VPN & Intranet okay / no regular Internet over VPN

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Maverick
OpenVpn Newbie
Posts: 3
Joined: Sat May 04, 2013 8:38 am

VPN & Intranet okay / no regular Internet over VPN

Post by Maverick » Sat May 04, 2013 8:57 am

After 4 hours working on this problem I decided to give up.

I want to connect with my iPAD from my network into the network of my university. I got this working and I can access the Intranet just fine but not the regular www.

The university forces everybody in their network to use their own proxy like http://proxy.zzz.com ....

I tried all possible settings in my iPAD WiFi settings but I simply don't get it working.

The regular www works fine on my Macs and my Windows Computer but not on my iPAD.

Is there anything I could do?

In the OS X settings I can see that the "Search Domain" changes to zzz.com and the two DNS servers from my ISP are replaced with two IPs from the University. On my iPAD nothing changes. I tried entering the numbers by hand but no luck.

I got so far but now I have no idea what else I could do!

Code:

client
dev tun
proto udp
remote vpn-gw.charite.de 1194
remote 193.175.73.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 client.p12
comp-lzo
verb 3
reneg-sec 3600
auth-user-pass
script-security 2
explicit-exit-notify
mute-replay-warnings
ns-cert-type server
<ca>
XXX
</ca>

So intranet.charite.de works, accessing my local router (192.168.1.1) works but no google.com ...

Thank You!

Crisxs
OpenVpn Newbie
Posts: 3
Joined: Sat May 04, 2013 11:29 am

Re: VPN & Intranet okay / no regular Internet over VPN

Post by Crisxs » Sat May 04, 2013 11:52 am

Hello!
I also have the same problem: I can connect from my iPhone client to the server using VPN and access the router 192.168.1.1, but I cannot use the router's internet on the VPN client. I don't know what to do next.
This is my server config:

Code:

local 192.168.1.1
port 1194
proto udp
dev tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/Server.crt
key  /etc/openvpn/keys/Server.key # This file should be kept secret
dh   /etc/openvpn/keys/dh.pem
server 10.8.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
topology subnet
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-128-CBC 
comp-lzo
max-clients 5
persist-key
persist-tun
verb 6
--script-security 2
--mute-replay-warnings

iptables -L -t nat:

Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
prerouting_rule  all  --  anywhere             anywhere            
zone_lan_prerouting  all  --  anywhere             anywhere            
zone_wan_prerouting  all  --  anywhere             anywhere            

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
postrouting_rule  all  --  anywhere             anywhere            
zone_lan_nat  all  --  anywhere             anywhere            
zone_wan_nat  all  --  anywhere             anywhere            

Chain nat_reflection_in (1 references)
target     prot opt source               destination         
DNAT       tcp  --  192.168.1.0/24       x.x.x.x  tcp dpt:openvpn /* wan */ to:192.168.1.1:1194
DNAT       udp  --  192.168.1.0/24       x.x.x.x  udp dpt:openvpn /* wan */ to:192.168.1.1:1194

Chain nat_reflection_out (1 references)
target     prot opt source               destination         
SNAT       tcp  --  192.168.1.0/24       lan          tcp dpt:openvpn /* wan */ to:192.168.1.1
SNAT       udp  --  192.168.1.0/24       lan          udp dpt:openvpn /* wan */ to:192.168.1.1

Chain postrouting_rule (1 references)
target     prot opt source               destination         
nat_reflection_out  all  --  anywhere             anywhere            

Chain prerouting_rule (1 references)
target     prot opt source               destination         
nat_reflection_in  all  --  anywhere             anywhere            

Chain zone_lan_nat (1 references)
target     prot opt source               destination         

Chain zone_lan_prerouting (1 references)
target     prot opt source               destination         

Chain zone_wan_nat (1 references)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            

Chain zone_wan_prerouting (1 references)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere             tcp dpt:openvpn to:192.168.1.1:1194
DNAT       udp  --  anywhere             anywhere             udp dpt:openvpn to:192.168.1.1:1194

ifconfig command:

Code:

br-lan    Link encap:Ethernet  HWaddr ?
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr:? Scope:Link
          inet6 addr: ? Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2500 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2556 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:323731 (316.1 KiB)  TX bytes:1317957 (1.2 MiB)

eth0      Link encap:Ethernet  HWaddr ?
          inet6 addr: ? Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6465 errors:0 dropped:2 overruns:59550 frame:0
          TX packets:7000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1436401 (1.3 MiB)  TX bytes:2000491 (1.9 MiB)
          Interrupt:4 

eth0.1    Link encap:Ethernet  HWaddr ?
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2440 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2533 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:318963 (311.4 KiB)  TX bytes:1311282 (1.2 MiB)

eth0.2    Link encap:Ethernet  HWaddr ?
          inet6 addr: ? Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4020 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4060 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:999199 (975.7 KiB)  TX bytes:449066 (438.5 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:68 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:5970 (5.8 KiB)  TX bytes:5970 (5.8 KiB)

pppoe-wan Link encap:Point-to-Point Protocol  
          inet addr:?  P-t-P:10.0.0.1  Mask:255.255.255.255
          inet6 addr: ? Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:2301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2502 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:891322 (870.4 KiB)  TX bytes:346922 (338.7 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.1.1  P-t-P:10.8.1.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:83 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:8088 (7.8 KiB)  TX bytes:9228 (9.0 KiB)

wlan0     Link encap:Ethernet  HWaddr ?  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:58 errors:0 dropped:0 overruns:0 frame:0
          TX packets:639 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5568 (5.4 KiB)  TX bytes:256458 (250.4 KiB)

Thanks!

Crisxs
OpenVpn Newbie
Posts: 3
Joined: Sat May 04, 2013 11:29 am

Re: VPN & Intranet okay / no regular Internet over VPN

Post by Crisxs » Mon May 06, 2013 8:33 am

I finally managed to solve the problem and now everything works. I have created a new network interface, vpn, which is connected to tun0, and I have assigned it the firewall zone of the lan. The protocol for this new interface is unmanaged. Btw, for my router I am using OpenWrt.
This is the server configuration:

Code:

local 192.168.1.1
port 1194
proto udp
dev tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key 
dh   /etc/openvpn/keys/dh.pem
server 10.8.1.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
max-clients 5
persist-key
persist-tun
verb 3
--script-security 2
--mute-replay-warnings
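
Added example (not part of Crisxs's post): the interface and zone assignment described above, written as OpenWrt UCI configuration. The `option ifname` syntax is the one used by OpenWrt releases of that period (newer releases use `option device`), and the stock `lan` to `wan` forwarding section is assumed to be present.

```uci
# /etc/config/network
# Unmanaged (proto 'none') logical interface bound to the OpenVPN tun device,
# so that the firewall can attach tun0 to a zone.
config interface 'vpn'
	option ifname 'tun0'
	option proto 'none'

# /etc/config/firewall
# Add the new 'vpn' network to the existing lan zone.
config zone
	option name 'lan'
	option network 'lan vpn'
	# input/output/forward policies of the existing zone stay unchanged

# Assumed stock lan -> wan forwarding. With tun0 in zone 'lan', traffic from
# 10.8.1.0/24 is forwarded to wan and hits the MASQUERADE rule in zone_wan_nat.
config forwarding
	option src 'lan'
	option dest 'wan'
```

Placing tun0 in the lan zone gives VPN clients the same firewall trust as wired LAN hosts. A separate zone with its own forwarding to wan is the tighter choice when clients only need internet access.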

Maverick
OpenVpn Newbie
Posts: 3
Joined: Sat May 04, 2013 8:38 am

Re: VPN & Intranet okay / no regular Internet over VPN

Post by Maverick » Thu May 09, 2013 2:25 am

My problem is: I can't change the server config ...

It is all managed by my University.

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: VPN & Intranet okay / no regular Internet over VPN

Post by jamesyonan » Wed May 22, 2013 5:31 pm

Maverick,

Make sure to import client.p12 as a separate step into the iOS keychain.

Have you tried this with the new 1.0.1 iOS client?

If it still doesn't work, can you post the iOS log file?

James

Ablaze
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 04, 2013 8:56 pm

Re: VPN & Intranet okay / no regular Internet over VPN

Post by Ablaze » Tue Jun 04, 2013 9:09 pm

I think I've got the exact same problem as Maverick as I'm trying to connect to the same university. ;)

I have converted the P12 file to three PEM files and added them to the OVPN file.
The connection itself works OK, but I can't open any webpages in Safari, not even if I manually add the proxy.

Pages don't load at all (I haven't tried with intranet servers yet), not even for a second and there is no error message either.

Therefore my guess would be that there is something wrong with some certificate which iOS doesn't trust.
To me that looks like a good explanation why Safari refuses to open ANY webpage while connected to the VPN...

I have tried to import the P12 file (by opening it as an email attachment) - but then I am prompted for a password which I don't have.
Btw, extracting the PEM files didn't require a password (well, an empty one to be exact, but that didn't work for importing the certificate into the keychain).

Any suggestion?
Thanks.

Ablaze
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 04, 2013 8:56 pm

Re: VPN & Intranet okay / no regular Internet over VPN

Post by Ablaze » Wed Nov 12, 2014 5:33 pm

Any ideas, anyone? I haven't tried anything since my last post; have there been improvements in the iOS client?
Thanks.
