iOS: tun_builder_route_error: only tunnel routes supported [

[LtsGH]

folks,
i run into an issue with configuring the client on iOS.

I got 2 networks that I wanna reach behind a tun.
i do not have i-access, so only 2 networks are reachable.

the same config works in win/unix.

after I get pushed the routes I see that error message and the client disconnects.
tun_builder_route_error: only tunnel routes supported [ERR]

+++++++++++++++++++++++++++++++
here is my config:
client
proto tcp
dev tun
remote <ip address> <port>

tls-client

ca cacert.pem
cert <cert>.pem
key <key>.key
cipher AES-128-CBC

resolv-retry infinite
ping-restart 10
persist-tun
up-restart
no-replay

pull
tun-mtu 1500
comp-lzo
explicit-exit-notify 2
fragment 1390

verb 6
mute 2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
and here is the log:

2013-02-06 15:31:24 ----- OpenVPN Start -----
2013-02-06 15:31:24 LZO-ASYM init swap=0 asym=0
2013-02-06 15:31:24 EVENT: RESOLVE
2013-02-06 15:31:24 EVENT: WAIT
2013-02-06 15:31:24 Connecting to <ip address>:<port> (<ip address>) via TCPv4
2013-02-06 15:31:24 EVENT: CONNECTING
2013-02-06 15:31:24 Tunnel Options:V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2013-02-06 15:31:24 Peer Info:
IV_VER=1.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1

2013-02-06 15:31:25 VERIFY OK: depth=0
cert. version : 3
serial number : 82:B8:1A:03:DF:02:14:AD
issuer name : C=DE, ST=<Region>, L=<City>, O=<domain> GmbH, OU=CA, CN=ca.<domain>.com, emailAddress=admin@<domain>.com
subject name : C=DE, ST=<Region>, L=<City>, O=<domain> GmbH, OU=VPN, CN=vpn.<domain>.com, emailAddress=admin@<domain>.com
issued on : 2007-02-25 08:57:19
expires on : 2017-02-22 08:57:19
signed using : RSA+MD5
RSA key size : 1024 bits

2013-02-06 15:31:25 VERIFY OK: depth=1
cert. version : 3
serial number : 82:B8:1A:03:DF:02:14:97
issuer name : C=DE, ST=<Region>, L=<City>, O=<domain> GmbH, OU=CA, CN=ca.<domain>.com, emailAddress=admin@<domain>.com
subject name : C=DE, ST=<Region>, L=<City>, O=<domain> GmbH, OU=CA, CN=ca.<domain>.com, emailAddress=admin@<domain>.com
issued on : 2006-02-24 18:11:41
expires on : 2016-02-22 18:11:41
signed using : RSA+MD5
RSA key size : 1024 bits

2013-02-06 15:31:25 SSL Handshake: TLSv1.0/SSL-EDH-RSA-AES-256-SHA
2013-02-06 15:31:25 Session is ACTIVE
2013-02-06 15:31:26 EVENT: GET_CONFIG
2013-02-06 15:31:26 Sending PUSH_REQUEST to server...
2013-02-06 15:31:26 OPTIONS:
0 [route] [192.168.168.1]
1 [ping] [10]
2 [ping-restart] [120]
3 [route] [192.168.0.0] [255.255.0.0] [192.168.168.29] [111]
4 [route] [10.0.0.0] [255.0.0.0] [192.168.168.29] [111]
5 [ifconfig] [192.168.168.30] [192.168.168.29]

