Tag Archives: VPN Connectivity

Depending on the VPN protocol used, the benefits of a VPN can be supplemented by encryption that protects the communication between the VPN peers against eavesdropping and tampering.

OpenVPN Connection fails on iOS and Android

Here is my experience with OpenVPN connections from iOS and Android mobile devices using the OpenVPN Connect app.

When you try to start a connection with OpenVPN Connect on your iOS or Android device, the VPN connection is established but no network resources can be reached, and you may find the following error message in the OpenVPN server log:

Bad compression stub (swap) decompression header

Error openvpn_server1 user1/10.11.0.2:38767 Bad compression stub (swap) decompression header byte: 250

The issue is solved by adding two options to the OpenVPN server configuration; the error indicates that client and server disagree on the compression framing of the data channel. In this report I use a Synology NAS and an OPNsense as the VPN server.

allow-compression no
push "compress migrate"

The first line disables compression completely on the server (neither the full nor the asymmetric mode of allow-compression is permitted). The pushed "compress migrate" is OpenVPN's migration mode for moving clients away from compression: clients that still carry compression options in their profile negotiate an uncompressed data channel, so both ends agree on the framing and the "Bad compression stub" error disappears. Both options require OpenVPN 2.5 or newer. Leaving compression off is also the secure choice, since compressing data inside the encrypted tunnel exposes it to compression side-channel attacks such as VORACLE. These findings can save your users some frustration.

Note: The pushed option provisions the OpenVPN clients when they connect, so existing clients can continue to connect and their profiles do not have to be changed manually.

How do I know that no compression is in use?

You will find the statistics of the OpenVPN connection in the log file; there you can also see the state of compression, as in the screenshots below.
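As an added example that is not part of the original post, the following PowerShell functions audit an OpenVPN server configuration for the compression settings discussed above and extract the clients hitting the "Bad compression stub" error from server log lines. The configuration arrays and log lines are constructed samples (the DNS address 10.11.0.1 and the second client are assumptions); replace them with Get-Content of the real openvpn.conf and log file copied from the NAS or firewall. It runs in Windows PowerShell 5.1 or pwsh 7 on any platform.

```powershell
# Added example (not from the original post): audit an OpenVPN server config
# for compression directives and find clients with the framing mismatch error.

function Test-OpenVpnCompression {
    param([string[]]$ConfigLines)

    $allowNo  = $false
    $migrate  = $false
    $problems = [System.Collections.Generic.List[string]]::new()

    foreach ($raw in $ConfigLines) {
        $line = ($raw -replace '[#;].*$', '').Trim()   # drop comments and blanks
        if (-not $line) { continue }

        if ($line -match '^allow-compression\s+no$') { $allowNo = $true }
        elseif ($line -match '^allow-compression\s+(yes|asymmetric)$') {
            $problems.Add("compression allowed: '$line'")
        }
        elseif ($line -match '^push\s+"compress\s+migrate"$') { $migrate = $true }
        # comp-lzo (even "comp-lzo no") and compress lzo/lz4 add compression framing
        elseif ($line -match '^comp-lzo(\s|$)' -or $line -match '^compress\s+(lzo|lz4|lz4-v2)$') {
            $problems.Add("compression framing configured: '$line'")
        }
    }
    if (-not $allowNo) { $problems.Add('missing: allow-compression no') }
    if (-not $migrate) { $problems.Add('missing: push "compress migrate"') }

    [pscustomobject]@{
        CompressionDisabled = ($problems.Count -eq 0)
        Problems            = $problems.ToArray()
    }
}

function Get-OpenVpnCompressionErrors {
    param([string[]]$LogLines)
    # matches "user1/10.11.0.2:38767 Bad compression stub ..." and keeps CN and peer IP
    $pattern = '(?<cn>[^\s/]+)/(?<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+Bad compression stub'
    $hits = foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ CommonName = $Matches['cn']; PeerAddress = $Matches['ip'] }
        }
    }
    $hits | Group-Object CommonName, PeerAddress |
        ForEach-Object { [pscustomobject]@{ Client = $_.Name; Errors = $_.Count } }
}

# Constructed server configuration in the weak state (legacy LZO framing still on)
$weakConfig = @(
    'dev tun'
    'proto udp'
    'port 1194'
    'comp-lzo'
    'push "dhcp-option DNS 10.11.0.1"'   # assumed internal DNS server
)
# The same server with the two lines from this post applied
$fixedConfig = @(
    'dev tun'
    'proto udp'
    'port 1194'
    'allow-compression no'
    'push "compress migrate"'
    'push "dhcp-option DNS 10.11.0.1"'
)
# Constructed server log lines; the first two mirror the error from this post
$sampleLog = @(
    'Error openvpn_server1 user1/10.11.0.2:38767 Bad compression stub (swap) decompression header byte: 250'
    'Error openvpn_server1 user1/10.11.0.2:38767 Bad compression stub (swap) decompression header byte: 250'
    'Notice openvpn_server1 user2/10.11.0.3:51022 Peer Connection Initiated'
)

Test-OpenVpnCompression $weakConfig    # CompressionDisabled False, three problems listed
Test-OpenVpnCompression $fixedConfig   # CompressionDisabled True
Get-OpenVpnCompressionErrors $sampleLog  # user1, 10.11.0.2 with 2 errors
```

The audit deliberately flags "comp-lzo no" as well: it disables the algorithm but keeps the compression framing byte in every packet, which is exactly what the mobile client no longer expects.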

OpenVPN Connection to Synology NAS

I have an OpenVPN server package installed on my Synology NAS, and the OpenVPN client on my iPhone 15 (iOS 17.3.1) is able to connect to it over a cellular connection. FileBrowserGO is then able to connect to the Synology using the OpenVPN Server’s LAN IP address.

We have tried this with both UDP- and TCP-based OpenVPN connections (forwarding port 1194) to the Synology NAS. I would recommend trying an IP address in FileBrowserGO’s “Name or URL” field, to avoid the DNS lookup stage of the connection.

To disable compression on the OpenVPN server of a Synology NAS, open VPN Server in DSM, go to OpenVPN and untick the option Use compression on the VPN connection. If SSH is enabled, you can also log in over SSH and edit the configuration file directly:

$ sudo vi /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf

OpenVPN Connect from iOS, Android to OPNsense

I went through the same procedure in another environment with a virtual OPNsense as the OpenVPN server. Go to VPN -> OpenVPN -> Servers and open the corresponding server; under Compression select “No Preference”, add the two lines in the box under Advanced configuration, then save the changes.

OPNsense GUI: VPN – OpenVPN – Servers

Restart the OpenVPN server and start a VPN connection from your iOS or Android mobile device.

Name Resolution via VPN with Split Horizon DNS

With VPN connections, clients often cannot resolve the names of the network resources in the network they have just connected to.

This is especially problematic with Active Directory, because the clients cannot locate a domain controller to log on. The logon then falls back to cached credentials, and as a result group policies and logon scripts do not run.

Customize Interface Metric

To favor the VPN's DNS server once the VPN connection is dialed, the Windows interface metric can be adjusted: the VPN interface is given a higher priority, i.e. a lower metric, in the TCP/IP settings of the network adapter. Press Windows+R and enter ncpa.cpl to open the list of adapters.

In the properties of the corresponding network adapter, double-click Internet Protocol Version 4 (TCP/IPv4), then click Advanced; the field for the interface metric is on the IP Settings tab.

Here “Automatic metric” should be unticked for the VPN interface and a low value entered. After the next connection, name resolution should take place over the VPN network.

Disable Smart Multi-Homed Name Resolution

Windows 8 introduced Smart Multi-Homed Name Resolution (SMHNR), which Windows 10 and 11 still use: DNS queries are sent out over all network interfaces in parallel and the fastest answer wins, to speed up name resolution.

This has an undesirable side effect: queries for internal names are also sent to external DNS servers (“DNS leakage”), whose operators can thus obtain a detailed picture of the organisation’s internal IT resources. With a VPN, the fastest answer often comes from the local ISP resolver, which does not know the internal names, so the lookup fails although the tunnel is up.

Name resolution via VPN

The setting is Turn off smart multi-homed name resolution under Computer Configuration > Administrative Templates > Network > DNS Client; set it to Enabled.

Customize interface metrics in PowerShell

The interface metrics of the different network connections can be displayed sorted in PowerShell with the following command.

PS C:\> Get-NetIPInterface | Sort-Object Interfacemetric

PowerShell now shows all interface metrics.

Alternatively, the metrics can be output with the netsh.exe utility, although not as detailed as in PowerShell.

C:\> netsh int ip show interfaces

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          75  4294967295  connected     Loopback Pseudo-Interface 1
 10           5       65535  disconnected  OpenVPN Wintun
 12          40        1500  connected     WLAN
 15           5        1500  disconnected  Ethernet
  8          25        1500  disconnected  OpenVPN TAP-Windows6
 11          65        1500  disconnected  Bluetooth-Netzwerkverbindung
 17          25        1500  disconnected  OpenVPN Data Channel Offload
 16          25        1500  disconnected  LAN-Verbindung* 3
 22          25        1500  disconnected  LAN-Verbindung* 12
  4          35        1500  connected     VMware Network Adapter VMnet1
  6          35        1500  connected     VMware Network Adapter VMnet8

The interface metric is changed in PowerShell as follows.

PS C:\> Set-NetIPInterface -InterfaceIndex <ifIndex value> -InterfaceMetric <metric>

The network adapter is identified by the -InterfaceIndex parameter; its value is the ifIndex column in the output of the Get-NetIPInterface cmdlet.
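The following script is an added example and not part of the original post. It ties the three steps above together: it lists the metrics as the post does, pins the VPN adapter to a fixed low metric (the PowerShell equivalent of unticking “Automatic metric” in ncpa.cpl), sets the policy value behind the “Turn off smart multi-homed name resolution” GPO, and then checks which DNS server answers for an internal name. The adapter alias pattern "OpenVPN", the metric 5 and the host name dc01.corp.example are placeholders to adjust; it must run from an elevated PowerShell.

```powershell
# Added example (not from the original post): fixed VPN interface metric plus
# SMHNR off, with verification. Run elevated; Set-NetIPInterface and the
# HKLM policy write need administrator rights.
# Assumptions: the VPN adapter alias contains "OpenVPN", $InternalName is a
# host in the remote network (both are placeholders).
param(
    [string]$VpnAliasPattern = 'OpenVPN',
    [uint32]$VpnMetric = 5,
    [string]$InternalName = 'dc01.corp.example'
)

# 1. Current metrics, preferred (lowest) first, as shown in the post
Get-NetIPInterface -AddressFamily IPv4 |
    Sort-Object InterfaceMetric |
    Format-Table ifIndex, InterfaceAlias, InterfaceMetric, ConnectionState -AutoSize

# 2. Fixed low metric on the VPN adapter(s): -AutomaticMetric Disabled is the
#    equivalent of unticking "Automatic metric" in ncpa.cpl
$vpnIfs = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object InterfaceAlias -Match $VpnAliasPattern
if (-not $vpnIfs) { throw "no IPv4 interface alias matches '$VpnAliasPattern'" }
foreach ($if in $vpnIfs) {
    Set-NetIPInterface -InterfaceIndex $if.ifIndex -AutomaticMetric Disabled -InterfaceMetric $VpnMetric
    "set metric $VpnMetric on $($if.InterfaceAlias) (ifIndex $($if.ifIndex))"
}

# 3. Registry value behind the GPO "Turn off smart multi-homed name resolution"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name DisableSmartNameResolution -Value 1 -Type DWord

# 4. Verify: DNS servers per adapter, then resolve the internal name explicitly
#    against the VPN adapter's DNS server to confirm it knows the name
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

$vpnDns = ($vpnIfs | ForEach-Object {
        (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4).ServerAddresses
    }) | Select-Object -First 1
if ($vpnDns) {
    Resolve-DnsName -Name $InternalName -Server $vpnDns -Type A -ErrorAction Stop |
        Format-Table Name, IPAddress -AutoSize
} else {
    Write-Warning 'the VPN adapter has no DNS server; check the dhcp-option DNS pushed by the server'
}
```

Two caveats worth knowing: the interface metric also influences routing for destinations reachable over more than one adapter, so keep the VPN's routes in mind when lowering it, and with SMHNR disabled the resolver still falls back to other adapters when the preferred server does not answer. For OpenVPN on Windows the server can additionally push block-outside-dns, which blocks DNS traffic to all other interfaces while the tunnel is up and closes the leak regardless of metrics.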

Conclusion

In this tutorial we have shown how name resolution for VPN clients is routed through the tunneled VPN connection.

Network resources are resolved and the domain controllers can be reached for authentication. The logon is then handled by the Local Security Authority Subsystem Service (LSASS) against a domain controller instead of cached credentials, and Group Policy and logon scripts run.

What is Split-Horizon DNS

When split-horizon DNS is deployed by a network, certain domains are only resolvable by querying the network-designated DNS server rather than a public DNS server.

DNS clients that use DNS servers not provided by the network therefore need to route the queries for those domains to the network-designated DNS server.

This is also the approach of the IETF's split-horizon DNS work, which informs DNS clients of split-horizon DNS and the domains it covers in a way that is compatible with encrypted DNS.