OpenVPN Roadwarrior on mobile devices

NethServer Version: 7.6
Module: OpenVPN

tl;dr: Using OpenVPN in road warrior mode on my server, my iOS devices using the OpenVPN client version 3.0.2.(984), the latest version in the app store, can make a VPN connection successfully to my Neth Server. However, they can’t then reach the server manager (connection times out), resolve Internet hostnames (including the hostname of my Neth server itself), or connect to any outside hosts (including pinging by IP address).

I’m wanting to set up a VPN connection for my mobile devices for three reasons:

  • I want to be able to administer the Neth Server remotely
  • I want to protect my privacy when on public WiFi
  • I want to be able to connect to other resources on my home LAN when away from home.

What no doubt complicates this is that my Neth installation is on a Contabo VPS. It’s connected to my home network via an always-on OpenVPN connection to my pfSense router (the router is acting as a server, the Neth box as client). That VPN is on 192.168.3.0/24, my home network is 192.168.1.0/24, and the Roadwarrior OpenVPN configuration with Neth is on 192.168.10.0/24. Having some trouble figuring out where to go from here–thoughts?

[root@neth ~]# config show openvpn@host-to-net
openvpn@host-to-net=service
    AuthMode=certificate
    BridgeEndIP=
    BridgeName=br0
    BridgeStartIP=
    Cipher=
    ClientToClient=disabled
    Compression=enabled
    CustomRoutes=
    Digest=
    Mode=routed
    Netmask=255.255.255.0
    Network=192.168.10.0
    PushDns=1.1.1.1
    PushDomain=
    PushExtraRoutes=enabled
    PushNbdd=
    PushWins=
    Remote=
    RouteToVPN=enabled
    TapInterface=tap0
    TlsVersionMin=
    UDPPort=1194
    access=green,red
    status=enabled

Here’s my config; I can connect via my iPhone, and it appears to allow all these actions:

[root@Nethserver ~]# config show openvpn@host-to-net
openvpn@host-to-net=service
    AuthMode=certificate
    BridgeEndIP=
    BridgeName=br0
    BridgeStartIP=
    Cipher=
    ClientToClient=disabled
    Compression=enabled
    CustomRoutes=
    Digest=
    Mode=routed
    Netmask=255.255.255.0
    Network=192.168.160.0
    PushDns=
    PushDomain=
    PushExtraRoutes=enabled
    PushNbdd=
    PushWins=
    Remote=
    RouteToVPN=disabled
    TapInterface=tap0
    TlsVersionMin=
    UDPPort=1194
    access=red
    status=enabled
[root@Nethserver ~]#

Cheers,
Eddie

Are there any rules for allowing access to NethGui from network segments?

Other than pushing a DNS server, this is the only difference I see in our configurations–but I don’t see a control in the GUI to change it. Would you have any idea where that would be? Changing that through the CLI does seem to have resolved the problem, but it’s odd I don’t see it in the GUI.

Here ??


Cheers.

Yes, that would be it indeed. I could have sworn I’d clicked there when I was just looking at the GUI, but obviously not. The problem, though, is that disabling it would seem to mean that this objective:

…isn’t achieved. When RouteToVPN is disabled, I connect to the VPN using my phone, and then check my public IP address, it shows the public IP address of my home network, not that of my Neth server. Between this fact, and the description of that checkbox, it would appear that traffic isn’t being routed through the VPN unless I specifically request a local IP address.

What’s further strange is that my laptop doesn’t behave this way. With RouteToVPN enabled, it connects, and can reach the Internet without a problem. Whatever the problem is, it appears to be unique to the iPhone/iPad.

Any other thoughts on this? In short, when “Route all client traffic through VPN” is enabled, my mobile devices (iPhone/iPad) can’t communicate through the VPN at all. However, my laptop works just fine. When I turn off that option, the iPhone and iPad communicate just fine; they can reach hosts on the LAN as well as the Internet, but only traffic to the LAN travels over the VPN.

So nobody knows why OpenVPN isn’t working, or has any idea of how to troubleshoot it?

Please check if the OpenVPN client on the phone honors the server configuration for LZO compression. We have seen some cases where the client configuration produced by NethServer correctly has parameters for LZO compression, but the client doesn’t honor it: the VPN goes up, LZO compression is disabled, and no traffic can go through.


Thanks. The client does appear to support LZO, from what I can find on openvpn.net. I also note that it works just fine when “route all traffic” isn’t enabled–but having that disabled defeats a large part of the purpose for using the VPN in the first place.

Sorry for the late reply.

I also explained myself badly: I sincerely hoped the client supported LZO compression; what I meant is to verify whether the client instantiates the VPN tunnel with the correct compression, as specified by the .ovpn file, or not. If LZO compression is not turned on/off according to your server configuration, traffic will not be correctly managed by the peers (server and client), thus not enabling traffic in the tunnel.

For example, importing the .ovpn file produced by NethServer inside NetworkManager in GNOME doesn’t always produce the expected results: we often have to manually flag the compression options because they weren’t recognized inside the .ovpn file and were not applied (and our server was configured with compression).
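One way to check the compression mismatch described in the last two replies before importing a profile, as an added example that is not code from this thread or from NethServer: it parses a `config show` dump of the shape quoted above and a client `.ovpn` file, and reports when the server’s `Compression` setting and the profile’s `comp-lzo`/`compress` directive disagree. The sample dump and profile are constructed, the hostname is a placeholder, and the assumption that `Compression=enabled` corresponds to `comp-lzo` in the generated profile is mine.

```python
# Constructed sample of a NethServer 'config show openvpn@host-to-net' dump,
# in the same shape as the dumps quoted in this thread (values are sample data).
SERVER_DUMP = """openvpn@host-to-net=service
    Compression=enabled
    Network=192.168.10.0
    RouteToVPN=enabled
"""

# Constructed .ovpn profile with the compression line missing (the NetworkManager
# import situation described above); the remote hostname is a placeholder.
CLIENT_OVPN_MISSING = """client
dev tun
remote vpn.example.invalid 1194
<ca>
(certificate omitted in this constructed sample)
</ca>
"""
CLIENT_OVPN_OK = CLIENT_OVPN_MISSING.replace("dev tun", "dev tun\ncomp-lzo")

def parse_server_props(dump):
    """Turn the indented Key=Value lines of 'config show' into a dict."""
    props = {}
    for line in dump.splitlines()[1:]:  # first line is the record name and type
        key, _, value = line.strip().partition("=")
        if key:
            props[key] = value
    return props

def parse_ovpn(text):
    """Map each top-level directive to its arguments, skipping <tag>...</tag> blobs."""
    directives, inline = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("<"):  # "<ca>" opens an inline blob, "</ca>" closes it
            inline = not line.startswith("</")
        elif line and not inline and line[0] not in "#;":
            name, *args = line.split()
            directives[name] = args
    return directives

def check_compression(server_dump, ovpn_text):
    """Return a finding when the profile's LZO setting disagrees with the server, else None."""
    server_lzo = parse_server_props(server_dump).get("Compression") == "enabled"
    d = parse_ovpn(ovpn_text)
    if "comp-lzo" in d:
        client_lzo = d["comp-lzo"][:1] != ["no"]  # 'comp-lzo no' keeps framing, disables LZO
    else:
        client_lzo = d.get("compress", [])[:1] == ["lzo"]  # OpenVPN 2.4+ style directive
    if server_lzo != client_lzo:
        return "compression mismatch: server=%s client=%s" % (server_lzo, client_lzo)
    return None
```

Run `check_compression` against the real dump and the profile as the client actually imported it; a non-empty result is the case where the tunnel comes up but carries no traffic.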