OpenVPN Connect fails to connect after push requests

JB27
OpenVpn Newbie
Posts: 2
Joined: Wed Nov 07, 2018 3:18 pm

Post by JB27 » Wed Nov 07, 2018 4:36 pm

Set up an OpenVPN server on a SUSE Linux system running under VirtualBox. Tested it by connecting to it from another Linux box using a shared secret and then migrated both ends to use full certs etc. All working fine. Created a .ovpn file and that works fine on a Windows 10 machine but fails on iOS (iPad with iOS 12).

File imports fine on both Windows and iOS systems:

client
dev tun
proto udp
remote yyy.yyy.yy.yyy
port 1194
ifconfig xxx.xxx.xxx.2 xxx.xxx.xxx.1

remote-cert-tls server
persist-key
persist-tun

key-direction 1
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
</tls-auth>

Logfile on the iPad ends as follows:

2018-05-07 15:05:08 VERIFY OK : depth=1
cert. version    : 3
serial number    : 9A:8C:ED:62:89:B3:FB:AA
issuer name      : CN=Cumulus
subject name      : CN=Cumulus
issued  on        : 2018-11-05 14:09:45
expires on        : 2028-11-02 14:09:45
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage        : Key Cert Sign, CRL Sign

2018-05-07 15:05:08 VERIFY OK : depth=0
cert. version    : 3
serial number    : 38:90:51:C4:07:09:2F:84:5A:36:26:32:FA:ED:9F:60
issuer name      : CN=Cumulus
subject name      : CN=server
issued  on        : 2018-11-05 14:11:00
expires on        : 2028-11-02 14:11:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication

2018-05-07 15:05:08 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2018-05-07 15:05:08 Session is ACTIVE
2018-05-07 15:05:08 EVENT: GET_CONFIG
2018-05-07 15:05:08 Sending PUSH_REQUEST to server...
2018-05-07 15:05:10 Sending PUSH_REQUEST to server...
2018-05-07 15:05:12 Sending PUSH_REQUEST to server...
2018-05-07 15:05:15 Sending PUSH_REQUEST to server...
2018-05-07 15:05:18 Sending PUSH_REQUEST to server...
2018-05-07 15:05:21 Sending PUSH_REQUEST to server...
2018-05-07 15:05:24 Sending PUSH_REQUEST to server...
2018-05-07 15:05:27 Sending PUSH_REQUEST to server...
2018-05-07 15:05:30 Sending PUSH_REQUEST to server...
2018-05-07 15:05:34 Sending PUSH_REQUEST to server...
2018-05-07 15:05:37 EVENT: CONNECTION_TIMEOUT [ERR]

2018-05-07 15:05:37 Raw stats on disconnect:
 BYTES_IN : 6530
 BYTES_OUT : 5468
 PACKETS_IN : 26
 PACKETS_OUT : 25
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 1

The server log shows:

VERIFY OK: depth=1, CN=Cumulus
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
VERIFY EKU OK
VERIFY OK: depth=0, CN=client
peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
peer info: IV_VER=3.2
peer info: IV_PLAT=ios
peer info: IV_NCP=2
peer info: IV_TCPNL=1
peer info: IV_PROTO=2
peer info: IV_AUTO_SESS=1
peer info: IV_BS64DL=1
WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig xxx.xxx.xxx.1 xxx.xxx.x.2'
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
TLS: tls_multi_process: untrusted session promoted to semi-trusted
Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[client] Peer Connection Initiated with [AF_INET]xxx.xxx.xx.xxx:61248
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'

Push requests appear to be sent from the iPad and received by the server but not actioned. As I say, the server can be connected to from a Linux box (manual config), and Windows (same .ovpn file). Anyone got any suggestions?

I note the warning about ifconfig but I have complementary ifconfig statements in both the server.conf file and the .ovpn file! As it's a warning I am assuming it's not the cause of my issue.

Thanks.
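
Added example, not part of the original thread: a small Python triage of the server log lines quoted in the post above, counting PUSH_REQUEST messages against replies and picking out the 64-bit-block cipher and the option-mismatch warning. The `triage` function, the shortened sample text and the `PUSH_REPLY` line pattern are assumptions made for this example; no reply line appears anywhere on the page.

```python
import re

# Constructed sample: lines taken from the server log in the post above,
# with the ten identical PUSH_REQUEST lines cut down to three.
SAMPLE_SERVER_LOG = """\
peer info: IV_PLAT=ios
WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig xxx.xxx.xxx.1 xxx.xxx.x.2'
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
"""

PUSH_REQUEST = re.compile(r"PUSH: Received control message: 'PUSH_REQUEST'")
# Assumption: a server that answers logs a line containing 'PUSH_REPLY
# (no such line appears anywhere on this page).
PUSH_REPLY = re.compile(r"'PUSH_REPLY")
CIPHER = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)'")
MISMATCH = re.compile(r"WARNING: '([^']+)' is present in local config but missing in remote config")
PLATFORM = re.compile(r"peer info: IV_PLAT=(\S+)")

# Ciphers with a 64-bit block, the property the SWEET32 warning is about.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def triage(log_text):
    """Summarise one client session from an OpenVPN server log."""
    requests = replies = 0
    ciphers, mismatches, platforms = set(), set(), set()
    for line in log_text.splitlines():
        if PUSH_REQUEST.search(line):
            requests += 1
        elif PUSH_REPLY.search(line):
            replies += 1
        for pattern, bucket in ((CIPHER, ciphers), (MISMATCH, mismatches), (PLATFORM, platforms)):
            match = pattern.search(line)
            if match:
                bucket.add(match.group(1))
    return {
        "platforms": sorted(platforms),
        "push_requests": requests,
        "push_replies": replies,
        # The client asked for its settings and the server never answered.
        "unanswered_pull": requests > 0 and replies == 0,
        "small_block_ciphers": sorted(ciphers & SMALL_BLOCK_CIPHERS),
        "option_mismatches": sorted(mismatches),
    }
```

Calling `triage(SAMPLE_SERVER_LOG)` reports three unanswered push requests from an `ios` client, `BF-CBC` as a small-block cipher and `ifconfig` as the mismatched option.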

JB27
OpenVpn Newbie
Posts: 2
Joined: Wed Nov 07, 2018 3:18 pm

Re: OpenVPN Connect fails to connect after push requests

Post by JB27 » Fri Nov 09, 2018 2:23 pm

I think I may have got to the bottom of this:

- My iPad can connect to a Windows server using the installer off this site but needs "ifconfig 192.168.xxx.1 192.168.xxx.2" changed to "server 192.168.25.xxx.0 255.255.255.0".
- My Mac, configured with the macOS installer off this site, mimics the iPad connectivity.
- Setting up a client on a SUSE box connects to everything.
- A new server set up on the latest SUSE (Tumbleweed with OpenVPN 2.4.6) works with everything if I change "ifconfig etc." to "server etc." in the config.

Changing my original server to match the config change above kills it. It's running OpenVPN 2.4.3 as opposed to 2.4.6 on the new box.

My conclusion is that OpenVPN Connect for the iOS or macOS needs the server configured with the "server" directive and not "ifconfig" and this is broken on version OpenVPN 2.4.3 which is what is current on openSUSE Leap 15. As such I need a new version of OpenVPN on my server.

I think this closes the thread unless some guru has an insight into the problem. Also, any explanation as to why the change in the Server config file is needed to support connections from iOS or macOS versions of OpenVPN Connect would be appreciated.

TinCanTech
OpenVPN Protagonist
Posts: 5026
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Connect fails to connect after push requests

Post by TinCanTech » Fri Nov 09, 2018 10:44 pm

JB27 wrote:
Fri Nov 09, 2018 2:23 pm
My conclusion is that OpenVPN Connect for the iOS or macOS needs the server configured with the "server" directive and not "ifconfig" and this is broken on version OpenVPN 2.4.3

Have you looked up what the difference is between --ifconfig and --server (they are --options)?
