[Solved] iOS not adding pushed route

xefil
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 28, 2013 10:53 am

[Solved] iOS not adding pushed route

Post by xefil » Mon Aug 06, 2018 12:15 pm

Hello,

I'm having some problems on my iOS client.

iOS: 11.4.1
OpenVPN Client: 1.2.9
OpenVPN Server: 2.4.0-6+deb9u2

OVPN client settings:

client
dev tun
proto udp
remote MYHOME 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_IQ8uh8u8SJCqMdJy name
cipher AES-256-CBC
auth SHA256
compress lz4
verb 3
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

<tls-crypt>
#
# 2048 bit OpenVPN static key
#
</tls-crypt>

OpenVPN server:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_IQ8uh8u8SJCqMdJy.crt
key /etc/openvpn/easy-rsa/pki/private/server_IQ8uh8u8SJCqMdJy.key
dh none
ecdh-curve secp384r1
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0 10.8.0.1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
compress lz4
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3

My home local LAN is on 192.168.1.0/24.
Using the Windows OVPN client all works well, the route is pushed.
I've noticed that now (I don't know since when) I cannot reach my internal LAN using my iPhone.
It SEEMS to be a routing problem. I CAN ping my iPhone from the OVPN server. If I use tcpdump to check whether there is traffic to an internal PC in my LAN from an OpenVPN client, I see the traffic only from the Windows OpenVPN client. From the iPhone, nothing.
How do I debug and solve this?

Thanks, Simon

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connection problems on IOS

Post by TinCanTech » Mon Aug 06, 2018 12:34 pm

Your client log should have an answer ..

If you do have a routing conflict then change your Home subnet.

Your server log will even show this message:
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
You may need --verb 4 for openvpn to print that message ..

xefil
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 28, 2013 10:53 am

Re: Connection problems on IOS

Post by xefil » Mon Aug 06, 2018 12:54 pm

Here are some logs.

client:

2018-08-06 14:50:37 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28
2018-08-06 14:50:37 Frame=512/2048/512 mssfix-ctrl=1250
2018-08-06 14:50:37 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
10 [verify-x509-name] [server_IQ8uh8u8SJCqMdJy] [name] 
14 [verb] [3] 

2018-08-06 14:50:37 EVENT: RESOLVE
2018-08-06 14:50:37 Contacting [OPENVPN-IP]:1194/UDP via UDP
2018-08-06 14:50:37 EVENT: WAIT
2018-08-06 14:50:37 Connecting to [OPENVPN-IP]:1194 (OPENVPN-IP) via UDPv4
2018-08-06 14:50:37 EVENT: CONNECTING
2018-08-06 14:50:37 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client
2018-08-06 14:50:37 Creds: UsernameEmpty/PasswordEmpty
2018-08-06 14:50:37 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.2.9-0
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZ4=1
IV_AUTO_SESS=1

2018-08-06 14:50:37 VERIFY OK : depth=1
cert. version    : 3
serial number    : 98:EF:84:C7:5C:88:59:59
issuer name      : CN=ChangeMe
subject name      : CN=ChangeMe
issued  on        : 2018-06-12 07:15:22
expires on        : 2028-06-09 07:15:22
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage        : Key Cert Sign, CRL Sign

2018-08-06 14:50:37 VERIFY OK : depth=0
cert. version    : 3
serial number    : 01
issuer name      : CN=ChangeMe
subject name      : CN=server_IQ8uh8u8SJCqMdJy
issued  on        : 2018-06-12 07:15:33
expires on        : 2028-06-09 07:15:33
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication

2018-08-06 14:50:37 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2018-08-06 14:50:37 Session is ACTIVE
2018-08-06 14:50:37 EVENT: GET_CONFIG
2018-08-06 14:50:37 Sending PUSH_REQUEST to server...
2018-08-06 14:50:37 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0] [10.8.0.1] 
1 [route-gateway] [10.8.0.1] 
2 [topology] [subnet] 
3 [ping] [1800] 
4 [ping-restart] [3600] 
5 [ifconfig] [10.8.0.3] [255.255.255.0] 
6 [peer-id] [0] 
7 [cipher] [AES-256-GCM] 

2018-08-06 14:50:37 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA256
  compress: LZ4
  peer ID: 0
2018-08-06 14:50:37 EVENT: ASSIGN_IP
2018-08-06 14:50:37 NIP: preparing TUN network settings
2018-08-06 14:50:37 NIP: init TUN network settings with endpoint: OPENVPN-IP
2018-08-06 14:50:37 NIP: adding IPv4 address to network settings 10.8.0.3/255.255.255.0
2018-08-06 14:50:37 NIP: adding (included) IPv4 route 10.8.0.0/24
2018-08-06 14:50:37 Connected via NetworkExtensionTUN
2018-08-06 14:50:37 LZ4 init asym=0
2018-08-06 14:50:37 EVENT: CONNECTED @OPENVPN-IP:1194 (OPENVPN-IP) via /UDPv4 on NetworkExtensionTUN/10.8.0.3/ gw=[/]

server:

Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 TLS: Initial packet from [AF_INET]REMOTE-IP:13820, sid=e362736e 49e46344
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 VERIFY OK: depth=1, CN=ChangeMe
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 Validating certificate key usage
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 ++ Certificate has key usage  0080, expects 0080
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 VERIFY KU OK
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 Validating certificate extended key usage
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 VERIFY EKU OK
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 VERIFY OK: depth=0, CN=xefilphone
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.2.9-0
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 peer info: IV_VER=3.2
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 peer info: IV_PLAT=ios
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 peer info: IV_NCP=2
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 peer info: IV_TCPNL=1
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 peer info: IV_PROTO=2
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 peer info: IV_LZ4=1
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 peer info: IV_AUTO_SESS=1
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Aug  6 14:50:37 localhost ovpn-server[518]: REMOTE-IP:13820 [xefilphone] Peer Connection Initiated with [AF_INET]REMOTE-IP:13820
Aug  6 14:50:37 localhost ovpn-server[518]: xefilphone/REMOTE-IP:13820 MULTI_sva: pool returned IPv4=10.8.0.3, IPv6=(Not enabled)
Aug  6 14:50:37 localhost ovpn-server[518]: xefilphone/REMOTE-IP:13820 MULTI: Learn: 10.8.0.3 -> xefilphone/REMOTE-IP:13820
Aug  6 14:50:37 localhost ovpn-server[518]: xefilphone/REMOTE-IP:13820 MULTI: primary virtual IP for xefilphone/REMOTE-IP:13820: 10.8.0.3
Aug  6 14:50:37 localhost ovpn-server[518]: xefilphone/REMOTE-IP:13820 PUSH: Received control message: 'PUSH_REQUEST'
Aug  6 14:50:37 localhost ovpn-server[518]: xefilphone/REMOTE-IP:13820 SENT CONTROL [xefilphone]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 10.8.0.1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.3 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Aug  6 14:50:37 localhost ovpn-server[518]: xefilphone/REMOTE-IP:13820 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug  6 14:50:37 localhost ovpn-server[518]: xefilphone/REMOTE-IP:13820 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

Nothing useful from my point of view.
Now what?

FYI: the local LAN where the iPhone is connected via WiFi when it tries to connect home is not on 192.168.1.0/24, so there are no conflicts.
I even tried with a 3G/4G mobile connection. I can remember this worked some time ago.

Thanks!

Simon

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connection problems on IOS

Post by TinCanTech » Mon Aug 06, 2018 1:36 pm

xefil wrote:
Mon Aug 06, 2018 12:54 pm
2018-08-06 14:50:37 Sending PUSH_REQUEST to server...
2018-08-06 14:50:37 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0] [10.8.0.1]
Your server has pushed and your client has pulled the route for your server LAN.
xefil wrote:
Mon Aug 06, 2018 12:54 pm
2018-08-06 14:50:37 EVENT: ASSIGN_IP
2018-08-06 14:50:37 NIP: preparing TUN network settings
2018-08-06 14:50:37 NIP: init TUN network settings with endpoint: OPENVPN-IP
2018-08-06 14:50:37 NIP: adding IPv4 address to network settings 10.8.0.3/255.255.255.0
2018-08-06 14:50:37 NIP: adding (included) IPv4 route 10.8.0.0/24
2018-08-06 14:50:37 Connected via NetworkExtensionTUN
2018-08-06 14:50:37 LZ4 init asym=0
I don't know if the route should be added here? The log does not show it ..

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connection problems on IOS

Post by TinCanTech » Mon Aug 06, 2018 1:43 pm

It is possible iOS does not recognise this correctly:
xefil wrote:
Mon Aug 06, 2018 12:15 pm
push "route 192.168.1.0 255.255.255.0 10.8.0.1"
Please try changing to this:

push "route 192.168.1.0 255.255.255.0"
The gateway parameter is 10.8.0.1 by default (or whatever you set your VPN IP to in the server)

xefil
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 28, 2013 10:53 am

Re: Connection problems on IOS

Post by xefil » Mon Aug 06, 2018 1:50 pm

It doesn't seem to change:

Mon Aug  6 15:49:00 2018 us=65698 xefilphone/remote-ip:13789 PUSH: Received control message: 'PUSH_REQUEST'
Mon Aug  6 15:49:00 2018 us=66009 xefilphone/remote-ip:13789 SENT CONTROL [xefilphone]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.3 255.255.255.0,peer-id 1,cipher AES-256-GCM' (status=1)

Does the status=1 mean something went wrong?

Thanks, Simon

EDIT:

Sorry, no difference in the logs, but it seems to work now!!
Many thanks!!

Simon

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connection problems on IOS

Post by TinCanTech » Mon Aug 06, 2018 2:01 pm

xefil wrote:
Mon Aug 06, 2018 1:50 pm
Does the status=1 mean something went wrong?
I don't know what it means but it is not an error of any type, I see it in all my server logs.
xefil wrote:
Mon Aug 06, 2018 1:50 pm
Sorry, no diff from logs, but so seems to work!!
It is good that it works but the log should show the route addition, I think.

Somebody will take a look to see if something is wrong.

Thanks for testing 8-)

xefil
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 28, 2013 10:53 am

Re: Connection problems on IOS

Post by xefil » Mon Aug 06, 2018 2:06 pm

Thank you for pointing me to the right solution ;-)

Simon

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connection problems on IOS

Post by TinCanTech » Mon Aug 06, 2018 2:26 pm

Can you please post your client log so that we can verify what it actually shows now that "it works".

Thanks

xefil
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 28, 2013 10:53 am

Re: Connection problems on IOS

Post by xefil » Mon Aug 06, 2018 2:33 pm

Of course, here:

2018-08-06 16:30:47 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28
2018-08-06 16:30:47 Frame=512/2048/512 mssfix-ctrl=1250
2018-08-06 16:30:47 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
10 [verify-x509-name] [server_IQ8uh8u8SJCqMdJy] [name] 
14 [verb] [3] 

2018-08-06 16:30:47 EVENT: RESOLVE
2018-08-06 16:30:47 Contacting [OpenVPN-ServerIP]:1194/UDP via UDP
2018-08-06 16:30:47 EVENT: WAIT
2018-08-06 16:30:47 Connecting to [OpenVPN-ServerIP]:1194 (OpenVPN-ServerIP) via UDPv4
2018-08-06 16:30:47 EVENT: CONNECTING
2018-08-06 16:30:47 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client
2018-08-06 16:30:47 Creds: UsernameEmpty/PasswordEmpty
2018-08-06 16:30:47 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.2.9-0
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZ4=1
IV_AUTO_SESS=1

2018-08-06 16:30:47 VERIFY OK : depth=1
cert. version    : 3
serial number    : 98:EF:84:C7:5C:88:59:59
issuer name      : CN=ChangeMe
subject name      : CN=ChangeMe
issued  on        : 2018-06-12 07:15:22
expires on        : 2028-06-09 07:15:22
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage        : Key Cert Sign, CRL Sign

2018-08-06 16:30:47 VERIFY OK : depth=0
cert. version    : 3
serial number    : 01
issuer name      : CN=ChangeMe
subject name      : CN=server_IQ8uh8u8SJCqMdJy
issued  on        : 2018-06-12 07:15:33
expires on        : 2028-06-09 07:15:33
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication

2018-08-06 16:30:47 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2018-08-06 16:30:47 Session is ACTIVE
2018-08-06 16:30:47 EVENT: GET_CONFIG
2018-08-06 16:30:47 Sending PUSH_REQUEST to server...
2018-08-06 16:30:47 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0] 
1 [route-gateway] [10.8.0.1] 
2 [topology] [subnet] 
3 [ping] [1800] 
4 [ping-restart] [3600] 
5 [ifconfig] [10.8.0.3] [255.255.255.0] 
6 [peer-id] [1] 
7 [cipher] [AES-256-GCM] 

2018-08-06 16:30:47 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA256
  compress: LZ4
  peer ID: 1
2018-08-06 16:30:47 EVENT: ASSIGN_IP
2018-08-06 16:30:47 NIP: preparing TUN network settings
2018-08-06 16:30:47 NIP: init TUN network settings with endpoint: OpenVPN-ServerIP
2018-08-06 16:30:47 NIP: adding IPv4 address to network settings 10.8.0.3/255.255.255.0
2018-08-06 16:30:47 NIP: adding (included) IPv4 route 10.8.0.0/24
2018-08-06 16:30:47 NIP: adding (included) IPv4 route 192.168.1.0/24
2018-08-06 16:30:47 Connected via NetworkExtensionTUN
2018-08-06 16:30:47 LZ4 init asym=0
2018-08-06 16:30:47 EVENT: CONNECTED @OpenVPN-ServerIP:1194 (OpenVPN-ServerIP) via /UDPv4 on NetworkExtensionTUN/10.8.0.3/ gw=[/]

This line was missing; now it is here:

NIP: adding (included) IPv4 route 192.168.1.0/24
And I think it's really important ;-)
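The failure this thread turns on is a route that appears in the pulled OPTIONS but never in a "NIP: adding (included) IPv4 route" line, and the client logs no error. The script below is an added example, not code from the thread or from OpenVPN: it parses OpenVPN Connect (core 3.x) client log text, using constructed excerpts modelled on the before/after logs above, and flags any pushed route that was not installed, noting when that route carried the explicit gateway parameter the iOS client drops.

```python
import ipaddress
import re

# A pulled route option as the OpenVPN Connect (core 3.x) client logs it, e.g.
# "0 [route] [192.168.1.0] [255.255.255.0] [10.8.0.1]"; the gateway is optional.
ROUTE_OPTION = re.compile(r"^\d+ \[route\] \[(\S+)\] \[(\S+)\](?: \[(\S+)\])?$")
# The line the iOS NetworkExtension backend logs when it really installs a route.
ROUTE_INSTALLED = re.compile(r"NIP: adding \(included\) IPv4 route (\S+/\d+)")


def pushed_routes(log):
    """Return (network/prefix, gateway-or-None) for each route option pulled."""
    routes = []
    for line in log.splitlines():
        m = ROUTE_OPTION.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((str(net), m.group(3)))
    return routes


def installed_routes(log):
    """Return the set of IPv4 routes the client reports adding to the TUN."""
    return {m.group(1) for m in ROUTE_INSTALLED.finditer(log)}


def audit(log):
    """List pushed routes that never reached the TUN; note an explicit gateway,
    which is the case this thread found the iOS client drops without logging."""
    installed = installed_routes(log)
    findings = []
    for net, gw in pushed_routes(log):
        if net not in installed:
            hint = f" (pushed with explicit gateway {gw})" if gw else ""
            findings.append(f"route {net} pushed but not installed{hint}")
    return findings


# Constructed excerpts modelled on the thread's client logs (not copied verbatim).
LOG_BEFORE = """\
2018-08-06 14:50:37 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0] [10.8.0.1]
1 [route-gateway] [10.8.0.1]
2018-08-06 14:50:37 NIP: adding (included) IPv4 route 10.8.0.0/24
2018-08-06 14:50:37 Connected via NetworkExtensionTUN
"""
LOG_AFTER = """\
2018-08-06 16:30:47 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0]
1 [route-gateway] [10.8.0.1]
2018-08-06 16:30:47 NIP: adding (included) IPv4 route 10.8.0.0/24
2018-08-06 16:30:47 NIP: adding (included) IPv4 route 192.168.1.0/24
2018-08-06 16:30:47 Connected via NetworkExtensionTUN
"""

if __name__ == "__main__":
    for name, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(name, audit(log) or ["all pushed routes installed"])
```

Feed it a full client log (the excerpts here are only the relevant lines) to get the same check for any number of pushed routes.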

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connection problems on IOS

Post by TinCanTech » Mon Aug 06, 2018 3:18 pm

We agree ..

That this initially did not show an error when the original pushed route statement failed will be looked into.
Your log should have informed you of the error, not silently ignored it.

xefil
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 28, 2013 10:53 am

Re: [Solved] iOS not adding pushed route

Post by xefil » Mon Aug 06, 2018 3:28 pm

My 5 cents identifying a little bug not reporting errors ;-)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: [Solved] iOS not adding pushed route

Post by TinCanTech » Wed Aug 08, 2018 12:07 am


xefil
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 28, 2013 10:53 am

Re: [Solved] iOS not adding pushed route

Post by xefil » Wed Aug 08, 2018 6:57 am

Oh great, I'll follow my first, unattended bug discovery :-D

lg_alex
OpenVpn Newbie
Posts: 1
Joined: Tue Jul 02, 2019 3:06 am

Re: Connection problems on IOS

Post by lg_alex » Tue Jul 02, 2019 3:09 am

TinCanTech wrote:
Mon Aug 06, 2018 1:43 pm
It is possible iOS does not recognise this correctly:
xefil wrote:
Mon Aug 06, 2018 12:15 pm
push "route 192.168.1.0 255.255.255.0 10.8.0.1"
Please try changing to this:

push "route 192.168.1.0 255.255.255.0"
The gateway parameter is 10.8.0.1 by default (or whatever you set your VPN IP to in the server)

;) Thanks a lot! That worked for me))

kvn
OpenVpn Newbie
Posts: 1
Joined: Thu May 07, 2020 6:39 pm

Re: [Solved] iOS not adding pushed route

Post by kvn » Thu May 07, 2020 6:40 pm

Is there any update on when a fix for this will arrive in the iOS client? Will the fix allow the GW to be specified, or are we going to have to update the server, and possibly have a special server configured for iOS devices in that case, as other clients may depend on the GW being provided?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: [Solved] iOS not adding pushed route

Post by TinCanTech » Thu May 07, 2020 6:57 pm

Specifying the gateway parameter to an iOS client is a user error. The OpenVPN client for iOS does not allow this parameter to be used.

The bug here is that the OpenVPN client for iOS does not log the error when the route is not added; it is therefore silently ignored, leaving the user completely in the dark as to what has happened.

So, you will probably have to run an iOS specific server if you have problems with iOS or report the problem and see what the developers think.
