I use the PiVPN deployment of OpenVPN on a Raspberry Pi to connect back into my home network when I’m on the road. About a month ago my SD card gave out and I had to rebuild. I decided to go with PiVPN for my OpenVPN deployment. Setup was really easy and it worked great on my Android phone.
This last weekend I was at the in-laws and wanted to VPN in from my iPad to do some stuff at home. That’s where I ran into an issue, and if you are reading this I suspect you might have run into the same issue.
What I found was that I could connect to my VPN from my iPad with IOS 12.x but was unable to get any network traffic to or from my iPad when on the VPN. I couldn’t even ssh into my Pi. I couldn’t figure out what was wrong with it. Everything was working perfectly on my android phone.
I used my googlefu and tried to find answers to what could be going on and tried all sorts of different things. I finally figured out what was up and figured I’d share so I can fix this again later or help someone else!
The problem was that compression is turned on with PiVPN. And if you look at your settings in your OpenVPN client you will see that that is insecure. (See picture below.) A further explanation of this can be found on the OpenVPN website under the security advisories if you are interested.
Understandably we want to turn off the allow compression option. So we tap “NO” on the screen.
Well if you’ve tried that you probably guessed its not that easy to fix. There is more to it than that.
First we have to modify the server config on the Raspberry Pi. To do this SSH into your Pi or open up a console window.
Now we are going to issue the following commands
su root #You will be prompted for your root password at this point cd /etc/openvpn su vi server.conf #You will be prompted for your root password at this point
You are now in the VI editor (you could also use your favorite editor).
Inside the config file you want to find the line that says:
compress lz4
You want to change that to be at the beginning of that line and press the ‘i’ button (for insert) then enter a ‘#‘ and a space (without quotes). It should look like this:
# compress lz4
Now press the esc key then type ‘:wq!‘ (without the quotes). This writes (w) and quits (q) forcefully (!).
What we just did was turn of the use of compression for your OpenVPN server. (Not sure why they haven’t shut it off yet in PiVPN.)
With that done you should be back at the prompt. We now need to reboot the Pi (the easiest way for many people, so the system can read the changes we made to the config file). To do this we will type the following:
exit sudo shutdown -r now #You will be prompted for your root password at this point your pi will reboot
While that’s happening we need to make a few more changes.
First we need to modify your profiles. (You will need to do this for any profile you’ve created.)
Open up the file in something like notepad++ and we want to find the line that says, “compress lz4” we then want to remove it or comment it out using the pound symbol (#). So the top section of the file (before the <ca>) should look something like this:
client dev tun proto udp remote [address] [port] resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server tls-version-min 1.2 verify-x509-name server_[***********] name cipher AES-256-CBC auth SHA256 # compress lz4 verb 3 <ca>
Save the file and transfer it to your IOS device. You will need to repeat this for any other devices you created profiles for. (Because we just to the server to stop doing compression.)
Now you can import the file into the OpenVPN app on your IOS device. Then go into the OpenVPN settings screen and make sure allow compression is set to NO.
Now go test it and see if it works!
Now to give credit where credit is due. I couldn’t have figured out how to do this without two posts I found.
First this thread on the OpenVPN forums pointed me in the right direction: https://forums.openvpn.net/viewtopic.php?f=36&t=27195&sid=728ec0b98d2563dc3cecf5b35188843d
And led me to this bug post on the OpenVPN community page: https://community.openvpn.net/openvpn/ticket/1126
I hope this quick post has helped you get your IOS device connecting to your OpenVPN instance.
Till next time, may the lights of your data center stay off and your server fans keep humming.