Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#372521 - 01/01/2020 23:04 iPhone Routing Table / VPN
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
iPhone network question for you:

I have a VPN server at home to access my local LAN when not at home.
It works correctly from Windows, OSX, and Android.

When I connect to it using my iPhone VPN built-in client, my iPhone decides to route ALL traffic through that VPN tunnel. This is not a welcome behavior because my VPN server is configured NOT to route traffic back to the internet (that's not what my VPN server is there for), but to confine it to my LAN.
So, when connected to my LAN via my VPN server, the iPhone correctly reaches all local resources (i.e. file shares, cams, home automation various devices, etc.), but stops being able to go anywhere on the internet - so, no browsing, no email, no social media, no messaging of any sort.
Of course, by disconnecting from my VPN, all goes back to normal.

Not ideal.

My guess is that the iPhone stops using the correct gateways it must have in its routing table (WiFi's and/or Cellular Network).

Any suggestion on how to solve this? I can't even find a way in IOS to see the iPhone routing table. Let alone configure it.

Repeated searches online did not help much.

Thanks! And Happy 2020!


P.S.: I did, as an experiment, try reconfigure my VPN server to allow routing traffic to the internet, and it "worked", so to speak. My VPN server can push routes to the clients' routing tables, and the iPhone seems to get those. So I did, and my iPhone could access the internet via my home network/isp, of course; that had some side effects on Windows and OSX (did not test with Android) which I had to fix, but still, I don't particularly like the idea of hav ing my iphone route all Internet traffic through my home network and ISP when connected to the VPN.
Ideally, I'd like to simply configure the iPhone's routing table.


Edited by Taym (01/01/2020 23:17)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

Top
#372522 - 02/01/2020 15:58 Re: iPhone Routing Table / VPN [Re: Taym]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
There is no direct access to the routing tables.

With some (one) of the built in VPN types you get an option to only route traffic destined for the remote LAN. The option is on the L2TP VPN type, called "Send All Traffic".

I've not used the two other builtin VPN types, but I'd always assumed that with those you could control the behaviour from the server end, like you can do with an OpenVPN setup.

I use OpenVPN endpoints and the OpenVPN iOS app for my VPN needs.
_________________________
Remind me to change my signature to something more interesting someday

Top
#372523 - 04/01/2020 00:28 Re: iPhone Routing Table / VPN [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Unfortunately I don't see any change in behavior when I enable or disable the "Send All Traffic" option.

Just to provide more details, this is in short the behavior that I see in every non-iPhone VPN client I have used with my home VPN Server (SoftEther, FYI):
If I configure the server to push to clients routing table changes (defined by me server side), such changes will be added to the client routing table as expected.
If I configure the server NOT to push any route changes to clients, clients will simply retain their original routing table, also as expected.

In the case of the iPhone VPN client it seems to me (no way to find out, apparently, unless I find an app to show me) that
- it drops entirely its own original routing table
- it creates a new routing table entirely, which routes all traffic through the VPN tunnel AND, also, fortunately, includes all additional routes I push from server side, if I do push them.


Edited by Taym (04/01/2020 00:38)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

Top
#372524 - 04/01/2020 00:36 Re: iPhone Routing Table / VPN [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Also, still to clarify further:

By combining the following two features:
- Pushing specific routing table changes to clients, server side.
- Using a feature in the SoftEther client that prevents such routing changes to be applied locally.

... I can in fact make sure that, when connected to my home VPN, routing changes only get used by the iPhone, so non-iPhone clients behave as desired, and the iPhone does reach the Internet - but ONLY through my VPN Server ->LAN -> Home ISP, which is what I'd like to avoid in the first place.


Edited by Taym (04/01/2020 00:37)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

Top
#372525 - 04/01/2020 08:56 Re: iPhone Routing Table / VPN [Re: Taym]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
The “Send all traffic” option has definitely worked for me to toggle the behaviour when I’ve used L2TP links in the past. I’ve not needed it for a few years though, I’ve only used OpenVPN recently.
_________________________
Remind me to change my signature to something more interesting someday

Top
#372526 - 04/01/2020 15:50 Re: iPhone Routing Table / VPN [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
I don't know why it doesn't here.
When I first realized the iPhone was sending all traffic to the VPN tunnel I did assume I had that option enabled, but it wasn't. If I do enable it, no change.

I am looking for Apps to show me the active routing table on the iPhone. Maybe I'll get some clude there.

Thanks Andy anyway.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

Top
#372527 - 04/01/2020 17:53 Re: iPhone Routing Table / VPN [Re: Taym]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14493
Loc: Canada
It could have something to do with "corporate" requirements. When businesses have remote employees, or people on the go, accessing the corporate VPNs, they tend to want to disable all non-VPN traffic. This avoids possibilities of malicious internet actors tunnelling through the remote machine, through the VPN, to inside of the corporate firewalls.

There may be some other setting or app on the device which is triggering this "corporate mode", so think about what that might be.

