Sunday, January 31, 2010

OpenVPN on a Jailbroken iPhone

OpenVPN support is one of the things sorely missing from the iPhone, and there is very little information about how to get OpenVPN working even on a jailbroken iPhone. There is iopenvpn.com if you are running 2.x, and it costs $29. This post is my attempt to fill this gap with step-by-step instructions on how to get OpenVPN working for free. Please be forewarned that I am not liable for any problems this might cause your iPhone. Having said that, I have followed the instructions given below and have been successful in getting access to resources behind the corporate network using OpenVPN. Before we get started, here are the prerequisites:

  • Jailbroken iPhone (I run 3.1.2, jailbroken using Blackrain)

  • PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

  • WinSCP (http://winscp.net/eng/download.php or something similar)

  • OpenVPN certificates and an OpenVPN configuration file (.ovpn). The certificate's private key should not be password protected if you want to use this through the SBSettings toggle; instructions for taking the password off are below. The .ovpn file should be renamed conf.ovpn and should reference the certificate files by name only, without any path.



Step-by-step instructions (please run these as root: run su root and enter your password)

  • In Cydia: install the OpenVPN toggle for SBSettings

  • On your Windows/Mac machine, assemble your certificates, .ovpn file, etc. into a local directory

  • Rename your .ovpn file to conf.ovpn and add the following two lines to the end of the file. Here is a sample ovpn file. You need to change the remote host and cert details to yours.

    up /var/mobile/Library/OpenVpn/update-resolv-conf
    down /var/mobile/Library/OpenVpn/update-resolv-conf

  • Download the update-resolv-conf script

  • Open a WinSCP session and copy all the files you assembled locally to /var/mobile/Library/OpenVpn

  • In the WinSCP session, edit /var/mobile/Library/SBSettings/Commands/com.offinf.openvpnup and change it as follows:


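    #!/bin/sh
    # Clear the toggle's OFF marker, then start OpenVPN in the background.
    /bin/rm /var/mobile/Library/SBSettings/Toggles/OpenVpn/OFF
    cd /var/mobile/Library/OpenVpn/
    # No quotes around the command: a quoted line is looked up as a single program name and fails.
    /usr/bin/openvpn-iphone --script-security 2 --config /var/mobile/Library/OpenVpn/conf.ovpn &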

  • Open PuTTY and log in to your iPhone as root.

    $ cd /var/mobile/Library
    $ chown -R mobile.mobile OpenVpn
    $ cd OpenVpn
    $ chmod +x update-resolv-conf
    #### If your key has a password, remove it with the commands below.
    #### You will be asked for the password one last time.
    #### Important: Leaving your private key without a password is a security risk. Please turn on passcode lock in your settings.
    #### This will ensure that if your phone does fall into the wrong hands they can't get into your network.
    $ cp my.key my.key.orig
    $ openssl rsa -in my.key.orig -out my.key
    #### Now test your VPN setup by doing the following:
    $ openvpn-iphone --script-security 2 --config conf.ovpn
    #### You should see it connecting to your VPN server and setting up routes. Try to use Safari to look at something
    #### behind the OpenVPN server.

  • Reboot your phone for the SBSettings toggle changes to take effect

  • After the reboot, open SBSettings and turn on OpenVpn

  • Note: For troubleshooting, install top from Cydia and run top to see whether the toggle spawns the openvpn-ip process.
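
A preflight check for the setup assembled in the steps above, as an added example that is not part of the original post or of the OpenVPN toggle package. It looks for the faults the steps guard against (path-qualified certificate references, a missing or non-executable up/down script, Windows line endings, a passphrase-protected key, munged "--" options in the toggle script) and also flags an unencrypted key that is accessible beyond its owner; the function names, the FAIL output format and the sample files are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for the OpenVPN
# directory and the SBSettings toggle script. One "FAIL:" line per finding.

check_setup() {   # usage: check_setup OPENVPN_DIR [TOGGLE_SCRIPT]
    dir=$1; toggle=$2; findings=0
    conf="$dir/conf.ovpn"
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }
    # First argument of an option in conf.ovpn, CR stripped; empty if absent.
    opt_value() { awk -v o="$1" '$1 == o { print $2; exit }' "$conf" | tr -d '\r'; }

    [ -f "$conf" ] || { fail "conf.ovpn not found in $dir"; return 1; }

    # Files edited on Windows keep CR line endings. With a CR after "#!/bin/sh"
    # the kernel looks for an interpreter named "sh<CR>" and the script cannot run.
    cr=$(printf '\r')
    for f in "$conf" "$dir"/update-resolv-conf*; do
        [ -f "$f" ] || continue
        if grep -q "$cr" "$f"; then fail "CR line endings in ${f##*/}"; fi
    done

    # ca/cert/key must name files in the same directory, without any path.
    for opt in ca cert key; do
        ref=$(opt_value "$opt")
        [ -n "$ref" ] || continue          # absent here, e.g. inlined in the .ovpn
        case $ref in
            */*) fail "$opt points to a path ($ref); use the bare file name" ;;
            *)   [ -f "$dir/$ref" ] || fail "$opt file $ref is missing from $dir" ;;
        esac
    done

    # up/down must name a script that exists and has the execute bit set.
    for opt in up down; do
        script=$(opt_value "$opt")
        if [ -z "$script" ]; then fail "no '$opt' line in conf.ovpn"
        elif [ ! -f "$script" ]; then fail "$opt script $script does not exist"
        elif [ ! -x "$script" ]; then fail "$opt script $script is not executable"
        fi
    done

    keyref=$(opt_value key)
    if [ -n "$keyref" ] && [ -f "$dir/$keyref" ]; then
        # A passphrase-protected PEM key makes openvpn prompt on a terminal,
        # which the background toggle does not have.
        if grep -q ENCRYPTED "$dir/$keyref"; then
            fail "key $keyref is passphrase-protected; the toggle cannot prompt"
        fi
        # Without a passphrase, file permissions are the key's only protection.
        perms=$(ls -l "$dir/$keyref" | cut -c5-10)
        [ "$perms" = "------" ] || fail "key $keyref is accessible beyond its owner; chmod 600"
    fi

    if [ -n "$toggle" ] && [ -f "$toggle" ]; then
        # Blog engines turn "--" into an en dash, so require the ASCII form.
        grep -q -- '--script-security 2' "$toggle" || fail "toggle lacks ASCII '--script-security 2'"
        grep -q -- '--config' "$toggle" || fail "toggle lacks ASCII '--config'"
        # A command line wrapped in quotes is looked up as one program name.
        if grep -q '^[[:space:]]*"/usr/bin/openvpn-iphone ' "$toggle"; then
            fail "toggle command line is wrapped in quotes"
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample (not from the page) containing several of these faults.
demo() {
    demo_dir=$(mktemp -d)
    printf '#!/bin/sh\r\nexit 0\r\n' > "$demo_dir/update-resolv-conf"
    printf 'ca ca.crt\nkey /tmp/my.key\nup %s/update-resolv-conf\n' "$demo_dir" > "$demo_dir/conf.ovpn"
    printf '"/usr/bin/openvpn-iphone \342\200\223config conf.ovpn" &\n' > "$demo_dir/toggle"
    check_setup "$demo_dir" "$demo_dir/toggle"; rc=$?
    rm -rf "$demo_dir"
    return "$rc"
}

if [ "$#" -ge 1 ]; then check_setup "$1" "$2"; else demo || true; fi
```

Pass the OpenVpn directory and, optionally, the toggle script as arguments; with no arguments it runs against the constructed sample.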

93 comments:

  1. Hello,

    I thank you very much for posting this how-to, but it seems some errors got in, possibly due to the blog engine interpreting some character sequences: The "scutil

  2. I am not sure my whole previous message got through, so to summarize, it does not work for me yet (no dns resolution as root, no tunnel ever as mobile) Thanks in advance, testman57

  3. testman57: I updated my instruction to download the script and sample ovpn file instead of putting it in the body of my blog post.

    Try it with this script and see if it works for you.

    Remember to chmod +x update-resolv-conf and try to run it in command line to see if it executes.

    If you use windows to store and transfer the file, you might have to replace the ^M in the file. A simple:

    # Please note ^M is control-M. For the sed line below do a ctrl-V ctrl-M to replace ^M in the file.

    cp update-resolv-conf update-resolv-conf.orig
    cat update-resolv-conf.orig | sed "s/^M//g" > update-resolv-conf

  4. I followed your directions and once I did the, openvpn-iphone --script-security 2 --config conf.ovpn, I was greeted with quite a few messages but it finally stopped @


    tunemu: opening pcap: (no device found) /dev/bpf0: permission denied
    Cannot allocate TUN/TAP dev dynamically
    exiting

  5. adam , i had same issue ....

    you have to use terminal session with root privilege so just begin with:
    su root (enter)
    fill password and that's it !

    but i am not able to have the sbsettings toggle working .. :( , the red icon becomes green but i never see the OpenVpn icon and i never jump to my local network

    so today , only way to have OpenVpn working is to use Terminal session directly on the iPhone , navigate to the correct folder and launch the command you wrote above

    unable to script a little sh batch to launch automatically !!! but the best is to have sbsettings toggle working ... please help !!

    and of course i do not forget to thanks Chandra !

  6. hey ! finally sbtoggle is working :) i think i have found the issue !

    it's not
    /usr/bin/openvpn-iphone –script-security 2 –config /var/mobile/Library/OpenVpn/conf.ovpn &

    but

    /usr/bin/openvpn-iphone --script-security 2 --config /var/mobile/Library/OpenVpn/conf.ovpn &

  7. Thanks for the su hint, I am going to try it out right now. I don't see a difference between those two lines.

  8. Well I tried it with the su root before using the commands and I believe I received a ip from my pfsense VPN as I see the ip range and an address that my laptop somewhat uses, 10.0.1.6 10.0.1.5 mtu 1500 netmask 255.255.255.255 up, but the next two lines do not give me faith.

    script failed: could not execute external program
    exiting

  9. I've been trying a whole bunch of stuff but I can't seem to get openvpn working, it always craps out with script failed: could not execute external program

    Does anyone have any insight?

  10. Adam & Extenue: Sorry for disappearing. I didn't get email notification when new comments were added. Hopefully I can help you guys.

    Adam: Did you set the update-resolv-conf to have execute permission? Specifically you need to do :

    $ cd /var/mobile/Library/OpenVpn
    $ chmod +x update-resolv-conf

    Try to run the script and see if it at least runs. It won't do the right thing because it needs the parameters of your connection. So after you do this try to run the following command in one line:

    /usr/bin/openvpn-iphone --script-security 2 --config /var/mobile/Library/OpenVpn/conf.ovpn

  11. sorry for the typo mistake

    it’s not
    /usr/bin/openvpn-iphone –script-security 2 –config /var/mobile/Library/OpenVpn/conf.ovpn &

    but

    /usr/bin/openvpn-iphone --script-security 2 --config /var/mobile/Library/OpenVpn/conf.ovpn &

  12. ok i have understood , wordpress removes the double - before script and before config

    i retry with ""

    it’s not
    /usr/bin/openvpn-iphone –script-security 2 –config /var/mobile/Library/OpenVpn/conf.ovpn &

    but

    "/usr/bin/openvpn-iphone --script-security 2 --config /var/mobile/Library/OpenVpn/conf.ovpn &"

  13. when I do these 2 commands I have to put a .sh after update-resolv-conf or else it gives me an error saying no file or directory.

    (ex.)
    $ cd /var/mobile/Library/OpenVpn
    $ chmod +x update-resolv-conf.sh


    Next I tried running,

    $ ./update-resolve-conf.sh

    and was greeted with this message,

    ./update-resolve-conf.sh: $dev not defined, exiting


    I tried to run,

    /usr/bin/openvpn-iphone --script-security 2 --config /var/mobile/Library/OpenVpn/conf.ovpn &

    It finally crapped out @

    Thu Feb 11 03:52:29 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Feb 11 03:52:29 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Feb 11 03:52:29 2010 OPTIONS IMPORT: route options modified
    Thu Feb 11 03:52:29 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Thu Feb 11 03:52:29 2010 ROUTE default_gateway=10.10.5.1
    Thu Feb 11 03:52:29 2010 TUN/TAP device tunemu:/ppp0 opened
    Thu Feb 11 03:52:29 2010 /sbin/ifconfig ppp0 delete
    ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
    Thu Feb 11 03:52:29 2010 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
    Thu Feb 11 03:52:29 2010 /sbin/ifconfig ppp0 192.168.200.10 192.168.200.9 mtu 1500 netmask 255.255.255.255 up
    Thu Feb 11 03:52:29 2010 /var/mobile/Library/OpenVpn/update-resolv-conf ppp0 1500 1544 192.168.200.10 192.168.200.9 init
    Thu Feb 11 03:52:29 2010 script failed: could not execute external program
    Thu Feb 11 03:52:29 2010 Exiting


    Thanks for the responses guys! I really am trying to get this working.

  14. Adam: Two things. If you changed it to update-resolve-conf.sh then you need to change your config.ovpn file to add .sh to those up and down lines in the configuration.

    Also, it seems like you are not running this as root. Please run these commands as root. Do a su and enter your password to become root.

  15. Ok I changed the conf.ovpn and added the .sh part. When I downloaded the file with Safari it already had the .sh extension on it, that's my bad. I was able to connect and log in to my openvpn server. Now I am working on trying to get the OpenVpn toggle to work.

  16. Hey i have been trying to get the OpenVpn toggle to work but it's just not happening. I've tried running top and using the toggle but it doesn't show up in the running processes. One thing I've noticed and I don't know if this is relevant but sometimes when I restart my iPhone, the OpenVpn toggle disappears from my SBSettings and I have to re-enable it. Any input is very much appreciated and thanks for all the help Chandra!

  17. For the toggle to work you need to edit "/var/mobile/Library/SBSettings/Commands/com.offinf.openvpnup" file, did you follow the instructions to change that? As extenue mentioned the parameters need to have two dashes , I think wordpress swallowed one of them in my original blog post.

  18. Yah I've got the double dashes, I made sure of that. Like I said it wouldn't have anything to do with the toggle disappearing from the sbsetting drop down when I restart would it?

  19. Adam: It might. I don't have the disappearing toggle problem. Maybe you want to try reinstalling the sbsettings toggle? It is pretty awesome with sbsettings toggle. Getting into terminal to start openvpn would be a major PIA.

  20. Hello again,

    I do not understand why, but the toggle started working now (perhaps I restarted the device, can't remember...). I had only one problem, it was not resolving the names I wanted on the DNS level, but I hard coded the 2 subdomains I wanted in update-resolv-conf and off it went, with correct access to my intranet... Now, shouldn't such a vpn catch ALL dns requests, independent from the domain given by dhcp, which in my case was very limited (and prevents surfing and so on) ?

    In any case, many thanks for these updated scripts from a happy user :)

  21. I finally got the toggle to work, I played around with the script and overwrote the previous one and then re-added the toggle and restarted the device (twice) and it eventually started to work. Thanks Chandra for the guide and all your help!

  22. do i have to type all the putty command again after i reboot my phone?

    any shortcut available?

  23. testman57: coincidentally I had to do the same thing in my setup. This was due to the fact that my openvpn server was not sending back connection specific dns suffix using dhcp-option DOMAIN . It was only pushing the dhcp-option for DNS. So I had to hardwire the subdomains inside my network as well in update-resolv-conf script:

    d.add SupplementalMatchDomains * sub1.mydomain.com sub2.mydomain.com

    If you have control over the openvpn server configuration, this section will tell you how to push foreign options to clients:

    http://openvpn.net/index.php/open-source/documentation/howto.html#examples

    Something like:

    push dhcp-option DOMAIN mydomain.com

  24. higaki: Are you not using sbsettings toggle for openvpn?

  25. When I finally found some time for following your writeup, it's gone ;_; I'm out of luck today.

  26. Steffen: my apologies. The wordpress installation i use is filled with security bugs. I need to update. In the meantime, I have restored the content.

  27. hello regards from Guatemala, i'm a geek,
    Thanks Chandra the script works perfectly, i can access from my iphone to my OpenVPN server, and to the orange zone behind the firewall.

    Cool!

  28. This seems to be the only walk through on the net to get the SBSettings toggle to work and the original post is missing. :'(

  29. sorry wkoloyan: The content is restored again. I am having wordpress upgrade issues.

  30. aside from using terminal to determine the openvpn ip when connected, is there anything im missing within SBSettings available toggles that should tell me? i know the default sbsettings mode tells your wifi ip / Data (att) ip/ and available memory..but once connected via OpenVpn nothing seems to indicate that ip (ie if you're actually connected or if the openvpn button has simply changed color)

    any hints?

  31. Thanks for putting it back. I am confused about one thing though. Where do I acquire my certificates??? I am able to get my config file from the web install page. Any help would be appreciated.

    -Vk

  32. Vk: look for ca, cert, key entries in your ovpn file. Whatever those entries point to is what you need.

    Stjb: don't know of any other way. You could perhaps use safari and try to access an internal resource inside the VPN. But nothing in sbsettings shows the ip of the tun for example.

  33. Hi, please help me download the example and how-to; I don't see them.

    Thank you

  34. Hi, when I use
    "openvpn-iphone --script-security 2 --config conf.ovpn"
    there is an error:
    "dyld: Library not loaded: /usr/lib/libpcap.A.dylib
    Referenced from: /usr/bin/openvpn-iphone
    Reason: image not found
    Trace/BPT trap"

    It means this OS doesn't have "libpcap.A.dylib"?

    I don't know how to fix it... Please help me, thank you

  35. ok it seems that in my case the ca, cert, key entries are within the config file. they don't point anywhere.


    -----BEGIN CERTIFICATE-----
    cert info present in here
    -----END CERTIFICATE-----



    -----BEGIN CERTIFICATE-----
    cert info present in here
    -----END CERTIFICATE-----



    -----BEGIN RSA PRIVATE KEY-----
    key info present in here
    -----END RSA PRIVATE KEY-----


    so does that mean i only need to include the config file and nothing else?

    Thanks for the help

    -Vk

  36. I've tested it but I've seen that tunemu is still not working with TAP adapters, only TUN. Is it possible?

    thanks in advance.

  37. vkoloyan: if it is inlined you don't need anything else, just the .ovpn file.

    xavier: I haven't the slightest clue. anyone else ?

  38. Hi,

    first of all thanks a lot for this page - helped me a lot to get OpenVPN working on my iPod touch. The only issue I still have is the problem that the SBSettings toggle "OpenVPN" disappears at every reboot and, if re-enabled, does not work. If I start manually, i.e. by typing "openvpn-iphone --script-security 2 --config conf.ovpn" everything works as expected.
    I did everything according to your howto, made sure to have two dashes ;-) , but still the toggle keeps disappearing and, if there, has no effect whatsoever.
    Does anyone have a hint?

    Thanks a lot!

    Pat

  39. I forgot: I also reinstalled OpenVPN toggle via Cydia and did all your changes again afterwards - nothing changed in behaviour.

  40. Hey This is great!! Awesome job, thank you.

    When I turn on the toggle, vpn connects and seems to do everything it's supposed to. However, some applications give an error that the Internet is not connected. For example, Safari works fine, when I go to ipchicken.com, it gives the VPN's endpoint address, but other applications seem to think that the internet is not connected.

    any ideas?

  41. No Connection, TLS times out...

    root# openvpn-iphone --script-security 2 --config conf.ovpn
    OpenVPN 2.1_rc19_jfx arm-apple-darwin9 [SSL] [LZO2] built on Sep 3 2009
    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    LZO compression initialized
    Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Data Channel MTU parms [ L:1542 D:1275 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Local Options hash (VER=V4): '504e774e'
    Expected Remote Options hash (VER=V4): '14168603'
    Socket Buffers: R=[41600->65536] S=[9216->65536]
    UDPv4 link local: [undef]
    UDPv4 link remote: 111.222.333.444:555
    TLS: Initial packet from 111.222.333.444:555, sid=5ad5ead0 1a78bfc4
    VERIFY OK: depth=1, /C=AU/ST=NSW/L=NS/O=XX/CN=OpenVPN-CA/emailAddress=mis@XX.com
    VERIFY OK: nsCertType=SERVER
    VERIFY OK: depth=0, /C=AU/ST=NSW/L=NS/O=XX/CN=server/emailAddress=mis@XX.com
    ~~~ DELAY HERE ~~~
    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    TLS Error: TLS handshake failed
    TCP/UDP: Closing socket
    SIGUSR1[soft,tls-error] received, process restarting
    Restart pause, 2 second(s)
    root# ^C
    root#

    Note in my conf.ovpn:
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    ;dev tun
    dev tap

    Is tap supported?

  42. Everything seems to be working for me, and thank you so much for your DNS script, I had to write a script that manually put in DNSes for my VPN and ones for my school because they use internal ones and it all messed up.

    Anyway, my problem is, most apps enjoy the VPN with no problem.

    Though some apps like Softphone refuse to use the VPN and just say "no network" and I've tried everything.

    I have been using SSH forwarding which worked for a while, but it's so tiring, and I would much rather use OpenVPN to just force everything through my server.

  43. Well an update to my previous comment.

    It looks like the DNS script failed for me because I didn't have it send a domain prefix.

    Still though, I can not seem to get Siphon to go over the OpenVPN.

    I know it's nothing with the OpenVPN, because using a Nokia N810, I can use SIP over it.

    I even put the VPN IP in "Bound IP".

  44. Chandra: any chance of a spin-off app to just set DNS (eg to openDNS) for all internet traffic?

  45. Thanks for tutorial.
    Unfortunately I've the same problem as Lester.

    Appstore/Safari/Mail all work with openvpn.

    Other apps seem simply to detect no network activity (Lastfm) (webradio) or just hang downloading (pandora).

    Any advice?

  46. Double check your configuration BratacD.
    First error is not a real problem, just a warning that other users could read your openvpn key files.

    Second one: use "dev tun" and not "dev tap".
    Follow the example config that chandra provided

  47. The OpenVPN server is running dev tap because
    fix ip doesn't work under winxp.

    I changed settings tun-->tap now it's working fix ip.

    I don't use iphone+openvpn, if I don't go back tun and regenerate all cert in my company?

  48. Is it possible to route the whole traffic over the openvpn connection?

    after the tunnel is up - my routing table looks as follows:

    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.111.1      UGSc        6        0    en0
    default            10.8.0.5           UGSc        0        0   ppp0
    10.8.0.1/32        10.8.0.5           UGSc        0        0   ppp0
    10.8.0.5           10.8.0.6           UH          2        0   ppp0
    83.xx.xx.xx/32     192.168.111.1      UGSc        0        0    en0
    127                localhost          UCS         0        0    lo0
    localhost          localhost          UH          0        0    lo0
    169.254            link#2             UCS         0        0    en0
    192.168.111        link#2             UCS         1        0    en0
    192.168.111.1      0:9:5b:c8:89:73    UHLW        9       42    en0   1177
    192.168.111.119    localhost          UHS         0        0    lo0


    in my server config I use:
    push "redirect-gateway"

    the client.conf has:
    redirect-gateway
    active.



    Wed Apr 7 17:53:23 2010 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 81.xx.xx.xx,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
    Wed Apr 7 17:53:23 2010 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Apr 7 17:53:23 2010 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Apr 7 17:53:23 2010 OPTIONS IMPORT: route options modified
    Wed Apr 7 17:53:23 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Apr 7 17:53:23 2010 ROUTE default_gateway=192.168.111.1
    Wed Apr 7 17:53:23 2010 TUN/TAP device tunemu:/ppp0 opened
    Wed Apr 7 17:53:23 2010 /sbin/ifconfig ppp0 delete
    Wed Apr 7 17:53:23 2010 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
    Wed Apr 7 17:53:23 2010 /sbin/ifconfig ppp0 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
    Wed Apr 7 17:53:23 2010 /var/mobile/Library/OpenVpn/update-resolv-conf ppp0 1500 1542 10.8.0.6 10.8.0.5 init
    dns [81.xx.xx.xx] [] []
    About to set DNS and Domain
    Wed Apr 7 17:53:23 2010 /sbin/route add -net 83.xx.xx.xx 192.168.111.1 255.255.255.255
    add net 83.xx.xx.xx: gateway 192.168.111.1
    Wed Apr 7 17:53:23 2010 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
    add net 10.8.0.1: gateway 10.8.0.5
    Wed Apr 7 17:53:23 2010 Initialization Sequence Completed


    if I delete the first (old) default route manually - I didn't see any packets on the server's interface.

  49. Can somebody tell me how to run top to see if the toggle spawns the openvpn-ip process? Great post! Thanks.

    Tony

  50. UNBELIEVABLE! IT WORKS!! 1000 THANKS to all you guys..

  51. [...] 51 Finally there is an effective and working way to get OpenVPN on the iPhone: chandraonline.net iPhone 3GS 16GB black - 3.1.2 - blackra1n [...]

  52. Quivalen and Lester:

    try and disable nobind from your conf.ovpn

    #nobind

  53. There is an easier way to use OpenVPN on iPhone: www.guizmovpn.com

  54. Amazing!
    I almost managed to get it working on my own.
    I use Terminal in OSX to ssh to the Ipod, and after all the procedures I get this:

    Thu Jul 22 17:44:40 2010 OpenVPN 2.1_rc19_jfx arm-apple-darwin9 [SSL] [LZO2] built on Sep 3 2009
    Thu Jul 22 17:44:40 2010 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Thu Jul 22 17:44:40 2010 LZO compression initialized
    Thu Jul 22 17:44:40 2010 TUN/TAP device tunemu:/ppp0 opened
    Thu Jul 22 17:44:40 2010 /var/mobile/Library/OpenVpn/update-resolv-conf ppp0 1500 1545 init
    dns [] [] []
    dom [] [] []
    About to set DNS and Domain
    add net 80.179.114.160: gateway 172.19.254.254
    Thu Jul 22 17:44:41 2010 UDPv4 link local (bound): [undef]:1194
    Thu Jul 22 17:44:41 2010 UDPv4 link remote: 80.179.114.160:1194

    Everything seems ok, except that I don't actually connect to my network, I can't connect to my local resources behind the nat, and the server has no clue someone is connected.

    How do I troubleshoot it? Installed "top" as you recommend but I don't find it anywhere in the Ipod.

    If I keep the terminal window open and I open sbsettings in the Ipod, when I disconnect from the openvpn, I get:

    Thu Jul 22 17:45:04 2010 event_wait : Interrupted system call (code=4)
    delete net 80.179.114.160: gateway 172.19.254.254
    Thu Jul 22 17:45:04 2010 /var/mobile/Library/OpenVpn/update-resolv-conf ppp0 1500 1545 init
    Thu Jul 22 17:45:05 2010 SIGTERM[hard,] received, process exiting

    that means the sbsetting toggle is indeed working right?

    Or maybe it's a server related problem? I usually use TAP to connect to my VPN, but I saw there is no support for TAP in iOS, so I configured a second VPN server in the router with TUN settings. Both run simultaneously right now but both use the same static key (I was too lazy to create a new one) :-)

    Maybe that's the problem?

    Thanks. Amazing tutorial.

  55. Hi,
    If it doesn't go further than "Thu Jul 22 17:44:41 2010 UDPv4 link remote: 80.179.114.160:1194", that means you have a problem with your server or your firewall.
    Another strange thing, the execution of your "update-resolv-conf" should only happen when the tunnel is active, in your case it happens before. Try to remove it.

    Guizmo

  56. thx for the detailed instruction, it's really helpful, and I had tried it on my new iPad(3.2.1), the openvpn connection always ends up with the following error.

    Thu Aug 12 23:23:40 2010 TUN/TAP device tunemu:/ppp0 opened
    Thu Aug 12 23:23:40 2010 /sbin/ifconfig ppp0 delete
    Thu Aug 12 23:23:40 2010 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
    Thu Aug 12 23:23:40 2010 /sbin/ifconfig ppp0 192.168.5.22 192.168.5.21 mtu 1500 netmask 255.255.255.255 up
    Thu Aug 12 23:23:40 2010 Mac OS X ifconfig failed: could not execute external program
    Thu Aug 12 23:23:40 2010 Exiting

    I think the problem is not from my server or client config, because all these things work perfectly for my other computers, mac, linux and even windows. any other ideas?

  57. A Cydia packet (network-cmds) seems to be missing.
    If you want to have an easy to install/configure/use solution, please look at www.guizmovpn.com :)

    Guizmo

  58. Hi Chandra

    I made the toggle work perfectly on iOS 3.1.3. Now I also installed it on iOS 4.0.1 and it's working like a charm.

    Only one thing I mentioned which appeared on 3.1.3 same as now on 4.0.1:
    After I used the toggle and reboot the phone, the toggle is deactivated.

    F.e. like this:
    > switch toggle on
    > browse the web
    > switch toggle off
    > reboot phone
    --> toggle is deactivated. I have to re-activate it first. Do you have any idea what's the problem in here?

  59. I installed iOS 4.0.1 and I had to install network-cmds to have ifconfig. Once the vpn is up I can ssh into my vpn servers, but I can't use Safari (Safari doesn't find the machine, no dns resolution), and of course the machine is ok, because I can ssh via shell. Any ideas?

    Thanks

  60. Dabi: I have a similar problem in 4.0.1, I am unable to get DNS resolution working correctly. But I can connect to those servers using their IP address.

    Guizmo: I gave guizmovpn a shot as well, it has similar problems. I can't get DNS resolution even though I see dhcp-option being received and the DNS being set. I am running out of the trial license, so I am not sure if I can troubleshoot more. Have you tested it in 4.0.1?

  61. Chandra : Can you send me your log (there is a button in the log page)

  62. get get the update-resolv-conf.sh file to work.

    downloaded or copy-pasted it from the ftp and then saved it as update-resolv-conf.sh

    am i doing something wrong?

    login as: root
    root@192.168.1.103's password:
    iPhone-van-sven:~ root# cd /var/mobile/Library
    iPhone-van-sven:/var/mobile/Library root# chown -R mobile.mobile OpenVpn
    iPhone-van-sven:/var/mobile/Library root# cd OpenVpn
    iPhone-van-sven:/var/mobile/Library/OpenVpn root# chmod +x update-resolv-conf
    chmod: cannot access `update-resolv-conf': No such file or directory
    iPhone-van-sven:/var/mobile/Library/OpenVpn root#

  63. Hi!
    I have the same problem as Chandra and Diabi with DNS resolution.
    I tried to install bind on the iPhone and did some tests connected in VPN such as ping or nslookup, both didn't work.
    Then I make my own /etc/resolv.conf with OpenDNS servers, disabled update-resolv-conf on iPhone and commented push "dhcp-option DNS on the server side.
    I'm now able to use nslookup correctly all domains in VPN but the ping didn't work again...

    Marcs-iPhone:/var/mobile/Library/OpenVpn root# nslookup apple.com
    Server: 208.67.222.222
    Address: 208.67.222.222#53

    Non-authoritative answer:
    Name: apple.com
    Address: 17.251.200.70
    Name: apple.com
    Address: 17.112.152.57
    Name: apple.com
    Address: 17.149.160.49

    Marcs-iPhone:/var/mobile/Library/OpenVpn root# ping apple.com
    ping: unknown host

    It's a strange problem, with nslookup I can communicate with OpenDNS servers and get info, but with ping or in Safari I can't resolve names...

    I hope this test can help us to fix it.

  64. [...] Witopia Support Wiki ->http://wiki.witopia.net/wiki/Installing_personalVPN-SSL_on_Linux SBSettings -> http://chandraonline.net/blog/?p=22 GuizmOVPN -> http://www.guizmovpn.com/index.php?option=com_content&view=article&id=2&Itemid=2 [...]

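  65. [...] Note 1: The purpose is to change the DNS settings automatically after connecting to openvpn, for example to 8.8.8.8. Note 2: I referred to http://www.chandraonline.net/blog/?p=22, but for some reason it did not work, so I fell back to a cruder approach and changed the primary DNS directly; for how the parameters are determined, see http://hints.macworld.com/article.php?story=20050621051643993. The side effect is that DNS is not changed back after openvpn disconnects, but that should not be much of a problem. Note 3: update-resolv-conf, see the attachment for my configuration. [...]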

  66. Hi,

    I released an update for GuizmOVPN that should solve the problem with the DNS resolution.

    Can you try it and let me know if it's working ?

    Guizmo

  67. Guizmo:

    It works for me now. I just need to buy a license and test it in the field :)

    Thanks.

  68. As soon as I try testing my VPN setup with:

    $ openvpn-iphone --script-security 2 --config conf.ovpn

    Putty says:

    -sh: openvpn-iphone: command not found

    Where is my mistake? Im freakin out ^^ thx guys!

  74. Thank you for the amazing guide
    Everything works fine under ios 4.3.3
    But only tcp not udp
    I need udp for register to my Voip PBX (udp 5060 port)

    Thanks..

  75. Just a few tips to anybody setting this up, that drove me crazy for days until I finally found the answer.

    I switched from OpenVPN Access Server to OpenVPN (normal OpenVPN) so that I could run it on my router instead of a VM.

    My router's config of it, set user and group nobody which was really messing up adding routes and using guizmo's DNS script. So no user/group options in the client.conf.

    Also I had to manually add DNSPush="Y" to the top of Guizmo's DNS script.

  76. I forgot to mention above, that "nobody" broke Siphon, Softphone, & AOL Radio for example due to whatever it could not setup properly as root, even though Safari and other apps worked fine.

    This led me to think this was a bug in 3.1.3 since this failed to occur in 4.2.1, yet it was a config bug.

    I love diagnosing things, makes you wanna pull your hair out sometimes, LoL.

  77. A note on the 2 above comments.

    guizmovpn_updown.sh works perfectly updating DNS on my iPhone 2G 3.1.3 and works on my iPhone 4G 4.2.1 only on connect, but on disconnect, it shows a blank DNS config on scutil --dns.

    I can see running commands in scutil like d.show that it did add the DNS info back but it's like the OS or something is not "updating" or something.

  91. [...] OpenVPN: Not strictly a security pentest application, but an excellent and increasingly widespread way to get VPN access for free (and its toggle for SBSettings). I had been looking for compatibility for this powerful tool since I had iPhone firmware version 1.3, until I came across this. On connecting, it brings up a virtual TUN interface with the internal IP and the defined routes. [...]
