01::%awdl0/32 link#10 UmCI awdl0
    ff02::%lo0/32 ::1 UmCI lo0
    ff02::%en0/32 link#8 UmCI en0
    ff02::%awdl0/32 link#10 UmCI awdl0

    I do also have the redirect gateway checkbox enabled. My OpenVPN iPhone config:

    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    remote vpn.mydomain.com 1194 udp
    lport 0
    verify-x509-name "vpn.mydomain.com" name
    auth-user-pass
    ns-cert-type server

    <ca>
    -----BEGIN CERTIFICATE-----
    stripped
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    stripped
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    stripped
    -----END PRIVATE KEY-----
    </key>
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    stripped
    -----END OpenVPN Static key V1-----
    </tls-auth>
    key-direction 1


  • LAYER 8 Global Moderator

    Here is my config for that instance of OpenVPN running..

    
    [2.3.2-RELEASE][root@pfSense.local.lan]/var/etc/openvpn: cat server2.conf
    dev ovpns2
    verb 3
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 24.13.snipped
    tls-server
    server 10.0.200.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server2
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'pfsenseopenvpn' 1"
    lport 1194
    management /var/etc/openvpn/server2.sock unix
    max-clients 2
    push "route 192.168.9.0 255.255.255.0"
    push "route 192.168.2.0 255.255.255.0"
    push "route 192.168.3.0 255.255.255.0"
    push "dhcp-option DOMAIN local.lan"
    push "dhcp-option DNS 192.168.9.253"
    push "redirect-gateway def1"
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo adaptive
    persist-remote-ip
    float
    topology subnet
    tls-version-min 1.2
    [2.3.2-RELEASE][root@pfSense.local.lan]/var/etc/openvpn:
    
    

    It's got those networks in there for other routes because I flip it from default gateway redirect and not when I need/want to for different setups. Also that tls-version-min 1.2 is in my options section.. Since you really should only edit your VPN stuff and pretty much everything else in pfSense in the GUI.. I have also attached the current GUI settings for the VPN instance. I run 1 on TCP as well.




  • Ok, I'm starting to get a little lost  :-\

    Comparing our configs I don't see a real difference. When I push a route with the push "route 192.168.20.0 255.255.255.0"; OpenVPN option, that route arrives in the OpenVPN Connect logging.
    However, my routing table isn't modified. I don't see a separate route for this network.

    Hope you have another idea.

    Thanks

    Mark


  • LAYER 8 Global Moderator

    And what version of the app are you using? What version of iOS are you running? What does the log of your connection say?

    
    2016-08-12 05:21:16 EVENT: RESOLVE
    2016-08-12 05:21:16 Contacting 24.13.snip:1194 via UDP
    2016-08-12 05:21:16 EVENT: WAIT
    2016-08-12 05:21:16 SetTunnelSocket returned 1
    2016-08-12 05:21:16 Connecting to [24.13.snip]:1194 (24.13.snip) via UDPv4
    2016-08-12 05:21:16 EVENT: CONNECTING
    2016-08-12 05:21:16 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
    2016-08-12 05:21:16 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199
    IV_VER=3.0.11
    IV_PLAT=ios
    IV_NCP=2
    IV_TCPNL=1
    IV_PROTO=2
    IV_LZO=1
    
    2016-08-12 05:21:16 VERIFY OK: depth=1
    cert. version    : 3
    serial number    : 00
    issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=openvpn
    subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=openvpn
    issued  on        : 2015-01-10 14:15:11
    expires on        : 2025-01-07 14:15:11
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=true
    
    2016-08-12 05:21:16 VERIFY OK: depth=0
    cert. version    : 3
    serial number    : 01
    issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=openvpn
    subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snip, CN=pfsenseopenvpn
    issued  on        : 2015-01-10 14:15:12
    expires on        : 2025-01-07 14:15:12
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=false
    cert. type        : SSL Server
    key usage        : Digital Signature, Key Encipherment
    ext key usage    : TLS Web Server Authentication
    
    2016-08-12 05:21:16 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    2016-08-12 05:21:16 Session is ACTIVE
    2016-08-12 05:21:16 EVENT: GET_CONFIG
    2016-08-12 05:21:16 Sending PUSH_REQUEST to server...
    2016-08-12 05:21:17 OPTIONS:
    0 [route] [192.168.9.0] [255.255.255.0]
    1 [route] [192.168.2.0] [255.255.255.0]
    2 [route] [192.168.3.0] [255.255.255.0]
    3 [dhcp-option] [DOMAIN] [local.lan]
    4 [dhcp-option] [DNS] [192.168.9.253]
    5 [redirect-gateway] [def1]
    6 [route-gateway] [10.0.200.1]
    7 [topology] [subnet]
    8 [ping] [10]
    9 [ping-restart] [60]
    10 [ifconfig] [10.0.200.2] [255.255.255.0]
    
    2016-08-12 05:21:17 PROTOCOL OPTIONS:
      cipher: AES-256-CBC
      digest: SHA256
      compress: LZO
      peer ID: -1
    2016-08-12 05:21:17 EVENT: ASSIGN_IP
    2016-08-12 05:21:17 Connected via tun
    2016-08-12 05:21:17 EVENT: CONNECTED @24.13.snip:1194 (24.13.snip) via /UDPv4 on tun/10.0.200.2/
    2016-08-12 05:21:17 LZO-ASYM init swap=0 asym=0
    2016-08-12 05:21:17 SetStatus Connected
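
    A small diagnostic that automates the comparison this thread is doing by hand, as an added example (my own code, not anything from the thread, pfSense or OpenVPN): it parses the pushed OPTIONS block from an OpenVPN Connect log in the format shown above and a netstat-style routing table like the one Mark posted, then reports which pushed routes never reached the kernel and whether the active default route is on the tunnel interface. The sample inputs are constructed; the utun interface prefix and the 8-bits-per-printed-octet expansion of netstat's shortened destinations are assumptions.

```python
import ipaddress
import re

# Constructed sample in the "[n] [option] [args...]" form OpenVPN Connect logs after PUSH_REQUEST.
PUSHED_OPTIONS = """\
0 [route] [192.168.20.0] [255.255.255.0]
1 [dhcp-option] [DNS] [192.168.20.13]
2 [redirect-gateway] [def1]
3 [ifconfig] [10.15.10.2] [255.255.255.0]
"""

# Constructed sample modelled on the iPhone table in the thread (netstat -rn style columns).
ROUTING_TABLE = """\
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 100.85.55.7 UGSc 193 3 pdp_ip0
default link#11 UCSI 1 0 utun0
10.15.10/24 link#11 UCS 1 0 utun0
Internet6:
"""

def parse_pushed_options(text):
    # Collect pushed 'route' networks and whether redirect-gateway was pushed at all.
    routes, redirect = [], False
    for line in text.splitlines():
        f = re.findall(r"\[([^\]]*)\]", line)
        if len(f) >= 3 and f[0] == "route":
            routes.append(ipaddress.ip_network(f"{f[1]}/{f[2]}", strict=False))
        elif f and f[0] == "redirect-gateway":
            redirect = True
    return routes, redirect

def parse_destination(dest):
    # Expand netstat shorthand ('default', '127', '10.15.10/24'); assumption: a bare shortened address means 8 bits per printed octet.
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    plen = plen or str(8 * len(octets) if len(octets) < 4 else 32)
    return ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + "/" + plen, strict=False)

def parse_ipv4_routes(text):
    # [(network, netif)] from the 'Internet:' section, in the order the kernel searches them.
    out = []
    for line in text.split("Internet6:")[0].splitlines():
        p = line.split()
        if len(p) >= 6 and p[0] != "Destination":
            out.append((parse_destination(p[0]), p[5]))  # 6th column is Netif
    return out

def check_tunnel_routing(options_text, table_text, tun_prefix="utun"):
    # Compare what the server pushed with what the phone actually installed.
    pushed, redirect = parse_pushed_options(options_text)
    table = parse_ipv4_routes(table_text)
    via_tun = [n for n, i in table if i.startswith(tun_prefix)]
    missing = [str(n) for n in pushed if n not in via_tun]
    default_ok = None
    if redirect:  # first 'default' wins; def1 normally installs 0/1 + 128/1 via the tunnel instead
        defaults = [i for n, i in table if n.prefixlen == 0]
        default_ok = (bool(defaults) and defaults[0].startswith(tun_prefix)) or sum(n.prefixlen == 1 for n in via_tun) == 2
    return {"missing_routes": missing, "default_via_tunnel": default_ok}
```

For Mark's table the check reports the pushed 192.168.20.0/24 route as missing and the default route as not on the tunnel, which is exactly the symptom described in the thread.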
    
    


  • Hi John,

    First of all thank you for taking this amount of time working with me on this problem.
    I can report it's solved. I do not know the solution I'm afraid.

    I just laid it to rest for a while. I then once again compared our configs and added the push routes.
    I also changed the compression.

    I think I tried it in the past, but suddenly it also works on my iPhone. So the changed parts now look like this:

    • push "redirect-gateway def1";push "redirect-gateway local def1";push "redirect-gateway ipv6";push "route 192.168.20.0 255.255.255.0"
    • and compression is set to Enabled with adaptive compression.

    I'm not sure if any of these fixed my issue; I'm just very glad it's working and I hope it never breaks  8)

    Once again thanks for taking the time to help me. All the best!

