Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN installed, iOS client connects, but no internet or local resources

    Scheduled Pinned Locked Moved OpenVPN
    20 Posts 3 Posters 4.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dajokahn
      last edited by

      Hi,

      I'm not a firewall expert. Had another solution implemented, it worked well, but I upgraded internet speed and that last solution only recognized one of my intel pro1000 gigabit NICs.

      Installed pfSense and was happy that it recognized both.

      I went through the wizard, got OpenVPN configured, exported ovpn for client, imported ovpn in iOS, connected successfully.

      But when connected from iOS to the OpenVPN:
      I can't access internet.
      I can't access local Plex server.

      However, I can actually see and login to pfSense at 192.168.1.1 when logged into VPN from cellular network on iOS.

      What can I give you for you to be able to help me with this?

      Thank you,
      Dajo

      1 Reply Last reply Reply Quote 0
      • D
        dajokahn
        last edited by

        here's some things I found.
        I connected again from iOS and got some logs:

        StatusSystem LogsOpenVPN:

        Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
        Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 peer info: IV_VER=3.2
        Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 peer info: IV_PLAT=ios
        Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 peer info: IV_NCP=2
        Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 peer info: IV_TCPNL=1
        Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 peer info: IV_PROTO=2
        Apr 14 21:22:48 openvpn user 'dajo' authenticated
        Apr 14 21:22:48 openvpn 49115 174.236.144.58:2017 [dajo] Peer Connection Initiated with [AF_INET]174.236.144.58:2017
        Apr 14 21:22:48 openvpn 49115 dajo/174.236.144.58:2017 MULTI_sva: pool returned IPv4=192.168.2.2, IPv6=(Not enabled)

        GertjanG 1 Reply Last reply Reply Quote 0
        • GertjanG
          Gertjan @dajokahn
          last edited by

          @dajokahn said in OpenVPN installed, iOS client connects, but no internet or local resources:

          I connected again from iOS and got some logs: ...

          When using an iPhone, using the OpenVPN app, I have the same logs.
          You could also "find" the log on the client, although it would probably not show the issue.

          What do you have here : Firewall => Rules => OpenVPN ?

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 1
          • D
            dajokahn
            last edited by

            Screen Shot 2019-04-15 at 7.31.16 AM.png

            thank you!

            1 Reply Last reply Reply Quote 0
            • GertjanG
              Gertjan
              last edited by

              Firewall rule looks fine.

              Your OpenVPN setttings ?

              Check also your settings with the official OpenVPN videos (Youtube => Netgate).

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz

                on your iphone you should see way more logs than that - like your routes being added, etc.. if no routes add then no your no going to go anywhere.

                example just connected with my iphone XR running the same openvpn connect app

                2019-04-15 07:33:40 Contacting [64.53.snipped]:1194/UDP via UDP
                2019-04-15 07:33:40 EVENT: WAIT
                2019-04-15 07:33:40 Connecting to [64.53.snipped]:1194 (64.53.snipped) via UDPv4
                2019-04-15 07:33:40 EVENT: CONNECTING
                
                2019-04-15 07:33:40 Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client
                
                2019-04-15 07:33:40 Creds: UsernameEmpty/PasswordEmpty
                
                2019-04-15 07:33:40 Peer Info:
                IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
                IV_VER=3.2
                IV_PLAT=ios
                IV_NCP=2
                IV_TCPNL=1
                IV_PROTO=2
                IV_AUTO_SESS=1
                
                
                2019-04-15 07:33:40 VERIFY OK : depth=1
                cert. version    : 3
                serial number    : 00
                issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=snipped, CN=openvpn
                subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=snipped, CN=openvpn
                issued  on        : 2015-01-10 14:15:11
                expires on        : 2025-01-07 14:15:11
                signed using      : RSA with SHA-256
                RSA key size      : 2048 bits
                basic constraints : CA=true
                
                2019-04-15 07:33:40 VERIFY OK : depth=0
                cert. version    : 3
                serial number    : 01
                issuer name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=snipped, CN=openvpn
                subject name      : C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=snipped, CN=pfsenseopenvpn
                issued  on        : 2015-01-10 14:15:12
                expires on        : 2025-01-07 14:15:12
                signed using      : RSA with SHA-256
                RSA key size      : 2048 bits
                basic constraints : CA=false
                cert. type        : SSL Server
                key usage        : Digital Signature, Key Encipherment
                ext key usage    : TLS Web Server Authentication
                
