Help: Unable to establish OpenVPN connection Iphone IOS 9.2

Official client software for OpenVPN Access Server and OpenVPN Cloud.
marsalan
OpenVpn Newbie
Posts: 9
Joined: Thu Apr 07, 2016 7:36 pm

Help: Unable to establish OpenVPN connection Iphone IOS 9.2

Post by marsalan » Thu Apr 07, 2016 8:23 pm

- OpenVPN connection works fine on a Windows machine
- iPhone is using Public Dynamic IP (Cellular)

Server side .OVPN

local 10.10.10.5
lport 443
proto tcp
dev tun0
user nobody
group nobody
writepid /var/run/openvpn/openvpn.pid
persist-tun
persist-key
ifconfig-pool-persist /var/run/openvpn/openvpn.pool
max-clients 25
tmp-dir /tmp
max-routes-per-client 2
ping 10
ping-restart 120
status /var/run/openvpn/openvpn.log
verb 3
ca cacert.pem
cert vpn-server.pem
key vpn-serverkey.pem
dh dh1024.pem
tls-auth tls-auth.txt 0
username-as-common-name
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN ourdomain.com"
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
comp-lzo
tls-server
server 192.168.5.0 255.255.255.0
plugin openvpn-auth-pam.so 0001

Client side .OVPN

client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 443
resolv-retry 3
nobind
persist-key
persist-tun
ca "cacert.pem"
cert "client.pem"
key "clientkey.pem"
tls-auth "tls-auth.txt" 1
comp-lzo
verb 3
reneg-sec 3600
ping 10
auth-user-pass
auth-nocache
tls-client

IPhone OpenVPN Connection Logs:

DISCONNECT_PENDING
2016-04-07 14:09:50 OpenVPN Stop
2016-04-07 14:11:59 OpenVPN Start
OpenVPN core 3.0 ios arm64 64-bit
2016-04-07 14:11:59 UNUSED OPTIONS
4 [resolv-retry] [3]
5 [nobind]
6 [user] [nobody]
7 [group] [nobody]
8 [persist-key]
9 [persist-tun]
16 [verb] [3]
20 [auth-nocache]
2016-04-07 14:11:59 EVENT: RESOLVE
2016-04-07 14:11:59 LZO-ASYM init swap=0
asym=0
2016-04-07 14:11:59 Contacting
. t . :443 via TCP
2016-04-07 14:11:59 EVENT: WAIT
2016-04-07 14:11:59 SetTunnelSocket
returned 1
2016-04-07 14:11:59 Connecting to
..':443 . . . . 4 ;) via
TCPv4
2016-04-07 14:11:59 EVENT: CONNECTING
2016-04-07 14:12:39 Session invalidated:
KEEPALIVE TIMEOUT

2016-04-07 14:12:41 Connecting to
IP:443 (IP) via
TCPv4
2016-04-07 14:12:41 EVENT: CONNECTING
2016-04-07 14:12:59 EVENT:
CONNECTION_TIMEOUT [ERR]
2016-04-07 14:12:59 EVENT:
DISCONNECTED
2016-04-07 14:12:59 Raw stats on
disconnect:
BYTES_IN : 304
BYTES OUT : 304
PACKETS IN : 6
PACKETS OUT : 6
REPLAY ERROR 2
KEEPALIVE TIMEOUT : 1
CONNECTION TIMEOUT : 1
N_RECONNECT : 1
PKTID TCP OUT OF SEQ : 2
2016-04-07 14:12:59 Performance stats on
disconnect:
CPU usage (microseconds): 23318
Network bytes per CPU second: 26074
Tunnel bytes per CPU second: 0
2016-04-07 14:12:59 EVENT:
DISCONNECT PENDING
2016-04-07 14:12:59 OpenVPN Stop

Can provide server side logs as well.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by Traffic » Thu Apr 07, 2016 9:11 pm

marsalan wrote:Can provide server side logs aswell
Set --verb 4 in your server config and check for connection attempts from your phone :geek:

marsalan
OpenVpn Newbie
Posts: 9
Joined: Thu Apr 07, 2016 7:36 pm

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by marsalan » Fri Apr 08, 2016 12:56 pm

Note: The connection is going to an ASA5505 with a public IP, using standard NAT port forwarding inbound to a 10.10.10.5 Private address space.

Set --verb 4 on both Server and Client config. See server logs (sanitized where necessary) below:

Fri Apr 8 07:55:38 2016 us=383193 Initialization Sequence Completed
Fri Apr 8 08:47:04 2016 us=349329 MULTI: multi_create_instance called
Fri Apr 8 08:47:04 2016 us=349476 Re-using SSL/TLS context
Fri Apr 8 08:47:04 2016 us=349620 LZO compression initialized
Fri Apr 8 08:47:04 2016 us=350050 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Fri Apr 8 08:47:04 2016 us=350106 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Apr 8 08:47:04 2016 us=350204 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Apr 8 08:47:04 2016 us=350223 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Apr 8 08:47:04 2016 us=350273 Local Options hash (VER=V4): 'bd577cd1'
Fri Apr 8 08:47:04 2016 us=350299 Expected Remote Options hash (VER=V4): 'ee93268d'
Fri Apr 8 08:47:04 2016 us=350345 TCP connection established with 209.29.57.208:50712
Fri Apr 8 08:47:04 2016 us=350369 Socket Buffers: R=[131072->131072] S=[131072->131072]
Fri Apr 8 08:47:04 2016 us=350405 TCPv4_SERVER link local: [undef]
Fri Apr 8 08:47:04 2016 us=350424 TCPv4_SERVER link remote: 209.x.x.x:50712
Fri Apr 8 08:47:04 2016 us=350792 209.29.57.208:50712 TLS: Initial packet from 209.29.57.208:50712, sid=e8091cc7 fbc042bc
Fri Apr 8 08:47:13 2016 us=688539 209.29.57.208:50712 Connection reset, restarting [0]
Fri Apr 8 08:47:13 2016 us=688597 209.29.57.208:50712 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Apr 8 08:47:13 2016 us=688778 TCP/UDP: Closing socket
Fri Apr 8 08:47:15 2016 us=649810 MULTI: multi_create_instance called
Fri Apr 8 08:47:15 2016 us=649900 Re-using SSL/TLS context
Fri Apr 8 08:47:15 2016 us=649951 LZO compression initialized
Fri Apr 8 08:47:15 2016 us=650055 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Fri Apr 8 08:47:15 2016 us=650088 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Apr 8 08:47:15 2016 us=650146 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Apr 8 08:47:15 2016 us=650165 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Apr 8 08:47:15 2016 us=650195 Local Options hash (VER=V4): 'bd577cd1'
Fri Apr 8 08:47:15 2016 us=650221 Expected Remote Options hash (VER=V4): 'ee93268d'
Fri Apr 8 08:47:15 2016 us=650256 TCP connection established with 209.x.x.x:50713
Fri Apr 8 08:47:15 2016 us=650279 Socket Buffers: R=[131072->131072] S=[131072->131072]
Fri Apr 8 08:47:15 2016 us=650348 TCPv4_SERVER link local: [undef]
Fri Apr 8 08:47:15 2016 us=650371 TCPv4_SERVER link remote: 209.29.57.208:50713
Fri Apr 8 08:47:15 2016 us=650586 209.29.57.208:50713 TLS: Initial packet from 209.29.57.208:50713, sid=14d1055a 3719a9aa
Fri Apr 8 08:47:43 2016 us=162810 209.29.57.208:50713 Connection reset, restarting [0]
Fri Apr 8 08:47:43 2016 us=162879 209.29.57.208:50713 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Apr 8 08:47:43 2016 us=162971 TCP/UDP: Closing socket

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by Traffic » Fri Apr 08, 2016 1:23 pm

marsalan wrote:Fri Apr 8 08:47:04 2016 us=350792 209.29.57.208:50712 TLS: Initial packet from 209.29.57.208:50712, sid=e8091cc7 fbc042bc
Fri Apr 8 08:47:13 2016 us=688539 209.29.57.208:50712 Connection reset, restarting [0]
Looks like the connection is blocked somewhere .. for test try using TCP-443

marsalan
OpenVpn Newbie
Posts: 9
Joined: Thu Apr 07, 2016 7:36 pm

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by marsalan » Fri Apr 08, 2016 1:39 pm

We are using TCP/443

Windows machines are fine. iOS is not (we do not have any Androids to test with).

First tests were done with iOS using Telus carrier-NAT on a 10.x.x.x Cellular IP. No good.

We changed to Telus Public "One Way" IP which is a 209.x.x.x, and that's where we are now.

Contemplating changing to a Telus "Two Way Public IP" (whatever that means), which might be where this "block" still is.

Thoughts?

marsalan
OpenVpn Newbie
Posts: 9
Joined: Thu Apr 07, 2016 7:36 pm

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by marsalan » Fri Apr 08, 2016 2:31 pm

Update:

- We tried OpenVPN on a Windows machine using TELUS (Cellular Internet connection - Non Public IP) - Worked fine
- It's an iPhone iOS 9 problem (appears to be at this point).

Feel free to post an update if you find a solution.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by Pippin » Fri Apr 08, 2016 3:57 pm

tls-auth tls-auth.txt 0
Using freeform passphrase file?

Manual:
--tls-auth file [direction]
...............
...............
file (required) is a key file which can be in one of two formats:
(1) An OpenVPN static key file generated by --genkey (required if direction parameter is used).
(2) DEPRECATED A freeform passphrase file. In this case the HMAC key will be derived by taking a secure hash of this file, similar to the md5sum(1) or sha1sum(1) commands. This option is deprecated and will stop working in OpenVPN 2.4 and newer releases.
OpenVPN will first try format (1), and if the file fails to parse as a static key file, format (2) will be used.

marsalan
OpenVpn Newbie
Posts: 9
Joined: Thu Apr 07, 2016 7:36 pm

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by marsalan » Fri Apr 08, 2016 4:25 pm

Static key.... not freeform. Using OpenVPN version 2.0.9 (no choice, this is built into the security appliance we use and cannot be updated).

All of this is generated by the appliance utilities. Key is static, not freeform. Attached below (minus the actual key data)

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
data goes here
-----END OpenVPN Static key V1-----
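
The format question from the manual excerpt above, plus the direction arguments in the two posted configs, as an added example (not part of any post and not OpenVPN's own parser). It assumes whitespace between the markers is ignored and that the key data must total the 2048 bits named in the file header; the function names and the sample key are made up for illustration.

```python
import shlex
import string

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
EXPECTED_BITS = 2048  # size named in the key file header quoted in the thread

def classify_tls_auth_file(text):
    """Return (format, detail) for the contents of a --tls-auth file."""
    if BEGIN not in text:
        return ("not-static-key", "BEGIN marker missing")
    rest = text.split(BEGIN, 1)[1]
    if END not in rest:
        return ("not-static-key", "END marker missing")
    # Assumption: only hex digits count; line breaks and spaces are ignored.
    hexdigits = "".join(rest.split(END, 1)[0].split())
    if any(c not in string.hexdigits for c in hexdigits):
        return ("not-static-key", "non-hex data between markers")
    bits = len(hexdigits) * 4
    if bits != EXPECTED_BITS:
        return ("not-static-key",
                "%d bits of key data, expected %d" % (bits, EXPECTED_BITS))
    return ("static-key", "%d bit key" % bits)

def tls_auth_direction(config_text):
    """Return the direction argument of the tls-auth line, or None if absent."""
    for line in config_text.splitlines():
        parts = shlex.split(line, comments=True)  # handles quoted file names
        if parts and parts[0] == "tls-auth":
            return parts[2] if len(parts) > 2 else None
    return None

def directions_match(server_cfg, client_cfg):
    """Both sides omit the direction, or one side uses 0 and the other 1."""
    pair = (tls_auth_direction(server_cfg), tls_auth_direction(client_cfg))
    return pair in {(None, None), ("0", "1"), ("1", "0")}

# Constructed sample key (repeating pattern, not a real secret).
SAMPLE_KEY = "#\n# 2048 bit OpenVPN static key\n#\n%s\n%s%s\n" % (
    BEGIN, "00112233445566778899aabbccddeeff\n" * 16, END)

if __name__ == "__main__":
    print(classify_tls_auth_file(SAMPLE_KEY))
    print(directions_match("tls-auth tls-auth.txt 0",
                           'tls-auth "tls-auth.txt" 1'))
```

A file reported as `not-static-key` is one that, per the manual text quoted above, OpenVPN would fall back to treating as a freeform passphrase file.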

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by Traffic » Fri Apr 08, 2016 4:37 pm

marsalan wrote:We are using TCP/443
oops :oops: so you are ..
marsalan wrote:Contemplating changing to a Telus "Two Way Public IP" (whatever that means), which might be where this "block" still is
worth checking ..

marsalan
OpenVpn Newbie
Posts: 9
Joined: Thu Apr 07, 2016 7:36 pm

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by marsalan » Fri Apr 08, 2016 4:41 pm

Yes, changed it to Telus "Two way public IP" - still no luck.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by Traffic » Fri Apr 08, 2016 5:45 pm

marsalan wrote:plugin openvpn-auth-pam.so 0001
This looks odd:
https://openvpn.net/index.php/open-sour ... .html#auth

marsalan
OpenVpn Newbie
Posts: 9
Joined: Thu Apr 07, 2016 7:36 pm

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by marsalan » Fri Apr 08, 2016 6:36 pm

While odd, it works (the system is slightly custom - and the generation of all of this is done by script by the appliance).

I cannot state for certain, but I am next to positive that "0001" is the LDAP Authentication Profile (number) as represented on the system which receives the username and password from the client via the client .ovpn "auth-user-pass" directive. Regardless, that is the part which the appliance uses to authenticate the username and password and it does indeed work on Windows. Put the wrong username or password in, you get rejected.

This is what it looks like when a Windows client connects, the PAM authentication is several procedures past where the iOS client times out... comparing the two it is almost as if the iOS times out during or while the key is being validated. Not entirely sure which certificate is being compared, but all are 2048 bits, and self-signed (cacert.pem, client.pem and clientkey.pem).

------------- iOS --------------
Fri Apr 8 08:47:15 2016 us=650348 TCPv4_SERVER link local: [undef]
Fri Apr 8 08:47:15 2016 us=650371 TCPv4_SERVER link remote: 209.29.57.208:50713
Fri Apr 8 08:47:15 2016 us=650586 209.29.57.208:50713 TLS: Initial packet from 209.29.57.208:50713, sid=14d1055a 3719a9aa
Fri Apr 8 08:47:43 2016 us=162810 209.29.57.208:50713 Connection reset, restarting [0]
Fri Apr 8 08:47:43 2016 us=162879 209.29.57.208:50713 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Apr 8 08:47:43 2016 us=162971 TCP/UDP: Closing socket
--------------------------------

----------- Windows ------------
Fri Apr 8 10:20:16 2016 us=919828 TCPv4_SERVER link local: [undef]
Fri Apr 8 10:20:16 2016 us=919847 TCPv4_SERVER link remote: 209.171.88.235:27759
Fri Apr 8 10:20:16 2016 us=923052 209.171.88.235:27759 TLS: Initial packet from 209.171.88.235:27759, sid=1e81fad0 5230c6e0

Fri Apr 8 10:20:19 2016 us=457686 209.171.88.235:27759 VERIFY OK: depth=1, /C=CA/ST=********/L=********/O=********/OU=********/CN=********
Fri Apr 8 10:20:19 2016 us=458020 209.171.88.235:27759 VERIFY OK: depth=0, /C=CA/ST=********/L=********/O=********/OU=********/CN=********
Fri Apr 8 10:20:20 2016 us=802535 209.171.88.235:27759 PLUGIN_CALL: POST openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Fri Apr 8 10:20:20 2016 us=802601 209.171.88.235:27759 TLS: Username/Password authentication succeeded for username '********' [CN SET]
Fri Apr 8 10:20:20 2016 us=802910 209.171.88.235:27759 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 8 10:20:20 2016 us=802937 209.171.88.235:27759 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 8 10:20:20 2016 us=803059 209.171.88.235:27759 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 8 10:20:20 2016 us=803078 209.171.88.235:27759 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 8 10:20:21 2016 us=183571 209.171.88.235:27759 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Apr 8 10:20:21 2016 us=183669 209.171.88.235:27759 [********] Peer Connection Initiated with 209.171.88.235:27759
--------------------------------
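
The side-by-side comparison above, done mechanically, as an added example (not part of the original post and not OpenVPN code): it groups server log lines by client `ip:port` and reports the furthest handshake milestone each session reached. The milestone substrings are taken from the log lines shown in this thread, the sample lines are copied from those excerpts, and the function names are made up for illustration.

```python
import re

# Handshake milestones in the order a session reaches them (server log text).
STAGES = [
    ("TLS: Initial packet", "initial-packet"),
    ("VERIFY OK", "cert-verified"),
    ("authentication succeeded", "user-auth-ok"),
    ("Peer Connection Initiated", "connected"),
]
# Per-client lines carry "ip:port" right after the "us=<microseconds>" field.
LINE = re.compile(r"us=\d+ (\d+\.\d+\.\d+\.\d+:\d+) (.*)")

def furthest_stage(log_text):
    """Map each client ip:port to (furthest stage reached, reset seen)."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # global lines such as "TCPv4_SERVER link remote"
        peer, msg = m.groups()
        rank, reset = peers.get(peer, (-1, False))
        for i, (needle, _) in enumerate(STAGES):
            if needle in msg:
                rank = max(rank, i)
        peers[peer] = (rank, reset or "Connection reset" in msg)
    return {p: (STAGES[r][1] if r >= 0 else "none", rs)
            for p, (r, rs) in peers.items()}

def stalled_before_verify(log_text):
    """Sessions that sent a first packet and were reset before any VERIFY OK."""
    return sorted(p for p, (stage, reset) in furthest_stage(log_text).items()
                  if stage == "initial-packet" and reset)

# Sample lines copied from the iOS and Windows excerpts in this thread.
SAMPLE_LOG = """\
Fri Apr 8 08:47:15 2016 us=650371 TCPv4_SERVER link remote: 209.29.57.208:50713
Fri Apr 8 08:47:15 2016 us=650586 209.29.57.208:50713 TLS: Initial packet from 209.29.57.208:50713, sid=14d1055a 3719a9aa
Fri Apr 8 08:47:43 2016 us=162810 209.29.57.208:50713 Connection reset, restarting [0]
Fri Apr 8 10:20:16 2016 us=923052 209.171.88.235:27759 TLS: Initial packet from 209.171.88.235:27759, sid=1e81fad0 5230c6e0
Fri Apr 8 10:20:19 2016 us=458020 209.171.88.235:27759 VERIFY OK: depth=0, /C=CA/ST=********/L=********/O=********/OU=********/CN=********
Fri Apr 8 10:20:20 2016 us=802601 209.171.88.235:27759 TLS: Username/Password authentication succeeded for username '********' [CN SET]
Fri Apr 8 10:20:21 2016 us=183669 209.171.88.235:27759 [********] Peer Connection Initiated with 209.171.88.235:27759
"""

if __name__ == "__main__":
    for peer, result in furthest_stage(SAMPLE_LOG).items():
        print(peer, result)
```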

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by Traffic » Fri Apr 08, 2016 6:48 pm

marsalan wrote:Note: The connection is going to an ASA5505
Make sure this is fully configured ..

You could bump up --verb to see if the server sends anything back .. or use tcpdump.

marsalan
OpenVpn Newbie
Posts: 9
Joined: Thu Apr 07, 2016 7:36 pm

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by marsalan » Fri Apr 08, 2016 7:12 pm

Figured out:

- OpenVPN works with TCP without "TLS-AUTH". In other words we turned off TLS Auth completely.

- FYI - It did not work with UDP with "TLS AUTH"

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Help: Unable to establish OpenVPN connection Iphone IOS

Post by Traffic » Fri Apr 08, 2016 8:11 pm

Personally, I would expect --tls-auth to work .. :o

Electra
OpenVpn Newbie
Posts: 7
Joined: Sat Apr 23, 2016 10:08 pm

Re: Help: Unable to establish OpenVPN connection Iphone IOS 9.2

Post by Electra » Sat Apr 23, 2016 10:15 pm

Hi,
Are you connecting to a free VPN service from IOS 9.x to check your client side alone?

marsalan
OpenVpn Newbie
Posts: 9
Joined: Thu Apr 07, 2016 7:36 pm

Re: Help: Unable to establish OpenVPN connection Iphone IOS 9.2

Post by marsalan » Sat Apr 23, 2016 11:24 pm

Yes we are using free VPN client service.

- Running OpenVPN on the IPhone IOS 9

Electra
OpenVpn Newbie
Posts: 7
Joined: Sat Apr 23, 2016 10:08 pm

Re: Help: Unable to establish OpenVPN connection Iphone IOS 9.2

Post by Electra » Sun Apr 24, 2016 9:01 am

So, you say your iOS connect client works fine when connecting to a Vpn service, like hidemyass, but not, when attempting to connect to your own server ?
