iOS client connects, access external but not internal network

Official client software for OpenVPN Access Server and OpenVPN Cloud.
wolftech
OpenVpn Newbie
Posts: 2
Joined: Fri Jul 14, 2017 7:50 pm

iOS client connects, access external but not internal network

Post by wolftech » Fri Jul 14, 2017 8:24 pm

I have a Debian 9 OpenVPN server running well. My Windows 10 OpenVPN client works perfectly: it has full access to the internal network (can access internal servers via ssh and http/s) and external sites (can access any website, external servers via ssh). My iOS clients (iPhone, iOS 10.3.2 and iPad, iOS 10.3.2), however, cannot access the internal network. They can access external resources via http/s and ssh, but not the internal network by IP address or hostname. The ovpn files are identical except for the keys and certs. I've played with the OpenVPN iOS configuration, but have not found any combo that can get me to my internal network on iOS.

<server.conf>
local 192.168.1.30
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

<iOS and Win ovpn>
client
dev tun
proto udp
remote my.server.hostname 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
<ca>
--my inline ca--
</ca>
<cert>
-- my inline client cert--
</cert>
<key>
--my inline client key --
</key>

I'm using ufw. Here's its status:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
1194/udp (v6)              ALLOW       Anywhere (v6)

and added to the before.rules:
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the OpenVPN client subnet (10.8.0.0/24, as set by the
# 'server' directive) when it leaves via ens192; /8 would NAT all of 10.0.0.0/8
-A POSTROUTING -s 10.8.0.0/24 -o ens192 -j MASQUERADE
COMMIT

and to the ufw default file:
DEFAULT_FORWARD_POLICY="ACCEPT"

<sysctl.conf>
net.ipv4.ip_forward=1

Hoping someone has found the right recipe for iOS to get access to the internal network.

simon_lefisch
OpenVpn Newbie
Posts: 4
Joined: Mon Jul 10, 2017 12:01 am

Re: iOS client connects, access external but not internal network

Post by simon_lefisch » Fri Jul 14, 2017 8:29 pm

wolftech wrote: I have a Debian 9 OpenVPN server running well. [...] Hoping someone has found the right recipe for iOS to get access to the internal network.
You need to push routes to your internal network. Add something like below to server.conf:

push "route 192.168.1.0 255.255.255.0"

Or whatever your LAN is.
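As an added illustration (this is example code written for this thread, not code from the poster or from the OpenVPN project), the check below parses a server.conf together with the ufw before.rules NAT block and sysctl setting from the original post and reports what is missing for VPN clients to reach a given LAN: the pushed route the reply asks for, a MASQUERADE rule whose source is wider than (or does not cover) the subnet from the `server` directive, a mismatched outbound interface, and a disabled ip_forward. The sample inputs are constructed from the thread's configuration; the LAN 192.168.1.0/24 and the interface name ens192 are the ones the thread uses, and the function names are this example's own.

```python
"""Audit an OpenVPN server setup for LAN reachability from VPN clients.

Added example for the forum thread above; not code from the poster or OpenVPN.
Sample inputs are constructed to mirror the thread's configuration.
"""
import ipaddress
import re
import shlex

# Constructed sample: the thread's server.conf, trimmed to the routing-relevant lines.
SERVER_CONF_ORIGINAL = """\
local 192.168.1.30
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
"""
# Same config with the route push from the reply added.
SERVER_CONF_FIXED = SERVER_CONF_ORIGINAL + 'push "route 192.168.1.0 255.255.255.0"\n'

# Constructed sample: the NAT block as posted (/8) and a tightened version (/24).
BEFORE_RULES_ORIGINAL = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o ens192 -j MASQUERADE
COMMIT
"""
BEFORE_RULES_FIXED = BEFORE_RULES_ORIGINAL.replace("10.8.0.0/8", "10.8.0.0/24")
SYSCTL_CONF = "net.ipv4.ip_forward=1\n"

NAT_RULE = re.compile(r"-A\s+POSTROUTING\s+.*?-s\s+(\S+)\s+.*?-o\s+(\S+)\s+.*?-j\s+MASQUERADE")


def parse_openvpn_conf(text):
    """Return (directive, args) pairs; comments and inline <ca>/<cert>/<key> blocks are skipped."""
    directives, in_inline = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_inline = False
            continue
        if line.startswith("<"):
            in_inline = True
            continue
        if in_inline:
            continue
        parts = shlex.split(line)  # keeps 'route 192.168.1.0 255.255.255.0' as one quoted arg
        directives.append((parts[0], parts[1:]))
    return directives


def vpn_subnet(directives):
    """The client pool from the 'server <net> <mask>' directive, or None."""
    for name, args in directives:
        if name == "server" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return None


def pushed_routes(directives):
    """Networks announced to clients via push "route <net> <mask>"."""
    routes = []
    for name, args in directives:
        if name == "push" and args and args[0].startswith("route "):
            parts = args[0].split()
            if len(parts) >= 3:
                routes.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return routes


def masquerade_rules(rules_text):
    """(source network, out interface) for each POSTROUTING MASQUERADE rule."""
    return [(ipaddress.ip_network(m.group(1), strict=False), m.group(2))
            for line in rules_text.splitlines() if (m := NAT_RULE.search(line))]


def ip_forward_enabled(sysctl_text):
    for line in sysctl_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "net.ipv4.ip_forward":
                return value == "1"
    return False


def audit(server_conf, before_rules, sysctl_conf, lan_cidr, wan_iface):
    """Return a list of findings; an empty list means nothing is missing for reaching lan_cidr."""
    lan = ipaddress.ip_network(lan_cidr)
    directives = parse_openvpn_conf(server_conf)
    findings = []
    vpn = vpn_subnet(directives)
    if vpn is None:
        return ["no 'server' directive: cannot determine the VPN client subnet"]
    if not any(lan.subnet_of(r) for r in pushed_routes(directives)):
        findings.append(f'no push "route" covers {lan}; add: push "route {lan.network_address} {lan.netmask}"')
    nat = masquerade_rules(before_rules)
    if not nat:
        findings.append("no POSTROUTING MASQUERADE rule for VPN clients")
    for src, iface in nat:
        if not vpn.subnet_of(src):
            findings.append(f"MASQUERADE source {src} does not cover VPN subnet {vpn}")
        elif src != vpn:
            findings.append(f"MASQUERADE source {src} is wider than VPN subnet {vpn}; tighten to -s {vpn}")
        if iface != wan_iface:
            findings.append(f"MASQUERADE rule uses -o {iface}, expected {wan_iface}")
    if not ip_forward_enabled(sysctl_conf):
        findings.append("net.ipv4.ip_forward is not 1")
    return findings


if __name__ == "__main__":
    for label, conf, rules in (("original", SERVER_CONF_ORIGINAL, BEFORE_RULES_ORIGINAL),
                               ("fixed", SERVER_CONF_FIXED, BEFORE_RULES_FIXED)):
        print(label, audit(conf, rules, SYSCTL_CONF, "192.168.1.0/24", "ens192") or ["ok"])
```

Run against the posted configuration it reports the missing route push and the over-broad /8 NAT source; with the route pushed and the source tightened to the `server` subnet it reports nothing.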

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: iOS client connects, access external but not internal network

Post by TinCanTech » Fri Jul 14, 2017 10:02 pm

Yeah .. and Pray !

wolftech
OpenVpn Newbie
Posts: 2
Joined: Fri Jul 14, 2017 7:50 pm

Re: iOS client connects, access external but not internal network

Post by wolftech » Mon Jul 24, 2017 3:54 pm

Thanks! That was the missing piece to the puzzle -- not saying that the praying didn't help, too. I can now SSH and reach local http/s servers on both platforms.