                2019-04-15 07:33:40 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
                2019-04-15 07:33:40 Session is ACTIVE
                2019-04-15 07:33:40 EVENT: GET_CONFIG
                2019-04-15 07:33:40 Sending PUSH_REQUEST to server...
                2019-04-15 07:33:40 OPTIONS:
                0 [route] [192.168.9.0] [255.255.255.0]
                1 [route] [192.168.2.0] [255.255.255.0]
                2 [route] [192.168.3.0] [255.255.255.0]
                3 [dhcp-option] [DNS] [192.168.9.253]
                4 [route-gateway] [10.0.200.1]
                5 [topology] [subnet]
                6 [ping] [10]
                7 [ping-restart] [60]
                8 [ifconfig] [10.0.200.2] [255.255.255.0]
                9 [peer-id] [0]
                10 [cipher] [AES-128-GCM]
                
                2019-04-15 07:33:40 PROTOCOL OPTIONS:
                  cipher: AES-128-GCM
                  digest: SHA256
                  compress: NONE
                  peer ID: 0
                
                2019-04-15 07:33:40 EVENT: ASSIGN_IP
                2019-04-15 07:33:40 NIP: preparing TUN network settings
                2019-04-15 07:33:40 NIP: init TUN network settings with endpoint: 64.53.snipped
                2019-04-15 07:33:40 NIP: adding IPv4 address to network settings 10.0.200.2/255.255.255.0
                2019-04-15 07:33:40 NIP: adding (included) IPv4 route 10.0.200.0/24
                2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.9.0/24
                2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.2.0/24
                2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.3.0/24
                
                2019-04-15 07:33:40 NIP: adding DNS 192.168.9.253
                
                2019-04-15 07:33:40 NIP: adding match domain ALL
                2019-04-15 07:33:40 NIP: adding DNS specific routes:
                2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.9.253/32
                2019-04-15 07:33:40 Connected via NetworkExtensionTUN
                2019-04-15 07:33:40 EVENT: CONNECTED 64.53.snipped:1194 (64.53.snipped) via /UDPv4 on NetworkExtensionTUN/10.0.200.2/ gw=[/]
                2019-04-15 07:33:41 RECONNECT TEST: Internet:ReachableViaWiFi/-R t------
                

                Right from the app you can email your logs to yourself... Then post the info here, and snipout any personal info like public IP, like I did above.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                GertjanG 1 Reply Last reply Reply Quote 0
                • GertjanG
                  Gertjan @johnpoz
                  last edited by

                  Ah, ok, I understand now :
                  @johnpoz said in OpenVPN installed, iOS client connects, but no internet or local resources:

                  2019-04-15 07:33:40 NIP: adding (included) IPv4 route 10.0.200.0/24
                  2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.9.0/24
                  2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.2.0/24
                  2019-04-15 07:33:40 NIP: adding (included) IPv4 route 192.168.3.0/24

                  I didn't have all these "adding (included) IPv4 route" for all my LAN's. I thought so : something is missing.
                  I have :

                  7fdd7f25-6bdf-4fc0-a75e-6145ff9eb777-image.png

                  Which allows my clients to connect to "everything".

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz

                    yeah you can do that if you want.. I don't - but he doesn't show that either in his log..

                    Also looks like he is using 192.168.2 as his tunnel - if that steps on his local network where he is connecting from - then also another bad day sort of thing.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • D
                      dajokahn
                      last edited by

                      dashboard.PNG
                      firewall_rules_lan.PNG
                      firewall_rules_wan.PNG
                      openVPN_firewall_rule.PNG
                      openvpn_server.PNG
                      opwnvpn_server_1.PNG
                      opwnvpn_server_2.PNG
                      opwnvpn_server_3.PNG
                      opwnvpn_server_4.PNG
                      opwnvpn_server_5.PNG
                      opwnvpn_server_6.PNG

                      1 Reply Last reply Reply Quote 0
                      • D
                        dajokahn
                        last edited by

                        ok, guys, besides screenshots above and iOS openvpn connect app logs, please let me know if there i anything else I need to provide.

