OpenVPN installed, iOS client connects, but no internet or local resources



  • Hi,

    I'm not a firewall expert. Had another solution implemented, it worked well, but I upgraded internet speed and that last solution only recognized one of my intel pro1000 gigabit NICs.

    Installed pfSense and was happy that it recognized both.

    I went through the wizard, got OpenVPN configured, exported ovpn for client, imported ovpn in iOS, connected successfully.

    But when connected from iOS to the OpenVPN:
    I can't access internet.
    I can't access local Plex server.

    However, I can actually see and login to pfSense at 192.168.1.1 when logged into VPN from cellular network on iOS.

    What can I give you for you to be able to help me with this?

    Thank you,
    Dajo



  • here's some things I found.
    I connected again from iOS and got some logs:

    StatusSystem LogsOpenVPN:

    Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
    Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 peer info: IV_VER=3.2
    Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 peer info: IV_PLAT=ios
    Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 peer info: IV_NCP=2
    Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 peer info: IV_TCPNL=1
    Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 peer info: IV_PROTO=2
    Apr 14 21:22:48 openvpn user 'dajo' authenticated
    Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 [dajo] Peer Connection Initiated with [AF_INET]174.236.144.58:2017
    Apr 14 21:22:48 openvpn 49115 dajo/174.236.144.58:2017 MULTI_sva: pool returned IPv4=192.168.2.2, IPv6=(Not enabled)



  • @dajokahn said in OpenVPN installed, iOS client connects, but no internet or local resources:

    I connected again from iOS and got some logs: ...

    When using an iPhone, using the OpenVPN app, I have the same logs.
    You could also "find" the log on the client, although it would probably not show the issue.

    What do you have here : Firewall => Rules => OpenVPN ?



  • Screen Shot 2019-04-15 at 7.31.16 AM.png

    thank you!



  • Firewall rule looks fine.

    Your OpenVPN setttings ?

    Check also your settings with the official OpenVPN videos (Youtube => Netgate).


  • LAYER 8 Global Moderator

    on your iphone you should see way more logs than that - like your routes being added, etc.. if no routes add then no your no going to go anywhere.

    example just connected with my iphone XR running the same openvpn connect app

    2019-04-15 07:33:40 Contacting [64.53.snipped]:1194/UDP via UDP
    2019-04-15 07:33:40 EVENT: WAIT
    2019-04-15 07:33:40 Connecting to [64.53.snipped]:1194 (64.53.snipped) via UDPv4
    2019-04-15 07:33:40 EVENT: CONNECTING
    
    2019-04-15 07:33:40 Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client
    
    2019-04-15 07:33:40 Creds: UsernameEmpty/PasswordEmpty
    
    2019-04-15 07:33:40 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
    IV_VER=3.2
    IV_PLAT=ios
    IV_NCP=2
    IV_TCPNL=1
    IV_PROTO=2
    IV_AUTO_SESS=1
    
    
    2019-04-15 07:33:40 VERIFY OK : depth=1
    cert. version    : 3
    serial number    : 00
    issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=snipped, CN=openvpn
    subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=snipped, CN=openvpn
    issued  on        : 2015-01-10 14:15:11
    expires on        : 2025-01-07 14:15:11
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=true
    
    2019-04-15 07:33:40 VERIFY OK : depth=0
    cert. version    : 3
    serial number    : 01
    issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=snipped, CN=openvpn
    subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=snipped, CN=pfsenseopenvpn
    issued  on        : 2015-01-10 14:15:12
    expires on        : 2025-01-07 14:15:12
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=false
    cert. type        : SSL Server
    key usage        : Digital Signature, Key Encipherment
    ext key usage    : TLS Web Server Authentication
    
    2019-04-15 07:33:40 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    2019-04-15 07:33:40 Session is ACTIVE
    2019-04-15 07:33:40 EVENT: GET_CONFIG
    2019-04-15 07:33:40 Sending PUSH_REQUEST to server...
    2019-04-15 07:33:40 OPTIONS:
    0 [route] [192.168.9.0] [255.255.255.0]
    1 [route] [192.168.2.0] [255.255.255.0]
    2 [route] [192.168.3.0] [255.255.255.0]
    3 [dhcp-option] [DNS] [192.168.9.253]
    4 [route-gateway] [10.0.200.1]
    5 [topology] [subnet]
    6 [ping] [10]
    7 [ping-restart] [60]
    8 [ifconfig] [10.0.200.2] [255.255.255.0]
    9 [peer-id] [0]
    10 [cipher] [AES-128-GCM]
    
    2019-04-15 07:33:40 PROTOCOL OPTIONS:
      cipher: AES-128-GCM
      digest: SHA256
      compress: NONE
      peer ID: 0
    
