I am trying to configure OpenVPN on iOS and want to clarify what the expected behavior is in this case.
My goal is to force the system to use the tunnel for ALL connections. For my lab tests I use Safari.
What I have achieved so far is that my local website (which is not available without the VPN) opens in Safari. So the tunnel itself works fine.
However, the issue I see is that the browser bypasses the tunnel for public resources. My VPN network does not have Internet access, so my expectation was that with the VPN turned on I would be able to open only internal websites, and all other public websites would not be available.
But it looks like the VPN does not block any connections and only makes internal resources available in addition to the resources that are available without the VPN tunnel.
So the question is: how do I force ALL traffic to go through the tunnel?
This is my server conf:
port 1194
proto udp
dev tun
server 10.1.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
duplicate-cn
keepalive 10 120
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-256-CBC
auth SHA512
script-security 2
auth-user-pass-verify "/etc/openvpn/webapp/manage.py ovpnauth" via-file
persist-key
persist-tun
status openvpn-status.log
verb 3
tls-server
tls-version-min 1.2
tls-auth ta.key 0
crl-verify crl.pem
route 10.1.0.1
push 'route 10.1.0.1'
push 'dhcp-option DNS 1.1.1.1'
This is the client conf:
client
dev tun
proto udp
remote s***.***.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA512
auth-user-pass
verb 3
tls-client
tls-version-min 1.2
key-direction 1
explicit-exit-notify 1
redirect-gateway def1 bypass-dhcp
<ca>
-----BEGIN CERTIFICATE-----
M***0MsB
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MI***A=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MI***Jg=
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
399***4ff
-----END OpenVPN Static key V1-----
</tls-auth>
Thanks!
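The configs as posted leave two things for the client to work out on its own: the server never pushes `redirect-gateway` (the client file is the only place it appears), and `redirect-gateway def1` only redirects IPv4, so on a dual-stack network any public site reachable over IPv6 is still contacted outside the tunnel unless the `ipv6` flag or `block-ipv6` is set. The pushed resolver 1.1.1.1 is also outside the VPN subnet, so once everything is tunnelled those queries have nowhere to go. The small linter below is an added example, not code from the post or from the OpenVPN project; it parses the two configs (copied from the post with the certificate blocks reduced to a placeholder and the elided hostname replaced by `vpn.example.net`) and reports those gaps, then re-runs on a hypothetical corrected server config that pushes `redirect-gateway def1 bypass-dhcp ipv6` and a resolver at 10.1.0.1 (assumed to be the server's tun address running a DNS forwarder).

```python
"""Lint an OpenVPN server/client config pair for full-tunnel gaps.

Added example, not code from the original post.  The checks rest on documented
OpenVPN directives: 'server', 'push', 'redirect-gateway' (flags such as def1,
bypass-dhcp, ipv6), 'block-ipv6' and 'dhcp-option DNS'.
"""
import ipaddress
import shlex

# Constructed input: the configs from the post.  Inline <ca>/<cert>/<key>/<tls-auth>
# blocks are reduced to a placeholder and the elided hostname is a placeholder too.
SERVER_CONF = """
port 1194
proto udp
dev tun
server 10.1.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
duplicate-cn
keepalive 10 120
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-256-CBC
auth SHA512
tls-auth ta.key 0
route 10.1.0.1
push 'route 10.1.0.1'
push 'dhcp-option DNS 1.1.1.1'
"""

CLIENT_CONF = """
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
auth-user-pass
key-direction 1
redirect-gateway def1 bypass-dhcp
<ca>
placeholder
</ca>
"""

# Hypothetical corrected server side (assumption: a resolver listens on the
# server's tun address 10.1.0.1): push the redirect for IPv4 and IPv6 from the
# server and hand out a DNS server that lives inside the VPN network.
FIXED_SERVER_CONF = SERVER_CONF.replace(
    "push 'dhcp-option DNS 1.1.1.1'",
    'push "redirect-gateway def1 bypass-dhcp ipv6"\npush "dhcp-option DNS 10.1.0.1"',
)


def parse(text):
    """Split an OpenVPN config into (name, args) pairs.  Quoting follows shell
    rules, '#'/';' start comments, inline <tag>...</tag> blocks are skipped."""
    out, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:
            in_block = not line.startswith("</")
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = True
            continue
        name, *args = shlex.split(line)
        out.append((name, tuple(args)))
    return out


def pushed(server):
    """Options the server pushes, parsed the same way as local directives."""
    out = []
    for name, args in server:
        if name == "push" and args:
            pname, *pargs = shlex.split(args[0])
            out.append((pname, tuple(pargs)))
    return out


def vpn_subnet(server):
    """Network from the 'server <net> <mask>' directive, or None."""
    for name, args in server:
        if name == "server" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return None


def lint(server_text, client_text):
    """Return human-readable findings; an empty list means no full-tunnel gap found."""
    server, client = parse(server_text), parse(client_text)
    pushes = pushed(server)
    effective = client + pushes  # what the client ends up applying
    findings = []

    redirects = [args for name, args in effective if name == "redirect-gateway"]
    if not redirects:
        findings.append("no redirect-gateway on the client or pushed by the server: "
                        "only pushed routes use the tunnel")
    else:
        flags = set().union(*redirects)
        if "ipv6" not in flags and not any(n == "block-ipv6" for n, _ in effective):
            findings.append("redirect-gateway has no 'ipv6' flag and block-ipv6 is absent: "
                            "IPv6 traffic still leaves via the local network on dual-stack connections")
        if not any(n == "redirect-gateway" for n, _ in pushes):
            findings.append("redirect-gateway is only in the client file: "
                            "push it from the server so every client gets it")

    net = vpn_subnet(server)
    for name, args in pushes:
        if name == "dhcp-option" and len(args) >= 2 and args[0].upper() == "DNS":
            addr = ipaddress.ip_address(args[1])
            if net is None or addr not in net:
                findings.append(f"pushed DNS {addr} is outside the VPN subnet {net}: with a full tunnel "
                                "the queries go through the VPN and fail if it has no Internet egress")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SERVER_CONF), ("corrected", FIXED_SERVER_CONF)):
        print(f"== server {label} ==")
        for finding in lint(conf, CLIENT_CONF) or ["OK"]:
            print(" -", finding)
```

The linter only reads the files; whether the iOS client actually installs the redirect is something to confirm on the device (the OpenVPN Connect log shows the routes it adds). The `ipv6` flag on `redirect-gateway` needs OpenVPN 2.4 or later, or the OpenVPN 3 core that the iOS app uses.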