iOS VPN on Demand and pushed DNS

Official client software for OpenVPN Access Server and OpenVPN Cloud.
gdanielv
OpenVpn Newbie
Posts: 5
Joined: Fri Jan 25, 2013 8:00 pm

iOS VPN on Demand and pushed DNS

Post by gdanielv » Fri Jan 25, 2013 8:20 pm

Hi. Can anyone confirm if the current version of OpenVPN Connect for iOS uses the OpenVPN server supplied DNS?
push "dhcp-option DNS x.x.x.x"
This needs to work for proper VPN on Demand operation, but from what I've seen, the iPhone continues using the 3G/Wifi supplied DNS.

Thanks.

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: iOS VPN on Demand and pushed DNS

Post by jamesyonan » Sat Jan 26, 2013 4:28 pm

There is a known bug in 1.0.0 of the iOS client where if redirect-gateway is not pushed, DNS requests will only be routed to specific search domains, such as:

Code:

push "dhcp-option DOMAIN foo.tld"
push "dhcp-option DOMAIN bar.tld"

We plan to fix this in 1.0.1 as follows:

On a split-tunnel, where redirect-gateway is not pushed by the server,
and at least one pushed DNS server is present

* route all DNS requests through pushed DNS server(s) if no added search domains.
* route DNS requests for added search domains only, if at least one added search domain.
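
The routing rule described in the post above, as an added example that is not part of the original thread and is not OpenVPN's own code. It parses pushed options from a server config and predicts which resolver a lookup would use; the function names, the `fixed` flag, the sample config and the assumption that a pushed redirect-gateway sends all DNS to the pushed servers are illustrative.

```python
import re

# Constructed sample of pushed options (not taken from a real server).
SAMPLE_CONFIG = '''
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DOMAIN foo.tld"
push "dhcp-option DOMAIN bar.tld"
'''

def parse_pushed(config_text):
    """Collect pushed DNS servers, search domains and redirect-gateway."""
    pushed = {"dns": [], "domains": [], "redirect_gateway": False}
    for line in config_text.splitlines():
        # Commented-out lines (# or ;) do not start with "push" and are skipped.
        m = re.match(r'push\s+"([^"]*)"', line.strip())
        if not m:
            continue
        words = m.group(1).split()
        if words[:2] == ["dhcp-option", "DNS"] and len(words) == 3:
            pushed["dns"].append(words[2])
        elif words[:2] == ["dhcp-option", "DOMAIN"] and len(words) == 3:
            pushed["domains"].append(words[2].lower().strip("."))
        elif words[:1] == ["redirect-gateway"]:
            pushed["redirect_gateway"] = True
    return pushed

def resolver_for(hostname, pushed, fixed=True):
    """Return 'vpn' or 'local' for a lookup.

    fixed=False models the 1.0.0 behaviour described in the post,
    fixed=True the behaviour planned for 1.0.1 (hypothetical flag).
    """
    if not pushed["dns"]:
        return "local"   # no pushed resolver: device keeps its own DNS
    if pushed["redirect_gateway"]:
        return "vpn"     # assumption: full tunnel uses the pushed DNS
    name = hostname.lower().rstrip(".")
    if not pushed["domains"]:
        # Split tunnel without search domains: 1.0.1 routes all DNS over
        # the VPN, 1.0.0 routes none because it only matches search domains.
        return "vpn" if fixed else "local"
    for domain in pushed["domains"]:
        if name == domain or name.endswith("." + domain):
            return "vpn"
    return "local"

if __name__ == "__main__":
    cfg = parse_pushed(SAMPLE_CONFIG)
    for host in ("intranet.foo.tld", "www.example.com"):
        print(host, "->", resolver_for(host, cfg))
```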

gdanielv
OpenVpn Newbie
Posts: 5
Joined: Fri Jan 25, 2013 8:00 pm

Re: iOS VPN on Demand and pushed DNS

Post by gdanielv » Tue Jan 29, 2013 12:56 am

Thank you James. Pushing the DOMAIN option works great for split-tunnel as now I have quick DNS responses for any domain from the ISP DNS servers, and internal DNS only for the domains I need to fire the On Demand VPN.

The only issue I'm seeing, which I guess is more an iOS issue, is that some apps don't trigger the VPN on Demand, while others do. For example Safari works fine, but Bria apparently doesn't...

Thanks again.

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: iOS VPN on Demand and pushed DNS

Post by jamesyonan » Tue Jan 29, 2013 1:38 am

When you try to trigger the VPN-on-Demand with Bria, are there any messages in the iOS console log from OpenVPN that might indicate that it is being triggered but is failing to connect for any reason?

If not, you might want to submit a bug report to Apple about this, as I'm sure they are keen to know if there are issues with certain apps failing to trigger VPN-on-Demand.

James

gdanielv
OpenVpn Newbie
Posts: 5
Joined: Fri Jan 25, 2013 8:00 pm

Re: iOS VPN on Demand and pushed DNS

Post by gdanielv » Tue Jan 29, 2013 2:10 am

James, yes it looks like an iOS or Bria issue. Bria immediately gives me a DNS Error, which means it's using the DNS Server, noticing there are no results for the request and not going through the VoD domains defined on the VoD Profile. There's no activity on the OpenVPN logs for this. Perhaps Bria uses a different method to query for DNS results instead of "asking" the OS, but that's conjecture on my part... I'll see if I can get more info from Bria.

megashub
OpenVpn Newbie
Posts: 1
Joined: Sat Jul 13, 2013 2:11 am

Re: iOS VPN on Demand and pushed DNS

Post by megashub » Sat Jul 13, 2013 2:14 am

This is a problem for me still, and I'm using 1.0.1 build 88 (iOS).

Any idea if this did get fixed, as anticipated? If on the iOS device, while connected to the VPN, I specify the name server to query, it responds properly. If I let the device choose the server to query, it chooses one I did not push. My configuration matches the one in this thread (split routing, pushing name servers).

sliderbook
OpenVpn Newbie
Posts: 1
Joined: Thu Sep 26, 2013 4:03 pm

Re: iOS VPN on Demand and pushed DNS

Post by sliderbook » Thu Sep 26, 2013 4:05 pm

I have the same problem too. My iPhone still uses the DNS of my Wifi.
Hope the problem will be solved in the next build.

redradioflyer
OpenVPN User
Posts: 25
Joined: Mon Jul 08, 2013 7:00 am

Re: iOS VPN on Demand and pushed DNS

Post by redradioflyer » Wed Oct 02, 2013 1:03 pm

Same issue... iPhone 5 with VPN on demand (via iPhone configuration utility). Set to always on for certain web-domains. Worked perfectly in iOS 6, but will not auto-initiate VPN in iOS 7 (doesn't seem to matter if I use Safari, mail, or any other app that connects to an always-on domain).

lucac
OpenVpn Newbie
Posts: 2
Joined: Tue Apr 08, 2014 6:11 pm

Re: iOS VPN on Demand and pushed DNS

Post by lucac » Thu Jul 31, 2014 7:02 am

I've been trying to make my iPhone work with OpenVPN, but I have a similar issue with the DNS resolution.
Is this bug fixed in the 1.0.4 iOS build?

Same server/client configuration works on Mac and Windows. iOS doesn't set the DNS correctly, although the connection works.

On the server:

Code:

...
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1 bypass-dhcp"
...

Other details:
- I've dnsmasq to forward all DNS requests
- 10.8.0.1 is the vpn gateway
- 10.8.0.6 is the vpn client

Using a Mac/Windows client, capturing the network traffic shows the following:

Code:

07:47:12.949387 IP 10.8.0.6.56521 > google-public-dns-a.google.com.domain: 4249+ A? www.amazon.com. (32)
...
DNS response with IP


Instead, using iOS, I get the following:

Code:

07:44:50.310893 IP 10.8.0.6.64316 > 10.8.0.1.domain: 23194+ A? www.google.com. (32)

Note the 10.8.0.1.domain

Any workaround/suggestion? Thanks in advance

lucac
OpenVpn Newbie
Posts: 2
Joined: Tue Apr 08, 2014 6:11 pm

Re: iOS VPN on Demand and pushed DNS

Post by lucac » Mon Sep 15, 2014 6:33 pm

Just tested on 1.0.5 build 177, and the bug is still there.
Any ideas/workarounds?

Thanks,
Luca

mikelinehan
OpenVpn Newbie
Posts: 2
Joined: Fri Jan 23, 2015 3:23 pm

Re: iOS VPN on Demand and pushed DNS

Post by mikelinehan » Fri Jan 23, 2015 8:45 pm

I have this issue as well. Is there going to ever be a fix?
