7 Replies
      Latest reply on Aug 3, 2018 4:11 AM by Ainassine
WorkingMan2 Level 1 (0 points)

So now that I can establish the connection from the sample client to the sample server, I was so excited to test it, but I could not browse to any web site, nor could any app access the internet. I can ping without issue, but that is using the default route's DNS, not the DNS supplied by the VPN server. The network information looks good (the virtual IP is obtained, but the DNS IP is still the default one).

         

        Did anyone see this issue or have a workaround/fix?

        • Re: Packet Tunnel Provider sample code no internet?
bprodoehl Level 1 (10 points)

If you have tcpdump or Wireshark available, you should see the packets from your mobile device showing up at the utun0 device on the computer running tunnel_server, so then it should just be a matter of configuring NAT and IP packet forwarding on that computer. There are some tutorials online on configuring pf to NAT traffic, but I was happy enough to see packets coming out of the utun device, and didn't take it that far. The utun device doesn't show up in System Preferences, so you can't just share your Wi-Fi or Ethernet to it through the GUI.

            • Re: Packet Tunnel Provider sample code no internet?
pncbose Level 1 (0 points)

I managed to reach this point, and as @bprodoehl mentioned, the route rules (of utun0) are causing a problem that prevents the phone sample code from connecting to the internet.

               

Any help in getting this fixed? I tried looking on the internet but was not successful.

                • Re: Packet Tunnel Provider sample code no internet?
yarshure Level 1 (0 points)

iOS 192.168.3.2

My Mac 192.168.2.62

Mac gateway 192.168.0.245

The packet has reached the DNS server, and it sent a reply, but my Mac doesn't know how to send it back to iOS.

I see /usr/libexec/natpmpd can't support the utun device.

So maybe a third-party NAT-PMP daemon can keep the NAT port mapping status.

                  11:33:48.913322 IP 192.168.3.2.62900 > 192.168.0.245.domain: 65237+ A? p08-imap.mail.me.com. (38)
                  11:33:48.913350 IP 192.168.2.62.44368 > 192.168.0.245.domain: 65237+ A? p08-imap.mail.me.com. (38)
                  11:33:48.915036 IP 192.168.0.245.domain > 192.168.2.62.44368: 65237 2/0/0 CNAME p08-imap.mail.me.com.akadns.net., A 17.133.231.9 (99)
                  11:33:48.915089 IP 192.168.2.62 > 192.168.0.245: ICMP 192.168.2.62 udp port 44368 unreachable, length 36
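Reading the capture above mechanically, as an added example that is not part of the post or of Apple's SimpleTunnel sample: the script below (my own code) parses those four tcpdump lines, pairs the query sent by the iOS client with its re-sourced copy by DNS transaction id, and flags the case where the resolver's reply reached the Mac but was answered with ICMP port unreachable, meaning it was never translated back to the tunnel address. The sample lines and the tunnel subnet 192.168.3.0/24 come from the post; the regexes assume tcpdump's default output (port 53 printed as "domain"), and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the four tcpdump lines quoted in the post above.
SAMPLE_CAPTURE = """\
11:33:48.913322 IP 192.168.3.2.62900 > 192.168.0.245.domain: 65237+ A? p08-imap.mail.me.com. (38)
11:33:48.913350 IP 192.168.2.62.44368 > 192.168.0.245.domain: 65237+ A? p08-imap.mail.me.com. (38)
11:33:48.915036 IP 192.168.0.245.domain > 192.168.2.62.44368: 65237 2/0/0 CNAME p08-imap.mail.me.com.akadns.net., A 17.133.231.9 (99)
11:33:48.915089 IP 192.168.2.62 > 192.168.0.245: ICMP 192.168.2.62 udp port 44368 unreachable, length 36
"""

# tcpdump DNS line: "<ts> IP <src>.<sport> > <dst>.<dport>: <txid>[+] ..."
DNS_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): (?P<txid>\d+)\+? ")
# tcpdump ICMP port-unreachable line for a UDP flow.
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP \S+ udp port (?P<port>\d+) unreachable")


def analyze_capture(capture: str, tunnel_net: str) -> list:
    """Return one finding per DNS transaction whose reply arrived but was not
    handed back to the tunnel client (reply seen, then ICMP port unreachable)."""
    net = ipaddress.ip_network(tunnel_net)
    flows = {}  # DNS transaction id -> state of that query
    for line in capture.splitlines():
        m = DNS_RE.match(line)
        if m:
            f = flows.setdefault(
                m["txid"], {"inner": None, "outer": None, "reply": False, "unreachable": False})
            if m["dport"] == "domain":  # a query going towards the resolver
                if ipaddress.ip_address(m["src"]) in net:
                    f["inner"] = (m["src"], m["sport"])  # as sent by the tunnel client
                else:
                    f["outer"] = (m["src"], m["sport"])  # as re-sourced by the server
            elif m["sport"] == "domain" and f["outer"] == (m["dst"], m["dport"]):
                f["reply"] = True  # the resolver answered to the re-sourced address
            continue
        m = ICMP_RE.match(line)
        if m:
            for f in flows.values():
                if f["outer"] == (m["src"], m["port"]):
                    f["unreachable"] = True  # the server rejected the reply it should forward
    findings = []
    for txid, f in flows.items():
        if f["inner"] and f["outer"] and f["reply"] and f["unreachable"]:
            findings.append(
                f"txid {txid}: query from tunnel client {f['inner'][0]}:{f['inner'][1]} was "
                f"re-sourced as {f['outer'][0]}:{f['outer'][1]}; the reply reached the server "
                f"but was rejected with ICMP port unreachable, so it was never translated back")
    return findings


if __name__ == "__main__":
    for finding in analyze_capture(SAMPLE_CAPTURE, "192.168.3.0/24"):
        print(finding)
```

The second query line with the same transaction id and a different source is the tell: the packet was re-sourced on the way out, but nothing on the Mac owns UDP port 44368, so the kernel answers the reply with port unreachable instead of translating it back. A proper NAT (pf, as in the later replies) keeps that state table so the reply is rewritten to the tunnel address.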
                  
                    • Re: Packet Tunnel Provider sample code no internet?
locksleyu Level 1 (0 points)

I am having a very similar problem. I can establish the tunnel and see the interface created (utun2 on my MacBook), but I cannot access anything through the tunnel except the tunnel machine itself. For example, if I try to ping some IP address I don't even see the traffic come onto the server, which I am viewing using Wireshark on utun2.

                       

                      Since there is almost no traffic getting to the tunnel_server, I feel this must be a problem on the client (iPhone) side, but not sure how to triage.

                       

                      I verified that SimpleTunnel is adding the default route, and oddly enough all IP traffic on iPhone is being blocked or redirected somewhere (for example, I cannot access sites with Safari), but it is not going to the tunnel_server.

                       

                      If anyone has success with this, please let me know if you have any further triage steps.

                • Re: Packet Tunnel Provider sample code no internet?
garyLiu Level 1 (0 points)

It works after making the two changes below.

                   

1. tunnel_server/config.plist

                   

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>IPv4</key>
  <dict>
    <key>Routes</key>
    <array>
      <dict>
        <key>Netmask</key>
        <string>255.255.255.0</string>
        <key>Address</key>
        <string>10.10.5.0</string>
      </dict>
    </array>
    <key>Pool</key>
    <dict>
      <key>EndAddress</key>
      <string>10.10.5.10</string>
      <key>StartAddress</key>
      <string>10.10.5.3</string>
    </dict>
  </dict>
</dict>
</plist>
                  
                  

                   

The routes are very important. Without them, the default route will be used according to the code below. The default route is (0.0.0.0/0.0.0.0) and it always routes to the default gateway.

                  newSettings.IPv4Settings?.includedRoutes = [NEIPv4Route.defaultRoute()]
                  

                   

                  2. configure NAT

                  garyliumac$ sudo vi /etc/pf.conf

                  add

                  nat-anchor "simpleTunnel"
                  load anchor "simpleTunnel" from "/etc/pf.anchors/simpleTunnel"
                  
                  

                   

                  garyliumac$ sudo vi /etc/pf.anchors/simpleTunnel

                  add

                  nat on en0 from 10.10.0.0/16 to any -> en0
                  
                  

                   

                  Run command to make them work

                  sudo sysctl net.inet.ip.forwarding=1
                  sudo sysctl net.inet.ip.fw.enable=1
                  sudo pfctl -evf /etc/pf.conf
                  
                  

                   

After this, the response data arrives at en0 correctly.
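To check a config.plist and the pf anchor against each other before reloading pf, here is an added example (my own Python, not part of the SimpleTunnel sample or of this post). It parses the plist above with plistlib, verifies that the address pool lies inside the advertised route and that the route does not overlap the server's LAN, and derives the pf nat rule whose source network is the smallest one covering the routes (a /24 here, tighter than the /16 used in the post). The plist text is constructed from the values above; the LAN subnet argument, the outside interface default and the function names are assumptions.

```python
import ipaddress
import plistlib

# Constructed sample: the same values as the config.plist posted above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>IPv4</key>
  <dict>
    <key>Routes</key>
    <array>
      <dict>
        <key>Netmask</key>
        <string>255.255.255.0</string>
        <key>Address</key>
        <string>10.10.5.0</string>
      </dict>
    </array>
    <key>Pool</key>
    <dict>
      <key>EndAddress</key>
      <string>10.10.5.10</string>
      <key>StartAddress</key>
      <string>10.10.5.3</string>
    </dict>
  </dict>
</dict>
</plist>
"""


def load_ipv4_config(data: bytes):
    """Read the IPv4 routes and address pool from a tunnel_server config.plist."""
    cfg = plistlib.loads(data)["IPv4"]
    routes = [ipaddress.ip_network(f"{r['Address']}/{r['Netmask']}", strict=False)
              for r in cfg["Routes"]]
    pool = (ipaddress.ip_address(cfg["Pool"]["StartAddress"]),
            ipaddress.ip_address(cfg["Pool"]["EndAddress"]))
    return routes, pool


def check_config(data: bytes, lan_subnet: str) -> list:
    """Return a list of problems; an empty list means the config is consistent.
    lan_subnet is the server's own LAN (an assumption supplied by the caller)."""
    routes, (start, end) = load_ipv4_config(data)
    problems = []
    if start > end:
        problems.append("Pool StartAddress is after EndAddress")
    if not any(start in r and end in r for r in routes):
        problems.append("Pool is not covered by any Routes entry; the client "
                        "will not send that traffic through the tunnel")
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    for r in routes:
        if r.overlaps(lan):
            problems.append(f"Route {r} overlaps the server LAN {lan}; the server "
                            "would hold two routes for the same addresses")
    return problems


def pf_nat_rule(data: bytes, outside_if: str = "en0") -> str:
    """Derive the pf rule: the source network is the smallest supernet of all routes."""
    routes, _ = load_ipv4_config(data)
    net = routes[0]
    for r in routes[1:]:
        while not r.subnet_of(net):  # grow until every route fits
            net = net.supernet()
    return f"nat on {outside_if} from {net} to any -> {outside_if}"


if __name__ == "__main__":
    print(check_config(SAMPLE_PLIST, "192.168.1.0/24"))  # constructed LAN subnet
    print(pf_nat_rule(SAMPLE_PLIST))
```

The pf anchor and the forwarding sysctl (net.inet.ip.forwarding=1, then pfctl -ef /etc/pf.conf) are the two settings these rules depend on; net.inet.ip.fw.enable belongs to the older ipfw firewall, not to pf, so it is not required for them.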

                    • Re: Packet Tunnel Provider sample code no internet?
ohonen Level 1 (0 points)

                      Hi,


I did all the configuration you mentioned above and I got the following behavior:

1. Client connects to tunnel_server (VPN server)

2. We start browsing at the client

3. Client sends TCP data to tunnel_server

4. Tunnel_server sends a DNS query to the DNS server, with a source IP allocated by tunnel_server

5. Tunnel_server gets the DNS reply

6. Tunnel_server drops the reply and Wireshark shows: "Destination unreachable (Port unreachable), ICMP packet"

                       

                      Our configuration :

                      Client IP: 192.168.1.103

                      Tunnel_server (VPN server): 192.168.1.100

                      config.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>IPv4</key>
  <dict>
    <key>Routes</key>
    <array>
      <dict>
        <key>Netmask</key>
        <string>255.255.255.0</string>
        <key>Address</key>
        <string>192.168.2.0</string>
      </dict>
    </array>
    <key>Pool</key>
    <dict>
      <key>EndAddress</key>
      <string>192.168.2.205</string>
      <key>StartAddress</key>
      <string>192.168.2.201</string>
    </dict>
  </dict>
</dict>
</plist>

                       

                      sudo vi /etc/pf.anchors/simpleTunnel

                      nat on en0 from 192.168.0.0/16 to any -> en0


                      Please help me!!!


                      Thanks

                      • Re: Packet Tunnel Provider sample code no internet?
Ainassine Level 1 (0 points)

When I run “sudo sysctl net.inet.ip.fw.enable=1” I get "sysctl: unknown oid 'net.inet.ip.fw.enable'". Do you have a solution?

My macOS version is 10.13.6.

                        Thank you if you could help me!