Routing my VPN Server through VPN Client 1 Having issues with Facetime

[eibgrad]

so what do you want me to do ?

Route all traffic inbound from your own OpenVPN server through the WAN, NOT the OpenVPN client (OVPN1). I want to eliminate the OpenVPN client from the situation to see if that fixes it.

 

[eibgrad]

Meaning you want me to remove the rule in vpn director meaning disable the redirect :: Meaning this rule disable it and then connect to the server and see if it work?

​

Route

10.16.0.0/24

Yes. Or add a rule specifically for the WAN. Or try both ways.

 

[ComputerSteve]

so I disabled it and now when I connect to the server my IP is my home wan ip however it doesn't work with facetime.. so it seems to have nothing to do with client 1

 

[eibgrad]

so I disabled it and now when I connect to the server my IP is my home wan ip however it doesn't work with facetime.. so it seems to have nothing to do with client 1

Well that's good to know. We need to eliminate anything we can to narrow down the culprit.

 

[ComputerSteve]

So yeah it seems to be that me just connected to my server kills apple services // I wonder if this doesn't happen on the iphone ?? i'm gonna try that.. Maybe its an issue with Mac OS ?

 

[ComputerSteve]

wait so guess what I've disabled cellular data and connected to the server VPN and guess what !! ON the iphone its working perfect... So this might be an issue on MacOS X

 

[eibgrad]

wait so guess what I've disabled cellular data and connected to the server VPN and guess what !! ON the iphone its working perfect... So this might be an issue on MacOS X

Or it might be that you're effectively using both the cellular and wifi networks, but for different purposes w/ those services, and it's causing a conflict. Once you confine it to one or the other internet provider, the problem goes away.

 

[ComputerSteve]

So I turned off cell data on the iPhone and ran FaceTime / Apple News through the vpn on WiFi and it worked as it should. It’s not working on my MacBook Pro.

 

[eibgrad]

Is your MacBook cellular, wifi, or both?

 

[eibgrad]

wait so guess what I've disabled cellular data and connected to the server VPN and guess what !! ON the iphone its working perfect... So this might be an issue on MacOS X

Well frankly, I don't trust anything that claims to be routed through the OpenVPN server via wifi. Presumably that means you're NOT really on the internet side of the WAN but on the LAN side, and relying on NAT loopback. And when you do, you're effectively bypassing the OpenVPN server for local access anyway.

IOW, for all intents and purposes, it's as if you're connected locally, despite "technically" having an active OpenVPN client connection to your own OpenVPN server. And we already know that local wifi connections work.

As I tell ppl all the time, when it comes to accessing an OpenVPN server from the LAN on which the server is running (usually for the purposes of testing or debugging), it's completely bogus. The only thing that really counts is actually being connected on the *internet* side of the WAN, which typically means cellular. And so far, that does NOT appear to work.

 

[ComputerSteve]

My MacBook is only WiFi. To emulate that I put on airplane mode on my iPhone and just left WiFi on so no cellular and doing that connecting to the vpn server 2 it works. If I connect on my Mac I loose FaceTime and all other Apple services.

 

[ComputerSteve]

Well frankly, I don't trust anything that claims to be routed through the OpenVPN server via wifi. Presumably that means you're NOT really on the internet side of the WAN but on the LAN side, and relying on NAT loopback. And when you do, you're effectively bypassing the OpenVPN server for local access anyway.

IOW, for all intents and purposes, it's as if you're connected locally, despite "technically" having an active OpenVPN client connection to your own OpenVPN server. And we already know that local wifi connections work.

As I tell ppl all the time, when it comes to accessing an OpenVPN server from the LAN on which the server is running (usually for the purposes of testing or debugging), it's completely bogus. The only thing that really counts is actually being connected on the *internet* side of the WAN, which typically means cellular. And so far, that does NOT appear to work.

So this is getting me confused are you saying that maybe it isn't working... Because On my cellphone I disabled cellular and just had wifi connected to server 2 and facetime still worked / apple services.. Its only on the macbook pro it doesn't.

 

[eibgrad]

So this is getting me confused are you saying that maybe it isn't working... Because On my cellphone I disabled cellular and just had wifi connected to server 2 and facetime still worked / apple services.. Its only on the macbook pro it doesn't.

Depends on what YOU mean by having your cellphone connected over wifi to the OpenVPN server.

I assume you're at home. And therefore your wifi connection is to the LAN side of your home network. And you're attempting to connect that cellphone to the OpenVPN server by referencing the WAN ip (or DDNS domain name) from within the LAN (aka NAT loopback), and NOT from the internet side of the WAN like you would typically be doing if the cellphone was on the cellular network.

If that's the case, then I don't trust your claims that it works from the cellphone w/ wifi, since we already know it works locally over wifi. I only care if it works when you're actually *remote*, i.e., accessing it from the WAN side, such as cellular.

 

[ComputerSteve]

ok so I will disconnect wifi and use cellular

 

[ComputerSteve]

Ok so now I used my iphone and disconnected the wifi and used the cellular connection / then connected to vpn server 2 using openvpn connect ios app /// It still works on the iPhone --- However i'm not sure if thats because apple does a bypass of vpn services as I noticed here -
On the other hand, I found this explanation in the OpenVPN Connect FAQ:

Many Apple services such as Push Notifications and FaceTime are never routed through the VPN tunnel, as per Apple policy.

 

[eibgrad]

However i'm not sure if thats because apple does a bypass of vpn services as I noticed here -
On the other hand, I found this explanation in the OpenVPN Connect FAQ:

LOL. Well that sure does seem like an awfully interesting coincidence!

My assumption is that these services are NOT just pull, but push, which probably makes VPNs problematic. It's like trying to use an online game w/o UPnP or other form of port forwarding. The experience is either going to be limited, or not work at all.

 

[ComputerSteve]

So what do you suggest because it does work if I don't use the server.. meaning if I just route my macbook through the vpn directly using vpn director it works... So I still don't understand why it isn't working using the server 2.

 

[eibgrad]

So what do you suggest because it does work if I don't use the server.. meaning if I just route my macbook through the vpn directly using vpn director it works... So I still don't understand why it isn't working using the server 2.

According to those comments over at the OpenVPN site, notice it says "policy". IOW, it doesn't appear to be a technical issue, but perhaps more of a security/privacy issue for Apple. In the case of your own OpenVPN server, it's obvious to Apple when you're using a VPN, after all, you've configured the OpenVPN client on the device! But in the case of the local OpenVPN client on your home router, it is NOT obvious. Apple has no idea the apps are being routed over a VPN since the routing occurs upstream, thus undetectable.

 

[ComputerSteve]

According to those comments over at the OpenVPN site, notice it says "policy". IOW, it doesn't appear to be a technical issue, but perhaps more of a security/privacy issue for Apple. In the case of your own OpenVPN server, it's obvious to Apple when you're using a VPN, after all, you've configured the OpenVPN client on the device! But in the case of the local OpenVPN client on your home router, it is NOT obvious. Apple has no idea the apps are being routed over a VPN since the routing occurs upstream, thus undetectable.

Ok so can it be fixed? meaning can I use my own VPN Server 2 on the router/ connect to that / and still use facetime / apple services ? Or is this the expected behavior that it wont work !

 

[eibgrad]

P.S. That's why road warriors would be wise to carry a travel router w/ an OpenVPN client enabled so the VPN remains invisible to your devices. Unfortunately, running the OpenVPN client (or any VPN for that matter) on the device itself opens the door to the possibility of detection by the device's apps. I used to have that issue w/ MLB. If you enabled a VPN, it refused to run. It was their *policy*.