2013-02-06 15:31:26 LZO-ASYM init swap=0 asym=0
2013-02-06 15:31:26 EVENT: ASSIGN_IP
2013-02-06 15:31:26 TUN Error: tun_builder_error: error parsing IPv4 route: [route] [192.168.0.0] [255.255.0.0] [192.168.168.29] [111] : tun_builder_route_error: only tunnel routes supported
2013-02-06 15:31:26 EVENT: TUN_SETUP_FAILED tun_builder_error: error parsing IPv4 route: [route] [192.168.0.0] [255.255.0.0] [192.168.168.29] [111] : tun_builder_route_error: only tunnel routes supported [ERR]
2013-02-06 15:31:26 EVENT: DISCONNECTED
2013-02-06 15:31:26 Raw stats on disconnect:
BYTES_IN : 3789
BYTES_OUT : 2602
PACKETS_IN : 22
PACKETS_OUT : 35
TUN_SETUP_FAILED : 1
2013-02-06 15:31:26 Performance stats on disconnect:
CPU usage (microseconds): 214319
Network bytes per CPU second: 29820
Tunnel bytes per CPU second: 0
2013-02-06 15:31:26 ----- OpenVPN Stop -----
2013-02-06 15:31:26 EVENT: DISCONNECT_PENDING
2013-02-06 15:31:48 ----- OpenVPN Start -----
2013-02-06 15:31:48 LZO-ASYM init swap=0 asym=0
2013-02-06 15:31:48 EVENT: RESOLVE
2013-02-06 15:31:48 EVENT: WAIT
2013-02-06 15:31:48 Connecting to <ip address>:<port> (<ip address>) via TCPv4
2013-02-06 15:31:48 EVENT: CONNECTING
2013-02-06 15:31:48 Tunnel Options:V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2013-02-06 15:31:48 Peer Info:
IV_VER=1.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1

2013-02-06 15:31:49 VERIFY OK: depth=0
cert. version : 3
serial number : 82:B8:1A:03:DF:02:14:AD
issuer name : C=DE, ST=<Region>, L=<City>, O=<domain> GmbH, OU=CA, CN=ca.<domain>.com, emailAddress=admin@<domain>.com
subject name : C=DE, ST=<Region>, L=<City>, O=<domain> GmbH, OU=VPN, CN=vpn.<domain>.com, emailAddress=admin@<domain>.com
issued on : 2007-02-25 08:57:19
expires on : 2017-02-22 08:57:19
signed using : RSA+MD5
RSA key size : 1024 bits

2013-02-06 15:31:49 VERIFY OK: depth=1
cert. version : 3
serial number : 82:B8:1A:03:DF:02:14:97
issuer name : C=DE, ST=<Region>, L=<City>, O=<domain> GmbH, OU=CA, CN=ca.<domain>.com, emailAddress=admin@<domain>.com
subject name : C=DE, ST=<Region>, L=<City>, O=<domain> GmbH, OU=CA, CN=ca.<domain>.com, emailAddress=admin@<domain>.com
issued on : 2006-02-24 18:11:41
expires on : 2016-02-22 18:11:41
signed using : RSA+MD5
RSA key size : 1024 bits

2013-02-06 15:31:49 SSL Handshake: TLSv1.0/SSL-EDH-RSA-AES-256-SHA
2013-02-06 15:31:49 Session is ACTIVE
2013-02-06 15:31:50 EVENT: GET_CONFIG
2013-02-06 15:31:50 Sending PUSH_REQUEST to server...
2013-02-06 15:31:50 OPTIONS:
0 [route] [192.168.168.1]
1 [ping] [10]
2 [ping-restart] [120]
3 [route] [192.168.0.0] [255.255.0.0] [192.168.168.29] [111]
4 [route] [10.0.0.0] [255.0.0.0] [192.168.168.29] [111]
5 [ifconfig] [192.168.168.30] [192.168.168.29]

2013-02-06 15:31:50 LZO-ASYM init swap=0 asym=0
2013-02-06 15:31:50 EVENT: ASSIGN_IP
2013-02-06 15:31:51 TUN Error: tun_builder_error: error parsing IPv4 route: [route] [192.168.0.0] [255.255.0.0] [192.168.168.29] [111] : tun_builder_route_error: only tunnel routes supported
2013-02-06 15:31:51 EVENT: TUN_SETUP_FAILED tun_builder_error: error parsing IPv4 route: [route] [192.168.0.0] [255.255.0.0] [192.168.168.29] [111] : tun_builder_route_error: only tunnel routes supported [ERR]
2013-02-06 15:31:51 EVENT: DISCONNECTED
2013-02-06 15:31:51 Raw stats on disconnect:
BYTES_IN : 3789
BYTES_OUT : 2602
PACKETS_IN : 22
PACKETS_OUT : 35
TUN_SETUP_FAILED : 1
2013-02-06 15:31:51 Performance stats on disconnect:
CPU usage (microseconds): 218059
Network bytes per CPU second: 29308
Tunnel bytes per CPU second: 0
2013-02-06 15:31:51 ----- OpenVPN Stop -----
2013-02-06 15:31:51 EVENT: DISCONNECT_PENDING

++++++++++++++++++++++++++++++++

Do I miss something on client side?
I do not have access to the server side unfortunately.

