Packet Tunnel Provider sample code no internet?

So now that I can establish a connection from the sample client to the sample server, I was so excited to test the connection, but I could not browse to any web site or have any app access the internet. I can ping without issue, but that is using the default route's DNS, not the DNS supplied by the VPN server. The network information looks good (the virtual IP is obtained; the DNS IP is the default one).


Did anyone see this issue or have a workaround/fix?

Replies

If you have tcpdump or Wireshark available, you should see the packets from your mobile device showing up at the utun0 device on the computer running tunnel_server, so then it should just be a matter of configuring NAT and IP packet forwarding on that computer. There are some tutorials online on configuring pf to NAT traffic, but I was happy enough to see packets coming out of the utun device, and didn't take it that far. The utun device doesn't show up in System Preferences, so you can't just share your Wi-Fi or Ethernet to it through the GUI.

I managed to reach this point too, and as @bprodoehl mentioned, the route rules (of utun0) are causing a problem that keeps the phone sample code from connecting to the internet.


Any help in getting this fixed? I tried looking on the internet but was not successful.

iOS 192.168.3.2

My Mac 192.168.2.62

Mac gateway 192.168.0.245

The packet has reached the DNS server, and the server sent a reply, but my Mac doesn't know how to send it back to iOS.

I see /usr/libexec/natpmpd can't support the utun device.

So maybe a third-party NAT-PMP daemon can keep the NAT port mapping state.

11:33:48.913322 IP 192.168.3.2.62900 > 192.168.0.245.domain: 65237+ A? p08-imap.mail.me.com. (38)
11:33:48.913350 IP 192.168.2.62.44368 > 192.168.0.245.domain: 65237+ A? p08-imap.mail.me.com. (38)
11:33:48.915036 IP 192.168.0.245.domain > 192.168.2.62.44368: 65237 2/0/0 CNAME p08-imap.mail.me.com.akadns.net., A 17.133.231.9 (99)
11:33:48.915089 IP 192.168.2.62 > 192.168.0.245: ICMP 192.168.2.62 udp port 44368 unreachable, length 36
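As an added diagnostic example, not from the thread: a small awk filter over tcpdump text that flags the pattern visible in the trace above, a DNS reply arriving at the tunnel host's own UDP source port and being bounced with ICMP "udp port unreachable". That is what you see when the host relays the query itself but has no NAT state to translate the reply back to the tunnel client. The sample lines are constructed from the posted trace; the function names are mine, not tcpdump's.

```shell
#!/bin/sh
# Added example (not from the thread): flag DNS replies that tcpdump shows being
# bounced with ICMP "udp port unreachable" on the tunnel host. That is the
# signature of a reply reaching the host's own socket with no NAT state to map
# it back to the tunnel client. Function names here are mine, not tcpdump's.

# Constructed sample, modelled on the trace posted above (same addresses).
SAMPLE='11:33:48.913322 IP 192.168.3.2.62900 > 192.168.0.245.domain: 65237+ A? p08-imap.mail.me.com. (38)
11:33:48.913350 IP 192.168.2.62.44368 > 192.168.0.245.domain: 65237+ A? p08-imap.mail.me.com. (38)
11:33:48.915036 IP 192.168.0.245.domain > 192.168.2.62.44368: 65237 2/0/0 CNAME p08-imap.mail.me.com.akadns.net., A 17.133.231.9 (99)
11:33:48.915089 IP 192.168.2.62 > 192.168.0.245: ICMP 192.168.2.62 udp port 44368 unreachable, length 36'

# Reads tcpdump text on stdin; prints one line per bounced DNS reply.
find_bounced_dns_replies() {
    awk '
    # Reply: "IP <server>.domain > <host>.<port>: <txid> ..." -> remember txid by port
    $2 == "IP" && $3 ~ /\.domain$/ && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)          # 192.168.2.62.44368
        port = dst; sub(/.*\./, "", port)     # 44368
        txid = $6; sub(/[^0-9].*/, "", txid)  # 65237
        reply_txid[port] = txid
        next
    }
    # ICMP bounce: "... ICMP <host> udp port <port> unreachable, ..."
    /ICMP/ && /udp port/ && /unreachable/ {
        port = ""
        for (i = 1; i <= NF; i++) if ($i == "port") { port = $(i + 1); break }
        if (port != "" && (port in reply_txid))
            printf "txid %s: DNS reply to port %s bounced; no NAT state back to the tunnel client\n", reply_txid[port], port
    }'
}

# Convenience wrappers over the constructed sample.
bounced_count()  { printf '%s\n' "$SAMPLE" | find_bounced_dns_replies | wc -l | tr -d ' '; }
bounced_report() { printf '%s\n' "$SAMPLE" | find_bounced_dns_replies; }

bounced_report
```

Feed it a live capture with `sudo tcpdump -n -l -i en0 'udp port 53 or icmp' | find_bounced_dns_replies`; once pf NAT is in place the reply is rewritten to the client address and the ICMP line disappears.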

I am having a very similar problem. I can establish the tunnel and see the interface created (utun2 on my MacBook), but I cannot access anything through the tunnel except the tunnel machine itself. For example, if I try to ping some IP address I don't even see the traffic arrive on the server, which I am viewing using Wireshark on utun2.


Since there is almost no traffic getting to the tunnel_server, I feel this must be a problem on the client (iPhone) side, but not sure how to triage.


I verified that SimpleTunnel is adding the default route, and oddly enough all IP traffic on iPhone is being blocked or redirected somewhere (for example, I cannot access sites with Safari), but it is not going to the tunnel_server.


If anyone has success with this, please let me know if you have any further triage steps.

It works when you make the two changes below.

1. tunnel_server/config.plist


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>IPv4</key>
  <dict>
    <key>Routes</key>
    <array>
      <dict>
        <key>Netmask</key>
        <string>255.255.255.0</string>
        <key>Address</key>
        <string>10.10.5.0</string>
      </dict>
    </array>
    <key>Pool</key>
    <dict>
      <key>EndAddress</key>
      <string>10.10.5.10</string>
      <key>StartAddress</key>
      <string>10.10.5.3</string>
    </dict>
  </dict>
</dict>
</plist>


The routes are very important. Without them, the default route is used, according to the code below. The default route is 0.0.0.0/0.0.0.0, and it always routes to the default gateway.

newSettings.IPv4Settings?.includedRoutes = [NEIPv4Route.defaultRoute()]


2. configure NAT

garyliumac$ sudo vi /etc/pf.conf

add

nat-anchor "simpleTunnel"
load anchor "simpleTunnel" from "/etc/pf.anchors/simpleTunnel"


garyliumac$ sudo vi /etc/pf.anchors/simpleTunnel

add

nat on en0 from 10.10.0.0/16 to any -> en0


Run these commands to make the changes take effect:

sudo sysctl net.inet.ip.forwarding=1
sudo sysctl net.inet.ip.fw.enable=1
sudo pfctl -evf /etc/pf.conf


After this, the response data arrives at en0 correctly.
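The steps above, collected into one script as an added example that is not from the thread or the SimpleTunnel project. It assumes the pool/Routes subnet from config.plist (TUNNEL_NET, defaulting to the 10.10.5.0/24 used above), the uplink interface (UPLINK, en0 above) and the anchor name simpleTunnel from the post; everything else is mine. Two deliberate differences from the post: the NAT rule is scoped to the tunnel pool rather than a whole /16, so only VPN clients are translated, and only `net.inet.ip.forwarding` is set, because `net.inet.ip.fw.enable` belongs to ipfw, which was removed in OS X 10.10 and so does not exist on later releases. Without `APPLY=1` the script only prints what it would write.

```shell
#!/bin/sh
# Added example, not from the thread or SimpleTunnel: generate and optionally
# apply the pf NAT anchor plus IP forwarding for a tunnel_server host.
# Assumptions: TUNNEL_NET is the Pool/Routes subnet from config.plist,
# UPLINK is the interface with the default route, anchor name as in the post.
# Run as root with APPLY=1 on the Mac to write the files; otherwise it only prints.

TUNNEL_NET="${TUNNEL_NET:-10.10.5.0/24}"   # pool from config.plist, not a whole /16
UPLINK="${UPLINK:-en0}"
ANCHOR_NAME="simpleTunnel"
ANCHOR_FILE="/etc/pf.anchors/$ANCHOR_NAME"

# Anchor body. Limiting the source to the tunnel pool means only VPN clients
# are NAT'd; "(en0)" makes pf re-read the interface address if DHCP changes it.
anchor_rules() {
    printf 'nat on %s from %s to any -> (%s)\n' "$UPLINK" "$TUNNEL_NET" "$UPLINK"
}

# The two lines /etc/pf.conf needs in order to pull the anchor in.
pf_conf_lines() {
    printf 'nat-anchor "%s"\n' "$ANCHOR_NAME"
    printf 'load anchor "%s" from "%s"\n' "$ANCHOR_NAME" "$ANCHOR_FILE"
}

# True when the pf.conf text on stdin already references the anchor.
has_anchor() {
    grep -q "^nat-anchor \"$ANCHOR_NAME\""
}

# Dotted quad -> 32-bit integer (positional parameters are local to the function).
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does address $1 fall inside CIDR $2? Use it to confirm that the pool
# addresses tunnel_server hands out are actually covered by the NAT rule.
in_subnet() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

apply_nat() {
    sysctl -w net.inet.ip.forwarding=1   # the only sysctl needed; ipfw is gone
    anchor_rules > "$ANCHOR_FILE"
    if ! has_anchor < /etc/pf.conf; then
        pf_conf_lines >> /etc/pf.conf
    fi
    pfctl -evf /etc/pf.conf              # enable pf, verbose, load the ruleset
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_nat
else
    echo "# $ANCHOR_FILE would contain:"; anchor_rules
    echo "# /etc/pf.conf additions:";     pf_conf_lines
fi
```

Check the pool against the rule first, e.g. `in_subnet 10.10.5.3 "$TUNNEL_NET" && echo covered`; if a client address is not inside TUNNEL_NET, its replies will come back un-translated and you will see exactly the ICMP port-unreachable bounce from the trace earlier in the thread.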

Hi,

I did all the configuration you mentioned above and got the following behavior:

1. Client connects to tunnel_server (VPN server)

2. We start browsing at the client

3. Client sends TCP data to tunnel_server

4. Tunnel_server sends a DNS query to the DNS server, with the source IP allocated by tunnel_server

5. Tunnel_server gets the DNS reply

6. Tunnel_server drops the reply, and Wireshark shows an ICMP packet: "Destination unreachable (Port unreachable)"


Our configuration:

Client IP: 192.168.1.103

Tunnel_server (VPN server): 192.168.1.100

config.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>IPv4</key>
  <dict>
    <key>Routes</key>
    <array>
      <dict>
        <key>Netmask</key>
        <string>255.255.255.0</string>
        <key>Address</key>
        <string>192.168.2.0</string>
      </dict>
    </array>
    <key>Pool</key>
    <dict>
      <key>EndAddress</key>
      <string>192.168.2.205</string>
      <key>StartAddress</key>
      <string>192.168.2.201</string>
    </dict>
  </dict>
</dict>
</plist>


sudo vi /etc/pf.anchors/simpleTunnel

nat on en0 from 192.168.0.0/16 to any -> en0

Please help me!!!

Thanks 🙂

When I run “sudo sysctl net.inet.ip.fw.enable=1” I got a "sysctl: unknown oid 'net.inet.ip.fw.enable'". Do you have some solutions?

My macOS version is 10.13.6.

Thank you if you could help me!