2 Replies
      Latest reply: Jan 3, 2017 1:40 AM by m.digimat RSS
      m.digimat Level 1 (0 points)

        Hi all,

        there are a variety of posts disseminated around about this, but I didn't find any of the suggested solutions working, nor is it clear whether anyone has managed to make this work (see at the end of the post for a variety of non-resolutive answers in related posts).


        I am running SimpleTunnel on iOS and I am able to route the web traffic via the tunnel to my Mac where  tunnel_server runs: while browsing Safari, I can see the DNS queries reaching the server end of the tunnel on utun2, leaving the Mac's wi-fi interface en0 towards the WI-FI router, the DNS response coming back from the router but I have never been able to get the response back into the tunnel and to the client (therefore the iPhone cannot display any web content).


        Configuration: iPhone and Mac sitting in the same Wi-Fi home network, which communicates with the internet via the NetGear router.


        NetGear router IP: 10.0.0.1

        Mac WIFI adapter: en0

        Mac IP: 10.0.0.11

        Tunnel Virtual interface: utun2

        Tunnel IP: 192.168.2.2 (as defined by the tunnel server's config.plist start address)

        iPhone IP: 10.0.0.15


        NAT

        I have set up NAT port forwarding on the Mac. I have tried a variety of configurations there; among the working ones I have settled on the following:


        mc-lon-mb8633:Debug mmanni$ cat /etc/pf.anchors/simpleTunnel
        nat on en0 inet from 192.168.2.0/24 to any -> en0


        Config.plist

        the file in tunnel_server is left as in the original project, therefore specifying only the POOL dictionary with a start address of 192.168.2.2 and an end address of 192.168.2.10.

        P.S.: I have tried over time a few different configurations, including what was suggested in a related post: setting the ROOT with Netmask and Address, but I have found that the latter would stop the traffic going through the tunnel. You would get the iPhone to browse normally, but that was because we would be bypassing the tunnel altogether.


        The following is the sequence of steps to reproduce my problem (assume tunnel_server is already running and assume the entry in SimpleTunnel has been created):

        1) I toggle the VPN on in SimpleTunnel. The server accepts a new connection and logs:

                Accepted a new connection

                Tunnel received Open command

                Allocated address Optional("192.168.2.2")

                *** Virtual Interface setup: ("utun2", "192.168.2.2")


        2) The VPN symbol appears on the iPhone.

        3) I open the browser and type: www.bbc.co.uk.

        4) WireShark on utun2 shows the following entry: 192.168.2.2  10.0.0.1  DNS   Standard query 0x86d1 A www.bbc.co.uk - (this confirms the request is tunnelled)

        5) WireShark on en0 shows the following entries:

        • 10.0.0.11    10.0.0.1  DNS    Standard query 0x61dd A www.bbc.co.uk  - (utun2 NATted to en0 / Mac WiFi interface)
        • 10.0.0.1      10.0.0.11 DNS    Standard query response 0x61dd A www.bbc.co.uk CNAME www.bbc.net.uk A 212.58.246.55 .... (Netgear responds)
        • 10.0.0.11    10.0.0.1  ICMP  Destination unreachable (Port unreachable)


        The last line is the one where I would have expected the DNS response to be NATted back to utun2 and returned to the client, whilst it looks like the backwards mapping doesn't know that that packet needs to be mapped back to the Virtual Interface. I have spent two days trying to understand what is wrong with it, and I am left now with the hope that someone who has gone through a successful setup will wander across this post and share their experience.


        Related posts:

        https://forums.developer.apple.com/thread/36453

        https://forums.developer.apple.com/message/117304#117304

        https://forums.developer.apple.com/message/78853#78853

        https://forums.developer.apple.com/thread/49858
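        As an added illustration (not code from this thread or from the SimpleTunnel project), the following Python model shows what a stateful NAT such as the pf rule above has to do for the flows in the post, using the addresses quoted there: the outbound DNS query creates a state entry, and the reply from the router either matches that entry and is mapped back toward utun2, or misses it and is delivered to the Mac's own stack, which has no socket on that port and answers with ICMP port unreachable, the third entry of the en0 capture. The source and NAT port numbers are constructed; `StatefulNat`, `Packet` and `dns_round_trip` are names chosen for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TUNNEL_NET = "192.168.2."   # 192.168.2.0/24, the POOL range from config.plist
EN0_ADDR = "10.0.0.11"      # Mac Wi-Fi address, the translation address of "-> en0"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

# state key: (proto, translated src, translated sport, dst, dport) -> original (src, sport)
StateKey = Tuple[str, str, int, str, int]

class StatefulNat:
    def __init__(self) -> None:
        self.states: Dict[StateKey, Tuple[str, int]] = {}
        self.next_port = 61000  # constructed: stands in for the free port pf would pick

    def outbound(self, pkt: Packet) -> Packet:
        """Apply 'nat on en0 inet from 192.168.2.0/24 to any -> en0' on the way out."""
        if not pkt.src.startswith(TUNNEL_NET):
            return pkt  # rule does not match; packet leaves unchanged
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.states[(pkt.proto, EN0_ADDR, nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(EN0_ADDR, nat_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Reverse-translate a reply arriving on en0; returns (verdict, packet or None)."""
        orig = self.states.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            # No matching state: the reply is delivered to the Mac's own stack, no
            # socket owns that port, so the kernel answers ICMP port unreachable.
            return "icmp-port-unreachable", None
        return "to-utun", Packet(pkt.src, pkt.sport, orig[0], orig[1], pkt.proto)

def dns_round_trip(nat: StatefulNat, keep_state: bool = True) -> str:
    """Model the www.bbc.co.uk lookup: query out through the NAT, reply back from the router."""
    query = Packet("192.168.2.2", 50000, "10.0.0.1", 53)  # what utun2 shows in step 4
    translated = nat.outbound(query)                      # what en0 shows in step 5
    if not keep_state:
        nat.states.clear()  # simulate the state miss that the capture suggests
    reply = Packet("10.0.0.1", 53, translated.src, translated.sport)
    verdict, _ = nat.inbound(reply)
    return verdict
```

        Running `dns_round_trip(StatefulNat())` yields "to-utun", while `dns_round_trip(StatefulNat(), keep_state=False)` yields "icmp-port-unreachable", the same outcome the en0 capture shows; on the real host, `pfctl -s state` is where that state table can be inspected.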



        • Re: SimpleTunnel: responses not routed back to the tunnel
          eskimo Apple Staff (6,675 points)

          Just FYI, I discussed this issue (off-Mac routing with the SimpleTunnel VPN server) with VPN Engineering a while back and their response is simply that it’s not something we support.  That’s pretty much where I left things.  So, while there may be a way to make this work, I’m not able to offer any advice on that front.

          This isn’t a problem for most VPN developers because they use the SimpleTunnel client and server to get something up and limping, and then immediately switch to having their client talk to their actual VPN server.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: SimpleTunnel: responses not routed back to the tunnel
              m.digimat Level 1 (0 points)

              Thanks Eskimo, at least this tells me I shouldn't spend more time on it. As SimpleTunnel was advertised to be both the client and server component of a sample tunnelling infrastructure, I kind of took for granted that it would have served the purpose of creating an end-to-end POC. As I am still validating the technology choice at this level, I was aiming for a demonstrable demo without having to involve the backend guys to create a proper VPN server. I also made a brief attempt at building tunnel_server on Linux, where port routing is easier, but as the working branch of it is Swift 2.x it lacks all the Swift Foundation libraries that came with Swift 3.

              At this point I'll follow the advice to build my own VPN server for testing, while waiting for the opened DTS regarding AlwaysOn VPN to decide whether the TunnelProvider API can serve the purpose of enforced tunnelling or I'd better fall back onto NEVPNManager with IKEv2.