OpenVPN IOS9
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 30, 2012 3:29 pm
OpenVPN IOS9
I am troubleshooting issues with OpenVPN on my pfsense appliance.
From my IOS device I could access the internet via OpenVPN. However I could not access anything on my LAN. I was able to ping the tunnel IP.
After troubleshooting we determined it was the OpenVPN IOS client that didn't work. I set up a Windows client on my laptop and loaded the Windows profile in openvpn client. I connected to iPhone hotspot from my laptop and all was working well. Routing table OK and I was able to access my LAN.
I did some googling and read a lot of issues with IOS9 and the OpenVPN connect client. Some say disable IPv6, some say FAVOR_LZA (whatever that may be). My question is: does anybody have a working setup with IOS9 iPhone OpenVPN connect client, and can you share what you did to get your setup working?
I run an OpenVPN server on PFsense with traffic forced through the tunnel. I see my routes and DNS servers etc in OpenVPN log on my iPhone.
So it should be working well, but it doesn't.
Hope somebody can help.
Kind regards,
Mark
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 30, 2012 3:29 pm
Re: OpenVPN IOS9
Some more information (hopefully useful).
When I connect on my laptop through iPhone hotspot I see a default gateway set to the tunnel in my routing table.
When I connect my iPhone to my VPN and then my laptop to iPhone hotspot, the default gateway isn't set. So traffic is routed through the default gateway to the internet.
When inspecting the OpenVPN connect log I don't see anything wrong.
2016-08-10 09:35:13 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2016-08-10 09:35:13 Session is ACTIVE
2016-08-10 09:35:13 EVENT: GET_CONFIG
2016-08-10 09:35:13 Sending PUSH_REQUEST to server...
2016-08-10 09:35:14 OPTIONS:
0 [route] [192.168.20.0] [255.255.255.0]
1 [dhcp-option] [DOMAIN] [argus.local]
2 [dhcp-option] [DNS] [192.168.20.13]
3 [dhcp-option] [DNS] [192.168.20.15]
4 [dhcp-option] [NTP] [192.168.20.13]
5 [redirect-gateway] [def1]
6 [route-gateway] [10.15.10.1]
7 [topology] [subnet]
8 [ping] [10]
9 [ping-restart] [60]
10 [ifconfig] [10.15.10.2] [255.255.255.0]
However (although I cannot see the routing table on my iPhone) it looks like it isn't set.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 30, 2012 3:29 pm
Re: OpenVPN IOS9
Ok I downloaded an app to view the IOS routing table. What I suspected was true. The default gateway when connected to OpenVPN connect isn't set.
It's set to the normal gateway I get from connecting to my 4G net.
Routing tables:
Internet:
Destination         Gateway        Flags   Refs  Use  Netif    Expire
default             100.85.55.7    UGSc    193   3    pdp_ip0
-
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: OpenVPN IOS9
Perhaps you should read how --redirect-gateway def1 works .. it does not wipe out your current gateway, so the 4G gateway is the right one to see.
I suspect IPv6 is the real problem.
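An added illustration, not part of the original thread and not OpenVPN's own code: a small model of the documented behaviour of --redirect-gateway def1, showing why the existing default route stays in the table while lookups still go to the tunnel. The gateway, interface and subnet values come from the thread; the server address 203.0.113.10 is a constructed placeholder, and the helper names are hypothetical.

```python
import ipaddress

def route(net, gw, ifname):
    """One IPv4 routing-table entry: (network, gateway, interface)."""
    return (ipaddress.ip_network(net), gw, ifname)

def apply_redirect_gateway_def1(table, vpn_gw, vpn_if, server_ip):
    """Return a new table with the routes that def1 adds (nothing is removed)."""
    _, orig_gw, orig_if = next(r for r in table if r[0].prefixlen == 0)
    added = [
        # Pin the VPN server to the original gateway so the tunnel's own
        # packets are not routed back into the tunnel.
        route(f"{server_ip}/32", orig_gw, orig_if),
        # Two /1 routes cover all of IPv4 and beat 0.0.0.0/0 on prefix length.
        route("0.0.0.0/1", vpn_gw, vpn_if),
        route("128.0.0.0/1", vpn_gw, vpn_if),
    ]
    return table + added

def lookup(table, dest):
    """Longest-prefix match: return (gateway, interface) used for dest."""
    addr = ipaddress.ip_address(dest)
    best = max((r for r in table if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def defaults(table):
    """All 0.0.0.0/0 entries present in the table."""
    return [r for r in table if r[0].prefixlen == 0]

# Tunnel is up, def1 not yet applied. Values taken from the thread.
BEFORE = [
    route("0.0.0.0/0", "100.85.55.7", "pdp_ip0"),      # 4G default gateway
    route("10.15.10.0/24", "link", "utun0"),           # tunnel subnet
    route("192.168.20.0/24", "10.15.10.1", "utun0"),   # pushed LAN route
]
SERVER_IP = "203.0.113.10"  # constructed placeholder; the thread redacts the real one
AFTER = apply_redirect_gateway_def1(BEFORE, "10.15.10.1", "utun0", SERVER_IP)

if __name__ == "__main__":
    for dest in ("8.8.8.8", "198.51.100.7", "192.168.20.13", SERVER_IP):
        print(f"{dest:15} before={lookup(BEFORE, dest)} after={lookup(AFTER, dest)}")
    print("default routes unchanged:", defaults(AFTER) == defaults(BEFORE))
```

This covers IPv4 only: an IPv6 default route outside the tunnel is untouched by these routes.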
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 30, 2012 3:29 pm
Re: OpenVPN IOS9
Hi,
Thanks for your reply. What I noticed on my laptop is I got an additional gateway. On my iPhone I only see the 4G gateway.
I read about IPv6 as well. How can I disable it in openvpn?
Can you guide me to a working solution?
Kind regards,
Mark
-
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: OpenVPN IOS9
markb81 wrote: I read about IPv6 as well. How can I disable it in openvpn?
Unless you enabled IPv6 in your server config, IPv6 is disabled in OpenVPN by default ..
markb81 wrote: On my iPhone I only see the 4G gateway
Is this IPv4 or IPv6 gateway ?
If it is IPv6 (which I suspect) then you probably need IPv6 inside OpenVPN Tunnel:
https://community.openvpn.net/openvpn/wiki/IPv6
The more details you can supply, the easier it is to help ..
markb81 wrote: Can you guide me to a working solution?
This is the best place to start:
HOWTO: For OpenVPN Community Edition
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 30, 2012 3:29 pm
Re: OpenVPN IOS9
Hi,
On my iPhone I see both an IPv4 gateway and an IPv6 gateway. I'm not sure which one is used. If I visit whatsmyip with VPN connected I see the public IP of my mobile provider. I included my OpenVPN config like it is now, because I'm not sure what I need to modify.
Hope you can help. Thanks very much!
dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local <<IP_openvpn>>
tls-server
server 10.15.10.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'MY AD' false server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.external.nl' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 10
push "route 192.168.20.0 255.255.255.0"  # internal route to server vlan
push "dhcp-option DOMAIN argus.local"
push "dhcp-option DNS 192.168.20.13"  # internal dns server
push "dhcp-option DNS 192.168.20.15"  # internal dns server
push "dhcp-option NTP 192.168.20.13"
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
topology subnet
push "redirect-gateway def1"  # these are additional options I pushed, but they don't seem to do the trick
push "redirect-gateway local def1"  # these are additional options I pushed, but they don't seem to do the trick
push "redirect-gateway ipv6"  # these are additional options I pushed, but they don't seem to do the trick
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 30, 2012 3:29 pm
Re: OpenVPN IOS9
My iPhone's routing table:
Routing tables
Internet:
Destination         Gateway        Flags   Refs  Use  Netif    Expire
default             100.85.55.7    UGSc    193   3    pdp_ip0
default             link#11        UCSI    1     0    utun0
10.15.10/24         link#11        UCS     1     0    utun0
10.15.10.2          10.15.10.2     UH      1     0    utun0
100.85.55.7         100.85.55.7    UHr     192   0    pdp_ip0
100.85.55.7/32      link#2         UCS     1     0    pdp_ip0
127                 127.0.0.1      UCS     1     0    lo0
127.0.0.1           127.0.0.1      UH      2     0    lo0
<<my external ip>>  100.85.55.7    UGHS    1     0    pdp_ip0
224.0.0             link#2         UmCS    2     0    pdp_ip0
224.0.0.251         link#2         UHmWI   1     0    pdp_ip0
255.255.255.255/32  link#2         UCS     1     0    pdp_ip0
Internet6:
Destination                      Gateway            Flags  Netif  Expire
::1                              ::1                UHL    lo0
fe80::%lo0/64                    fe80::1%lo0        UcI    lo0
fe80::1%lo0                      link#1             UHLI   lo0
fe80::%awdl0/64                  link#10            UCI    awdl0
fe80::2087:f2ff:fe5a:91d3%awdl0  22:87:f2:5a:aa:bb  UHLI   lo0
ff01::%lo0/32                    ::1                UmCI   lo0
ff01::%en0/32                    link#8             UmCI   en0
ff01::%awdl0/32                  link#10            UmCI   awdl0
ff02::%lo0/32                    ::1                UmCI   lo0
ff02::%en0/32                    link#8             UmCI   en0
ff02::%awdl0/32                  link#10            UmCI   awdl0
-
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 30, 2012 3:29 pm
Re: OpenVPN IOS9
Hi,
Hope somebody can help me with this one. Issue still persists.
Kind regards,
Mark