Hello,
please excuse my bad English. I am not a native speaker.
I have had OpenVPN running on a Debian router for two years. But after the upgrade from wheezy to jessie I get a connection in the OpenVPN app and I am able to ping from the iPhone to the OpenVPN server. But when I try to ping a name like http://www.google.de I get no response. So I think I have no DNS service.
The error occurs only on iOS devices (iPhone). I also use a Win7 OpenVPN client. It connects to the OpenVPN server with DNS service.
This is my scenario:
iPhone/Win7-Client ----- Internet (tunneled through OpenVPN) ----- Debian-Router/OpenVPN-Server ----- LAN (192.168.1.X)
                                                                            |          |
                                                                           DMZ     WLAN (192.168.4.X)
/var/log/syslog on the Debian-Router/OpenVPN-Server
May 17 22:51:33 router ovpn-server[1043]: MULTI: multi_create_instance called
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 Re-using SSL/TLS context
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 LZO compression initialized
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 Local Options hash (VER=V4): '691e95c7'
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 Expected Remote Options hash (VER=V4): '66096c33'
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 TLS: Initial packet from [AF_INET]80.187.102.115:23366, sid=d9a04708 9786143a
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 VERIFY OK: depth=1, C=DE, ST=BY, L=Munchen, O=Home-VPN, CN=Home-VPN CA, emailAddress=administrator@myfileserver.duck
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 VERIFY OK: depth=0, C=DE, ST=BY, L=Munchen, O=Home-VPN, CN=client1, emailAddress=administrator@myfileserver.duck
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
May 17 22:51:33 router ovpn-server[1043]: 80.187.102.115:23366 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
May 17 22:51:34 router ovpn-server[1043]: 80.187.102.115:23366 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
May 17 22:51:34 router ovpn-server[1043]: 80.187.102.115:23366 [client1] Peer Connection Initiated with [AF_INET]80.187.102.115:23366
May 17 22:51:34 router ovpn-server[1043]: client1/80.187.102.115:23366 MULTI_sva: pool returned IPv4=192.168.10.10, IPv6=(Not enabled)
May 17 22:51:34 router ovpn-server[1043]: client1/80.187.102.115:23366 MULTI: Learn: 192.168.10.10 -> client1/80.187.102.115:23366
May 17 22:51:34 router ovpn-server[1043]: client1/80.187.102.115:23366 MULTI: primary virtual IP for client1/80.187.102.115:23366: 192.168.10.10
May 17 22:51:34 router ovpn-server[1043]: client1/80.187.102.115:23366 PUSH: Received control message: 'PUSH_REQUEST'
May 17 22:51:34 router ovpn-server[1043]: client1/80.187.102.115:23366 send_push_reply(): safe_cap=940
May 17 22:51:34 router ovpn-server[1043]: client1/80.187.102.115:23366 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.3.0 255.255.255.0,redirect-gateway,dhcp-option DNS 192.168.10.1,dhcp-option WINS 192.168.1.200,route 192.168.10.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 192.168.10.10 192.168.10.9' (status=1)
/etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/router.crt
key ./easy-rsa2/keys/router.key # Keep this file secret.
dh ./easy-rsa2/keys/dh1024.pem # Diffie-Hellman parameters
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 192.168.10.1"
push "dhcp-option WINS 192.168.1.200"
client-to-client
keepalive 10 120
cipher AES-128-CBC # AES
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 4
client.ovpn on the iPhone:
client
dev tun
proto udp
remote my.dynvpn.de 1194
remote 192.168.4.254 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3
after upgrade wheezy -> jessie no DNS from iPhone
-
- OpenVpn Newbie
- Posts: 3
- Joined: Sun May 17, 2015 8:10 pm
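Added diagnostic helpers, not part of any post in this thread. The PUSH_REPLY in the syslog above shows the server handing out `dhcp-option DNS 192.168.10.1`, which with `server 192.168.10.0 255.255.255.0` is the router's own tun address, so the question is whether anything on the router answers on that address. A Windows client keeps the DNS servers of its physical adapter alongside the pushed one and falls back to them, which can hide a dead pushed resolver; an iOS client with `redirect-gateway` only has the pushed resolver. The script assumes the tunnel device is tun0, the log is /var/log/syslog, and that `ss -lun` prints the local socket as ADDR:PORT in its fourth column (iproute2 as shipped with jessie). The PUSH_REPLY line is copied from the log above; the `ss` listing is a constructed sample in which the resolver is bound to eth0 and loopback only.

```shell
#!/bin/sh
# Diagnostic helpers for "pushed DNS does not answer over the tunnel".
# Added example, not from the thread. Assumptions: tunnel device tun0,
# OpenVPN logging to /var/log/syslog, "ss -lun" printing ADDR:PORT in column 4.

# Constructed sample input: the PUSH_REPLY line from the syslog above and an
# "ss -lun" listing where the resolver listens on eth0 and loopback only.
SAMPLE_PUSH_REPLY="May 17 22:51:34 router ovpn-server[1043]: client1/80.187.102.115:23366 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,redirect-gateway,dhcp-option DNS 192.168.10.1,dhcp-option WINS 192.168.1.200,topology net30,ifconfig 192.168.10.10 192.168.10.9' (status=1)"
SAMPLE_SS="State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 192.168.1.1:53 *:*
UNCONN 0 0 127.0.0.1:53 *:*"

# pushed_value OPTION : read a PUSH_REPLY log line on stdin and print the value
# pushed for OPTION (for example "dhcp-option DNS"), one per line
pushed_value() {
    tr ',' '\n' | sed -n "s/^$1 //p" | sed "s/'.*//"
}

# pushed_has FLAG : true if the bare option FLAG (e.g. redirect-gateway) was pushed
pushed_has() {
    tr ',' '\n' | sed "s/'.*//" | grep -qx "$1"
}

# dns_listener_covers ADDR : read "ss -lun" output on stdin; true if a UDP/53
# socket is bound to ADDR itself or to the IPv4 wildcard address
dns_listener_covers() {
    awk -v a="$1" '
        $1 == "UNCONN" {
            n = split($4, l, ":"); port = l[n]; addr = l[1]
            if (port == "53" && (addr == a || addr == "*" || addr == "0.0.0.0")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# live_diag : run the real checks on the router (needs ip, ss and dig)
live_diag() {
    tun_addr=$(ip -4 -o addr show dev tun0 | awk '{print $4}' | cut -d/ -f1)
    pushed=$(grep PUSH_REPLY /var/log/syslog | tail -n 1 | pushed_value 'dhcp-option DNS')
    echo "tun0 address: ${tun_addr:-none}   pushed DNS: ${pushed:-none}"
    [ -n "$pushed" ] || { echo "no PUSH_REPLY with dhcp-option DNS found"; return 1; }
    if ss -lun | dns_listener_covers "$pushed"; then
        echo "a resolver listens on $pushed:53; querying it:"
        dig +short @"$pushed" www.google.de A || echo "query to $pushed failed (firewall, or resolver not forwarding)"
    else
        echo "nothing listens on $pushed:53: bind9 listen-on / dnsmasq listen-address" \
             "probably only covers eth0, or the resolver started before tun0 existed"
        return 1
    fi
}

# run the live checks with: sh vpn_dns_diag.sh --live
if [ "$1" = "--live" ]; then live_diag; fi
```

If `live_diag` reports that nothing listens on the pushed address, the fix is on the resolver side (bind it to the tun address or the wildcard, and make sure it starts after the tunnel exists), not in OpenVPN; if it listens but the query fails, check the firewall path from the ovpn zone to the router and the resolver's forwarding.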
Re: after upgrade wheezy -> jessie no DNS from iPhone
Does no one have an idea?
Thank you!
-
- OpenVpn Newbie
- Posts: 3
- Joined: Sun May 17, 2015 8:10 pm
Re: after upgrade wheezy -> jessie no DNS from iPhone
Now I found this message in my /var/log/syslog:
I could establish the tunnel without error. But if I try to ping a DNS name (like ping http://www.google.de) I get this error message.
Here's my configuration:
OpenVPN
server.conf
Code:
port 1194
proto udp
dev tun
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/micky.crt
key ./easy-rsa2/keys/micky.key # Keep this file secret.
dh ./easy-rsa2/keys/dh1024.pem # Diffie-Hellman parameters
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 192.168.10.1"
push "dhcp-option WINS 192.168.1.200"
client-to-client
keepalive 10 120
cipher AES-128-CBC # AES
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 6
client.conf
Code:
client
dev tun
proto udp
# --- for access from the Internet
remote star.dynvpn.de 1194
# for access from the WLAN
remote 192.168.4.254 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3
shorewall
interfaces
Code:
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
loc eth0 detect tcpflags,detectnets,nosmurfs
dmz eth2 detect tcpflags,detectnets,nosmurfs
ovpn tun0 detect tcpflags,detectnets,nosmurfs
wlan eth3 detect tcpflags,detectnets,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
policy
Code:
loc net ACCEPT info
loc vmn ACCEPT info
loc ovpn ACCEPT info
loc dmz REJECT info
loc $FW REJECT info
loc wlan ACCEPT info
loc all REJECT info
--snip--
$FW net ACCEPT info
$FW dmz ACCEPT info
$FW loc ACCEPT info
$FW vmn ACCEPT info
$FW wlan ACCEPT info
$FW all ACCEPT info
---snip---
net dmz DROP info
net $FW DROP info
net loc DROP info
net vmn DROP info
net wlan DROP info
net all DROP info
ovpn net ACCEPT info
ovpn loc ACCEPT info
ovpn vmn ACCEPT info
ovpn wlan ACCEPT info
ovpn dmz REJECT info
ovpn $FW REJECT info
ovpn all REJECT info
wlan net ACCEPT info
wlan loc ACCEPT info
wlan vmn ACCEPT info
wlan dmz REJECT info
wlan $FW ACCEPT info
wlan ovpn REJECT info
wlan all REJECT info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
rules
Code:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
#
# Accept DNS connections from the firewall to the Internet
DNS/ACCEPT $FW net
DNS/ACCEPT dmz net
DNS/ACCEPT loc net
DNS/ACCEPT loc $FW
DNS/ACCEPT vmn net
DNS/ACCEPT vmn $FW
DNS/ACCEPT ovpn net
DNS/ACCEPT ovpn $FW
DNS/ACCEPT wlan net
DNS/ACCEPT wlan $FW
DNS/ACCEPT dmz $FW
#
Ping/ACCEPT loc $FW
Ping/ACCEPT loc ovpn
Ping/ACCEPT loc net
Ping/ACCEPT loc dmz
Ping/ACCEPT vmn $FW
Ping/ACCEPT vmn loc
Ping/ACCEPT vmn ovpn
Ping/ACCEPT vmn net
Ping/ACCEPT vmn dmz
Ping/ACCEPT dmz $FW
Ping/ACCEPT dmz loc
Ping/ACCEPT dmz vmn
Ping/ACCEPT dmz net
Ping/ACCEPT ovpn $FW
Ping/ACCEPT ovpn loc
Ping/ACCEPT ovpn vmn
Ping/ACCEPT ovpn dmz
Ping/ACCEPT $FW ovpn
Ping/ACCEPT $FW wlan
---snip ---
#
Web/ACCEPT loc $FW
Web/ACCEPT loc wlan
Web/ACCEPT vmn $FW
Web/ACCEPT vmn wlan
Web/ACCEPT ovpn $FW
#
--- snip ---
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
tunnels
Code:
#TYPE ZONE GATEWAY GATEWAY
# ZONE
openvpnserver:1194 net 0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/var/log/syslog
Code:
Jun 14 16:21:00 debrouter ovpn-server[4784]: client1/192.168.4.3:64660 UDPv4 READ [101] from [AF_INET]192.168.4.3:64660: P_DATA_V1 kid=0 DATA len=100
Jun 14 16:21:00 debrouter ovpn-server[4784]: client1/192.168.4.3:64660 UDPv4 WRITE [69] to [AF_INET]192.168.4.3:64660: P_DATA_V1 kid=0 DATA len=68
Jun 14 16:21:00 debrouter ovpn-server[4784]: client1/192.168.4.3:64660 TUN WRITE [57]
Jun 14 16:21:05 debrouter ovpn-server[4784]: client1/192.168.4.3:64660 UDPv4 READ [117] from [AF_INET]192.168.4.3:64660: P_DATA_V1 kid=0 DATA len=116
Jun 14 16:21:05 debrouter ovpn-server[4784]: client1/192.168.4.3:64660 TUN WRITE [73]
Jun 14 16:21:07 debrouter ovpn-server[4784]: 192.168.4.3:55962 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 14 16:21:07 debrouter ovpn-server[4784]: 192.168.4.3:55962 TLS Error: TLS handshake failed
Jun 14 16:21:07 debrouter ovpn-server[4784]: 192.168.4.3:55962 SIGUSR1[soft,tls-error] received, client-instance restarting
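Added audit helper, not part of any post in this thread. Two things in the posted material deserve attention beyond the DNS problem: the first syslog reports the control channel as "1024 bit RSA", and server.conf uses dh1024.pem, no tls-auth, the default SHA1 HMAC, comp-lzo and a bare `redirect-gateway`. The "TLS key negotiation failed" lines in the second syslog belong to a second handshake from the same client address on another source port (55962) while the session on port 64660 is still passing data, so they do not explain the failed name lookups. The script below flags weak settings in a server.conf and carries a hardened variant of the posted configuration written for OpenVPN 2.3 (what Debian jessie ships, so no AES-GCM and no tls-crypt). Assumptions: the key for `tls-auth` is generated with `openvpn --genkey --secret ta.key`, and the server certificate carries the serverAuth EKU that easy-rsa's build-key-server sets, so clients can use `remote-cert-tls server` instead of the deprecated `ns-cert-type server`. The 1024-bit certificate keys are not visible to a config audit and need reissuing separately.

```shell
#!/bin/sh
# Audit an OpenVPN 2.3-era server.conf for weak or fragile settings.
# Added example, not from the thread or the OpenVPN project.

# has ERE : true if an uncommented line of $CFG starts with ERE
has() {
    printf '%s\n' "$CFG" | grep -Eq "^[[:space:]]*$1"
}

# audit_ovpn_conf FILE : print one finding per line; prints nothing if clean
audit_ovpn_conf() {
    # strip comments first so a commented-out "tls-auth" is not counted as present
    CFG=$(sed 's/#.*//' "$1")
    bits=$(printf '%s\n' "$CFG" |
           sed -n 's/^[[:space:]]*dh[[:space:]]\{1,\}.*dh\([0-9]\{1,\}\)\.pem.*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "dh: ${bits}-bit DH parameters; regenerate with at least 2048 bits (openssl dhparam -out dh2048.pem 2048)"
    fi
    if ! has 'tls-auth[[:space:]]' && ! has 'tls-crypt[[:space:]]'; then
        echo "tls-auth: missing; without it any UDP source can start a TLS handshake with the server"
    fi
    if ! has 'auth[[:space:]]'; then
        echo "auth: not set, data-channel HMAC defaults to SHA1; set auth SHA256 on server and clients"
    fi
    if ! has 'cipher[[:space:]]'; then
        echo "cipher: not set, data channel defaults to BF-CBC (64-bit blocks)"
    fi
    if has 'comp-lzo'; then
        echo "comp-lzo: compressing attacker-influenced plaintext leaks its content (VORACLE); remove it"
    fi
    if has 'push[[:space:]]+"?redirect-gateway"?[[:space:]]*$'; then
        echo "redirect-gateway: pushed without def1; 'redirect-gateway def1' overrides the default route without deleting it"
    fi
    if ! has 'tls-version-min[[:space:]]'; then
        echo "tls-version-min: not set; add tls-version-min 1.2 (OpenVPN >= 2.3.3)"
    fi
    if ! has 'user[[:space:]]' || ! has 'group[[:space:]]'; then
        echo "user/group: daemon keeps root after startup; drop to an unprivileged account"
    fi
}

# write_sample_conf FILE : constructed copy of the server.conf posted above
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/micky.crt
key ./easy-rsa2/keys/micky.key # keep this file secret
dh ./easy-rsa2/keys/dh1024.pem # Diffie-Hellman parameters
server 192.168.10.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 192.168.10.1"
keepalive 10 120
cipher AES-128-CBC # AES
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
verb 6
EOF
}

# write_hardened_conf FILE : the same server with the findings fixed for OpenVPN 2.3;
# clients then need "tls-auth ta.key 1", "auth SHA256", "cipher AES-256-CBC" and
# "remote-cert-tls server" in place of "ns-cert-type server"
write_hardened_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/micky.crt
key ./easy-rsa2/keys/micky.key
dh ./easy-rsa2/keys/dh2048.pem
tls-auth ./easy-rsa2/keys/ta.key 0
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
server 192.168.10.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.10.1"
keepalive 10 120
user openvpn
group openvpn
persist-key
persist-tun
verb 3
EOF
}

# usage: sh audit_ovpn.sh /etc/openvpn/server.conf
if [ $# -eq 1 ]; then audit_ovpn_conf "$1"; fi
```

Run against the posted server.conf the audit reports six findings (DH size, missing tls-auth, default HMAC, comp-lzo, bare redirect-gateway, no TLS minimum); the hardened file reports none. Pushed options such as `dhcp-option DNS 192.168.10.1` are kept unchanged, since they are not what is wrong with the name resolution.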