                        2019-11-15 20:11:15 1

                        2019-11-15 20:11:15 ----- OpenVPN Start -----
                        OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct 3 2018 06:35:04

                        2019-11-15 20:11:15 Frame=512/2048/512 mssfix-ctrl=1250

                        2019-11-15 20:11:15 UNUSED OPTIONS
                        0 [persist-tun]
                        1 [persist-key]
                        4 [tls-client]
                        7 [lport] [0]
                        8 [verify-x509-name] [testOpenPVN] [name]

                        2019-11-15 20:11:15 EVENT: RESOLVE

                        2019-11-15 20:11:15 Contacting [75.76.77.78]:1194/UDP via UDP

                        2019-11-15 20:11:15 EVENT: WAIT

                        2019-11-15 20:11:15 Connecting to [75.76.77.78]:1194 (75.76.77.78) via UDPv4

                        2019-11-15 20:11:15 EVENT: CONNECTING

                        2019-11-15 20:11:15 Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client

                        2019-11-15 20:11:15 Creds: Username/Password

                        2019-11-15 20:11:15 Peer Info:
                        IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
                        IV_VER=3.2
                        IV_PLAT=ios
                        IV_NCP=2
                        IV_TCPNL=1
                        IV_PROTO=2

                        2019-11-15 20:11:16 VERIFY OK : depth=0
                        cert. version : 3
                        serial number : 01
                        issuer name : CN=testOpenPVN, C=US, ST=TN, L=City, O=test
                        subject name : CN=testOpenPVN, C=US, ST=TN, L=City, O=test
                        issued on : 2019-04-14 20:45:31
                        expires on : 2029-04-11 20:45:31
                        signed using : RSA with SHA-256
                        RSA key size : 4096 bits
                        basic constraints : CA=false
                        subject alt name : testOpenPVN
                        cert. type : SSL Server
                        key usage : Digital Signature, Key Encipherment
                        ext key usage : TLS Web Server Authentication, ???

                        2019-11-15 20:11:17 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

                        2019-11-15 20:11:17 Session is ACTIVE

                        2019-11-15 20:11:17 EVENT: GET_CONFIG

                        2019-11-15 20:11:17 Sending PUSH_REQUEST to server...

                        2019-11-15 20:11:17 OPTIONS:
                        0 [dhcp-option] [DOMAIN] [localdomain]
                        1 [dhcp-option] [DNS] [192.168.1.1]
                        2 [redirect-gateway] [def1]
                        3 [route-gateway] [192.168.2.1]
                        4 [topology] [subnet]
                        5 [ping] [10]
                        6 [ping-restart] [60]
                        7 [ifconfig] [192.168.2.2] [255.255.255.0]
                        8 [peer-id] [0]
                        9 [cipher] [AES-128-GCM]

                        2019-11-15 20:11:17 PROTOCOL OPTIONS:
                        cipher: AES-128-GCM
                        digest: SHA256
                        compress: NONE
                        peer ID: 0

                        2019-11-15 20:11:17 EVENT: ASSIGN_IP

                        2019-11-15 20:11:17 NIP: preparing TUN network settings

                        2019-11-15 20:11:17 NIP: init TUN network settings with endpoint: 75.76.77.78

                        2019-11-15 20:11:17 NIP: adding IPv4 address to network settings 192.168.2.2/255.255.255.0

                        2019-11-15 20:11:17 NIP: adding (included) IPv4 route 192.168.2.0/24

                        2019-11-15 20:11:17 NIP: redirecting all IPv4 traffic to TUN interface

                        2019-11-15 20:11:17 NIP: adding match domain localdomain

                        2019-11-15 20:11:17 NIP: adding DNS 192.168.1.1

                        2019-11-15 20:11:17 Connected via NetworkExtensionTUN

                        2019-11-15 20:11:17 EVENT: CONNECTED dajo@75.76.77.78:1194 (75.76.77.78) via /UDPv4 on NetworkExtensionTUN/192.168.2.2/ gw=[/]

                        1 Reply Last reply Reply Quote 0
                        • GertjanG
                          Gertjan
                          last edited by Gertjan

                          I compared your settings with mine.

