OpenVPN on iOS connects, but no traffic



  • Hi all,

    I have OpenVPN 2.4.4 installed and set up OpenVPN using the wizard and exported the client config using the export utility. OpenVPN Connect on iOS connects fine, but no traffic flows through the VPN (websites won't load, can't connect to LAN).

    OpenVPN for Android works fine. Any thoughts?

    Sanitized iOS OpenVPN Connect log below.

    2018-57-19 11:57:35 1
    
    2018-57-19 11:57:35 ----- OpenVPN Start -----
    OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct 3 2018 06:35:04
    
    2018-57-19 11:57:35 Frame=512/2048/512 mssfix-ctrl=1250
    
    2018-57-19 11:57:35 UNUSED OPTIONS
    0 [persist-tun] 
    1 [persist-key] 
    3 [ncp-ciphers] [AES-128-GCM] 
    5 [tls-client] 
    8 [verify-x509-name] [MyServerName] [name] 
    
    2018-57-19 11:57:35 EVENT: RESOLVE
    
    2018-57-19 11:57:35 Contacting [XX.XX.XX.XX]:1194/UDP via UDP
    
    2018-57-19 11:57:35 EVENT: WAIT
    
    2018-57-19 11:57:35 Connecting to [MyDomain.com]:1194 (XX.XX.XX.XX) via UDPv4
    
    2018-57-19 11:57:35 EVENT: CONNECTING
    
    2018-57-19 11:57:35 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client
    
    2018-57-19 11:57:35 Creds: Username/Password
    
    2018-57-19 11:57:35 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
    IV_VER=3.2
    IV_PLAT=ios
    IV_NCP=2
    IV_TCPNL=1
    IV_PROTO=2
    IV_LZO_STUB=1
    IV_COMP_STUB=1
    IV_COMP_STUBv2=1
    IV_IPv6=1
    
    
    2018-57-19 11:57:35 VERIFY OK : depth=1
    cert. version : 3
    serial number : 00
    issuer name : CN=MyCA, C=CA, ST=State, L=Location, O=MyOrganization
    subject name : CN=MyServerName, C=CA, ST=State, L=Location, O=MyOrganization
    issued on : 2018-10-18 02:07:49
    expires on : 2028-10-15 02:07:49
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=true
    key usage : Key Cert Sign, CRL Sign
    
    
    2018-57-19 11:57:35 VERIFY OK : depth=0
    cert. version : 3
    serial number : 01
    issuer name : CN=MyCA, C=CA, ST=State, L=Location, O=MyOrganization
    subject name : CN=MyServerName, C=CA, ST=State, L=Location, O=MyOrganization
    issued on : 2018-10-18 02:07:50
    expires on : 2028-10-15 02:07:50
    signed using : RSA with SHA-256
    RSA key size : 2048 bits
    basic constraints : CA=false
    subject alt name : MyServerName
    cert. type : SSL Server
    key usage : Digital Signature, Key Encipherment
    ext key usage : TLS Web Server Authentication, ???
    
    
    2018-57-19 11:57:35 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    
    2018-57-19 11:57:35 Session is ACTIVE
    
    2018-57-19 11:57:35 EVENT: GET_CONFIG
    
    2018-57-19 11:57:35 Sending PUSH_REQUEST to server...
    
    2018-57-19 11:57:36 Sending PUSH_REQUEST to server...
    
    2018-57-19 11:57:38 Sending PUSH_REQUEST to server...
    
    2018-57-19 11:57:38 OPTIONS:
    0 [dhcp-option] [DNS] [1.1.1.1] 
    1 [redirect-gateway] [def1] 
    2 [route-gateway] [10.0.1.1] 
    3 [topology] [subnet] 
    4 [ping] [10] 
    5 [ping-restart] [60] 
    6 [ifconfig] [10.0.1.2] [255.255.255.0] 
    7 [peer-id] [1] 
    8 [cipher] [AES-128-GCM] 
    
    
    2018-57-19 11:57:38 PROTOCOL OPTIONS:
    cipher: AES-128-GCM
    digest: SHA256
    compress: COMP_STUB
    peer ID: 1
    
    2018-57-19 11:57:38 EVENT: ASSIGN_IP
    
    2018-57-19 11:57:38 NIP: preparing TUN network settings
    
    2018-57-19 11:57:38 NIP: init TUN network settings with endpoint: XX.XX.XX.XX
    
    2018-57-19 11:57:38 NIP: adding IPv4 address to network settings 10.0.1.2/255.255.255.0
    
    2018-57-19 11:57:38 NIP: adding (included) IPv4 route 10.0.1.0/24
    
    2018-57-19 11:57:38 NIP: redirecting all IPv4 traffic to TUN interface
    
    2018-57-19 11:57:38 NIP: adding DNS 1.1.1.1
    
    2018-57-19 11:57:38 Connected via NetworkExtensionTUN
    
    2018-57-19 11:57:38 LZO-ASYM init swap=0 asym=1
    
    2018-57-19 11:57:38 Comp-stub init swap=1
    
    2018-57-19 11:57:38 EVENT: CONNECTED MyUser@MyDomain:1194 (XX.XX.XX.XX) via /UDPv4 on NetworkExtensionTUN/10.0.1.2/ gw=[/]
    


  • @shutch The latest OpenVPN client on iOS has 'allow compression' disabled by default, because of the VORACLE attack. Try re-enabling it in the settings to see if that helps.



  • @bigsy Wow! Thanks. After trying stuff for 3 hrs this tip was the answer.
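
Added example, not part of the thread and not OpenVPN's own tooling: a Python check that reads an OpenVPN Connect log and flags the condition visible in the log posted above, where the profile asks for `comp-lzo` but the client advertises only stub compression in its Peer Info. The sample lines are copied from that log; the function names, the reading of stub-only Peer Info as "compression disabled on the client", and the non-stub `IV_LZO` case are assumptions.

```python
import re

# Compression-related lines copied from the log posted in this thread.
SAMPLE_LOG = """\
2018-57-19 11:57:35 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client
2018-57-19 11:57:35 Peer Info:
IV_NCP=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
2018-57-19 11:57:38 PROTOCOL OPTIONS:
compress: COMP_STUB
"""

COMP_DIRECTIVES = ("comp-lzo", "compress")  # profile options that request compression

def compression_state(log):
    """Collect what the profile requested, what the client advertised, and the result."""
    state = {"requested": [], "peer_info": {}, "negotiated": None}
    for line in log.splitlines():
        line = line.strip()
        m = re.search(r"Tunnel Options:(.*)$", line)
        if m:
            opts = [o.strip() for o in m.group(1).split(",")]
            state["requested"] = [o for o in opts if o.split(" ")[0] in COMP_DIRECTIVES]
        m = re.fullmatch(r"(IV_(?:LZO|LZ4|COMP)\w*)=(\S+)", line)
        if m:
            state["peer_info"][m.group(1)] = m.group(2)
        m = re.fullmatch(r"compress:\s*(\S+)", line)
        if m:
            state["negotiated"] = m.group(1)
    return state

def findings(state):
    """Return human-readable findings; an empty list means nothing to flag."""
    out = []
    req = ",".join(state["requested"])
    # Assumption: IV_* keys ending in _STUB/_STUBv2 mean framing support only.
    real = [k for k in state["peer_info"] if not k.endswith(("_STUB", "_STUBv2"))]
    if req and state["peer_info"] and not real:
        out.append("profile requests %s but client is stub-only (negotiated: %s); "
                   "compression mismatch with the server is likely" % (req, state["negotiated"]))
    if req and real:
        out.append("profile requests %s and client advertises %s; compression can be "
                   "active, review VORACLE exposure" % (req, ",".join(real)))
    return out

if __name__ == "__main__":
    for finding in findings(compression_state(SAMPLE_LOG)):
        print(finding)
```

Re-enabling compression on the client, as suggested above, clears the first finding by trading it for the second; removing compression from both the server and the exported profile clears both.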