iOS Route - Ping But Not SSH LAN Devices ?

HeyRob
OpenVpn Newbie
Posts: 2
Joined: Sun Feb 02, 2020 1:25 pm

Post by HeyRob » Sun Feb 02, 2020 1:36 pm

Hello All,

I recently switched from Android to Apple, and am having issues with a particular ovpn profile that I would like to route ONLY the ovpn server LAN (10.0.0.0 255.255.255.0)... On Android, the following server/client config works perfectly... I could ping, SSH, etc. to any device on the 10.0.0.0 network. On iOS, I can only ping LAN devices on 10.0.0.0, and all SSH connections fail. It's the weirdest thing.

Server config:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/os_4f1e607b-8e41-4f87-acd5-175baa21cef1.crt
key /etc/openvpn/easy-rsa/pki/private/os_4f1e607b-8e41-4f87-acd5-175baa21cef1.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.0.0.100"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3

Client config:

client
dev tun
proto udp
remote server port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name os_4f1e607b-8e41-4f87-acd5-175baa21cef1 name
cipher AES-256-CBC
auth SHA256
auth-nocache
route-nopull
route 10.0.0.0 255.255.255.0
verb 3
<ca>
OVPN Client Logs:

2020-02-02 08:43:02 1

2020-02-02 08:43:02 ----- OpenVPN Start -----
OpenVPN core 3.git::2ae73415 ios arm64 64-bit PT_PROXY built on Dec  2 2019 14:44:28

2020-02-02 08:43:02 OpenVPN core 3.git::2ae73415 ios arm64 64-bit PT_PROXY built on Dec  2 2019 14:44:28

2020-02-02 08:43:02 Frame=512/2048/512 mssfix-ctrl=1250

2020-02-02 08:43:02 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
10 [verify-x509-name] [DietPi_4f1e607b-8e41-4f87-acd5-175baa21cef1] [name] 
13 [auth-nocache] 
16 [verb] [3] 

2020-02-02 08:43:02 EVENT: RESOLVE

2020-02-02 08:43:02 Contacting [2607:7700:0:2f:0:1:498b:d57f]:1194/UDP via UDP

2020-02-02 08:43:02 EVENT: WAIT

2020-02-02 08:43:02 Connecting to [hostname]:1194 (2607:7700:0:2f:0:1:498b:d57f) via UDPv6

2020-02-02 08:43:02 EVENT: CONNECTING

2020-02-02 08:43:02 Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client

2020-02-02 08:43:02 Creds: UsernameEmpty/PasswordEmpty

2020-02-02 08:43:02 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.1.1-2819
IV_VER=3.git::2ae73415
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_IPv6=0
IV_AUTO_SESS=1


2020-02-02 08:43:02 VERIFY OK : depth=1
cert. version     : 3
serial number     : 5B:8D:DB:C0:AE:8B:45:A7:45:21:C5:1A:3F:8F:78:6C:CD:4F:BD:A8
issuer name       : CN=ChangeMe
subject name      : CN=ChangeMe
issued  on        : 2019-10-24 21:40:06
expires on        : 2029-10-21 21:40:06
signed using      : ECDSA with SHA256
EC key size       : 256 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign


2020-02-02 08:43:02 VERIFY OK : depth=0
cert. version     : 3
serial number     : F2:1F:87:A0:A0:9D:AF:A8:01:C7:9E:7D:F5:8A:41:F6
issuer name       : CN=ChangeMe
subject name      : CN=DietPi_4f1e607b-8e41-4f87-acd5-175baa21cef1
issued  on        : 2019-10-24 21:40:06
expires on        : 2029-10-21 21:40:06
signed using      : ECDSA with SHA256
EC key size       : 256 bits
basic constraints : CA=false
subject alt name  : DietPi_4f1e607b-8e41-4f87-acd5-175baa21cef1
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication


2020-02-02 08:43:02 SSL Handshake: TLSv1.2/TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

2020-02-02 08:43:02 Session is ACTIVE

2020-02-02 08:43:02 EVENT: GET_CONFIG

2020-02-02 08:43:02 Sending PUSH_REQUEST to server...

2020-02-02 08:43:03 Ignored due to route-nopull: [dhcp-option] [DNS] [10.0.0.100] 

2020-02-02 08:43:03 Ignored due to route-nopull: [redirect-gateway] [def1] 

2020-02-02 08:43:03 OPTIONS:
0 [route] [10.0.0.0] [255.255.255.0] 
1 [block-outside-dns] 
2 [route-gateway] [10.8.0.1] 
3 [topology] [subnet] 
4 [ping] [1800] 
5 [ping-restart] [3600] 
6 [ifconfig] [10.8.0.2] [255.255.255.0] 
7 [peer-id] [0] 
8 [cipher] [AES-256-GCM] 
9 [block-ipv6] 


2020-02-02 08:43:03 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA256
  compress: NONE
  peer ID: 0

2020-02-02 08:43:03 EVENT: ASSIGN_IP

2020-02-02 08:43:03 NIP: preparing TUN network settings

2020-02-02 08:43:03 NIP: init TUN network settings with endpoint: 2607:7700:0:2f:0:1:498b:d57f

2020-02-02 08:43:03 NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0

2020-02-02 08:43:03 NIP: adding (included) IPv4 route 10.8.0.0/24

2020-02-02 08:43:03 NIP: adding (included) IPv4 route 10.0.0.0/24

2020-02-02 08:43:03 NIP: blocking all IPv6 traffic

2020-02-02 08:43:03 Connected via NetworkExtensionTUN

2020-02-02 08:43:03 EVENT: CONNECTED hostname via /UDPv6 on NetworkExtensionTUN/10.8.0.2/ gw=[/]

2020-02-02 08:43:10 EVENT: DISCONNECTED
As I said, I can ping devices on my LAN network (10.0.0.0), but cannot SSH to them. I have also reviewed sshd logs on the LAN hosts: there are no connection attempts arriving at the SSH daemons. I can also successfully route all of my traffic through the VPN, as well as connect via SSH to LAN devices, if I do not use route-nopull in the client config. Any help would be greatly appreciated!
Last edited by Pippin on Mon Feb 03, 2020 2:43 pm, edited 1 time in total.
Reason: Formatting

Pippin
Forum Team
Posts: 612
Joined: Wed Jul 01, 2015 8:03 am

Re: iOS Route - Ping But Not SSH LAN Devices ?

Post by Pippin » Sun Feb 02, 2020 2:00 pm

Take a look at --pull-filter accept|ignore|reject instead of --route-nopull in the 2.4 manual:
https://openvpn.net/community-resources ... envpn-2-4/

HeyRob
OpenVpn Newbie
Posts: 2
Joined: Sun Feb 02, 2020 1:25 pm

Re: iOS Route - Ping But Not SSH LAN Devices ?

Post by HeyRob » Sun Feb 02, 2020 2:06 pm

Thanks for the suggestion Pippin. Related to the issue above, how would I use --pull-filter to alter the behavior to allow SSH to devices on the 10.0.0.0 network (which I can already ping)? Thank you again!

Pippin
Forum Team
Posts: 612
Joined: Wed Jul 01, 2015 8:03 am

Re: iOS Route - Ping But Not SSH LAN Devices ?

Post by Pippin » Mon Feb 03, 2020 2:56 pm

--route-nopull filters more than probably wanted, see after the push request in your client log.

Remove --route-nopull, connect and take a look at the client log after it sends the push request.
Then use --pull-filter to ignore the options you do not want.
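The procedure Pippin describes, worked through as an added illustration (not OpenVPN's own code and not from this thread): the options the server pushes are reconstructed from the client log above, and a small model of the OpenVPN 2.4 manual's --pull-filter semantics (prefix match, first matching filter wins, unmatched options accepted, reject aborts) shows which pushes a selective filter list drops while the ifconfig/route-gateway/topology options that route-nopull affected are kept. The CLIENT_CONFIG fragment is an assumed replacement for the route-nopull line.

```python
"""Model of --pull-filter applied to the pushes seen in this thread's log."""
import shlex
from typing import List, Tuple

# Pushed options, reconstructed from the "Ignored due to route-nopull" lines
# and the OPTIONS list in the iOS client log (constructed sample, not live data).
PUSHED_OPTIONS = [
    "dhcp-option DNS 10.0.0.100",
    "block-outside-dns",
    "redirect-gateway def1",
    "route-gateway 10.8.0.1",
    "topology subnet",
    "ping 1800",
    "ping-restart 3600",
    "ifconfig 10.8.0.2 255.255.255.0",
    "peer-id 0",
    "cipher AES-256-GCM",
    "block-ipv6",
]

# Hypothetical client-side replacement for route-nopull: drop only the
# full-tunnel and DNS pushes; everything else (ifconfig, route-gateway, ...)
# is accepted, so the client-side route to 10.0.0.0/24 has a usable gateway.
CLIENT_CONFIG = """
client
pull-filter ignore "redirect-gateway"
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "block-outside-dns"
route 10.0.0.0 255.255.255.0
"""


def parse_pull_filters(config: str) -> List[Tuple[str, str]]:
    """Collect (action, text) pairs from pull-filter lines, in file order."""
    filters = []
    for line in config.splitlines():
        parts = shlex.split(line, comments=True)  # honours the quoted text
        if len(parts) == 3 and parts[0] == "pull-filter":
            action, text = parts[1], parts[2]
            if action not in ("accept", "ignore", "reject"):
                raise ValueError(f"bad pull-filter action: {action}")
            filters.append((action, text))
    return filters


def apply_pull_filters(pushed, filters):
    """Return (accepted, ignored); first matching filter wins, no match
    means accept, and a reject match aborts like the real client does."""
    accepted, ignored = [], []
    for opt in pushed:
        action = next((a for a, t in filters if opt.startswith(t)), "accept")
        if action == "reject":
            raise RuntimeError(f"Offending option received from server: {opt}")
        (accepted if action == "accept" else ignored).append(opt)
    return accepted, ignored
```

Running the model yields three ignored pushes (the DNS option, block-outside-dns and redirect-gateway) and eight accepted ones, which is what the client log should show after the push request once route-nopull is replaced by these filters.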
