No Access to Internet After Successful Connection

nlucchesi
OpenVpn Newbie
Posts: 15
Joined: Tue Jul 12, 2011 11:40 pm
Location: Chicago


Post by nlucchesi » Tue Jun 23, 2015 9:04 pm

My log indicates that OpenVPN for iOS connects with my OpenVPN Server. However, I can't access any Internet resources, e.g., web or mail, from my phone.

I presume that I have a routing problem and I'd guess that '[ifconfig] [10.10.50.10] [10.10.50.9]' is trying to tell me what the problem is. But, I can't understand/see the problem.

Can anyone give me a clue?

Thank you.

- nello


iOS Log

Code:

2015-06-23 15:43:54 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2015-06-23 15:43:54 Session is ACTIVE
2015-06-23 15:43:54 EVENT: GET_CONFIG
2015-06-23 15:43:54 Sending PUSH_REQUEST to server...
2015-06-23 15:43:54 OPTIONS:
0 [redirect-gateway] [def1] 
1 [dhcp-option] [DNS] [10.10.49.1] 
2 [route] [10.10.49.0] [255.255.255.0] 
3 [route] [10.10.50.1] 
4 [topology] [net30] 
5 [ping] [10] 
6 [ping-restart] [120] 
7 [ifconfig] [10.10.50.10] [10.10.50.9] 

2015-06-23 15:43:54 LZO-ASYM init swap=0 asym=0
2015-06-23 15:43:54 EVENT: ASSIGN_IP
2015-06-23 15:43:54 Connected via tun
2015-06-23 15:43:54 EVENT: CONNECTED @<OpenVPN Server FQDN>:443 (<OpenVPN Server IP Address>) via /UDPv4 on tun/10.10.50.10/
2015-06-23 15:43:54 NET Internet:ReachableViaWiFi/-R t----l-
2015-06-23 15:43:55 SetStatus Connected

iPhone.ovpn

Code:

#
# Client connection parameters
client
dev tun
proto udp
nobind
comp-lzo
persist-key
;cipher x
;user nobody
;group nobody
#
# Server is only <OpenVPN Server FQDN> 
remote <OpenVPN Server FQDN> 443
resolv-retry infinite
remote-cert-tls server
verify-x509-name <OpenVPN Server FQDN> name
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
#
# Access Internet through server
dhcp-option DNS 10.10.49.1
redirect-gateway def1
#
# Silence repeating messages
mute 10
#
# Silence duplicate packet warnings
mute-replay-warnings
#
# Log file verbosity
# 0   Silent, except for fatal errors
# 4   General usage
# 5-6 Debug connection problems
# 9   Extremely verbose
verb 6
#
# Certificate authority public key
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: No Access to Internet After Successful Connection

Post by Traffic » Tue Jun 23, 2015 9:34 pm



Re: No Access to Internet After Successful Connection

Post by nlucchesi » Tue Jun 23, 2015 9:54 pm

Traffic wrote: Your server config is the crucial element ...

Yes, of course. Apologies for not including the server configuration file, shown below.

Since I'm able to connect to this OpenVPN server and get to the Internet from my OS X OpenVPN client (Tunnelblick), I'm puzzled why I can't do the same from iOS.

I'm just not seeing the difference between my iOS and OS X configurations. Any input appreciated.

Thank you.

- nello



iOS client configuration

Code:

#
# Client connection parameters
client
dev tun
proto udp
nobind
comp-lzo
persist-key
;cipher x
;user nobody
;group nobody
#
# Server is only <OpenVPN Server FQDN> 
remote <OpenVPN Server FQDN> 443
resolv-retry infinite
remote-cert-tls server
verify-x509-name <OpenVPN Server FQDN> name
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
#
# Access Internet through server
dhcp-option DNS 10.10.49.1
redirect-gateway def1
#
# Silence repeating messages
mute 10
#
# Silence duplicate packet warnings
mute-replay-warnings
#
# Log file verbosity
# 0   Silent, except for fatal errors
# 4   General usage
# 5-6 Debug connection problems
# 9   Extremely verbose
verb 6
#
# Certificate authority public key
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

OSX (Tunnelblick) client configuration

Code:

# Use unique keys for each client
cert nelloMacBookAir13.crt
key nelloMacBookAir13.key 
#
# No Changes Below Line
#################################
#
# Client connection parameters
client
dev tun
proto udp
nobind
comp-lzo
persist-key
;cipher x
;user nobody
;group nobody
#
# Server is only <OpenVPN Server FQDN> 
remote <OpenVPN Server FQDN> 443
resolv-retry infinite
remote-cert-tls server
verify-x509-name <OpenVPN Server FQDN> name
tls-auth ta.key 1
#
# Access Internet through server
dhcp-option DNS 10.10.49.1
redirect-gateway def1
#
# Certificate authority public key
ca ca.crt
#
# Silence repeating messages
mute 10
#
# Silence duplicate packet warnings
mute-replay-warnings
#
# Log file verbosity
# 0   Silent, except for fatal errors
# 4   General usage
# 5-6 Debug connection problems
# 9   Extremely verbose
verb 3

FreeNAS server configuration

Code:

port 443                                                                        
proto udp                                                                       
dev tun                                                                         
ca /mnt/openvpn/keys/ca.crt                                                     
cert /mnt/openvpn/keys/<OpenVPN Server FQDN>.crt                                 
key /mnt/openvpn/keys/<OpenVPN Server FQDN>.key                                  
dh /mnt/openvpn/keys/dh2048.pem                                                 
server 10.10.50.0 255.255.255.0                                                 
ifconfig-pool-persist ipp.txt                                                   
push "route 10.10.49.0 255.255.255.0"                                           
route 10.10.49.12 255.255.255.0 10.10.50.1                                      
keepalive 10 120                                                                
comp-lzo                                                                        
persist-key                                                                     
persist-tun                                                                     
verb 4                                                                          
remote-cert-tls client                                                          
tls-auth /mnt/openvpn/keys/ta.key 0                                             
mute 5
user nobody                                                                     
group nobody                                                                    


Re: No Access to Internet After Successful Connection

Post by Traffic » Tue Jun 23, 2015 10:17 pm

Overall your OpenVPN config looks ok ..

edit:
Code:
route 10.10.49.12 255.255.255.0 10.10.50.1
mask should be 32 bit

Have you ensured NAT is working at the server end ?
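
The mask point raised in this post can be checked mechanically. The following is an added example, not part of the original thread or of OpenVPN itself: it parses `route` and `push "route ..."` directives and reports any whose address has bits set outside its netmask, giving the network form and the host (32-bit) form. The function names and the sample, built from the route lines of the server config posted above, are assumptions of this example.

```python
import ipaddress
import shlex

# Constructed sample: the route-related lines of the server config posted in this thread.
SAMPLE_SERVER_CONF = '''\
server 10.10.50.0 255.255.255.0
push "route 10.10.49.0 255.255.255.0"
route 10.10.49.12 255.255.255.0 10.10.50.1
'''

def iter_routes(conf_text):
    """Yield (line_no, pushed, address, netmask) for route and push "route" lines."""
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        tokens = shlex.split(line)
        pushed = tokens[0] == "push" and len(tokens) == 2
        if pushed:
            tokens = shlex.split(tokens[1])
        if not tokens or tokens[0] != "route" or len(tokens) < 2:
            continue
        # OpenVPN treats an omitted (or "default") netmask as 255.255.255.255.
        netmask = tokens[2] if len(tokens) > 2 else "default"
        if netmask == "default":
            netmask = "255.255.255.255"
        yield line_no, pushed, tokens[1], netmask

def check_routes(conf_text):
    """Return findings for routes whose address has bits set outside the netmask."""
    findings = []
    for line_no, pushed, address, netmask in iter_routes(conf_text):
        try:
            iface = ipaddress.ip_interface(f"{address}/{netmask}")
        except ValueError:
            continue  # hostname or keyword such as vpn_gateway: nothing to check
        if iface.ip != iface.network.network_address:
            findings.append({
                "line": line_no,
                "pushed": pushed,
                "given": f"{address} {netmask}",
                "network": f"{iface.network.network_address} {netmask}",
                "host": f"{address} 255.255.255.255",
            })
    return findings

if __name__ == "__main__":
    for f in check_routes(SAMPLE_SERVER_CONF):
        print(f"line {f['line']}: '{f['given']}' -> '{f['network']}' or '{f['host']}'")
```
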


Re: No Access to Internet After Successful Connection

Post by nlucchesi » Wed Jun 24, 2015 1:53 pm

Traffic wrote: Code:
route 10.10.49.12 255.255.255.0 10.10.50.1
mask should be 32 bit

So you suggest this instead?

Code:

route 10.10.49.12 255.255.255.255 10.10.50.1

Why? Sorry, I don't understand why this might make a difference on an iOS client and not an OS X client.

Traffic wrote: Have you ensured NAT is working at the server end ?

How would I do this? Sorry, I don't know what command to use.


Thank you for your suggestions.

- nello


Re: No Access to Internet After Successful Connection

Post by nlucchesi » Thu Jun 25, 2015 8:11 pm

Traffic wrote: Overall your OpenVPN config looks ok ..

edit:
Code:
route 10.10.49.12 255.255.255.0 10.10.50.1
mask should be 32 bit

Have you ensured NAT is working at the server end ?

Yes, I tried this and it had no effect. OS X continues to work and iOS connects but does not give me access to either the Internet or my LAN. To me this makes sense because 10.10.49.12 255.255.255.0 and 10.10.49.12/24 mean the same thing. It's just a different notation for creating the same mask.

I dug a little deeper on trying to find differences between OS X and iOS after the connection:

iOS
Opened the Settings > WiFi and clicked the little "i" on the right side of the network I'm connected to. It shows that iOS apparently doesn't change its IP Address, Router, or DNS.

OS X
Opened System Preferences > Network and clicked on the Advanced button. The TCP/IP panel shows the unchanged IP Address and Router. But, in the DNS panel the DNS address has changed; it shows 10.10.49.1, the DNS/DHCP address on my VPN's network.


I conclude that OS X is processing the client command "dhcp-option DNS 10.10.49.1" whereas iOS is not.

Does anyone have any idea why iOS isn't processing the 'dhcp-option DNS' configuration parameter?

Thank you.

- nello