Cheers

Top
#372528 - 04/01/2020 17:58 Re: iPhone Routing Table / VPN [Re: Taym]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
It turns out you can still see the routing table and I already have an app installed that shows it.

https://apps.apple.com/gb/app/he-net-network-tools/id858241710
_________________________
Remind me to change my signature to something more interesting someday

Top
#372529 - 04/01/2020 18:41 Re: iPhone Routing Table / VPN [Re: mlord]
jmwking
old hand

Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
Originally Posted By: mlord
It could have something to do with "corporate" requirements. When businesses have remote employees, or people on the go, accessing the corporate VPNs, they tend to want to disable all non-VPN traffic. This avoids possibilities of malicious internet actors tunnelling through the remote machine, through the VPN, to inside of the corporate firewalls.

There may be some other setting or app on the device which is triggering this "corporate mode", so think about what that might be.

Cheers


My wife has this problem. We have to connect her work laptop to our printer via usb as the local network access for printing is disabled.

-jk

Top
#372530 - 05/01/2020 00:45 Re: iPhone Routing Table / VPN [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
I have been looking at the routing table via that App, and that is confusing to me.

So, here's more details for you guys to enjoy this puzzle.

To make it simpler, I disconnected my iPhone from the WIFi, and left it only connected to the cellular (LTE) network.
What you see below are the routing tables returned by the app before and after connecting to my home VPN.

I removed plenty of IPv6 entries for simplicity. Not sure they do have a role here. I wonder why IPv6 routes are there in the first place as I am not aware of anything needing IPv6 on my iPhone. They are more than the IPv4 entries below. So, that is a big question mark to me, at present.

Anyway, as to IPv4 entries:

No VPN.
Code:
IPv4:
Destination      	Gateway    	Interface  	Flags
default   		10.60.165.177 	pdp_ip0 	UGSc
default 		link#21 	ipsec1 		UCSI
10.60.165.177 		10.60.165.177 	pdp_ip0 	UHr
10.60.165.177/32 	link#5 		pdp_ip0 	UCS
10.254.254.254 		10.254.254.254 	ipsec1 		UH
127 			127.0.0.1 	lo0 		UCS
127.0.0.1 		127.0.0.1 	lo0 		UH
224.0.0/4 		link#5 		pdp_ip0 	UmCS
224.0.0/4 		link#21 	ipsec1 		UmCSI
255.255.255.255/32 	link#5 		pdp_ip0 	UCS
255.255.255.255/32 	link#21 	ipsec1 		UCSI




VPN.
Code:
IPv4:
Destination      	Gateway     	Interface   	Flags
default 		link#26 	ppp0 		UCS
default 		10.60.165.177 	pdp_ip0 	UGScI
default 		link#21 	ipsec1 		UCSI
1.0.0.1 		10.10.11.101 	ppp0 		UH
10 			ppp0 		ppp0 		USc
10.60.165.177 		10.60.165.177 	pdp_ip0 	UHr
10.60.165.177/32 	link#5 		pdp_ip0 	UCS
10.254.254.254 		10.254.254.254 	ipsec1 		UH
127 			127.0.0.1 	lo0 		UCS
127.0.0.1 		127.0.0.1 	lo0 		UH
217.133.42.94 		10.60.165.177 	pdp_ip0 	UGHS
224.0.0/4 		link#26 	ppp0 		UmCS
224.0.0/4 		link#5 		pdp_ip0 	UmCSI
224.0.0/4 		link#21 	ipsec1 		UmCSI
224.0.0.251 		link#26 	ppp0 		UHmW3I
255.255.255.255/32 	link#26 	ppp0 		UCS
255.255.255.255/32 	link#5 		pdp_ip0 	UCSI
255.255.255.255/32 	link#21 	ipsec1 		UCSI


The above is very confusing to me.

10.60.x.x is mobile data link from my mobile isp (Wind Italy)

10.10.10.x/24 is my home LAN network.
10.10.11.x/24 is my VPN network
I decided to have the two above in two separate IP spaces back in the day when I configured my home VPN server.
VPN server routes from 10.10.11.x to 10.10.10.x and vice versa.

10.10.10.100 is my Gateway to the Internet for all clients in the 10.10.10.x/24 IP space (again, Home LAN).
10.10.11.1 is the VPN server and gateway for all clients in 10.10.11.x/24 IP space (VPN network).

So, VPN clients (including my iPhone) receive an IP in the 10.10.11.x space
They also receive the following two routes as they connect to my VPN server:
10.10.10.0/255.255.255.0/10.10.11.1 --> This to tell clients that they can access my LAN (10.10.10.x) via 10.10.11.1 .
0.0.0.0/0.0.0.0/10.10.10.100 --> This is to tell the clients that in order to access the Internet, they need to route through my home Gateway, in my LAN obviously. This route is designed for the iPhone specifically, otherwise there's no way the iPhone reaches the Internet while connected to my VPN.

For the records, this means that Windows or MacOS clients (and Android, I'd assume. Not tested) - but not the iPhone - would end up with two gateways for 0.0.0.0 (that is all traffic other than my home LAN). By configuring interface metrics, I can easily insure they do not use my home gateway (10.10.10.100) to get to the internet, and keep using whatever gateway they would use otherwise (my office network, or any other network I happen to be in).

