iCloud stuff stops working while connected to OpenVPN
- by Taco Bob
I have a fairly simple OpenVPN setup on an OpenVZ VPS with Ubuntu 11.10. Client is the Viscosity client on Mac OS X 10.8.2, and after some testing, we can rule out the client as being part of the problem.
Everything has been working fine except for Apple's iCloud stuff. Web surfing, email, FTP, NNTP, and Skype are all working as expected. It's ONLY the iCloud services that cease to function.
If I connect to the VPN, iCloud stuff stops working. I no longer get anything in Messages, Calendar items don't get updated, and Notifications stop working.
If I disconnect, the iCloud stuff all starts working. Connect again, iCloud stops working.
Here's the server.conf:
status openvpn-status.log
log /var/log/openvpn.log
verb 4
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push “dhcp-option DNS 10.9.8.1?
keepalive 10 120
duplicate-cn
cipher BF-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
tun-mtu 1500
mssfix 1400
I'm using iptables in a script, and it's also fairly simplistic.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -A FORWARD -i tun0 -o venet0 -j ACCEPT
iptables -A FORWARD -i venet0 -o tun0 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -j SNAT --to-source <server's public ip>
echo 1 > /proc/sys/net/ipv4/ip_forward
I tried forwarding ports as well, with no success.
iptables -A FORWARD -p tcp -d 10.9.8.0/24 --dport 5222:5230 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 5222:5230 -j DNAT --to-destination 10.9.8.6
I am also sometimes behind a double-NAT situation that I have no control over.
Client -> work VPN -> my OpenVPN box -> Internet.
Client -> Airport Express -> ISP (which is doing NAT) -> my OpenVPN box -> Internet.
Those two situations are just the fact of life where I am, and I cannot change them. I do have full control over my client and the OpenVPN server.
I am completely out of ideas. I have posted a similar query at the OpenVPN forums, but it hasn't posted yet and seems to be in their moderation queue still. Tried on freenode irc channels, but nobody is awake, so here I am. I have Googled extensively for this, and can find nothing that is related.
Help me get iCloud stuff working again! (I tried serverfault, it was closed as off-topic. I'm trying here and the Unix site as well. Here because it's a more general audience that might know more about OpenVPN based on the number of questions I see asked about it)
EDIT:
-I have also tried upgrading to Version: 2.3-beta1-debian0 - issue persists.
-Removed all iptables rules except for the ones that flush
-left this rule:iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -j SNAT --to-source (server ip)
-added iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
still, nothing works.
I can see traffic in tcpdump on the server if i watch the tunnel:
20:03:48.702835 IP nk11p01st-courier105-bz.push.apple.com.5223 10.9.8.6.60772: Flags [F.], seq 2635, ack 1218, win 76, options [nop,nop,TS val 914984811 ecr 745921298], length 0
20:03:48.911244 IP 10.9.8.6.60772 nk11p01st-courier105-bz.push.apple.com.5223: Flags [R], seq 3621143451, win 0, length 0
But still, no push messages/notifications are ever delivered. :/
EDIT:
* Further testing indicates that it might actually be the client after all.
