there are a variety of posts disseminated around about this, but I didn't find any of the suggested solution working neither it's clear if anyone has managed to make this work (see at the end of the posts for a variety of non resolutive answers in realted posts).
I am running SimpleTunnel on iOS and I am able to route the web traffic via the tunnel to my Mac where tunnel_server runs: while browsing Safari, I can see the DNS queries reaching the server end of the tunnel on utun2, leaving the Mac's wi-fi interface en0 towards the WI-FI router, the DNS response coming back from the router but I have never been able to get the response back into the tunnel and to the client (therefore the iPhone cannot display any web content).
Configuration: with iPhone and Mac sitting in the same Wi-Fi home network that communicated to the internet via the NetGear router.
NetGear router IP: 10.0.0.1
Mac WIFI adapter: en0
Mac IP: 10.0.0.11
Tunnel Virtual interface: utun2
Tunnel IP: 192.168.2.2 (as defined by the tunnel server's config.plist start address)
iPhone IP: 10.0.0.15
I have setup nat port forwarding on the Mac. I have tried a variation of configurations there, among the ones working I have set for the following:
mc-lon-mb8633:Debug mmanni$ cat /etc/pf.anchors/simpleTunnel
nat on en0 inet from 192.168.2.0/24 to any -> en0
the file in tunnel_server is left as for the original project, therefore specyfying only the POOL dictionary with start address of 192.168.2.2 and end address of 192.168.2.10.
P.s: I have tried over time a few different configurations, including what suggested in a related post: setting the ROOT with Netmask and Address, but I have found that the latter would stop the traffic going through the tunnel. You would get the iPhone to browse normally, but that was because we would be bypassing the tunnel alltogether -
The following is the sequence of step to reproduce my problem (assume tunnel_server is already running adn assume the the entry in SimpleTunnel created):
1) I toggle the VPN on in SimpleTunnel. The server accepts a new connection and logs:
Accepted a new connection
Tunnel received Open command
Allocated address Optional("192.168.2.2")
*** Virtual Interface setup: ("utun2", "192.168.2.2")
2) The VPN symbol appears on the iPhone.
3) I open the browser and type: www.bbc.co.uk.
4) WireShark on utun2 show the following entry: 192.168.2.2 10.0.0.1 DNS Standard query 0x86d1 A www.bbc.co.uk - (this confirms the request is tunnelled)
5) WireShark on en0 shows the following entries:
- 10.0.0.11 10.0.0.1 DNS Standard query 0x61dd A www.bbc.co.uk - (etun2 natted to en0 / Mac WiFi interface)
- 10.0.0.1 10.0.0.11 DNS Standard query response 0x61dd A www.bbc.co.uk CNAME www.bbc.net.uk A 18.104.22.168 .... (Netgear responds)
- 10.0.0.11 10.0.0.1 ICMP Destination unreachable (Port unreachable)
The last line is the one where I would have expected the DNS response to be natted back to etun2 and returned to the client, whilst it looks like the backwards mapping doesn't know that that packet needs to be mapped back to the Virtual Interface. I have spent two days trying to understand what it's wrong with it,
and I am left now with the hope that someone that has gone through a seccessful setup will wander around this post and share his experience.