Dear Lazyweb, tell me how to use Sonic's VPN properly

Since I'm a Sonic customer, I have access to their VPN and I'd like to use it with my iPhone and iPad. They recommend the "OpenVPN Connect" app, but it kind of sucks.

It's supposed to re-connect, but it never does. It's rare that the VPN stays up for longer than a couple of hours. If I'm lucky, I notice that there's no longer a tiny "VPN" logo at the top of the screen, and I have to launch the app manually and flick the "connect" checkbox again. You'd think that clicking the "VPN" checkbox in Settings would work. It doesn't. It tries to connect and fails. Often (maybe always?) with "authentication failed". The only thing that works is launching the OpenVPN app and clicking the checkbox there, multiple times a day. It happens so often that I might as well not have a VPN.

And it's unconscionable that when it drops my VPN connection, it does so silently. "Oh, we just downgraded your security! I'm sure that's totally what you wanted, and you don't need an alert about it!"

Second, there appears to be no host, network, or IP-based whitelist. I want my mobile devices to not use the VPN when they are attached to my home network. First so that I can access my home devices, but also because that would be redundant, as my home network's first hop is Sonic.

Is there an iOS VPN client that is compatible with ovpn.sonic.net that sucks less than "OpenVPN Connect"? Or is there some other pile of settings that I missed?

PLEASE NOTE: I am 100% uninterested in your rambling story about the VPN service that you used that is not ovpn.sonic.net.


31 Responses:

  1. jokeyrhyme says:

    Does iOS have a system-wide VPN settings section? Is there an entry for Sonic there? I wonder if there is some behaviour (e.g. alerts, reconnection, etc) that has to be managed at the iOS level? /shrug

  2. bsod says:

    Last time I checked, a couple of years ago, OpenVPN on iOS was unable to establish a permanent connection. It was only for "corporate" clients like Cisco something ... Very frustrating.

  3. Kyle Williamson says:

    Probably isn't what you want to do.. but you can jailbreak it and run a different OVPN client.

    • jwz says:

      FFS, people.

    • Glaurung says:

      There's no jailbreak for iOS 11. And why on earth would JWZ want to degrade his security in order to improve his security? 2 steps back, one step forward.

      • Kyle Williamson says:

        Please note - I did say probably not what you want to do :) and it was an ironic answer. The OVPN client isn’t that bulletproof on iOS sadly.

  4. David Glover-Aoki says:

    OpenVPN Connect is one of the few apps that puts extra settings actually in the Settings app, just on the off chance that you didn't look in there. There are options for reconnection in there.

    I don't believe it has a network whitelist.

    • jwz says:

      Nothing there that looks like it will fix the reconnect problem. All the switches seem to be pointing in the direction of "just do the right damned thing" as far as I can tell.

  5. Jacob says:

    Have you tried using Apple configurator to make your own .mobileprofile?

    • jwz says:

      Sonic's instructions involve downloading a mobile profile from their site, so I'm guessing that there aren't a bunch of other knobs in there for me to spin.

      • Jacob White says:

        Googling for “always on vpn profile” says that you can’t set an always on vpn unless you put your iPhone in supervised mode which will also wipe your phone.

        • jwz says:

          I am not asking for "turn my phone into a brick if the VPN server is not available", which I think is what you are describing.

          Both the OS and the VPN app are clearly attempting to re-connect to the VPN when the connection drops at random.

          They just collectively suck at it.

  6. Eric says:

    No other OpenVPN app, sadly. Making a custom profile with either Apple Configurator or programmatically is probably the best bet.

    https://www.derman.com/blogs/iPhone-OpenVPN-Setup
    https://github.com/iphoting/ovpnmcgen.rb
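
Added example, not part of the comment above and not code from Sonic or ovpnmcgen.rb: Apple's configuration-profile VPN payload accepts On Demand rules, which is how a custom profile can exempt a home network. The sketch builds the `OnDemandEnabled`/`OnDemandRules` fragment for the payload's VPN dictionary and models first-match rule selection; the SSIDs are constructed placeholders and `evaluate` is a hypothetical helper, not an iOS API.

```python
import plistlib

def build_on_demand(home_ssids):
    """Return the On Demand keys for the VPN dictionary of a profile payload."""
    return {
        "OnDemandEnabled": 1,
        "OnDemandRules": [
            # Trusted home Wi-Fi: drop the tunnel so LAN devices stay reachable.
            {"InterfaceTypeMatch": "WiFi", "SSIDMatch": list(home_ssids),
             "Action": "Disconnect"},
            # Any other Wi-Fi or cellular network: bring the tunnel up.
            {"InterfaceTypeMatch": "WiFi", "Action": "Connect"},
            {"InterfaceTypeMatch": "Cellular", "Action": "Connect"},
            # Anything else (e.g. a wired adapter): leave the current state alone.
            {"Action": "Ignore"},
        ],
    }

def evaluate(rules, interface, ssid=None):
    """Model of rule selection: the first rule whose criteria all match wins."""
    for rule in rules:
        wanted_if = rule.get("InterfaceTypeMatch")
        if wanted_if is not None and wanted_if != interface:
            continue
        wanted_ssids = rule.get("SSIDMatch")
        if wanted_ssids is not None and ssid not in wanted_ssids:
            continue
        return rule["Action"]
    return None  # no rule matched

def to_plist(fragment):
    """Serialize the fragment as XML plist bytes for inspection or merging."""
    return plistlib.dumps(fragment, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    frag = build_on_demand(["ExampleHomeWiFi"])  # constructed SSID
    samples = [("WiFi", "ExampleHomeWiFi"), ("WiFi", "CafeGuest"), ("Cellular", None)]
    for net in samples:
        print(net, "->", evaluate(frag["OnDemandRules"], *net))
    print(to_plist(frag).decode())
```

Rule order matters: placing the generic Wi-Fi `Connect` rule above the home-SSID rule would make the exemption unreachable.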

  7. Penguin Pete says:

    Holy legacy code! The blink tag still works in Chrome on Android tablet!

    I have nothing on topic to offer. Happy feast of Winterveil.

    • some-troll says:

      The blink tag still works in Chrome on Android tablet

      That's because there's a little bit of magic in the style sheet:
      /* That's right bitches */

      @keyframes blink {
      0% { opacity:1; } 75% { opacity:1; } 76% { opacity:0; } 100% { opacity:0; }}
      @-webkit-keyframes blink {
      0% { opacity:1; } 75% { opacity:1; } 76% { opacity:0; } 100% { opacity:0; }}
      @-moz-keyframes blink {
      0% { opacity:1; } 75% { opacity:1; } 76% { opacity:0; } 100% { opacity:0; }}
      @-ms-keyframes blink {
      0% { opacity:1; } 75% { opacity:1; } 76% { opacity:0; } 100% { opacity:0; }}
      @-o-keyframes blink {
      0% { opacity:1; } 75% { opacity:1; } 76% { opacity:0; } 100% { opacity:0; }}

      blink {
      text-decoration: inherit;
      animation: blink 0.75s ease-in infinite alternate;
      -webkit-animation: blink 0.75s ease-in infinite alternate;
      -moz-animation: blink 0.75s ease-in infinite alternate;
      -ms-animation: blink 0.75s ease-in infinite alternate;
      -o-animation: blink 0.75s ease-in infinite alternate;
      }

  8. crw says:

    fwiw, as a sonic ovpn/ios user i've run into the same problem with their setup and haven't found a good workaround. i'll note that their vpn service has been in "beta" for, like, ever. and now that the whole net neutrality fiasco is imminent, perhaps we, as paying users, should demand that they give it some more attention and bring it up-to-date with whatever will make it work with ios.

    • dzm says:

      For whatever it's worth, the random disconnect and "fuck it, reconnecting is hard, and why should I notify the user" isn't a thing that is unique to Sonic. It's the OpenVPN app (and maybe possibly iOS support). For whatever reason the app developers have not felt especially motivated to add better resilience and user feedback.

      In my configuration I have found:

      Connection timeout: None
      Network state detection: Disabled
      Layer 2 reachability: TRUE

      to provide some level of reconnect robustness. Your mileage may vary.

  9. jm says:

    Wondering if it’s at least partly a server side problem. I use ovpn connect to an OpenVPN server I set up on a vps and it works reliably, doesn’t exhibit any of the problems you describe.

    For accessing the local network, take a look in the ovpn connect app log. Is the server pushing routing and/or DNS settings that cause this behaviour?

    • jm says:

      Another thought. You could download the .ovpn file from sonic and fiddle with the settings before loading into connect.

  10. Aaron says:

    Have you tried Sonic tech support? Whenever I've called them, I've had good experiences: usually, zero wait time; smart, informed technician on the other end that is willing to talk to me like a reasonably-tech-savvy adult and do their best to fix my problem (which is usually AT&T mucking with the lines, but occasionally the router).

  11. db48x says:

    Sounds from the comments like it's probably a client problem, but as a test you could set up an OpenVPN server of your own and compare the behavior. There's a project called Streisand (https://github.com/jlund/streisand/) which will do all the work of setting up a VPS for you, so setting up the server won't take long.

  12. bizzy_ says:

    So now that every uninformed yahoo with some sort of tangential story has finished posting, i have some bad anecdotal info for you, I use the same OpenVPN app with my work VPN and it is rock solid reliable. I'm sorry to say (since I am also a happy Sonic customer) that the problem is on the Sonic side there.

    • jerry says:

      The problem is not unique to Sonic. I use another vpn service and experience the same problem using OpenVPN on iOS.

  13. Zygo says:

    OpenVPN on most platforms has an option (possibly called "persist" or "persist-tun" depending on how far the UI has drifted away from the native OpenVPN config syntax) which will keep the VPN in the routing table even when the VPN peer has gone away. Ideally this prevents data leakage during the few seconds until a new connection can be established. Until the connection is reestablished, given the choice of VPN or nothing, your device will have nothing. If the iOS version doesn't have that option, or if the process just dies randomly, then it's a bug in the iOS port.

    None of that protects the phone before the OpenVPN app comes up, so it will still spray your outgoing packets indiscriminately across any available network interface until that happens. As far as I can tell, on all platforms fixing this requires rooting the device or bribing the appropriate userland gatekeepers.

    Running your own OpenVPN host is a relatively small marginal time commitment if you're already keeping your own web host up (and probably fits on the same server hardware too). Your VPN server will work better than some random ISP's massively underprovisioned "just enough service so we can check the feature box on the brochures without spending any money" VPN server.

    Still waiting for a smartphone that doesn't suck.
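
Added example, not part of the comments and not Sonic's configuration: a small audit of a downloaded `.ovpn` file for the directives discussed above (`persist-tun`, plus the standard OpenVPN `keepalive`/`ping-restart`, `ping-exit` and `redirect-gateway` options) before editing it as jm suggests. The sample profile and hostname are constructed; options pushed by the server are not visible in the file, and whether the iOS client honours each directive is not established on this page.

```python
SAMPLE_OVPN = """\
# constructed sample, not Sonic's real profile
client
dev tun
remote vpn.example.net 1194 udp
persist-key
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
"""

def parse_ovpn(text):
    """Map directive name -> list of argument lists; inline block bodies are skipped."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                          # inside <ca>...</ca> and friends
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            directives.setdefault(inline, []).append(["[inline]"])
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def audit(text):
    """Return {directive: note} for settings that affect drops and reconnects."""
    d, notes = parse_ovpn(text), {}
    if "persist-tun" not in d:
        notes["persist-tun"] = "tun device is closed on restart; traffic may leave untunnelled"
    if not d.keys() & {"keepalive", "ping-restart"}:
        notes["keepalive"] = "no client-side dead-peer timer; relies on server push"
    if "ping-exit" in d:
        notes["ping-exit"] = "client exits instead of restarting when the peer goes quiet"
    if "redirect-gateway" not in d:
        notes["redirect-gateway"] = "full tunnel only if the server pushes it"
    return notes

if __name__ == "__main__":
    for name, note in audit(SAMPLE_OVPN).items():
        print(f"{name}: {note}")
```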

  14. bizzy_ says:

    I'm struggling to figure out where in the three lines I wrote, you somehow got "it's unique to Sonic" without several rounds of either google translate or aes.

  15. nma says:

    If it helps at all, OpenVPN was updated on the App Store to version 1.2.5 a day ago and among the things that they changed is switching to the new internal framework-du-jour that iOS uses for network connectivity.

    With any luck you may find that your problems are now gone. I have, so far, with a shitty mobile connection on an iPad in a rural area, had automatic reconnect work successfully in the sense that the VPN logo stays around and I can access my stuff after the mobile network comes back.

    • dzm says:

      Experience with updated app so far:

      * New App Store icon, but (as near as I can tell) same icon on Springboard.
      * New app lost all my profiles, but they were still present in Settings -> VPN. A reboot of the phone made the OVPN app have the profiles again.
      * New app doesn't seem any more, or any less, able to pin a connection and keep it always on. But I haven't paid any real attention to it either. MAYBE it's better. I'll watch more closely.