
OpenVPN 3.0.2 (894) and iOS 12.1 - dhcp-option PROXY_AUTO_CONFIG_URL not working

Posted: Wed Nov 07, 2018 7:52 am
by comphilip
OpenVPN Connect Version: 3.0.2 (894)
iOS Version: 12.1 (16B92)

OpenVPN Server config:

Code:

push "dhcp-option PROXY_AUTO_CONFIG_URL http://proxy.example.com/wpad.dat"
push "dhcp-option DNS 172.30.80.1"
push "dhcp-option DOMAIN example.com"
push "route 172.30.0.0 255.255.0.0 vpn_gateway"

After the connection is established, the routes and DNS options work well. I can open http://proxy.example.com/wpad.dat in Safari.
But Safari does not use the rules in http://proxy.example.com/wpad.dat. The same rules work well in the Wi-Fi proxy configuration.

OpenVPN Connect Log:

Code:

2018-11-07 13:58:01 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct  3 2018 06:35:04
2018-11-07 13:58:01 Frame=512/2048/512 mssfix-ctrl=1250
2018-11-07 13:58:01 UNUSED OPTIONS
1 [nobind]
2018-11-07 13:58:01 EVENT: RESOLVE
2018-11-07 13:58:01 Contacting [192.168.30.2]:1194/UDP via UDP
2018-11-07 13:58:01 EVENT: WAIT
2018-11-07 13:58:01 Connecting to [abc.3322.org]:1194 (192.168.30.2) via UDPv4
2018-11-07 13:58:01 EVENT: CONNECTING
2018-11-07 13:58:01 Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2018-11-07 13:58:01 Creds: UsernameEmpty/PasswordEmpty
2018-11-07 13:58:01 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
IV_BS64DL=1

2018-11-07 13:58:01 VERIFY OK : depth=0
cert. version    : 3
serial number    : 01
issuer name      : CN=abc.3322.org
subject name      : CN=abc.3322.org
issued  on        : 2017-06-23 14:50:28
expires on        : 2027-06-21 14:50:28
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication

2018-11-07 13:58:01 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2018-11-07 13:58:01 Session is ACTIVE
2018-11-07 13:58:01 EVENT: GET_CONFIG
2018-11-07 13:58:01 Sending PUSH_REQUEST to server...
2018-11-07 13:58:01 OPTIONS:
0 [route] [192.168.254.1]
1 [topology] [net30]
2 [ping] [10]
3 [ping-restart] [60]
4 [dhcp-option] [PROXY_AUTO_CONFIG_URL] [http://proxy.example.com/wpad.dat]
5 [dhcp-option] [DNS] [172.30.80.1]
6 [dhcp-option] [DOMAIN] [example.com]
7 [route] [172.30.0.0] [255.255.0.0] [vpn_gateway]
8 [ifconfig] [192.168.254.6] [192.168.254.5]
9 [peer-id] [0]
10 [cipher] [AES-256-GCM]

2018-11-07 13:58:01 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA1
  compress: NONE
  peer ID: 0
2018-11-07 13:58:01 EVENT: ASSIGN_IP
2018-11-07 13:58:01 NIP: preparing TUN network settings
2018-11-07 13:58:01 NIP: init TUN network settings with endpoint: 192.168.30.2
2018-11-07 13:58:01 NIP: adding IPv4 address to network settings 192.168.254.6/255.255.255.252
2018-11-07 13:58:01 NIP: adding (included) IPv4 route 192.168.254.4/30
2018-11-07 13:58:01 NIP: adding (included) IPv4 route 192.168.254.1/32
2018-11-07 13:58:01 NIP: adding (included) IPv4 route 172.30.0.0/16
2018-11-07 13:58:01 NIP: adding DNS 172.30.80.1
2018-11-07 13:58:01 NIP: adding match domain example.com
2018-11-07 13:58:01 NIP: setting proxy auto-config URL to http://proxy.example.com/wpad.dat
2018-11-07 13:58:01 NIP: adding DNS specific routes:
2018-11-07 13:58:01 NIP: adding (included) IPv4 route 172.30.80.1/32
2018-11-07 13:58:01 Connected via NetworkExtensionTUN
2018-11-07 13:58:01 EVENT: CONNECTED abc.3322.org:1194 (192.168.30.2) via /UDPv4 on NetworkExtensionTUN/192.168.254.6/ gw=[/]

Re: OpenVPN 3.0.2 (894) and iOS 12.1 - dhcp-option PROXY_AUTO_CONFIG_URL not working

Posted: Fri Dec 28, 2018 4:51 am
by comphilip
I finally found out where the problem is.

dhcp-option proxy settings only work with redirect-gateway def1. It seems to be due to an iOS limitation: iOS only accepts proxy settings if the VPN routes all traffic.

I removed redirect-gateway def1 and set a whitelist in the .pac file, hoping that only sites in the whitelist route via the VPN.
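
A check for the condition described in this thread, run over the OPTIONS block of an OpenVPN Connect log: it reports proxy dhcp-options that were pushed without a pushed redirect-gateway. This is an added example, not part of the original posts or of OpenVPN's code. The function names are hypothetical, and it assumes a pushed redirect-gateway would be logged in the same numbered `[name] [args]` form as the other options; a redirect-gateway set only in the client profile is not visible to it.

```python
import re

# Lines copied from the OPTIONS block of the log in the first post.
SAMPLE_LOG = """\
2018-11-07 13:58:01 OPTIONS:
0 [route] [192.168.254.1]
1 [topology] [net30]
4 [dhcp-option] [PROXY_AUTO_CONFIG_URL] [http://proxy.example.com/wpad.dat]
5 [dhcp-option] [DNS] [172.30.80.1]
7 [route] [172.30.0.0] [255.255.0.0] [vpn_gateway]
8 [ifconfig] [192.168.254.6] [192.168.254.5]
2018-11-07 13:58:01 PROTOCOL OPTIONS:
"""

# "<date> <time> OPTIONS:" opens the pushed-options block; the
# "PROTOCOL OPTIONS:" and "UNUSED OPTIONS" headers must not match.
HEADER = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d OPTIONS:\s*$")
OPTION_LINE = re.compile(r"^\d+\s+(\[.*\])\s*$")


def pushed_options(log_text):
    """Return each pushed option as a list of tokens, e.g. ['topology', 'net30']."""
    options, in_block = [], False
    for line in log_text.splitlines():
        if HEADER.match(line):
            in_block = True
            continue
        m = OPTION_LINE.match(line) if in_block else None
        if not m:
            in_block = False  # blank line or next log entry ends the block
            continue
        options.append(re.findall(r"\[([^\]]*)\]", m.group(1)))
    return options


def check_proxy_push(log_text):
    """Summarise pushed proxy options and whether the push makes a full tunnel."""
    opts = pushed_options(log_text)
    proxy = [o for o in opts
             if o[0] == "dhcp-option" and len(o) > 1 and o[1].startswith("PROXY_")]
    full_tunnel = any(o[0] == "redirect-gateway" for o in opts)
    return {
        "proxy_options": proxy,
        "full_tunnel": full_tunnel,
        # Condition reported in the thread: proxy pushed on a split tunnel.
        "proxy_likely_ignored": bool(proxy) and not full_tunnel,
    }


if __name__ == "__main__":
    print(check_proxy_push(SAMPLE_LOG))
```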