Opened 6 years ago

Closed 6 years ago

#1030 closed Bug / Defect (notabug)

iOS: DNS is still not working over a tunnel with split DNS

Reported by: vtarrach Owned by: Antonio Quartulli
Priority: major Milestone:
Component: OpenVPN Connect Version: OpenVPN Connect for iOS v1.2.9
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

I installed the latest version on iPhone / iPad, but it's still not working.

We are using split tunneling; not all traffic from iOS is routed through the tunnel.
The OpenVPN client gets our DNS servers, as I can see in the log, but DNS through the tunnel is still not working.
OpenVPN version 1.2.9 on iOS.

We got it working with a workaround:
add the following line to the config file:

redirect-gateway def1

As VPN server we are using a Watchguard Firewall M4600.

Because our Watchguard distributes the config file, it's a lot of manual work to distribute the file manually.

Please check and solve the issue.

If you need further information, please contact me.

Best regards.

Volker Tarrach

Change History (11)

comment:1 Changed 6 years ago by Antonio Quartulli

Status: new → assigned
Version: OpenVPN Connect for iOS v1.2.9

Could you please paste here your configs (possibly both client and server) and your client log from the beginning of the connection?

Thanks

comment:2 Changed 6 years ago by vtarrach

Sorry for the delay!

Here is the log from the iOS devices:

2018-04-05 08:17:57 EVENT: RESOLVE
2018-04-05 08:17:57 Contacting [212.184.170.68]:443/TCP via TCP
2018-04-05 08:17:57 EVENT: WAIT
2018-04-05 08:17:57 Connecting to [212.184.170.68]:443 (212.184.170.68) via TCPv4
2018-04-05 08:17:58 EVENT: CONNECTING
2018-04-05 08:17:58 Tunnel Options:V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client
2018-04-05 08:17:58 Creds: Username/Password?
2018-04-05 08:17:58 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.2.9-0
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2

2018-04-05 08:17:58 VERIFY OK : depth=1
cert. version : 3
serial number : 5A:04:63:33
issuer name : O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN 80D602ACDEC1E 2017-11-09 14:16:18 UTC) CA
subject name : O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN 80D602ACDEC1E 2017-11-09 14:16:18 UTC) CA
issued on : 2017-10-10 14:16:19
expires on : 2027-11-07 14:16:19
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Digital Signature, Key Encipherment, Key Cert Sign, CRL Sign

2018-04-05 08:17:58 VERIFY OK : depth=0
cert. version : 3
serial number : 5A:04:63:33
issuer name : O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN 80D602ACDEC1E 2017-11-09 14:16:18 UTC) CA
subject name : O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server
issued on : 2017-10-10 14:16:19
expires on : 2027-11-07 14:16:19
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
key usage : Digital Signature
ext key usage : TLS Web Server Authentication

2018-04-05 08:17:58 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2018-04-05 08:17:58 Session is ACTIVE
2018-04-05 08:17:58 EVENT: GET_CONFIG
2018-04-05 08:17:58 Sending PUSH_REQUEST to server...
2018-04-05 08:17:59 OPTIONS:
0 [redirect-gateway] [def1]
1 [route] [192.168.2.0] [255.255.255.0]
2 [route] [192.168.11.0] [255.255.255.0]
3 [route] [192.168.30.0] [255.255.255.0]
4 [route] [192.168.31.0] [255.255.255.0]
5 [route] [192.168.32.0] [255.255.255.0]
6 [route] [192.168.33.0] [255.255.255.0]
7 [route] [192.168.34.0] [255.255.255.0]
8 [route] [192.168.35.0] [255.255.255.0]
9 [route] [192.168.36.0] [255.255.255.0]
10 [route] [192.168.37.0] [255.255.255.0]
11 [route] [192.168.38.0] [255.255.255.0]
12 [route] [192.168.40.0] [255.255.255.0]
13 [route] [192.168.41.0] [255.255.255.0]
14 [route] [192.168.42.0] [255.255.255.0]
15 [route] [192.168.43.0] [255.255.255.0]
16 [route] [192.168.44.0] [255.255.255.0]
17 [route] [192.168.12.0] [255.255.255.0]
18 [dhcp-option] [DOMAIN] [schb.local]
19 [dhcp-option] [DNS] [192.168.2.7]
20 [dhcp-option] [DNS] [192.168.2.15]
21 [route-gateway] [10.10.2.1]
22 [topology] [subnet]
23 [ping] [10]
24 [ping-restart] [60]
25 [ifconfig] [10.10.2.9] [255.255.255.0]

2018-04-05 08:17:59 PROTOCOL OPTIONS:

cipher: AES-256-CBC
digest: SHA256
compress: NONE
peer ID: -1

2018-04-05 08:17:59 EVENT: ASSIGN_IP
2018-04-05 08:17:59 NIP: preparing TUN network settings
2018-04-05 08:17:59 NIP: init TUN network settings with endpoint: 212.184.170.68
2018-04-05 08:17:59 NIP: adding IPv4 address to network settings 10.10.2.9/255.255.255.0
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 10.10.2.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.2.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.11.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.30.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.31.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.32.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.33.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.34.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.35.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.36.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.37.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.38.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.40.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.41.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.42.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.43.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.44.0/24
2018-04-05 08:17:59 NIP: adding (included) IPv4 route 192.168.12.0/24
2018-04-05 08:17:59 NIP: redirecting all IPv4 traffic to TUN interface
2018-04-05 08:17:59 NIP: adding match domain schb.local
2018-04-05 08:17:59 NIP: adding DNS 192.168.2.7
2018-04-05 08:17:59 NIP: adding DNS 192.168.2.15
2018-04-05 08:17:59 Connected via NetworkExtensionTUN
2018-04-05 08:17:59 EVENT: CONNECTED tr@212.184.170.68:443 (212.184.170.68) via /TCPv4 on NetworkExtensionTUN/10.10.2.9/ gw=/
2018-04-05 08:18:02 EVENT: DISCONNECTED
2018-04-05 08:18:02 Raw stats on disconnect:

BYTES_IN : 3693
BYTES_OUT : 2694
PACKETS_IN : 13
PACKETS_OUT : 13
TUN_BYTES_IN : 244
TUN_BYTES_OUT : 588
TUN_PACKETS_IN : 4
TUN_PACKETS_OUT : 4

2018-04-05 08:18:02 Performance stats on disconnect:

CPU usage (microseconds): 153533
Tunnel compression ratio (uplink): 11.041
Tunnel compression ratio (downlink): 6.28061
Network bytes per CPU second: 41600
Tunnel bytes per CPU second: 5419

2018-04-05 08:18:10 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28
2018-04-05 08:18:10 Frame=512/2048/512 mssfix-ctrl=1250
2018-04-05 08:18:10 UNUSED OPTIONS
8 [persist-key]
9 [persist-tun]
10 [verb] [3]
11 [mute] [20]
17 [nobind]
18 [mute-replay-warnings]

2018-04-05 08:18:10 EVENT: RESOLVE
2018-04-05 08:18:10 Contacting [212.184.170.68]:443/TCP via TCP
2018-04-05 08:18:10 EVENT: WAIT
2018-04-05 08:18:10 Connecting to [212.184.170.68]:443 (212.184.170.68) via TCPv4
2018-04-05 08:18:11 EVENT: CONNECTING
2018-04-05 08:18:11 Tunnel Options:V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client
2018-04-05 08:18:11 Creds: Username/Password?
2018-04-05 08:18:11 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.2.9-0
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2

2018-04-05 08:18:11 VERIFY OK : depth=1
cert. version : 3
serial number : 5A:04:63:33
issuer name : O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN 80D602ACDEC1E 2017-11-09 14:16:18 UTC) CA
subject name : O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN 80D602ACDEC1E 2017-11-09 14:16:18 UTC) CA
issued on : 2017-10-10 14:16:19
expires on : 2027-11-07 14:16:19
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Digital Signature, Key Encipherment, Key Cert Sign, CRL Sign

2018-04-05 08:18:11 VERIFY OK : depth=0
cert. version : 3
serial number : 5A:04:63:33
issuer name : O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN 80D602ACDEC1E 2017-11-09 14:16:18 UTC) CA
subject name : O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server
issued on : 2017-10-10 14:16:19
expires on : 2027-11-07 14:16:19
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
key usage : Digital Signature
ext key usage : TLS Web Server Authentication

2018-04-05 08:18:11 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2018-04-05 08:18:11 Session is ACTIVE
2018-04-05 08:18:11 EVENT: GET_CONFIG
2018-04-05 08:18:11 Sending PUSH_REQUEST to server...
2018-04-05 08:18:11 OPTIONS:
0 [route] [192.168.2.0] [255.255.255.0]
1 [route] [192.168.11.0] [255.255.255.0]
2 [route] [192.168.30.0] [255.255.255.0]
3 [route] [192.168.31.0] [255.255.255.0]
4 [route] [192.168.32.0] [255.255.255.0]
5 [route] [192.168.33.0] [255.255.255.0]
6 [route] [192.168.34.0] [255.255.255.0]
7 [route] [192.168.35.0] [255.255.255.0]
8 [route] [192.168.36.0] [255.255.255.0]
9 [route] [192.168.37.0] [255.255.255.0]
10 [route] [192.168.38.0] [255.255.255.0]
11 [route] [192.168.40.0] [255.255.255.0]
12 [route] [192.168.41.0] [255.255.255.0]
13 [route] [192.168.42.0] [255.255.255.0]
14 [route] [192.168.43.0] [255.255.255.0]
15 [route] [192.168.44.0] [255.255.255.0]
16 [route] [192.168.12.0] [255.255.255.0]
17 [dhcp-option] [DOMAIN] [schb.local]
18 [dhcp-option] [DNS] [192.168.2.7]
19 [dhcp-option] [DNS] [192.168.2.15]
20 [route-gateway] [10.10.2.1]
21 [topology] [subnet]
22 [ping] [10]
23 [ping-restart] [60]
24 [ifconfig] [10.10.2.9] [255.255.255.0]

2018-04-05 08:18:11 PROTOCOL OPTIONS:

cipher: AES-256-CBC
digest: SHA256
compress: NONE
peer ID: -1

2018-04-05 08:18:11 EVENT: ASSIGN_IP
2018-04-05 08:18:11 NIP: preparing TUN network settings
2018-04-05 08:18:11 NIP: init TUN network settings with endpoint: 212.184.170.68
2018-04-05 08:18:11 NIP: adding IPv4 address to network settings 10.10.2.9/255.255.255.0
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 10.10.2.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.2.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.11.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.30.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.31.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.32.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.33.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.34.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.35.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.36.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.37.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.38.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.40.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.41.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.42.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.43.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.44.0/24
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.12.0/24
2018-04-05 08:18:11 NIP: adding match domain schb.local
2018-04-05 08:18:11 NIP: adding DNS 192.168.2.7
2018-04-05 08:18:11 NIP: adding DNS 192.168.2.15
2018-04-05 08:18:11 NIP: adding DNS specific routes:
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.2.7/32
2018-04-05 08:18:11 NIP: adding (included) IPv4 route 192.168.2.15/32
2018-04-05 08:18:11 Connected via NetworkExtensionTUN
2018-04-05 08:18:11 EVENT: CONNECTED tr@212.184.170.68:443 (212.184.170.68) via /TCPv4 on NetworkExtensionTUN/10.10.2.9/ gw=/

comment:3 Changed 6 years ago by vtarrach

Client config file:

Hint: I deleted the certificates!

dev tun
client
proto tcp
<ca>



</ca>
<cert>



</cert>
<key>



</key>
remote-cert-eku "TLS Web Server Authentication"
remote 212.184.170.68 443
persist-key
persist-tun
verb 3
mute 20
keepalive 10 60
cipher AES-256-CBC
auth SHA256
float
reneg-sec 3660
nobind
mute-replay-warnings
auth-user-pass
;remember_connection 0
;auto_reconnect 1

comment:4 Changed 6 years ago by Antonio Quartulli

You are pushing this to the client:

 2018-04-05 08:18:11 NIP: adding match domain schb.local

therefore only hostnames of the form *.schb.local will be resolved using the VPN DNS.

comment:6 Changed 6 years ago by vtarrach

Server config:

We are using a Watchguard Firewall M4600 as VPN gateway. I extracted the SSLVPN configuration part from the firewall config. I hope this helps:

<sslvpn>
  <name>SSL-VPN</name>
  <description></description>
  <property>0</property>
  <enable>1</enable>
  <remember-connection>0</remember-connection>
  <auto-reconnect>1</auto-reconnect>
  <mode>3</mode>
  <networking-mode>1</networking-mode>
  <gateway>
    <listen-to></listen-to>
    <ip-domain-list>
      <ip-domain>xxx.xxx.xxx.xxx</ip-domain>
    </ip-domain-list>
    <port>443</port>
    <mtu>1500</mtu>
    <protocol>2</protocol>
    <compression>1</compression>
    <reneg-datachannel>3660</reneg-datachannel>
  </gateway>
  <auth>
    <dh>1</dh>
    <hash>3</hash>
    <cipher>5</cipher>
    <force-auth-reconnect>0</force-auth-reconnect>
    <require-client-cert>1</require-client-cert>
  </auth>
  <peer>
    <local-routes>
      <route>
        <ip>192.168.2.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.11.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.30.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.31.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.32.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.33.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.34.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.35.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.36.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.37.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.38.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.40.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.41.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.42.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.43.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.44.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
      <route>
        <ip>192.168.12.0</ip>
        <netmask>255.255.255.0</netmask>
      </route>
    </local-routes>
    <remote-routes />
    <pool-list>
      <pool>
        <network>10.10.2.0</network>
        <netmask>255.255.255.0</netmask>
      </pool>
    </pool-list>
    <dns>
      <dns-domain>schb.local</dns-domain>
      <ip-list>
        <ip>192.168.2.7</ip>
        <ip>192.168.2.15</ip>
      </ip-list>
    </dns>
    <wins />
    <redirect-gateway>0</redirect-gateway>
    <use-firebox-routes>0</use-firebox-routes>
    <client-to-client>0</client-to-client>
    <keepalive>
      <interval>10</interval>
      <timeout>60</timeout>
    </keepalive>
  </peer>
  <server-mode>1</server-mode>
</sslvpn>

comment:7 in reply to: 4; Changed 6 years ago by vtarrach

Replying to ordex:

> You are pushing this to the client:
>
>  2018-04-05 08:18:11 NIP: adding match domain schb.local
>
> therefore only hostnames of the form *.schb.local will be resolved using the VPN DNS.

For my understanding:
if I add this domain (schb.local), DNS is only working for hostnames belonging to that domain?
The DNS servers pushed from SSLVPN are not taking precedence over DNS servers from the internet, so I can resolve internal hostnames using other domains?

comment:8 in reply to: 7; Changed 6 years ago by Antonio Quartulli

Replying to vtarrach:

> Replying to ordex:
>
> > You are pushing this to the client:
> >
> >  2018-04-05 08:18:11 NIP: adding match domain schb.local
> >
> > therefore only hostnames of the form *.schb.local will be resolved using the VPN DNS.
>
> For my understanding:
> if I add this domain (schb.local), DNS is only working for hostnames belonging to that domain?

Yes.

> The DNS servers pushed from SSLVPN are not taking precedence over DNS servers from the internet,

Correct.
Unless you do NOT specify any domain: in that case the VPN DNS will be used for every domain.

> so I can resolve internal hostnames using other domains?

Other domains? Sorry, this question is not clear.
But basically, with your configuration, any hostname that does NOT end with "*.schb.local" will be resolved using the original system DNS.

Please have a look at the FAQ link, because it should explain this mechanism a bit better.
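
The rule explained in this thread (a pushed `dhcp-option DOMAIN` becomes a match domain, so only names under it use the pushed DNS servers, while without any DOMAIN every name does) can be checked against a pushed OPTIONS block before a profile is rolled out. The following Python is an added example written for this page, not OpenVPN Connect or Apple NetworkExtension code: it parses the bracketed OPTIONS lines in the format the logs above use, builds the split-DNS policy, and reports which resolvers a given hostname would reach. The sample OPTIONS text mirrors the two pushes in comment:2 and comment:10; the system resolver address 9.9.9.9 and the test hostnames are constructed, and label-boundary suffix matching is this model's assumption about how the match domain is applied.

```python
"""Model of the split-DNS behaviour discussed in this ticket (added example, not
OpenVPN or Apple code): a pushed `dhcp-option DOMAIN <d>` becomes a match domain,
so only names under <d> use the pushed DNS servers; with no DOMAIN pushed, every
name uses them."""
import re

# Constructed samples: the DNS-related tail of the OPTIONS block, once with the
# DOMAIN push (as in comment:2) and once without it (as in comment:10).
OPTIONS_WITH_DOMAIN = """\
17 [dhcp-option] [DOMAIN] [schb.local]
18 [dhcp-option] [DNS] [192.168.2.7]
19 [dhcp-option] [DNS] [192.168.2.15]
20 [route-gateway] [10.10.2.1]
"""
OPTIONS_NO_DOMAIN = """\
17 [dhcp-option] [DNS] [192.168.2.7]
18 [dhcp-option] [DNS] [192.168.2.15]
19 [route-gateway] [10.10.2.1]
"""

# Constructed placeholder for the resolvers the device used before the tunnel came up.
SYSTEM_DNS = ["9.9.9.9"]

# One OPTIONS line: an index followed by one or more bracketed tokens.
OPTION_LINE = re.compile(r"^\s*\d+\s+((?:\[[^\]]*\]\s*)+)$")


def parse_pushed_options(text):
    """Turn the bracketed OPTIONS lines into token lists, skipping anything else."""
    options = []
    for line in text.splitlines():
        m = OPTION_LINE.match(line)
        if m:
            options.append(re.findall(r"\[([^\]]*)\]", m.group(1)))
    return options


class SplitDnsPolicy:
    """Resolver selection for one hostname under a pushed DNS/DOMAIN set."""

    def __init__(self, vpn_dns, match_domains, system_dns=SYSTEM_DNS):
        self.vpn_dns = list(vpn_dns)
        # Normalise to lowercase without a trailing dot so suffix matching is exact.
        self.match_domains = [d.lower().rstrip(".") for d in match_domains]
        self.system_dns = list(system_dns)

    @classmethod
    def from_options(cls, options, system_dns=SYSTEM_DNS):
        """Collect `dhcp-option DNS` and `dhcp-option DOMAIN` entries from parsed options."""
        vpn_dns, domains = [], []
        for tokens in options:
            if len(tokens) >= 3 and tokens[0] == "dhcp-option":
                if tokens[1] == "DNS":
                    vpn_dns.append(tokens[2])
                elif tokens[1] == "DOMAIN":
                    domains.append(tokens[2])
        return cls(vpn_dns, domains, system_dns)

    def resolvers_for(self, name):
        """VPN DNS for names under a match domain (or for everything when no
        match domain was pushed); the original system DNS otherwise."""
        if not self.vpn_dns:
            return self.system_dns
        if not self.match_domains:
            return self.vpn_dns
        name = name.lower().rstrip(".")
        # Assumption of this model: matching is on a label boundary, so
        # "x.schb.local" and "schb.local" match but "notschb.local" does not.
        for domain in self.match_domains:
            if name == domain or name.endswith("." + domain):
                return self.vpn_dns
        return self.system_dns

    def not_via_vpn(self, names):
        """Names that go to the system resolver: the internal hosts outside the
        match domain that the reporter saw failing to resolve."""
        return [n for n in names if self.resolvers_for(n) != self.vpn_dns]


if __name__ == "__main__":
    # Constructed hostnames: one under the pushed domain, one internal name outside it.
    hosts = ("fileserver.schb.local", "intranet.example.internal")
    for label, text in (("with DOMAIN", OPTIONS_WITH_DOMAIN),
                        ("without DOMAIN", OPTIONS_NO_DOMAIN)):
        policy = SplitDnsPolicy.from_options(parse_pushed_options(text))
        for host in hosts:
            print(f"{label}: {host} -> {policy.resolvers_for(host)}")
        print(f"{label}: not via VPN DNS -> {policy.not_via_vpn(hosts)}")
```

Running it shows the two outcomes from the thread side by side: with `DOMAIN schb.local` pushed, only `fileserver.schb.local` reaches 192.168.2.7/192.168.2.15 and the other internal name falls back to the system resolver; with the DOMAIN entry removed, both names use the VPN resolvers. `not_via_vpn` is the pre-rollout check: feed it the internal hostnames a profile is supposed to serve and an empty list means the pushed DOMAIN set covers them all.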

comment:9 Changed 6 years ago by vtarrach

I removed the domain schb.local from Watchguard config, I checked behavior on some iPhones and it seems to be working. Thanks for your very fast support!!

I will check it on other iOS devices in the next days.
best regards,
Volker

comment:10 Changed 6 years ago by vtarrach

My new config:

2018-04-05 08:56:04 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2018-04-05 08:56:04 Session is ACTIVE
2018-04-05 08:56:04 EVENT: GET_CONFIG
2018-04-05 08:56:04 Sending PUSH_REQUEST to server...
2018-04-05 08:56:04 OPTIONS:
0 [route] [192.168.2.0] [255.255.255.0]
1 [route] [192.168.11.0] [255.255.255.0]
2 [route] [192.168.30.0] [255.255.255.0]
3 [route] [192.168.31.0] [255.255.255.0]
4 [route] [192.168.32.0] [255.255.255.0]
5 [route] [192.168.33.0] [255.255.255.0]
6 [route] [192.168.34.0] [255.255.255.0]
7 [route] [192.168.35.0] [255.255.255.0]
8 [route] [192.168.36.0] [255.255.255.0]
9 [route] [192.168.37.0] [255.255.255.0]
10 [route] [192.168.38.0] [255.255.255.0]
11 [route] [192.168.40.0] [255.255.255.0]
12 [route] [192.168.41.0] [255.255.255.0]
13 [route] [192.168.42.0] [255.255.255.0]
14 [route] [192.168.43.0] [255.255.255.0]
15 [route] [192.168.44.0] [255.255.255.0]
16 [route] [192.168.12.0] [255.255.255.0]
17 [dhcp-option] [DNS] [192.168.2.7]
18 [dhcp-option] [DNS] [192.168.2.15]
19 [route-gateway] [10.10.2.1]
20 [topology] [subnet]
21 [ping] [10]
22 [ping-restart] [60]
23 [ifconfig] [10.10.2.3] [255.255.255.0]

comment:11 Changed 6 years ago by Antonio Quartulli

Resolution: notabug
Status: assigned → closed

Glad it works now!

Please feel free to use the forum if you need additional support. I am closing this ticket as it was not a bug.
