Able to make a VPN connection from client to the tunnel_server (both built using the SimpleTunnel Sample app) but unable to browse the internet on the device

I built the SimpleTunnel sample app and am running the VPN client on an iOS device and the VPN server (tunnel_server) on a Mac running OS X 10.11 (El Capitan).


Steps

On the Mac:

$ sudo ./tunnel_server 550 ../../tunnel_server/config.plist

Response:

tunnel_server[87725:2604682] Starting network service on port 550

tunnel_server[87725:2604682] Network service published successfully


On the iOS device:

Next I ran the PacketTunnel app on my iOS device. I added a VPN configuration with the correct IP address (the IP address of the Mac running the tunnel_server) and the port number (the port number for the tunnel_server, which is 550). Next I tried to connect to the VPN from the iOS device, and this seems to go through fine as I see the VPN sign in the status bar.


Response on the screen running tunnel_server:

tunnel_server[87739:2606312] Accepted a new connection

tunnel_server[87739:2606312] Allocated address Optional("10.8.0.15")


However, I am not able to browse the internet using Safari on the iOS device (it times out), but I am able to do the same from the Mac.


Any insights on what I might be missing?

Please note that my Mac doesn't have OS X Server installed. Also, I did run the following two commands from a terminal before starting the tunnel_server on the Mac:

sudo sysctl net.inet.ip.forwarding=1

sudo sysctl net.inet.ip.fw.enable=1

Replies

I have exactly the same problem

Looks like apart from enabling ip forwarding (using the commands $ sudo sysctl net.inet.ip.forwarding=1 and $ sudo sysctl net.inet.ip.fw.enable=1) one also needs to configure NAT on the machine running the tunnel_server.

This I did by creating a temporary pf.conf file (at the location /tmp/pf.conf) and then adding the following lines to this new pf.conf file (I didn't mess around with the original pf.conf file at /etc/pf.conf):

vpn_net = "10.8.0.0/24"

nat on en0 from $vpn_net to any -> (en0)

After saving this file I ran the following command (en0 is the external interface):

$ sudo pfctl -evf /tmp/pf.conf


But still not much luck with this so far. (It looks like the outgoing packets from the device do get "NAT'ed" out, but "NAT in" may not be happening, i.e. packets intended for the device may not be making their way to the device on the utun0 interface.) I am wondering if I am missing something in my pf.conf file. (P.S.: I did come across other similar issues on this forum and tried the suggestions listed there, but no definitive resolution yet.)

OS X NAT-PMP port mapping doesn't support utun devices; packets can be sent by pf, but pf doesn't know how to process received packets.

Hi yarshure, thanks for your input. So you are saying that the NAT Port Mapping Protocol on OS X doesn't support a utun device. If that is the case, then how could we get the tunnel_server to work? Were you able to get the tunnel_server to work on something other than OS X? Is there a way to configure NAT-PMP on OS X to work (for example by upgrading to OS X Server)? Thanks in advance for any inputs.

The answer was given on another thread:


garyLiu, Mar 24, 2016 6:59 AM (in response to WorkingMan2)

It is OK when you make the two changes below.

1. tunnel_server/config.plist


    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-/
    <plist version="1.0">
    <dict>
        <key>IPv4</key>
        <dict>
            <key>Routes</key>
            <array>
                <dict>
                    <key>Netmask</key>
                    <string>255.255.255.0</string>
                    <key>Address</key>
                    <string>10.10.5.0</string>
                </dict>
            </array>
            <key>Pool</key>
            <dict>
                <key>EndAddress</key>
                <string>10.10.5.10</string>
                <key>StartAddress</key>
                <string>10.10.5.3</string>
            </dict>
        </dict>
    </dict>
    </plist>


The Routes entry is very important. If it is absent, the default route will be used according to the code below. The default route is (0.0.0.0/0.0.0.0) and it always routes to the default gateway.

newSettings.IPv4Settings?.includedRoutes = [NEIPv4Route.defaultRoute()]

2. Configure NAT

garyliumac$ sudo vi /etc/pf.conf

add

    nat-anchor "simpleTunnel"
    load anchor "simpleTunnel" from "/etc/pf.anchors/simpleTunnel"

garyliumac$ sudo vi /etc/pf.anchors/simpleTunnel

add

    nat on en0 from 10.10.0.0/16 to any -> en0

Run these commands to make them work:

    sudo sysctl net.inet.ip.forwarding=1
    sudo sysctl net.inet.ip.fw.enable=1
    sudo pfctl -evf /etc/pf.conf


With this, the response data can arrive at en0 correctly.

Thanks a lot. Works for me.

But I found that all traffic does not go through the tunnel. It is not the correct way.
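To see why garyLiu's Routes entry only tunnels 10.10.5.0/24 while every other destination takes the original route, and how the pf NAT prefix follows from the Pool, here is an added Python example (not part of the thread or of the SimpleTunnel sample). The plist contents are constructed from the values posted above; the helper names are assumptions.

```python
import ipaddress
import plistlib

# Constructed config.plist in the shape tunnel_server reads; the values are
# the ones garyLiu posted above (Routes 10.10.5.0/24, Pool 10.10.5.3-10).
WITH_ROUTES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>IPv4</key><dict>
  <key>Routes</key><array><dict>
    <key>Netmask</key><string>255.255.255.0</string>
    <key>Address</key><string>10.10.5.0</string>
  </dict></array>
  <key>Pool</key><dict>
    <key>EndAddress</key><string>10.10.5.10</string>
    <key>StartAddress</key><string>10.10.5.3</string>
  </dict>
</dict></dict></plist>"""
# Same pool but no Routes array (constructed variant): the sample then falls
# back to NEIPv4Route.defaultRoute(), i.e. 0.0.0.0/0, so everything is tunneled.
NO_ROUTES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>IPv4</key><dict>
  <key>Pool</key><dict>
    <key>EndAddress</key><string>10.10.5.10</string>
    <key>StartAddress</key><string>10.10.5.3</string>
  </dict>
</dict></dict></plist>"""

def included_routes(plist_bytes):
    """Networks the client will push into the tunnel for this config."""
    ipv4 = plistlib.loads(plist_bytes).get("IPv4", {})
    routes = ipv4.get("Routes") or []
    if not routes:
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(f"{r['Address']}/{r['Netmask']}", strict=False)
            for r in routes]

def is_tunneled(plist_bytes, dest):
    """True if traffic to dest leaves via utun; False if it keeps the original route."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in included_routes(plist_bytes))

def nat_rule(plist_bytes, iface="en0"):
    """Smallest prefix covering the Pool, as a pf nat rule for the external interface."""
    pool = plistlib.loads(plist_bytes)["IPv4"]["Pool"]
    start = ipaddress.ip_address(pool["StartAddress"])
    end = ipaddress.ip_address(pool["EndAddress"])
    net = ipaddress.ip_network(f"{start}/32")
    while end not in net:  # widen until both ends of the pool fit
        net = net.supernet()
    return f"nat on {iface} from {net} to any -> ({iface})"
```

With the posted config, a public address such as 8.8.8.8 is not tunneled at all, which is exactly the "all traffic not through tunnel" behaviour reported above; dropping Routes tunnels everything but then needs the NAT rule for the pool.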

Hi,

I did all the configuration you mentioned above and I got the following behavior:

1. Client connects tunnel_server (VPN server)

2. We start browsing at the client

3. Client sends TCP data to tunnel_server

4. Tunnel_server sends DNS query to DNS server, source IP allocated by tunnel_server

5. Tunnel_server gets DNS reply

6. Tunnel_server drops the reply and Wireshark shows a "Destination unreachable (Port unreachable)" ICMP packet


Our configuration:

Client IP: 192.168.1.103

Tunnel_server (VPN server): 192.168.1.100

config.plist:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-/
    <plist version="1.0">
    <dict>
        <key>IPv4</key>
        <dict>
            <key>Routes</key>
            <array>
                <dict>
                    <key>Netmask</key>
                    <string>255.255.255.0</string>
                    <key>Address</key>
                    <string>192.168.2.0</string>
                </dict>
            </array>
            <key>Pool</key>
            <dict>
                <key>EndAddress</key>
                <string>192.168.2.205</string>
                <key>StartAddress</key>
                <string>192.168.2.201</string>
            </dict>
        </dict>
    </dict>
    </plist>


sudo vi /etc/pf.anchors/simpleTunnel

    nat on en0 from 192.168.0.0/16 to any -> en0


Please help me!!!


Thanks 🙂

I found that the traffic all goes through the original route. The tunnel_server didn't do anything about NAT. How do I solve the problem?


My tunnel_server IP is 192.168.1.20


My client IP is 192.168.3.x, which is connected to a router (LAN is 192.168.3.1, WAN is 192.168.1.121)


config.plist:

    ...
    <key>Routes</key>
    <array>
        <dict>
            <key>Netmask</key>
            <string>255.255.255.0</string>
            <key>Address</key>
            <string>192.168.2.0</string>
        </dict>
    </array>
    ...


# vi /etc/pf.conf

    nat-anchor "simpleTunnel"
    load anchor "simpleTunnel" from "/etc/pf.anchors/simpleTunnel"

# vi /etc/pf.anchors/simpleTunnel

    nat on en0 from 192.168.2.0/24 to any -> en0

Run these commands to make them work:

    # sysctl net.inet.ip.forwarding=1
    # sudo sysctl net.inet.ip.fw.enable=1
    # sudo pfctl -evf /etc/pf.conf


When my iPhone was connected to the tunnel_server (192.168.2.2 was allocated) and I visited my web server http://192.168.1.12, the web server access log showed that the source IP was 192.168.1.121, not 192.168.1.20 as I expected.

Hi Ohonen,

I was wondering if you managed to solve the issue in the end? I am facing the same problem at point 6 where the DNS response doesn't seem to "know" how to route back from the server to the client via the tunnel and it fails with a "Destination Unreachable" ICMP packet.

I know I shouldn't be bumping this thread but was anybody able to solve this?

I have searched for all solutions on the web for this but it just fails with ICMP packet (Port/Destination Unreachable). If I add the Routes key in config.plist as described above, the traffic is not tunneled at all.


Thanks

Well, seeing as you bumped the thread…

I want to be clear that the server included with the SimpleTunnel sample code is not designed to support routing off the Mac. It may be possible to make this work via deep pf skullduggery, but it’s not something we officially support.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"