    2019-04-15 07:33:40 EVENT: ASSIGN_IP
    2019-04-15 07:33:40 NIP: preparing TUN network settings
    2019-04-15 07:33:40 NIP: init TUN network settings with endpoint: 64.53.snipped
    2019-04-15 07:33:40 NIP: adding IPv4 address to network settings 10.0.200.2/255.255.255.0
    2019-04-15 07:33:40 NIP: adding (included) IPv4 route 10.0.200.0/24
    2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.9.0/24
    2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.2.0/24
    2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.3.0/24
    
    2019-04-15 07:33:40 NIP: adding DNS 192.168.9.253
    
    2019-04-15 07:33:40 NIP: adding match domain ALL
    2019-04-15 07:33:40 NIP: adding DNS specific routes:
    2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.9.253/32
    2019-04-15 07:33:40 Connected via NetworkExtensionTUN
    2019-04-15 07:33:40 EVENT: CONNECTED 64.53.snipped:1194 (64.53.snipped) via /UDPv4 on NetworkExtensionTUN/10.0.200.2/ gw=[/]
    2019-04-15 07:33:41 RECONNECT TEST: Internet:ReachableViaWiFi/-R t------
    

    Right from the app you can email your logs to yourself... Then post the info here, and snipout any personal info like public IP, like I did above.



  • Ah, ok, I understand now :
    @johnpoz said in OpenVPN installed, iOS client connects, but no internet or local resources:

    2019-04-15 07:33:40 NIP: adding (included) IPv4 route 10.0.200.0/24
    2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.9.0/24
    2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.2.0/24
    2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.3.0/24

    I didn't have all these "adding (included) IPv4 route" for all my LAN's. I thought so : something is missing.
    I have :

    7fdd7f25-6bdf-4fc0-a75e-6145ff9eb777-image.png

    Which allows my clients to connect to "everything".


  • LAYER 8 Global Moderator

    yeah you can do that if you want.. I don't - but he doesn't show that either in his log..

    Also looks like he is using 192.168.2 as his tunnel - if that steps on his local network where he is connecting from - then also another bad day sort of thing.



  • dashboard.PNG
    firewall_rules_lan.PNG
    firewall_rules_wan.PNG
    openVPN_firewall_rule.PNG
    openvpn_server.PNG
    opwnvpn_server_1.PNG
    opwnvpn_server_2.PNG
    opwnvpn_server_3.PNG
    opwnvpn_server_4.PNG
    opwnvpn_server_5.PNG
    opwnvpn_server_6.PNG



  • ok, guys, besides screenshots above and iOS openvpn connect app logs, please let me know if there i anything else I need to provide.

    2019-11-15 20:11:15 1

    2019-11-15 20:11:15 ----- OpenVPN Start -----
    OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct 3 2018 06:35:04

    2019-11-15 20:11:15 Frame=512/2048/512 mssfix-ctrl=1250

    2019-11-15 20:11:15 UNUSED OPTIONS
    0 [persist-tun]
    1 [persist-key]
    4 [tls-client]
    7 [lport] [0]
    8 [verify-x509-name] [testOpenPVN] [name]

    2019-11-15 20:11:15 EVENT: RESOLVE

    2019-11-15 20:11:15 Contacting [75.76.77.78]:1194/UDP via UDP

    2019-11-15 20:11:15 EVENT: WAIT

    2019-11-15 20:11:15 Connecting to [75.76.77.78]:1194 (75.76.77.78) via UDPv4

    2019-11-15 20:11:15 EVENT: CONNECTING

    2019-11-15 20:11:15 Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client

    2019-11-15 20:11:15 Creds: Username/Password

    2019-11-15 20:11:15 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
    IV_VER=3.2
    IV_PLAT=ios
    IV_NCP=2
    IV_TCPNL=1
    IV_PROTO=2

    2019-11-15 20:11:16 VERIFY OK : depth=0
    cert. version : 3
    serial number : 01
    issuer name : CN=testOpenPVN, C=US, ST=TN, L=City, O=test
    subject name : CN=testOpenPVN, C=US, ST=TN, L=City, O=test
    issued on : 2019-04-14 20:45:31
    expires on : 2029-04-11 20:45:31
    signed using : RSA with SHA-256
    RSA key size : 4096 bits
    basic constraints : CA=false
    subject alt name : testOpenPVN
    cert. type : SSL Server
    key usage : Digital Signature, Key Encipherment
    ext key usage : TLS Web Server Authentication, ???

    2019-11-15 20:11:17 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

    2019-11-15 20:11:17 Session is ACTIVE

    2019-11-15 20:11:17 EVENT: GET_CONFIG

    2019-11-15 20:11:17 Sending PUSH_REQUEST to server...