Now, please notice that in the above iPhone routing tables I see no reference to 10.10.10.1 or 10.10.10.100 .
The two routes I push to the iPhone do not show.
But, I know they must be there somewhere, because:
- If I don't configure my VPN server to push the 10.10.10.0/255.255.255.0/10.10.11.1 route, my iPhone won't get to my home LAN
- If I don't configure my VPN server to push the 0.0.0.0/0.0.0.0/10.10.10.100 route, my iPhone won't get to the Internet.

So, they do affect the iPhone behavior. But, they do not show.

I suspect the app is not returning the routing table correctly. Or, I can't read it correctly.





Edited by Taym (05/01/2020 00:50)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

Top
#372531 - 05/01/2020 12:55 Re: iPhone Routing Table / VPN [Re: Taym]
peter
carpal tunnel

Registered: 13/07/2000
Posts: 4180
Loc: Cambridge, England
Your second routing table (fifth line) sends 10/8 over ppp0. But 10/8 also matches your cell connection 10.60.x.y, so those packets get sent to your VPN instead. You should find whatever part of your VPN setup is advertising 10/8, and make it advertise 10.10/16 instead.

Basically your cell ISP and your VPN are fighting over who owns 10/8. If you can't straighten it out, you might need to change your VPN to use a different RFC1918 range e.g. 172.16/16.

Peter

Top
#372532 - 05/01/2020 14:02 Re: iPhone Routing Table / VPN [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Yes.

I have no idea where 10/8 is coming from. Curious that the iPhone seems to get it from my VPN server, while no other client does.

Edit:
I wonder if the use of 10.x.y/24 is somehow confusing for the iPhone. Maybe a bug makes the device only expect 10. to be used as /8 ?
I'll try few changes as you suggested Peter. I don't really care what IP space is used by my VPN setup, provided all is routed correctly.


Edited by Taym (05/01/2020 14:19)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

Top
#372533 - 05/01/2020 17:46 Re: iPhone Routing Table / VPN [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
I changed the VPN IP network to
192.168.11.0/255.255.255.0
192.168.11.1 is the Gaetway

My home LAN is of course unchanged: 10.10.10.0/255.255.255.0, 10.10.10.100 gateway.

I push to VPN client the following routes:

1) 10.10.10.0/255.255.255.0/192.168.11.1
2) 0.0.0.0/0.0.0.0/192.168.11.1

iPhone routing Table looks like this.

VPN-Change1
Code:
Pv4:
Destination    		Gateway     	Interface   	Flags
default 		link#26 	ppp0 		UCS
default 		10.130.201.159 	pdp_ip0 	UGScI
default 		link#21 	ipsec1 		UCSI
1.0.0.1 		192.168.11.100 	ppp0 		UH
8.8.4.4 		link#26 	ppp0 		UHW3I
10.10.10.3 		link#26 	ppp0 		UHWIi
10.130.201.159 		10.130.201.159 	pdp_ip0 	UHr
10.130.201.159/32 	link#5 		pdp_ip0 	UCS
10.254.254.254 		10.254.254.254 	ipsec1 		UH
31.13.66.51 		link#26 	ppp0 		UHW3I
127 			127.0.0.1 	lo0 		UCS
127.0.0.1 		127.0.0.1 	lo0 		UH
149.154.167.91 		link#26 	ppp0 		UHW3I
157.240.14.53 		link#26 	ppp0 		UHW3I
157.240.22.54 		link#26 	ppp0 		UHWIi
192.168.11 		ppp0 		ppp0 		USc
217.133.42.94 		10.130.201.159 	pdp_ip0 	UGHS
224.0.0/4 		link#26 	ppp0 		UmCS
224.0.0/4 		link#5 		pdp_ip0 	UmCSI
224.0.0/4 		link#21 	ipsec1 		UmCSI
255.255.255.255/32 	link#26 	ppp0 		UCS
255.255.255.255/32 	link#5 		pdp_ip0 	UCSI
255.255.255.255/32 	link#21 	ipsec1 		UCSI


The two routes I push are not there, as far as I can see.

If I don't push the second one, the iPhone simply does not know how to get to the internet. I also noticed it is significantly slower in reaching what it does eventually reach inside my LAN, as if the first route I push was not there.

So, essentially, no change.

Also, I am guessing that the fact that my ISP is assigning me 10.x.x.x.x address and my home LAN is also 10.x.x.x.x is causing some confusion for the iPhone.


Edited by Taym (05/01/2020 18:04)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

Top
#372537 - 07/01/2020 14:37 Re: iPhone Routing Table / VPN [Re: Taym]
jmwking
old hand

Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
What happens if you pull your local 10./x subnets out of the vpn entirely? Could you set up a test network in one of the private 172 or 192 subnets with a local device or two on it?

-jk


Edited by jmwking (07/01/2020 14:40)

Top
#372538 - 09/01/2020 01:07 Re: iPhone Routing Table / VPN [Re: Taym]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Good idea. I am thinking of a quick way to do that and see what happens.

I also want to try to put the VPN subet in 10.10.10.x, so it is IN the LAN subnet. I'll have to work on client IP assignment (DHCP relaying maybe). And see what happens too.
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

Top