iPhone can only communicate with OpenVPN server

[rdibley]

I have OpenVPN installed on a router running OpenWRT. For several years now, it’s been configured using tap and bridging (for use with my laptops), and has been working great. I’ve just recently installed OpenVPN Connect on my iPhone, and have added a second configuration section to run another instance of OpenVPN on the router using a routed tun tunnel. The new configuration is very similar to the sample configuration files in the OpenVPN howto, but it doesn’t seem to work. My iPhone connects to the server just fine, and is assigned an IP address of 10.2.3.6, but it can’t connect to the web or anything other than the OpenVPN server at 10.2.3.1. What am I doing wrong?

My intent is to get it set up so that all the client’s traffic is routed through the VPN. I also would like to configure it so that it can connect to other computers on the router’s LAN, on the 10.2.1.0 network.

Here is the server configuration. The formatting is a little different for OpenWRT, but it should be obvious what each line does:

Server Configuration:

Code: Select all

config 'openvpn' 'lan1'                                                         
        option 'enable' '1'                                                     
        option 'port' '1194'                                                   
        option 'proto' 'udp'                                                    
        option 'dev' 'tun'                                                      
                                                                                
        option 'client_to_client' '1'                                           
        option 'keepalive' '10 120'                                             
        option 'cipher' 'AES-256-CBC'                                           
        option 'comp_lzo' '1'                                                   
        option 'persist_key' '1'                                                
        option 'persist_tun' '1'                                                
        option 'verb' '3'                                                       
        option 'ifconfig_pool_persist' '/tmp/ipp_tun.txt'                       
        option 'log' '/tmp/openvpn_tun_status.log'                              
        option 'ca' '/etc/openvpn/ca.crt'                                       
        option 'cert' '/etc/openvpn/server.crt'                                 
        option 'key' '/etc/openvpn/server.key'                                  
        option 'dh' '/etc/openvpn/dh2048.pem'                                   
        option 'server' '10.2.3.0 255.255.255.0'                                
        option 'push' 'route 10.2.3.0 255.255.255.0'                           
        list 'push' 'redirect-gateway def1'                                     
        list 'push' 'dhcp-option DNS 10.2.3.1'              

Client configuration:

Code: Select all

client
dev tun
proto udp
remote <myserverIP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher AES-256-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

[ecrist]

There is not currently support for the tap adapter on mobile devices.

[rdibley]

That's correct. My original configuration used tap, which I used with my laptops. Now I'm trying to add a second configuration using tun, for use with my iPhone. That's where I'm having trouble with the configuration.

[rdibley]

I figured it out. I had to add the following to my firewall rules:

Code: Select all

iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

I also removed the line from the server config file:

Code: Select all

option 'push' 'route 10.2.3.0 255.255.255.0'

After that, everything worked perfectly.