I tried the "redirect-gateway def1" thern I dont get the error message, but still no traffic is going through.

Thanks for your help.
LtsGH

[aj montgomery]

Please post your server config.

[LtsGH]

unfortunately I dont have access to it, I just tried to use the same server/client config I used on unix/windows on the Iphone.
any idea what it could be?

thanks! LtsGH

[aj montgomery]

Hard to say without seeing the server config.

[aj montgomery]

Also, I do not believe that "redirect-gateway-def1" is supported in this method. You would need to use "redirect-gateway".

The other thing that I notice is when looking at your log data:
2013-02-06 15:31:50 Sending PUSH_REQUEST to server...
2013-02-06 15:31:50 OPTIONS:
0 [route] [192.168.168.1]
1 [ping] [10]
2 [ping-restart] [120]
3 [route] [192.168.0.0] [255.255.0.0] [192.168.168.29] [111]
4 [route] [10.0.0.0] [255.0.0.0] [192.168.168.29] [111]
5 [ifconfig] [192.168.168.30] [192.168.168.29]

If your iOS device is on a wifi network that uses the 192.168.XXX.XXX format, you may likely be having issues as it appears that your OpenVPN server is trying to impose an IP address as shown in 5 [ifconfig] [192.168.168.30] [192.168.168.29]

It also appears that your server is pushing the parameter ping-restart and you also have it indicated in the client config. You may want to remove it from the client.

In my testing, I found that having more parameters in my client config were actually causing my issues. I removed nearly all of the extraneous parameters from the client config and had more success.

You might want to try eliminating some of the parameters marked between the bold markup tags and try then:

Code: Select all

client
proto tcp
dev tun
remote <ip address> <port>

[b]tls-client[/b]

ca cacert.pem
cert <cert>.pem
key <key>.key
cipher AES-128-CBC

[b]resolv-retry infinite[/b]
[b]ping-restart 10[/b]
[b]persist-tun[/b]
[b]up-restart[/b]
[b]no-replay[/b]

pull
[b]tun-mtu 1500[/b]
comp-lzo
[b]explicit-exit-notify 2[/b]
[b]fragment 1390[/b]

verb 6
mute 2

[aj montgomery]

To me, it really looks like the way that the route parameters are configured on the server are not supported on the iOS client.

[LtsGH]

I do belive it as well that the way the routes are configured causing the issues.
I got a client that will get no routes pushed, but then, how do I configure the client to use the tunnel?
To my knowledge there is no way to include any route statement in the client config. correct? and I did not find any app that would do that for me ... having an un-jailbreaked device for a change.

I will try the redirect gateway, but I dont wanna use the tunnel as default, I only need to reach the 2 networks. but could live with that situation as long as I could reach the destination for a while.

I changed the wireless ip network to make sure that this is not causing the issues, with the same result.

Thanks for ur testing!
could u pls try on ur server to change ur routes that it would look like mine? if u dont mind?

Thanks again!

LtsGH

[LtsGH]

removed all the suggested parameters, same issue, seems that the route format is wrong.
I was looking for kind of release notes or so ... with a kind of config guide, couldnt find any so far.

thanks !
LtsGH

[jamesyonan]

The iOS VPN API doesn't support adding arbitrary routes. Only routes describing subnets to be routed into the tunnel are supported.

Also, in 1.0.1 of the iOS client, support will be added for the "net_gateway" route destination. This will allow specific routes to be excluded from the tunnel.

James

[LtsGH]

Hi James,
those routes are routes that point into the tunnel.
If I leave them out, than no traffic is forwared into the tunnel.

I am not looking for a split-tunnel option here.

so to conclude:
1. with routes pointing to the tunnel no traffic is forwarded
2. without routes, also no traffic is going into the tunnel

is there any client option that I am missing in my config?

Thanks,
LtsGH