Auto created profiles work for Mac systems, but not iOS

Official client software for OpenVPN Access Server and OpenVPN Cloud.
maxiedaniels
OpenVpn Newbie
Posts: 10
Joined: Tue Jun 27, 2017 3:34 pm

Auto created profiles work for Mac systems, but not iOS

Post by maxiedaniels » Tue Jun 27, 2017 3:38 pm

I have an OpenVPN server running on a Lubuntu system, and the profiles that are auto created work great for my Mac systems. However, the iOS profiles do not work - I'm able to 'connect' using the iOS OpenVPN app, however I can't actually connect to any service on my server. I normally am able to connect to anything on my server using 10.8.0.1... no dice on this. I researched a bit and saw someone recommend adding `push "route 10.8.0.1 255.255.255.0"` to my server.conf, but no luck there either.

Client config:

client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote MYSERVER.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
...

Server Config:

port 1194
proto udp
dev tun
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 4
crl-verify crl.pem
mssfix 1460
tun-mtu 1500
mode server
tls-server
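A side-by-side check of the two configs posted above, as an added example (not code from this thread or from OpenVPN). It parses both files into directive/argument maps, skips the inline certificate blocks, and reports the options that OpenVPN requires to agree between a client and its server: dev, proto, cipher and auth must be identical, comp-lzo must be on both sides or neither, and the tls-auth key directions must be opposite. The two config strings are constructed from the posted directives with the key material left out.

```python
"""Consistency check of an OpenVPN client profile against the server config.

Added example, not code from the forum thread or from OpenVPN. The two
configs are constructed from the directives posted in the thread; the
inline <ca>/<cert>/<key>/<tls-auth> blocks are left out."""

# Constructed from the client profile posted in the thread (certificate
# material omitted).
CLIENT_CONF = """\
client
dev tun
proto udp
remote MYSERVER.net 1194
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
"""

# Constructed from the server config posted in the thread.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
mode server
tls-server
"""


def parse_options(text):
    """Return {directive: [args]} for an OpenVPN config.

    Comments (# or ;) and blank lines are skipped; inline <tag>...</tag>
    blocks (certificates, keys) are recorded by name but their bodies are
    not parsed as directives."""
    opts = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            opts[in_block] = []
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def tls_auth_direction(opts):
    """Key direction used for tls-auth: 'key-direction N' wins, otherwise the
    second argument of 'tls-auth FILE N'; None means bidirectional/unset."""
    if opts.get("key-direction"):
        return opts["key-direction"][0]
    ta = opts.get("tls-auth")
    if ta and len(ta) >= 2:
        return ta[1]
    return None


def check_consistency(client, server):
    """Return findings for options OpenVPN needs to agree between the peers."""
    findings = []
    # These must be identical on both sides or the data channel will not work.
    for name in ("dev", "proto", "cipher", "auth"):
        c, s = client.get(name), server.get(name)
        if c is not None and s is not None and c != s:
            findings.append(f"{name}: client={' '.join(c)} server={' '.join(s)}")
    # comp-lzo changes the data-channel framing (a compression header byte is
    # put in front of every packet), so it must be enabled on both or neither.
    c_lzo, s_lzo = "comp-lzo" in client, "comp-lzo" in server
    if c_lzo != s_lzo:
        findings.append(f"comp-lzo: present only on the {'client' if c_lzo else 'server'}")
    # tls-auth key directions must be opposite (server 0 <-> client 1), or both unset.
    c_dir, s_dir = tls_auth_direction(client), tls_auth_direction(server)
    if (c_dir is None) != (s_dir is None):
        findings.append("tls-auth: key direction set on only one side")
    elif c_dir is not None and c_dir == s_dir:
        findings.append(f"tls-auth: both sides use key direction {c_dir}")
    return findings


def check_thread_configs():
    """Run the check on the two configs from the thread."""
    return check_consistency(parse_options(CLIENT_CONF), parse_options(SERVER_CONF))


if __name__ == "__main__":
    for finding in check_thread_configs() or ["no mismatches found"]:
        print(finding)
```

On the thread's configs the only finding is `comp-lzo: present only on the client`, which is exactly what the server log later complains about. Running a check like this over every auto-generated profile before handing it out catches the mismatch before the first failed connection.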

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Auto created profiles work for Mac systems, but not iOS

Post by TinCanTech » Tue Jun 27, 2017 3:52 pm

maxiedaniels wrote: I researched a bit and saw someone recommend adding `push "route 10.8.0.1 255.255.255.0"` to my server.conf, but no luck there either

You do not want that because it is incorrect and --server 10.8.0.0 255.255.255.0 does it correctly.

See --server in The Manual v24x

maxiedaniels wrote: I can't actually connect to any service on my server. I normally am able to connect to anything on my server using 10.8.0.1

Check your OpenVPN logs and your server firewall.

maxiedaniels
OpenVpn Newbie
Posts: 10
Joined: Tue Jun 27, 2017 3:34 pm

Re: Auto created profiles work for Mac systems, but not iOS

Post by maxiedaniels » Tue Jun 27, 2017 3:59 pm

OpenVPN logs just show:

OpenVPN CLIENT LIST
Updated,Tue Jun 27 08:56:25 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
iphone,166.170.47.XXX:41832,2861,3762,Tue Jun 27 08:55:44 2017
laptop2condo,192.168.1.1:65422,74558336,49384191,Tue Jun 27 08:40:01 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.5,iphone,166.170.47.250:41832,Tue Jun 27 08:55:45 2017
10.8.0.2,laptop2condo,192.168.1.1:65422,Tue Jun 27 08:56:05 2017
GLOBAL STATS
Max bcast/mcast queue length,4
END

Also I wrote the push line wrong, it was `push "route 10.8.0.0. 255.255.255.0"`

I have no firewall running on my server. I just have my router blocking anything but the OpenVPN port coming in.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Auto created profiles work for Mac systems, but not iOS

Post by TinCanTech » Tue Jun 27, 2017 4:03 pm

You also need to learn the difference between --log and --status

See --log, --verb & --status in The Manual v24x

Edit: Can your client ping your server and vice versa?

maxiedaniels
OpenVpn Newbie
Posts: 10
Joined: Tue Jun 27, 2017 3:34 pm

Re: Auto created profiles work for Mac systems, but not iOS

Post by maxiedaniels » Tue Jun 27, 2017 8:22 pm

Ah, thank you for pointing that out. I always assumed that if I had verb set in my conf file, logs were created automatically... I always wondered why my logs were so uninformative!!!

So this looks like a problem area... weird part is that I checked and I don't have link-mtu set in any of my client configs nor my server config. Should I put comp-lzo into my server config since it's in my client configs? It looks like my major problem is where it says IP packet with unknown IP...

Tue Jun 27 09:17:33 2017 us=233379 166.170.47.250:42257 Re-using SSL/TLS context
Tue Jun 27 09:17:33 2017 us=233481 166.170.47.250:42257 Control Channel MTU parms [ L:1557 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Tue Jun 27 09:17:33 2017 us=233516 166.170.47.250:42257 Data Channel MTU parms [ L:1557 D:1460 EF:57 EB:12 ET:0 EL:3 ]
Tue Jun 27 09:17:33 2017 us=233538 166.170.47.250:42257 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Jun 27 09:17:33 2017 us=233545 166.170.47.250:42257 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Jun 27 09:17:33 2017 us=233559 166.170.47.250:42257 Local Options hash (VER=V4): '8a244582'
Tue Jun 27 09:17:33 2017 us=233568 166.170.47.250:42257 Expected Remote Options hash (VER=V4): 'ed844052'
Tue Jun 27 09:17:33 2017 us=233595 166.170.47.250:42257 TLS: Initial packet from [AF_INET]166.170.47.250:42257, sid=6c3649cd 19f23c35
Tue Jun 27 09:17:34 2017 us=103554 166.170.47.250:42257 CRL CHECK OK: CN=ChangeMe
Tue Jun 27 09:17:34 2017 us=103599 166.170.47.250:42257 VERIFY OK: depth=1, CN=ChangeMe
Tue Jun 27 09:17:34 2017 us=103750 166.170.47.250:42257 CRL CHECK OK: CN=iphone
Tue Jun 27 09:17:34 2017 us=103765 166.170.47.250:42257 VERIFY OK: depth=0, CN=iphone
Tue Jun 27 09:17:34 2017 us=577960 166.170.47.250:42257 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Tue Jun 27 09:17:34 2017 us=578038 166.170.47.250:42257 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Tue Jun 27 09:17:34 2017 us=578142 166.170.47.250:42257 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jun 27 09:17:34 2017 us=578156 166.170.47.250:42257 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 27 09:17:34 2017 us=578163 166.170.47.250:42257 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jun 27 09:17:34 2017 us=578170 166.170.47.250:42257 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jun 27 09:17:34 2017 us=975144 166.170.47.250:42257 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Jun 27 09:17:34 2017 us=975223 166.170.47.250:42257 [iphone] Peer Connection Initiated with [AF_INET]166.170.47.250:42257
Tue Jun 27 09:17:34 2017 us=975257 iphone/166.170.47.250:42257 MULTI_sva: pool returned IPv4=10.8.0.5, IPv6=(Not enabled)
Tue Jun 27 09:17:34 2017 us=975287 iphone/166.170.47.250:42257 MULTI: Learn: 10.8.0.5 -> iphone/166.170.47.250:42257
Tue Jun 27 09:17:34 2017 us=975295 iphone/166.170.47.250:42257 MULTI: primary virtual IP for iphone/166.170.47.250:42257: 10.8.0.5
Tue Jun 27 09:17:34 2017 us=991052 iphone/166.170.47.250:42257 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jun 27 09:17:34 2017 us=991080 iphone/166.170.47.250:42257 send_push_reply(): safe_cap=940
Tue Jun 27 09:17:34 2017 us=991099 iphone/166.170.47.250:42257 SENT CONTROL [iphone]: 'PUSH_REPLY,sndbuf 393216,rcvbuf 393216,route 10.8.0.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.5 255.255.255.0' (status=1)
Tue Jun 27 09:17:45 2017 us=411300 iphone/166.170.47.250:42257 IP packet with unknown IP version=15 seen

**Edit** Turns out it was comp-lzo causing the issue! I'm not sure why, but somehow my auto created laptop configurations didn't have comp-lzo, but my iPhone one did.
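The log above already contains the answer, and the two lines that matter are worth recognising on sight. The following is an added example, not code from this thread or from OpenVPN: it triages the posted server log lines for option-mismatch warnings and "unknown IP version" packets, and then shows why a comp-lzo mismatch produces version=15 in particular. The framing byte values are the ones OpenVPN's LZO code uses as far as I know them (0xFA in front of a packet sent uncompressed, 0x66 in front of an LZO-compressed one); the IPv4 header and the log sample are constructed from the thread's own lines.

```python
"""Triage OpenVPN server log lines for client/server option mismatches and
show why a comp-lzo mismatch surfaces as 'IP packet with unknown IP version'.

Added example, not code from the forum thread or from OpenVPN. The sample
lines are the relevant ones from the server log posted in the thread."""
import re

# Constructed sample: the relevant lines from the posted server log (verb 4).
LOG_LINES = [
    "Tue Jun 27 09:17:34 2017 us=577960 166.170.47.250:42257 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'",
    "Tue Jun 27 09:17:34 2017 us=578038 166.170.47.250:42257 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'",
    "Tue Jun 27 09:17:34 2017 us=975223 166.170.47.250:42257 [iphone] Peer Connection Initiated with [AF_INET]166.170.47.250:42257",
    "Tue Jun 27 09:17:45 2017 us=411300 iphone/166.170.47.250:42257 IP packet with unknown IP version=15 seen",
]

MISSING_RE = re.compile(r"WARNING: '([^']+)' is present in remote config but missing in local config")
INCONSISTENT_RE = re.compile(r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
BAD_VERSION_RE = re.compile(r"IP packet with unknown IP version=(\d+) seen")


def triage(lines):
    """Summarise mismatch warnings and bad-version packets found in log lines."""
    summary = {"missing_local": [], "inconsistent": {}, "unknown_ip_versions": []}
    for line in lines:
        if m := MISSING_RE.search(line):
            summary["missing_local"].append(m.group(1))
        elif m := INCONSISTENT_RE.search(line):
            summary["inconsistent"][m.group(1)] = (m.group(2), m.group(3))
        elif m := BAD_VERSION_RE.search(line):
            summary["unknown_ip_versions"].append(int(m.group(1)))
    return summary


def verdict(summary):
    """One-line triage verdict for the patterns a server log can show."""
    if "comp-lzo" in summary["missing_local"] and summary["unknown_ip_versions"]:
        return "comp-lzo mismatch: peer sends compression-framed packets, server parses them as raw IP"
    if summary["missing_local"] or summary["inconsistent"]:
        return "option mismatch: " + ", ".join(summary["missing_local"] + list(summary["inconsistent"]))
    if summary["unknown_ip_versions"]:
        return "malformed packets without any option warning: look at the sending client, not the config"
    return "no mismatch seen"


# OpenVPN's comp-lzo framing puts one byte in front of each data-channel packet
# (values as used in OpenVPN's LZO code): 0xFA = sent uncompressed, 0x66 = compressed.
NO_COMPRESS_BYTE = 0xFA
LZO_COMPRESS_BYTE = 0x66


def minimal_ipv4_packet():
    """Constructed 20-byte IPv4 header (version 4, IHL 5), no payload."""
    return bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16)


def lzo_frame(packet, compressed=False):
    """Prefix a packet the way a comp-lzo peer does (payload left as-is)."""
    return bytes([LZO_COMPRESS_BYTE if compressed else NO_COMPRESS_BYTE]) + packet


def ip_version(packet):
    """IP version as a peer without compression reads it: high nibble of byte 0."""
    return packet[0] >> 4


if __name__ == "__main__":
    print(verdict(triage(LOG_LINES)))
    pkt = minimal_ipv4_packet()
    print("plain IPv4 header reads as version", ip_version(pkt))
    print("comp-lzo framed (uncompressed) reads as version", ip_version(lzo_frame(pkt)))
    print("comp-lzo framed (compressed) reads as version", ip_version(lzo_frame(pkt, compressed=True)))
```

The uncompressed-frame byte 0xFA has high nibble 0xF, which is the version=15 the server logged: small packets such as pings are not worth compressing, so the iPhone sent them with that prefix and the server, with no comp-lzo of its own, read the prefix as an IP header. The one-byte difference in the same log (local link-mtu 1557 versus remote 1558) is consistent with that extra header byte. For a defender, the pair "comp-lzo is present in remote config but missing in local config" followed by "unknown IP version" from the same client is a configuration mismatch, not malicious traffic, and the fix is to make the profiles agree; dropping comp-lzo from the client profile is the safer direction, since OpenVPN has since deprecated compression.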
