I used Mullvad VPN that is configured to use Swedish DNS. I can confirm that running the OpenVPN Connect app does not work on iOS 9. It will connect but none of the traffic will go through the tunnel.
I can confirm that none of the traffic goes through the tunnel because I have a DNS leak. My IP address is exposed after running the standard DNS leak tests.
I would like to file a bug on a necessary fix to correct the iOS 9 behavior of failure to create an encrypted tunnel on iOS.
Device logs below.
2015-10-17 16:07:52 ----- OpenVPN Start -----
OpenVPN core 3.0 ios armv7s thumb2 32-bit
2015-10-17 16:07:52 UNUSED OPTIONS
4 [tun-ipv6]
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
10 [verb] [3]
13 [script-security] [2]
14 [up] [/etc/openvpn/update-resolv-conf]
15 [down] [/etc/openvpn/update-resolv-conf]
2015-10-17 16:07:52 LZO-ASYM init swap=0 asym=0
2015-10-17 16:07:52 EVENT: RESOLVE
2015-10-17 16:07:53 Contacting 193.138.219.240:1194 via UDP
2015-10-17 16:07:53 EVENT: WAIT
2015-10-17 16:07:53 SetTunnelSocket returned 1
2015-10-17 16:07:53 Connecting to se.mullvad.net:1194 (193.138.219.240) via UDPv4
2015-10-17 16:07:53 EVENT: CONNECTING
2015-10-17 16:07:53 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2015-10-17 16:07:53 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1
2015-10-17 16:07:55 VERIFY OK: depth=2
cert. version : 3
serial number : 84:68:2E:A0:51:2A:BB:D4
issuer name : C=NA, ST=None, L=None, O=Mullvad, CN=Mullvad CA, emailAddress=info@mullvad.net
subject name : C=NA, ST=None, L=None, O=Mullvad, CN=Mullvad CA, emailAddress=info@mullvad.net
issued on : 2009-03-24 06:47:25
expires on : 2019-03-22 06:47:25
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=true
2015-10-17 16:07:55 VERIFY OK: depth=1
cert. version : 3
serial number : 03
issuer name : C=NA, ST=None, L=None, O=Mullvad, CN=Mullvad CA, emailAddress=info@mullvad.net
subject name : C=NA, ST=None, L=None, O=Mullvad, CN=master.mullvad.net, emailAddress=info@mullvad.net
issued on : 2009-03-24 16:19:48
expires on : 2019-03-22 16:19:48
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=true
2015-10-17 16:07:55 VERIFY OK: depth=0
cert. version : 3
serial number : 12:02:D6
issuer name : C=NA, ST=None, L=None, O=Mullvad, CN=master.mullvad.net, emailAddress=info@mullvad.net
subject name : C=NA, ST=None, L=None, O=Mullvad, CN=se5.mullvad.net, emailAddress=info@mullvad.net
issued on : 2014-10-23 08:49:11
expires on : 2024-10-20 08:49:11
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2015-10-17 16:07:57 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2015-10-17 16:07:57 Session is ACTIVE
2015-10-17 16:07:57 EVENT: GET_CONFIG
2015-10-17 16:07:57 Sending PUSH_REQUEST to server...
2015-10-17 16:07:58 OPTIONS:
0 [ifconfig-ipv6] [fda6:3611:2428:8::1019/112] [fda6:3611:2428:8::]
1 [redirect-gateway] [def1] [bypass-dhcp]
2 [dhcp-option] [DNS] [10.8.0.1]
3 [route-ipv6] [0000::/2]
4 [route-ipv6] [4000::/2]
5 [route-ipv6] [8000::/2]
6 [route-ipv6] [C000::/2]
7 [route-gateway] [10.8.0.1]
8 [topology] [subnet]
9 [ifconfig] [10.8.0.27] [255.255.0.0]
2015-10-17 16:07:58 LZO-ASYM init swap=0 asym=0
2015-10-17 16:07:58 EVENT: ASSIGN_IP
2015-10-17 16:07:58 Connected via tun
2015-10-17 16:07:58 EVENT: CONNECTED @se.mullvad.net:1194 (193.138.219.240) via /UDPv4 on tun/10.8.0.27/fda6:3611:2428:8::1019
2015-10-17 16:07:58 SetStatus Connected
2015-10-17 16:12:20 TUN reset routes
2015-10-17 16:12:20 EVENT: DISCONNECTED
2015-10-17 16:12:20 Raw stats on disconnect:
BYTES_IN : 678762
BYTES_OUT : 96050
PACKETS_IN : 774
PACKETS_OUT : 735
TUN_BYTES_IN : 69379
TUN_BYTES_OUT : 649491
TUN_PACKETS_IN : 657
TUN_PACKETS_OUT : 698
2015-10-17 16:12:20 Performance stats on disconnect:
CPU usage (microseconds): 554198
Tunnel compression ratio (uplink): 1.38442
Tunnel compression ratio (downlink): 1.04507
Network bytes per CPU second: 1398077
Tunnel bytes per CPU second: 1297135
2015-10-17 16:12:20 ----- OpenVPN Stop -----
2015-10-20 00:55:11 ----- OpenVPN Start -----
OpenVPN core 3.0 ios armv7s thumb2 32-bit
2015-10-20 00:55:11 UNUSED OPTIONS
4 [tun-ipv6]
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
10 [verb] [3]
13 [script-security] [2]
14 [up] [/etc/openvpn/update-resolv-conf]
15 [down] [/etc/openvpn/update-resolv-conf]
2015-10-20 00:55:11 LZO-ASYM init swap=0 asym=0
2015-10-20 00:55:11 EVENT: RESOLVE
2015-10-20 00:55:12 Contacting 193.138.219.227:1194 via UDP
2015-10-20 00:55:12 EVENT: WAIT
2015-10-20 00:55:12 SetTunnelSocket returned 1
2015-10-20 00:55:12 Connecting to se.mullvad.net:1194 (193.138.219.227) via UDPv4
2015-10-20 00:55:13 EVENT: CONNECTING
2015-10-20 00:55:13 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2015-10-20 00:55:13 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1
2015-10-20 00:55:15 VERIFY OK: depth=2
cert. version : 3
serial number : 84:68:2E:A0:51:2A:BB:D4
issuer name : C=NA, ST=None, L=None, O=Mullvad, CN=Mullvad CA, emailAddress=info@mullvad.net
subject name : C=NA, ST=None, L=None, O=Mullvad, CN=Mullvad CA, emailAddress=info@mullvad.net
issued on : 2009-03-24 06:47:25
expires on : 2019-03-22 06:47:25
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=true
2015-10-20 00:55:15 VERIFY OK: depth=1
cert. version : 3
serial number : 03
issuer name : C=NA, ST=None, L=None, O=Mullvad, CN=Mullvad CA, emailAddress=info@mullvad.net
subject name : C=NA, ST=None, L=None, O=Mullvad, CN=master.mullvad.net, emailAddress=info@mullvad.net
issued on : 2009-03-24 16:19:48
expires on : 2019-03-22 16:19:48
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=true
2015-10-20 00:55:15 VERIFY OK: depth=0
cert. version : 3
serial number : 0F:CD:86
issuer name : C=NA, ST=None, L=None, O=Mullvad, CN=master.mullvad.net, emailAddress=info@mullvad.net
subject name : C=NA, ST=None, L=None, O=Mullvad, CN=se4.mullvad.net, emailAddress=info@mullvad.net
issued on : 2014-04-08 19:03:33
expires on : 2024-04-05 19:03:33
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2015-10-20 00:55:16 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2015-10-20 00:55:16 Session is ACTIVE
2015-10-20 00:55:16 EVENT: GET_CONFIG
2015-10-20 00:55:16 Sending PUSH_REQUEST to server...
2015-10-20 00:55:17 Sending PUSH_REQUEST to server...
2015-10-20 00:55:18 OPTIONS:
0 [ifconfig-ipv6] [fdfe:d671:bd23:8::100d/112] [fdfe:d671:bd23:8::]
1 [redirect-gateway] [def1] [bypass-dhcp]
2 [dhcp-option] [DNS] [10.8.0.1]
3 [route-ipv6] [0000::/2]
4 [route-ipv6] [4000::/2]
5 [route-ipv6] [8000::/2]
6 [route-ipv6] [C000::/2]
7 [route-gateway] [10.8.0.1]
8 [topology] [subnet]
9 [ifconfig] [10.8.0.15] [255.255.0.0]
2015-10-20 00:55:18 LZO-ASYM init swap=0 asym=0
2015-10-20 00:55:18 EVENT: ASSIGN_IP
2015-10-20 00:55:18 Connected via tun
2015-10-20 00:55:18 EVENT: CONNECTED @se.mullvad.net:1194 (193.138.219.227) via /UDPv4 on tun/10.8.0.15/fdfe:d671:bd23:8::100d
2015-10-20 00:55:18 SetStatus Connected
Sent from my iPhone using Tapatalk
OpenVPN Connect
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: OpenVPN Connect
While this forum does not provide support for Mullvad-VPN .. I will comment on this:

gingerbugmeister wrote:
2015-10-17 16:07:57 Sending PUSH_REQUEST to server...
2015-10-17 16:07:58 OPTIONS:
0 [ifconfig-ipv6] [fda6:3611:2428:8::1019/112] [fda6:3611:2428:8::]
1 [redirect-gateway] [def1] [bypass-dhcp]
2 [dhcp-option] [DNS] [10.8.0.1]

iOS seems to accept this OK .. perhaps Mullvad have something wrong their end .. you will have to ask Mullvad about that.

gingerbugmeister wrote:
2015-10-17 16:07:52 UNUSED OPTIONS
4 [tun-ipv6]
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
10 [verb] [3]
13 [script-security] [2]
14 [up] [/etc/openvpn/update-resolv-conf]
15 [down] [/etc/openvpn/update-resolv-conf]

update-resolv-conf is for Linux distros to set the DNS servers to the pushed options. Clearly OpenVPN Connect app does not support this method.

Personally, I cannot help much with this as I do not have access to iOS, however ..
If you want to spend some time searching the Forum to find answers try this:
Try this in google (example):
site:forums.openvpn.net iOS dhcp-option DNS
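
A way to check a client log like the one posted in this thread for the points raised in the reply above, as an added example that is not part of the thread or of OpenVPN: it lists the options the client reported as unused, the options the server pushed, and the tunnel byte counters. The function names `parse_log` and `triage` are hypothetical, and the sample is an excerpt trimmed from the posted log.

```python
import re

# Excerpt trimmed from the first session of the log posted in this thread.
SAMPLE_LOG = """\
2015-10-17 16:07:52 UNUSED OPTIONS
4 [tun-ipv6]
14 [up] [/etc/openvpn/update-resolv-conf]
15 [down] [/etc/openvpn/update-resolv-conf]
2015-10-17 16:07:58 OPTIONS:
1 [redirect-gateway] [def1] [bypass-dhcp]
2 [dhcp-option] [DNS] [10.8.0.1]
3 [route-ipv6] [0000::/2]
2015-10-17 16:12:20 Raw stats on disconnect:
TUN_BYTES_IN : 69379
TUN_BYTES_OUT : 649491
"""

TIMESTAMP = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ")
OPTION = re.compile(r"^\d+\s+\[.*\]$")            # e.g. "2 [dhcp-option] [DNS] [10.8.0.1]"
STAT = re.compile(r"^([A-Z_]+)\s*:\s*(\d+)$")     # e.g. "TUN_BYTES_IN : 69379"
SECTIONS = {"UNUSED OPTIONS": "unused", "OPTIONS:": "pushed"}

def parse_log(text):
    """Collect unused options, pushed options and raw counters; any other
    timestamped line closes the option list that is currently open."""
    out, section = {"unused": [], "pushed": [], "stats": {}}, None
    for line in map(str.strip, text.splitlines()):
        if TIMESTAMP.match(line):
            section = SECTIONS.get(TIMESTAMP.sub("", line))
        elif section and OPTION.match(line):
            out[section].append(re.findall(r"\[([^\]]*)\]", line))
        elif STAT.match(line):
            name, value = STAT.match(line).groups()
            out["stats"][name] = int(value)
    return out

def triage(parsed):
    """Summarise what the log says about routing, DNS and tunnel traffic."""
    pushed, stats = parsed["pushed"], parsed["stats"]
    return {
        "redirect_gateway_pushed": any(o[0] == "redirect-gateway" for o in pushed),
        "pushed_dns": [o[2] for o in pushed if o[:2] == ["dhcp-option", "DNS"] and len(o) > 2],
        "ipv6_routes_pushed": sum(o[0] == "route-ipv6" for o in pushed),
        "unused_options": sorted({o[0] for o in parsed["unused"]}),
        "tun_bytes": (stats.get("TUN_BYTES_IN", 0), stats.get("TUN_BYTES_OUT", 0)),
    }

if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```
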
-
- OpenVpn Newbie
- Posts: 5
- Joined: Tue Oct 20, 2015 7:36 am
Re: OpenVPN Connect
This is the default iOS config which one downloads from the VPN client site. The [update-resolv-conf] config for Linux you mentioned is unrelated to OpenVPN failing to create an encrypted tunnel. Again, this setting is set by default in the config file and works fine on Windows 10. I do think it's bug 614, related to double stack v6/v4 traffic and IPv4 leakage.
Sent from my Arch LinuxPhone using Tapatalk