sophos xg home SSL VPN Split Tunneling iphone not not working

Hi alex hsu1,

Thank you for reaching out to Sophos Community.

Could you please share OpenVPN log events?

Click the symbol shown in the below snapshot to obtain a log file.

What's the current running firmware version on the XG firewall?

Thank you for your response

iphone ios 14.7.1

SFVH (SFOS 18.0.5 MR-5-Build586)

I masked Public IP.

openvpn log

2021-09-14 19:49:06 1
2021-09-14 19:49:06 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-09-14 19:49:06 OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-09-14 19:49:06 Frame=512/2048/512 mssfix-ctrl=1250
2021-09-14 19:49:06 UNUSED OPTIONS
3 [resolv-retry] [infinite]
4 [nobind]
5 [persist-key]
6 [persist-tun]
14 [route-delay] [4]
15 [verb] [3]
2021-09-14 19:49:06 EVENT: RESOLVE
2021-09-14 19:49:06 Contacting [*.*.*.*]:8443/TCP via TCPv4
2021-09-14 19:49:06 EVENT: WAIT
2021-09-14 19:49:06 Connecting to [*.*.*.*]:8443 (*.*.*.*) via TCPv4
2021-09-14 19:49:06 EVENT: CONNECTING
2021-09-14 19:49:06 Tunnel Options:V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client
2021-09-14 19:49:06 Creds: Username/Password
2021-09-14 19:49:06 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
2021-09-14 19:49:07 VERIFY OK: depth=1, /C=TW/ST=NA/L=NA/O=free/OU=OU/CN=Sophos_CA_*/emailAddress=*@*.*
2021-09-14 19:49:07 VERIFY OK: depth=0, /C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=Appliance_Certificate_jk4Lp8ZesSNDjQ5/emailAddress=na@example.com
2021-09-14 19:49:09 SSL Handshake: CN=Appliance_Certificate_jk4Lp8ZesSNDjQ5, TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2021-09-14 19:49:09 Session is ACTIVE
2021-09-14 19:49:09 EVENT: GET_CONFIG
2021-09-14 19:49:09 Sending PUSH_REQUEST to server...
2021-09-14 19:49:10 Sending PUSH_REQUEST to server...
2021-09-14 19:49:12 Sending PUSH_REQUEST to server...
2021-09-14 19:49:12 OPTIONS:
0 [route-gateway] [10.81.234.5]
1 [sndbuf] [0]
2 [rcvbuf] [0]
3 [sndbuf] [0]
4 [rcvbuf] [0]
5 [ping] [45]
6 [ping-restart] [180]
7 [route] [192.168.99.0] [255.255.255.0]
8 [topology] [subnet]
9 [route] [remote_host] [255.255.255.255] [net_gateway]
10 [inactive] [900] [7680]
11 [dhcp-option] [DNS] [8.8.8.8]
12 [dhcp-option] [DNS] [168.95.1.1]
13 [ifconfig] [10.81.234.6] [255.255.255.0]
2021-09-14 19:49:12 PROTOCOL OPTIONS:
cipher: AES-128-CBC
digest: SHA256
compress: LZO_STUB
peer ID: -1
2021-09-14 19:49:12 EVENT: ASSIGN_IP
2021-09-14 19:49:12 NIP: preparing TUN network settings
2021-09-14 19:49:12 NIP: init TUN network settings with endpoint: *.*.*.*
2021-09-14 19:49:12 NIP: adding IPv4 address to network settings 10.81.234.6/255.255.255.0
2021-09-14 19:49:12 NIP: adding (included) IPv4 route 10.81.234.0/24
2021-09-14 19:49:12 NIP: adding (included) IPv4 route 192.168.99.0/24
2021-09-14 19:49:12 NIP: adding DNS 8.8.8.8
2021-09-14 19:49:12 NIP: adding DNS 168.95.1.1
2021-09-14 19:49:12 NIP: adding match domain ALL
2021-09-14 19:49:12 NIP: adding DNS specific routes:
2021-09-14 19:49:12 NIP: adding (included) IPv4 route 8.8.8.8/32
2021-09-14 19:49:12 NIP: adding (included) IPv4 route 168.95.1.1/32
2021-09-14 19:49:12 Connected via NetworkExtensionTUN
2021-09-14 19:49:12 LZO-ASYM init swap=0 asym=1
2021-09-14 19:49:12 Comp-stub init swap=0
2021-09-14 19:49:12 EVENT: CONNECTED alex@*.*.*.*:8443 (*.*.*.*) via /TCPv4 on NetworkExtensionTUN/10.81.234.6/ gw=[/]

Thank you for your response

iphone ios 14.7.1

SFVH (SFOS 18.0.5 MR-5-Build586)

I masked Public IP.

