#1  Untangler | Join Date: Sep 2019 | Location: Canada | Posts: 39

    OpenVPN + iPhone = sore forehead

    So first off, I'm sure this is a config error on my part but wondering if anyone else had this issue and/or able to help me.

    What I want:
    Access to my home network from remote locations while I travel, both on my iPhone and laptop. Also, I want all traffic to route via the tunnel using my Pi-hole DNS servers -- so no split tunneling.

    What is happening:
    -on macOS 10.15.4 using Tunnelblick everything is working perfectly.
    -on my iPhone (iOS 13.5) nothing seems to resolve. Google works, but I suspect there's some DNS-over-HTTPS magic happening. Any other site, external or internal: no access. I am using the OpenVPN app.
    -Untangle 15.0.0

    Error Messages:

    Tunnelblick Connection Errors noticed on laptop but still successful connection:
    Code:
    Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: register-dns (2.4.8)
    Code:
    Tunnelblick:  NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
    iPhone Errors:
    None that I've seen. It shows that I'm connected with a few KB of traffic, but it doesn't go anywhere. Almost like it's refusing to push DNS, but I see the entries there. No access to the internet except Google. No access to internal resources like web pages/apps on my LAN.

    What I did:
    -RTFW for OpenVPN on Untangle
    -forwarded my port to Untangle, UDP 1194 (don't need 443 as far as I can tell, as no one will need to download configs)
    -set up OpenVPN

    Server Config:
    [Screenshot attached: Screen Shot 2020-05-21 at 10.57.10 AM.jpg]

    Client Config:
    [Screenshot attached: Screen Shot 2020-05-21 at 10.58.57 AM.jpg]

    Group Policy:
    Note: I did try with an external DNS to see if I could at least get external website access, but still through the tunnel. Still no go. I would prefer the setup that is "enabled" in the screenshot below:

    [Screenshot attached: Screen Shot 2020-05-21 at 11.19.02 AM.jpg]

    Exported Networks:
    -it's the internal subnet, x.x.x.x/24

    My apologies if the answer to this is posted elsewhere. Any help or pointers would be greatly appreciated.
    Last edited by propellherhead333; 05-21-2020 at 08:21 AM.

#2  Jim.Alles (Untangle Ninja) | Join Date: Jul 2008 | Location: Central PA | Posts: 2,442

    Quote Originally Posted by propellherhead333 View Post
    What I want:
    Access to my home network from remote locations while I travel both on my iphone and laptop. Also, I want all traffic to route via the tunnel using my pi-hole dns servers -- so no split tunneling.
    This is a noble goal!


    Error Messages:
    Tunnelblick Connection Errors noticed on laptop but still successful connection:
    Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: register-dns (2.4.8)
    Tunnelblick: NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
    "It is always DNS."
    https://openvpn.net/vpn-server-resources/troubleshooting-dns-resolution-problems/

    To get something out of the way here: Google probably isn't doing DoH yet unless you tell it to. The dust hasn't settled, but they are experimenting cautiously. I have seen that Google's stuff has 8.8.8.8 hard-coded in it, and it prefers to use Google DNS unless you convince it otherwise.

    The fact that a lot of things are broken is a good sign, it shows that you have taken over your network.

    What to do:
    Well, you are going to have to learn more than you ever wanted to know about Domain Name Service (DNS). The headache will make you forget about the sore forehead.

    My contribution here is going to be minimal for now, because no, it is not a simple configuration error. You are going to have to grok the architecture of this, because you are doing something custom. I suspect the Pi-hole isn't helping you as much as you think.

    I have some questions & requests:
    1. What do you use for the Internet DNS servers?
    2. What is your goal for using Pi-hole?
    3. Do you have a subscription for NGFW?
    4. Please post the readable text of an actual .ovpn or .conf file; leave out the certificates. The NGFW screen is just the template for creating them.
    5. Post the screen shots of the config for the OpenVPN group you are using at #service/openvpn/server/groups


    I am also going to take a deeper dive with my understanding of this. OpenVPN has worked well for me, so I ignored the DNS component. Therefore, I don't have any ready answers.

    But, we'll see what we can do!
    Last edited by Jim.Alles; 05-21-2020 at 03:10 PM. Reason: grammar

#3  sky-knight (Untangle Ninja) | Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 24,949

    The problem isn't DNS, the problem is client config "compress".

    That directive causes all mobile clients to fail until you manually enable compression support on the mobile device. It was my understanding that the OpenVPN module in v15.1 was supposed to change its defaults to remove this directive. Compression + Encryption = bad, after all.

    Anyway, if you don't tell the mobile client to enable compression manually, it's not that DNS doesn't work, it's that NOTHING works. No traffic will transit the tunnel.

    If your OpenVPN module is new and doesn't have too many clients, hit up the Advanced tab and exclude the compress directive from both the client and server sections. Then redistribute the clients; you'll find the mobile device likely just works.

    If you need to migrate from compressed to non-compressed due to a ton of clients, read here: https://forums.untangle.com/openvpn/...directive.html
    Last edited by sky-knight; 05-21-2020 at 09:51 AM.
    Jim.Alles and f1assistance like this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
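An added example, not from the thread or from Untangle's own code: a small audit of OpenVPN config text for the two things the thread turns on, a compression directive (which the mobile apps refuse by default, and which also exposes encrypted traffic to compression-oracle attacks such as VORACLE) and a pushed Windows-only option like register-dns (the one Tunnelblick logged as unrecognized). The sample server and client files are constructed for the example and are not the poster's real configs.

```python
"""Audit OpenVPN config text for compression and Windows-only pushed options."""
import re

# Constructed sample files modelled on the thread's symptoms (not the poster's configs).
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.2"
push "register-dns"
compress lz4
"""

CLIENT_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
compress lz4
verb 3
"""

# Any of these turns on link compression; mobile clients drop the tunnel unless the
# app is told to accept it, and compressing ciphertext enables compression oracles.
COMPRESSION_RE = re.compile(r"^\s*(compress|comp-lzo|comp-noadapt)\b.*$")

# register-dns and block-outside-dns are only understood by the Windows client;
# Tunnelblick and the iOS app log a pushed copy as an unrecognized option.
WINDOWS_ONLY_PUSH_RE = re.compile(r'^\s*push\s+"?(register-dns|block-outside-dns)\b')


def audit(text: str) -> list[str]:
    """Return one finding string per problematic line in a server or client config."""
    findings = []
    for line in text.splitlines():
        if COMPRESSION_RE.match(line):
            findings.append(f"compression enabled: {line.strip()!r} (remove; breaks mobile clients)")
        m = WINDOWS_ONLY_PUSH_RE.match(line)
        if m:
            findings.append(f"Windows-only option pushed: {m.group(1)} (ignored with an error on macOS/iOS)")
    return findings


def strip_compression(text: str) -> str:
    """Return the config with every compression directive line removed."""
    kept = [l for l in text.splitlines() if not COMPRESSION_RE.match(l)]
    return "\n".join(kept) + "\n"
```

Running audit() over the exported client profile and the server config before redistributing clients catches a leftover compress line that the Untangle Advanced tab did not remove.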

#4  Untangler | Join Date: Sep 2019 | Location: Canada | Posts: 39

    Quote Originally Posted by sky-knight View Post
    The problem isn't DNS, the problem is client config "compress".
    How the heck do you know these things at just a glance? You're not human! lol So yep, my "want" list is completely satisfied. Everything works 10000%. Thank you so much, Sky-Knight!!!!!!!! I'm happier than a pig in poo right now.

    Also, thank you Jim for spending your time looking at this. Pi-hole is 90% of the reason I've set up the VPN. My online life has changed completely because of it; I can compare it to when I stopped watching cable TV for a few years and then watched it one day at a friend's house. I couldn't get over how many commercials there were. It's the same with Pi-hole. It's like I'm surfing back in 1991, or the BBS days before that. No software on the clients. Out of 40k queries today, 5k were ad related. My whitelist consists of 5 lines of regexes. I have no issues with false positives. I have two internal Pi-hole servers that point to DNS.WATCH. I tunnel those queries through ExpressVPN so that at least my ISP can't hijack / record unencrypted port 53 queries --- I choose ExpressVPN to record this instead.

    My next project for my home network is to look into DNSSEC more, and DoH. I do a lot of packet sniffing. I've been noticing some crazy stuff with Symantec products hard-coded to use Google DNS, bypassing my firewall rules... so what you said around this really hits home. It's not that I have anything to hide, as in doing anything illegal... it's more of a security fetish I have: getting a stronger grasp of my privacy and learning how folks bypass things. I'm lucky enough to work in security for my day job. It allows me to have a QRadar deployment to play with on my home network. I have a home NGFW subscription. The best $50/year money can buy. I'm a long-time pfSense user, and it's a treat to have so many things streamlined the way the Untangle folks have made it.
    Last edited by propellherhead333; 05-21-2020 at 01:43 PM.
    Jim.Alles and f1assistance like this.

#5  sky-knight (Untangle Ninja) | Join Date: Apr 2008 | Location: Phoenix, AZ | Posts: 24,949

    How do I do it?

    Look at the joined date to the left of this post...

    I've been at this a while... It's all practice... Working on a decade and a half of it.

    For the rest... well I've personally fallen into this trap so I know it well.

    So 12 years of the school of hard knocks... that's your answer.
    Last edited by sky-knight; 05-21-2020 at 01:48 PM.
    f1assistance likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