    2019-11-15 20:11:17 OPTIONS:
    0 [dhcp-option] [DOMAIN] [localdomain]
    1 [dhcp-option] [DNS] [192.168.1.1]
    2 [redirect-gateway] [def1]
    3 [route-gateway] [192.168.2.1]
    4 [topology] [subnet]
    5 [ping] [10]
    6 [ping-restart] [60]
    7 [ifconfig] [192.168.2.2] [255.255.255.0]
    8 [peer-id] [0]
    9 [cipher] [AES-128-GCM]

    2019-11-15 20:11:17 PROTOCOL OPTIONS:
    cipher: AES-128-GCM
    digest: SHA256
    compress: NONE
    peer ID: 0

    2019-11-15 20:11:17 EVENT: ASSIGN_IP

    2019-11-15 20:11:17 NIP: preparing TUN network settings

    2019-11-15 20:11:17 NIP: init TUN network settings with endpoint: 75.76.77.78

    2019-11-15 20:11:17 NIP: adding IPv4 address to network settings 192.168.2.2/255.255.255.0

    2019-11-15 20:11:17 NIP: adding (included) IPv4 route 192.168.2.0/24

    2019-11-15 20:11:17 NIP: redirecting all IPv4 traffic to TUN interface

    2019-11-15 20:11:17 NIP: adding match domain localdomain

    2019-11-15 20:11:17 NIP: adding DNS 192.168.1.1

    2019-11-15 20:11:17 Connected via NetworkExtensionTUN

    2019-11-15 20:11:17 EVENT: CONNECTED dajo@75.76.77.78:1194 (75.76.77.78) via /UDPv4 on NetworkExtensionTUN/192.168.2.2/ gw=[/]



  • I compared your settings with mine.

    85c9dde6-9252-4d18-a2c9-ce38a9289b07-image.png

    I have 192.168.2.1 as a DNS for VPN clients - not the LAN based DNS.

    Your LAN rules : remove (temporality) the source "LAN Net" here.

    51369577-58d3-4d29-baec-a6e660e95285-image.png

    You're not using IPv6 so "IPv4 only" seems more logic to me.

    e5a36a8d-e7d5-4f90-b692-2da117fe5c53-image.png

    When you are connected, can you ping 192.168.1.1 ?
    Can you ping a device on LAN, like your plesk server ?
    Does DNS work ?
    Test with Resolver in pure Resolver mode (1.1.1.1 and 1.0.0.1 aren't needed anyway).


  • LAYER 8 Global Moderator

    No internet - could just be that you can not resolve.. Did you set the resolver ACLs correctly? Out of the box it will auto allow your local networks, but not a tunnel network.

    As to getting lan clients - do their firewalls allow access from your tunnel network?

    No need to remove lan net as source - that has NOTHING to do with traffic from your vpn tunnel.. And is correct..



  • when connected to OpenVPN tunnel from a cellular network through iOS, yes I can actually use safari to log into pfSense firewall at 192.168.1.1.

    as far as clients firewalls allowing access from tunnel network, I don't know. Using my previous firewall solution as soon as I connected to OpenVPN, I could access my plex server no problem. How can I allow access from "tunnel" network?

    As far as setting resolver ACLs correctly, I have to learn how to do that.

    Also, the routes that I see in johnpoz OpenVPN client logs: I don't see routing on mine...



  • resolver_acl.PNG
    I assume this is the setting you're talking about, johnpoz... nothing there...


  • LAYER 8 Global Moderator

    So your using the automatic ALCs, which I do not believe adds your tunnel network.. So no you wouldn't be able to resolve anything. if your asking unbound on pfsense.

    As to routing, if your using the default all through vpn your fine. But if you can not resolve this would explain no internet, and might also explain no plex access if your trying to resolve it vs access it by IP.



  • acl.PNG
    i understand now. Undernetworks in the above screenshot, should I add 192.168.2.0?


  • LAYER 8 Global Moderator

    Yes you should add your tunnel network and the correct mask for your tunnel network ie using /24 I do believe.

    I disable the auto acls - so I manually add them
    autoacl.png

    But default is enabled, so as you see only internal networks are allowed - not tunnel networks.

    Should prob check any docs about setting up openvpn and make sure this mentioned, or make sure the tunnel networks are auto added, which I do not believe they are - but would have to double check that... The quick way to test is just do a simple query to your unbound running on pfsense from your vpn client. To validate if you can resolve or not.



  • thank you! adding the resolver settings for tunnel network fixed it.
    I appreciate all of your help very much!



  • I have this

    5f462a88-4cb3-4f49-a208-c90d62b73b30-image.png

    Isn't that default : non-checked ?
    My Resolver ACL list is totally empty.
    I can reach all my LAN's just fine from using the OpenVPN.

    A not working DNS should not impact a ping to a LAN IP, the Plesk device.


  • LAYER 8 Global Moderator

    Non working dns doesn't stop a ping via IP, but stuff doesn't work if your trying to use fqdn to ping ;)


Log in to reply