openvpn log

2021-09-14 19:49:06 1
2021-09-14 19:49:06 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-09-14 19:49:06 OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-09-14 19:49:06 Frame=512/2048/512 mssfix-ctrl=1250
2021-09-14 19:49:06 UNUSED OPTIONS
3 [resolv-retry] [infinite]
4 [nobind]
5 [persist-key]
6 [persist-tun]
14 [route-delay] [4]
15 [verb] [3]
2021-09-14 19:49:06 EVENT: RESOLVE
2021-09-14 19:49:06 Contacting [*.*.*.*]:8443/TCP via TCPv4
2021-09-14 19:49:06 EVENT: WAIT
2021-09-14 19:49:06 Connecting to [*.*.*.*]:8443 (*.*.*.*) via TCPv4
2021-09-14 19:49:06 EVENT: CONNECTING
2021-09-14 19:49:06 Tunnel Options:V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA256,keysize 128,key-method 2,tls-client
2021-09-14 19:49:06 Creds: Username/Password
2021-09-14 19:49:06 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
2021-09-14 19:49:07 VERIFY OK: depth=1, /C=TW/ST=NA/L=NA/O=free/OU=OU/CN=Sophos_CA_*/emailAddress=*@*.*
2021-09-14 19:49:07 VERIFY OK: depth=0, /C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=Appliance_Certificate_jk4Lp8ZesSNDjQ5/emailAddress=na@example.com
2021-09-14 19:49:09 SSL Handshake: CN=Appliance_Certificate_jk4Lp8ZesSNDjQ5, TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2021-09-14 19:49:09 Session is ACTIVE
2021-09-14 19:49:09 EVENT: GET_CONFIG
2021-09-14 19:49:09 Sending PUSH_REQUEST to server...
2021-09-14 19:49:10 Sending PUSH_REQUEST to server...
2021-09-14 19:49:12 Sending PUSH_REQUEST to server...
2021-09-14 19:49:12 OPTIONS:
0 [route-gateway] [10.81.234.5]
1 [sndbuf] [0]
2 [rcvbuf] [0]
3 [sndbuf] [0]
4 [rcvbuf] [0]
5 [ping] [45]
6 [ping-restart] [180]
7 [route] [192.168.99.0] [255.255.255.0]
8 [topology] [subnet]
9 [route] [remote_host] [255.255.255.255] [net_gateway]
10 [inactive] [900] [7680]
11 [dhcp-option] [DNS] [8.8.8.8]
12 [dhcp-option] [DNS] [168.95.1.1]
13 [ifconfig] [10.81.234.6] [255.255.255.0]
2021-09-14 19:49:12 PROTOCOL OPTIONS:
cipher: AES-128-CBC
digest: SHA256
compress: LZO_STUB
peer ID: -1
2021-09-14 19:49:12 EVENT: ASSIGN_IP
2021-09-14 19:49:12 NIP: preparing TUN network settings
2021-09-14 19:49:12 NIP: init TUN network settings with endpoint: *.*.*.*
2021-09-14 19:49:12 NIP: adding IPv4 address to network settings 10.81.234.6/255.255.255.0
2021-09-14 19:49:12 NIP: adding (included) IPv4 route 10.81.234.0/24
2021-09-14 19:49:12 NIP: adding (included) IPv4 route 192.168.99.0/24
2021-09-14 19:49:12 NIP: adding DNS 8.8.8.8
2021-09-14 19:49:12 NIP: adding DNS 168.95.1.1
2021-09-14 19:49:12 NIP: adding match domain ALL
2021-09-14 19:49:12 NIP: adding DNS specific routes:
2021-09-14 19:49:12 NIP: adding (included) IPv4 route 8.8.8.8/32
2021-09-14 19:49:12 NIP: adding (included) IPv4 route 168.95.1.1/32
2021-09-14 19:49:12 Connected via NetworkExtensionTUN
2021-09-14 19:49:12 LZO-ASYM init swap=0 asym=1
2021-09-14 19:49:12 Comp-stub init swap=0
2021-09-14 19:49:12 EVENT: CONNECTED alex@*.*.*.*:8443 (*.*.*.*) via /TCPv4 on NetworkExtensionTUN/10.81.234.6/ gw=[/]

Hi, you should not use 8.8.8.8 as an dns server on the vpn with a split tunnel, unless you allow, vpn->wan with snat. This is because 8.8.8.8 is on the outside but you're routing it through the tunnel, so it you can't access it. Only put internal dns in the vpn config.

2021-09-14 19:49:12 NIP: adding (included) IPv4 route 8.8.8.8/32
2021-09-14 19:49:12 NIP: adding (included) IPv4 route 168.95.1.1/32

Hi,

This is the Route table on the PC.
DNS Routing is not added to the Route table.
The route of Sophos ssl vpn on PC and iPhone is different.

Thanks for your help.

After I deleted the DNS settings, Split Tunneling worked on the iPhone.

Maybe you can edit the openvpn file for the iPhone.