
Problems with iOS client - only partially working

Posted: Wed Mar 10, 2021 11:27 am
by chkk1963
Hi,

I have set up an OpenVPN server in my home LAN on a Ubuntu VM. OpenVPN version is "2.4.7-1ubuntu2", Ubuntu version is "20.04.2 LTS".

My router's (Unifi USG) WAN is connected to a fiber provider ("Deutsche Glasfaser") where only the IPv6 is directly accessible (there is a public IPv4, but this is from a carrier-grade NAT range not reachable from the internet) and OpenVPN is set up with IPv6 support. So I opened port 1194 for UDP in the router's firewall to the public IPv6 address of my OpenVPN server and registered the IPv6 address with a DynDNS provider.

OpenVPN client (iPhone not connected to LAN but to 4G with IPv6 address) connects immediately and some things work as expected:
  • I can ping all the servers on my internal network from the iPhone using their IPv4 addresses
  • I can SSH into the hosts where SSH is available
  • I can also ping the IP of the connected iOS client from my servers
So it looks like routes are pushed from the iOS client's 10.8 address to my 192.168.0.0 local network. But there are a lot of things not working as expected:
  • I cannot open a web site hosted on one of my local servers
  • I cannot RDP into one of my Windows servers (telnet to port 3389 on the same server works, so I can reach the server/port, just no response)
  • And what is really strange: I have an iPerf3 server running on one of my VMs which I use for intranet performance measurements. The OpenVPN client can upload to the iPerf3 server with no problems with the expected line speed but cannot download (no error, just a rate of 0 bytes). And I can ping the iOS client from the server running iPerf3
All above works fine when the iPhone is directly connected to my local network.

This is my OpenVPN server.conf file:

Server Config

port 1194
proto udp6
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_DMmF4CvEG4i12glA.crt
key server_DMmF4CvEG4i12glA.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
#push "route 192.168.0.0 255.255.255.0"
client-to-client


I also had a 'push "route 192.168.0.0 255.255.255.0"' originally in the conf - it makes no difference, all of the above is still working / not working as before.

IP forwarding is enabled on the server running OpenVPN and routing between tun0 / eth0 enabled:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
I have also checked my LAN firewall rules to check if anything was logged as blocked for 10.8.0.* - all fine.

Any suggestions / ideas?

Chris
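A check that is not part of the original post: the pattern described above (ping and SSH fine, while HTTP, RDP and a bulk iPerf3 transfer stall in one direction) is one that commonly comes from a path-MTU problem on a UDP tunnel, because the small packets of an interactive session fit under the usable MTU while full-size segments do not. The script below is an added example, not something the poster ran; it assumes a Linux host with iputils ping (`-M do` sets the don't-fragment bit, `-4`/`-6` select the address family) and a reachable target, for instance running it on the OpenVPN server against the client's 10.8.0.x address and, separately, against a LAN host. The host names, size bounds and the `--probe` flag are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the forum post): find the largest ICMP payload that
# crosses a path without fragmentation, to look for a path-MTU problem.
# Assumes Linux iputils ping (-M do = set DF, -4/-6 = address family).

# Convert a link MTU into the ping payload size that fills it exactly:
# subtract the IP header (20 bytes for IPv4, 40 for IPv6) and the 8-byte
# ICMP echo header. Example: an MTU of 1500 over IPv4 gives 1472.
icmp_payload_for_mtu() {
    mtu=$1
    family=$2
    case "$family" in
        4) echo $((mtu - 20 - 8)) ;;
        6) echo $((mtu - 40 - 8)) ;;
        *) echo "unknown address family: $family" >&2; return 1 ;;
    esac
}

# Inverse: given the largest payload that got through, report the path MTU.
mtu_from_icmp_payload() {
    payload=$1
    family=$2
    case "$family" in
        4) echo $((payload + 20 + 8)) ;;
        6) echo $((payload + 40 + 8)) ;;
        *) echo "unknown address family: $family" >&2; return 1 ;;
    esac
}

# Binary-search the largest payload ping can deliver with DF set.
# Usage: probe_pmtu <host> <family 4|6> [low] [high]
# Prints the largest payload that was answered (0 if none was).
probe_pmtu() {
    host=$1
    family=$2
    low=${3:-500}
    high=${4:-1500}
    if [ "$family" = 6 ]; then pingcmd="ping -6"; else pingcmd="ping -4"; fi
    best=0
    while [ "$low" -le "$high" ]; do
        mid=$(( (low + high) / 2 ))
        # One echo request, 2 s timeout, DF bit set, payload of $mid bytes.
        if $pingcmd -c 1 -W 2 -M do -s "$mid" "$host" >/dev/null 2>&1; then
            best=$mid
            low=$((mid + 1))
        else
            high=$((mid - 1))
        fi
    done
    echo "$best"
}

# Only probe the network when invoked explicitly:
#   sh pmtu-probe.sh --probe 10.8.0.2 4      (placeholder client address)
#   sh pmtu-probe.sh --probe 192.168.0.10 4  (placeholder LAN host)
if [ "${1:-}" = "--probe" ]; then
    target=${2:?target host required}
    fam=${3:-4}
    payload=$(probe_pmtu "$target" "$fam")
    echo "largest unfragmented ICMP payload to $target: $payload bytes"
    echo "implied path MTU: $(mtu_from_icmp_payload "$payload" "$fam") bytes"
fi
```

Compare the value measured across the tunnel with the value measured on the LAN side. If the tunnel path reports a noticeably smaller MTU, OpenVPN's `mssfix` and `tun-mtu` directives (both existing OpenVPN options; the right values depend on the measured path, which is why this probe comes first) are the settings to review in the server config.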

Re: Problems with iOS client - only partially working

Posted: Wed Mar 10, 2021 11:36 am
by Pippin
Please do not triple post!

I have deleted the other two.
Thanks.