Synology VPN on iPhone silently doesn't protect you

Synology VPN client on iPhone allows IPv6. And you can't turn off IPv6 on the iPhone's cellular connection. Which means: if you're running Synology VPN server on your router, and your router's connection for whatever reason doesn't have an IPv6 address enabled, then the iPhone will just bypass the VPN except when communicating with LAN resources on your router's network. So, your iPhone's internet traffic is unprotected by the VPN. Kind of annoying. It would be nice if the Synology VPN client app allowed you to disable IPv6 in the app (as the OpenVPN app does), or at least warned you that your connection was unprotected.
 
To be clear, you mean: Synology’s iOS app VPN Plus, when on mobile data connecting to VPN Plus server on SRM, has this issue?

And that when the iPhone requests an Internet service then it isn’t tunnelled to VPN Plus server for breakout from your home ISP connection? … if IPv6 isn’t somehow configured on the SRM router.

How do we test this?
 
Yes, that's what I mean. Easy to test. Connect iPhone via cellular to Synology VPN on RT2600 using the VPN Plus app on iPhone. Then, on iPhone, browse to any site that tells you what IP address you're browsing from, such as www.whatismyip.com. See if it shows you the IP address assigned by your ISP to your router, or some other IP address. And for all I know it does the same thing when the iPhone is using wireless at a coffee shop, for example... but I haven't tested that.
 
Ok. So I have a hosted website on the Web and it has a dynamic script that displays the ENV info about requesting client.

I disconnect from home WiFi and then connect to home using iOS VPN Plus app. Now surf to my hosted site and I see my home ISP IP address as
  • client IP address
  • XFF IP address
  • X real IP address
 
Are you sure you don't have split-tunnelling enabled in VPN Plus server's SSL-VPN configuration? Hoping this can be explained away :)

For information my RT2600ac's Internet setup for IPv6 is below and I don't seem to be able to replicate this situation. I even tried repeating the mobile + VPN Plus test and going to www.whatismyip.com, this again showed my home ISP IP address.
[Attached screenshots: 1630619532972.png, 1630619453896.png]
 
OK, I'm a dufus. I had split tunneling engaged on the VPN server. I owe everyone a cookie.
 
That’s a relief! I looked at the server setup for mention of IPv6 and then noticed split-tunnelling. I work with this stuff a lot and still overlooked it this time.

Look on the positive side, you found your VPN security wasn’t securing your mobile connection as you expected and now it’s fixed 👍
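
An added example, not part of any post in this thread: the test described above (load an IP-echo page while the VPN is connected and compare what it reports with the router's WAN address), run once per address family so a bypass on either IPv4 or IPv6 shows up. The addresses, the echo-page output and the CGI-style field names are constructed assumptions.

```python
import ipaddress

# Constructed values (documentation address ranges), not from the thread.
HOME_WAN_V4 = "203.0.113.10"   # address the ISP assigned to the router
HOME_WAN_V6_PREFIX = None      # router has no IPv6 on its WAN, as in the first post
# Constructed output of an IP-echo page, fetched once per address family
# while the VPN is connected over cellular.
FULL_TUNNEL = {
    "ipv4": "REMOTE_ADDR=203.0.113.10\nHTTP_X_FORWARDED_FOR=203.0.113.10\nHTTP_X_REAL_IP=203.0.113.10",
    "ipv6": None,  # request failed: no IPv6 path through the tunnel
}
SPLIT_TUNNEL = {
    "ipv4": "REMOTE_ADDR=198.51.100.77\nHTTP_X_FORWARDED_FOR=198.51.100.77",
    "ipv6": "REMOTE_ADDR=2001:db8:52::1f",
}
FIELDS = ("REMOTE_ADDR", "HTTP_X_FORWARDED_FOR", "HTTP_X_REAL_IP")

def seen_addresses(echo_text):
    """Return every client address the echo page reported."""
    found = set()
    for line in echo_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() in FIELDS:
            # X-Forwarded-For may hold a comma-separated chain of addresses.
            for part in filter(None, map(str.strip, value.split(","))):
                found.add(ipaddress.ip_address(part))
    return found

def from_home(addr, wan_v4, wan_v6_prefix):
    # IPv4 must equal the router's WAN address; IPv6 must fall in its prefix.
    if addr.version == 4:
        return addr == ipaddress.ip_address(wan_v4)
    return wan_v6_prefix is not None and addr in ipaddress.ip_network(wan_v6_prefix)

def check_tunnel(results, wan_v4=HOME_WAN_V4, wan_v6_prefix=HOME_WAN_V6_PREFIX):
    """Map each address family to 'tunnelled', 'bypasses VPN' or 'no connectivity'."""
    verdict = {}
    for family, echo_text in results.items():
        addrs = seen_addresses(echo_text) if echo_text else set()
        if not addrs:
            verdict[family] = "no connectivity"
        elif all(from_home(a, wan_v4, wan_v6_prefix) for a in addrs):
            verdict[family] = "tunnelled"
        else:
            verdict[family] = "bypasses VPN"
    return verdict

if __name__ == "__main__":
    for name, sample in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, check_tunnel(sample))
```

Any family reported as "bypasses VPN" means Internet traffic for that family is leaving outside the tunnel, which is what split tunnelling on the server produced here.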
 