                          85c9dde6-9252-4d18-a2c9-ce38a9289b07-image.png

                          I have 192.168.2.1 as a DNS for VPN clients - not the LAN based DNS.

                          Your LAN rules : remove (temporality) the source "LAN Net" here.

                          51369577-58d3-4d29-baec-a6e660e95285-image.png

                          You're not using IPv6 so "IPv4 only" seems more logic to me.

                          e5a36a8d-e7d5-4f90-b692-2da117fe5c53-image.png

                          When you are connected, can you ping 192.168.1.1 ?
                          Can you ping a device on LAN, like your plesk server ?
                          Does DNS work ?
                          Test with Resolver in pure Resolver mode (1.1.1.1 and 1.0.0.1 aren't needed anyway).

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz

                            No internet - could just be that you can not resolve.. Did you set the resolver ACLs correctly? Out of the box it will auto allow your local networks, but not a tunnel network.

                            As to getting lan clients - do their firewalls allow access from your tunnel network?

                            No need to remove lan net as source - that has NOTHING to do with traffic from your vpn tunnel.. And is correct..

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 0
                            • D
                              dajokahn
                              last edited by

                              when connected to OpenVPN tunnel from a cellular network through iOS, yes I can actually use safari to log into pfSense firewall at 192.168.1.1.

                              as far as clients firewalls allowing access from tunnel network, I don't know. Using my previous firewall solution as soon as I connected to OpenVPN, I could access my plex server no problem. How can I allow access from "tunnel" network?

                              As far as setting resolver ACLs correctly, I have to learn how to do that.

                              Also, the routes that I see in johnpoz OpenVPN client logs: I don't see routing on mine...

                              1 Reply Last reply Reply Quote 0
                              • D
                                dajokahn
                                last edited by dajokahn

                                resolver_acl.PNG
                                I assume this is the setting you're talking about, johnpoz... nothing there...

                                1 Reply Last reply Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by johnpoz

                                  So your using the automatic ALCs, which I do not believe adds your tunnel network.. So no you wouldn't be able to resolve anything. if your asking unbound on pfsense.

                                  As to routing, if your using the default all through vpn your fine. But if you can not resolve this would explain no internet, and might also explain no plex access if your trying to resolve it vs access it by IP.

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  1 Reply Last reply Reply Quote 0
                                  • D
                                    dajokahn
                                    last edited by

                                    acl.PNG
                                    i understand now. Undernetworks in the above screenshot, should I add 192.168.2.0?

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by johnpoz

                                      Yes you should add your tunnel network and the correct mask for your tunnel network ie using /24 I do believe.

                                      I disable the auto acls - so I manually add them
                                      autoacl.png

                                      But default is enabled, so as you see only internal networks are allowed - not tunnel networks.

                                      Should prob check any docs about setting up openvpn and make sure this mentioned, or make sure the tunnel networks are auto added, which I do not believe they are - but would have to double check that... The quick way to test is just do a simple query to your unbound running on pfsense from your vpn client. To validate if you can resolve or not.

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • D
                                        dajokahn
                                        last edited by

                                        thank you! adding the resolver settings for tunnel network fixed it.
                                        I appreciate all of your help very much!

                                        1 Reply Last reply Reply Quote 0
                                        • GertjanG
                                          Gertjan
                                          last edited by

                                          I have this

                                          5f462a88-4cb3-4f49-a208-c90d62b73b30-image.png

                                          Isn't that default : non-checked ?
                                          My Resolver ACL list is totally empty.
                                          I can reach all my LAN's just fine from using the OpenVPN.

                                          A not working DNS should not impact a ping to a LAN IP, the Plesk device.

                                          No "help me" PM's please. Use the forum, the community will thank you.
                                          Edit : and where are the logs ??

                                          1 Reply Last reply Reply Quote 0
                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator
                                            last edited by

                                            Non working dns doesn't stop a ping via IP, but stuff doesn't work if your trying to use fqdn to ping ;)

                                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                                            If you get confused: Listen to the Music Play
                                            Please don't Chat/PM me for help, unless mod related
                                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.