Upgrade to OpenVPN 1.2.5 (iOS): issues

Official client software for OpenVPN Access Server and OpenVPN Cloud.
PhC
OpenVpn Newbie
Posts: 2
Joined: Thu Jan 11, 2018 11:08 am

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by PhC » Thu Jan 11, 2018 3:02 pm

ordex wrote:
Thu Jan 11, 2018 1:35 pm
What problem are you having exactly?
Hi,

updated iOS clients cannot connect anymore. They used to work fine on previous version. All other clients (mainly PCs or Mac) are still working fine.
On client side, the connection fails immediately with various error messages.
On server side, the log contains a line stating that "digest RSA too big" or something like this.
Sorry, I can not be very precise immediately as I'm not at the office. I'll try to find someone able to give you full details.

Thx.
PhC.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by ordex » Thu Jan 11, 2018 3:04 pm

PhC wrote:
Thu Jan 11, 2018 3:02 pm
ordex wrote:
Thu Jan 11, 2018 1:35 pm
What problem are you having exactly?
Sorry, I can not be very precise immediately as I'm not at the office. I'll try to find someone able to give you full details.
Copy/pasting the app log would be very helpful. Thanks!

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by dazo » Thu Jan 11, 2018 3:28 pm

Just to explain a bit further on a few details

Regarding retracting the 1.2.5 release and have 1.1.1 in the appstore again. Apple gave OpenVPN Inc a hard deadline on the old VPN API. Any app updates to OpenVPN Connect after July 2017 cannot utilize the old VPN API. This is out of our control. So we are forced by Apple to move forward. To rollback or even re-release the old 1.1.1 with a newer version number will be blocked by the Appstore before it reaches all the users - due to the fact that the app will then use an API which is no longer approved.

Regarding the issues related to the keychain. The newer VPN API we needed to move towards is far more stringent and stricter in the access control. The old API was much more open and forgiving, and it was possible to access keying material outside the "domain" of the single app. This power is bad for device security. So when we now do not have that access, it is definitely seen as a user experience regression. But again, this is also outside our control. Apple enforces OpenVPN Connect updates to use the newer VPN API, and we need to play within the boundaries that gives us. One way to circumvent all this is to have the key/cert/ca files embedded into the configuration file.

Some users have utilized --tls-auth without using --key-direction (either explicitly or indirectly via the --tls-auth option as the last argument). That this worked initially has actually been a bug, and it degrades the overall security layer --tls-auth can provide. Those who switched to --tls-crypt will not see these issues, as --key-direction is automatically handled correctly. That said, --tls-crypt gives an even stronger protection than --tls-auth would provide; so this move alone is a good improvement.

There are probably a few more other issues which would deserve comments too ... but currently, these three areas have been taking most of the focus of the discussion in this thread.

All that said ... We are working on a new release, which is just about to hit testing and QA ... it seeks to remedy a lot of the issues reported. We've focused on the critical ones first for this first update. And some other issues may need to in a later release, as they need more work and we don't want to hold back a release for issues where we have fixes ready.

Despite many of you having had a bad experience with this update, we also have a lot of users telling us this update improved their situation - where it now finally works better in their environments. So this update broke some configurations while other configurations got improved. With that in mind we cannot conclude that this update was ultimately an utter and complete disaster. But it also wasn't a completely successful story either, unfortunately.

And finally, all the feedback has been valuable - in various degrees. But some posts have been less constructive and useful. We fully understand and sympathize with the frustration when something truly and badly breaks - especially if you're responsible for many users. But please be considerate in the wording you use when responding and raising awareness about issues. What I'm about to write, is truly sad and disturbing to write. But it seems needed. Personal attacks, questioning processes or competences or other derailing of the discussion thread is not much valuable and it belongs nowhere in these discussion threads. Most of you have behaved well, and we could have a constructive dialogue. But some posters have experienced or will experience their posts being removed or even banned. This is not because we want to censor the forum, but simply because it provides nothing to the discussion at all. Remember that behind each and every post, there is a living human being. When submitting a post, think through how you would experience the message you're about to submit if you were the receiver and not the sender. So be considerate and respectful, and you will experience we take your feedback seriously.

Thank you all ... now at least I need to get back to work :)
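
The embedding mentioned in the post above, as an added example that is not part of the original post and not OpenVPN's own tooling: a Python script that rewrites `ca`/`cert`/`key`/`tls-auth` file references in a client profile as inline blocks and carries a `tls-auth` direction argument over to `key-direction`. The function name, file names, host name and placeholder file contents are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Directives whose file argument OpenVPN also accepts as an inline <name>...</name> block.
INLINE_OK = ("ca", "cert", "key", "tls-auth", "tls-crypt")


def inline_profile(text, base_dir):
    """Return (profile_text, warnings) with file references rewritten as inline blocks.

    Hypothetical helper; assumes file paths in the profile contain no spaces.
    """
    body, blocks, warnings = [], [], []
    has_direction = re.search(r"^\s*key-direction\s+[01]\s*$", text, re.M) is not None
    uses_tls_auth = re.search(r"^\s*<tls-auth>\s*$", text, re.M) is not None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in INLINE_OK:
            body.append(line)  # comments, existing inline blocks, other directives
            continue
        name, ref = parts[0], parts[1].strip('"')
        path = Path(base_dir) / ref
        # "tls-auth ta.key 1": the direction is the optional last argument.
        direction = None
        if name == "tls-auth":
            uses_tls_auth = True
            if len(parts) >= 3 and parts[2] in ("0", "1"):
                direction = parts[2]
        if not path.is_file():
            warnings.append(f"{name}: {ref} not found, left as a file reference")
            body.append(line)
            has_direction = has_direction or direction is not None
            continue
        blocks.append(f"<{name}>\n{path.read_text().strip()}\n</{name}>")
        # An inline block has no place for the direction argument, so it has
        # to be written out as a separate key-direction directive.
        if direction is not None and not has_direction:
            body.append(f"key-direction {direction}")
            has_direction = True
    if uses_tls_auth and not has_direction:
        warnings.append("tls-auth is used without key-direction")
    return "\n".join(body + blocks) + "\n", warnings


if __name__ == "__main__":
    # Constructed sample: placeholder files stand in for real key material.
    with tempfile.TemporaryDirectory() as d:
        for fname in ("ca.crt", "client.crt", "client.key", "ta.key"):
            (Path(d) / fname).write_text(f"-----PLACEHOLDER {fname}-----\n")
        sample = (
            "client\n"
            "remote vpn.example.com 443 tcp\n"
            "ca ca.crt\n"
            "cert client.crt\n"
            "key client.key\n"
            "tls-auth ta.key 1\n"
        )
        profile, notes = inline_profile(sample, d)
        print(profile)
        print("warnings:", notes)
```
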

Ozwel
OpenVpn Newbie
Posts: 15
Joined: Sat Oct 15, 2016 9:18 am

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by Ozwel » Thu Jan 11, 2018 4:09 pm

Thanks for the feedback dazo.

Hopefully the next issue to be addressed is the one about the connection looking good but no data transmitted from the apps to the vpn gateway :) (I saw 2 or 3 posts about this on this thread besides mine).

oat_bondmen
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 10, 2018 5:00 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by oat_bondmen » Thu Jan 11, 2018 4:12 pm

dazo wrote:
Thu Jan 11, 2018 3:28 pm
Regarding retracting the 1.2.5 release and have 1.1.1 in the appstore again. Apple gave OpenVPN Inc a hard deadline on the old VPN API. Any app updates to OpenVPN Connect after July 2017 cannot utilize the old VPN API. This is out of our control. So we are forced by Apple to move forward. To rollback or even re-release the old 1.1.1 with a newer version number will be blocked by the Appstore before it reaches all the users - due to the fact that the app will then use an API which is no longer approved.
Right. This is information which should have been communicated from the outset, rather than allege that I, for example, do not know what I am talking about. Indeed, the information you cite confirms my prior statement that OpenVPN were not compelled to release 1.2.5 this week. You could have taken your time to release a product which was not broken upon arrival for many customers, as well as using the time to plan through how to make users aware of the major rebase changes contained within the product.

Instead, your QA and testing process failed so badly, that you are now in the position where you are unable to rollback to 1.1.1 within the AppStore due to the guidelines imposed on you by Apple. If you had tested this better before release, you would not be left with so many upset customers currently.
Regarding the issues related to the keychain. The newer VPN API we needed to move towards is far more stringent and stricter in the access control. The old API was much more open and forgiving, and it was possible to access keying material outside the "domain" of the single app. This power is bad for device security. So when we now do not have that access, it is definitely seen as a user experience regression. But again, this is also outside our control. Apple enforces OpenVPN Connect updates to use the newer VPN API, and we need to play within the boundaries that gives us. One way to circumvent all this is to have the key/cert/ca files embedded into the configuration file.
I get all that, and others clearly do as well. The issue is how this change was communicated prior to the release. OpenVPN need to reassess completely how they release and name versions with major changes.
And finally, all the feedback has been valuable - in various degrees. But some posts have been less constructive and useful.
You work in software. So do I, and many others here. You have to learn to deal with irritated users who are rightly upset at the approach taken with your release.
What I'm about to write, is truly sad and disturbing to write
No. It's not. Writing a person's death sentence is 'disturbing to write'. Asking people to be nicer to you and staff is not remotely 'disturbing'.
When submitting a post, think through how you would experience the message you're about to submit if you were the receiver and not the sender.
I would simply appreciate why users are upset and work internally to ensure the business understands why a customer is irritated and upset, working together openly to agree a strategy to resolve their frustrations. I wouldn't, however, cry about being spoken to in a forceful manner by an intelligent customer who is raising legitimate issues of complaint.

Ozwel
OpenVpn Newbie
Posts: 15
Joined: Sat Oct 15, 2016 9:18 am

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by Ozwel » Thu Jan 11, 2018 4:58 pm

oat_bondmen wrote:
Thu Jan 11, 2018 4:12 pm
dazo wrote:
Thu Jan 11, 2018 3:28 pm
Regarding retracting the 1.2.5 release and have 1.1.1 in the appstore again. Apple gave OpenVPN Inc a hard deadline on the old VPN API. Any app updates to OpenVPN Connect after July 2017 cannot utilize the old VPN API. This is out of our control. So we are forced by Apple to move forward. To rollback or even re-release the old 1.1.1 with a newer version number will be blocked by the Appstore before it reaches all the users - due to the fact that the app will then use an API which is no longer approved.
Indeed, the information you cite confirms my prior statement that OpenVPN were not compelled to release 1.2.5 this week. You could have taken your time to release a product which was not broken upon arrival for many customers, as well as using the time to plan through how to make users aware of the major rebase changes contained within the product.
I think you haven't read the part when oat_bondmen says Apple forced them to release something for months and they had no choice other than publishing their new app or their old app was going to be removed.

We're a dozen of people here pretending this app is a mess for 99% of this world's users but it seems oat says we are only few people complaining. Well... up to you to believe him or not.

oat_bondmen
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 10, 2018 5:00 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by oat_bondmen » Thu Jan 11, 2018 5:04 pm

Ozwel wrote:
Thu Jan 11, 2018 4:58 pm
I think you haven't read the part when oat_bondmen
Er, that's me.
says Apple forced them to release something for months and they had no choice other than publishing their new app or their old app was going to be removed.
At no point has that statement been made. Here's the statement again:

"Apple gave OpenVPN Inc a hard deadline on the old VPN API. Any app updates to OpenVPN Connect after July 2017 cannot utilize the old VPN API."

Some points:

1. At no point is it stated that the existing app will be removed from the AppStore.

2. There is no mention of the date which Apple had provided, (I would be very interested in knowing that date. It's clearly not being shared for a reason) nor the consequences of not doing so.
We're a dozen of people here pretending this app is a mess for 99% of this world's users but it seems oat says we are only few people complaining. Well... up to you to believe him or not.
I think you're confused as to my identity.

Ozwel
OpenVpn Newbie
Posts: 15
Joined: Sat Oct 15, 2016 9:18 am

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by Ozwel » Thu Jan 11, 2018 5:27 pm

Oops, I meant dazo sorry.

I guess if Apple set a deadline for them to update the app with a new VPN API it means that all previous apps not compliant would be removed, well at least that's my understanding.

I can't use their iOS client anymore, I'm really gutted. But I try to help them as much as I can to have the fixes coming fast. I could blame but I'm sure they understood we're all pissed and they will certainly learn from that.

jason.salameh
OpenVpn Newbie
Posts: 7
Joined: Thu Jan 11, 2018 7:44 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by jason.salameh » Thu Jan 11, 2018 7:50 pm

Hello,

Also new to this topic, and hopefully we can get the issue resolved. Sorry if the question has already been asked here but here's what I've done and the problems I'm seeing

My Configuration

1. Manually created a VPN server on a linux device in my home
2. Created the Cert / Key
3. Exported all the information
4. Created a Mobile Configuration with Apple Mobile Config Utility - Specified On Demand Functionality with a few key hosts
5. Exported the Config
6. Imported to my iPhone with iOS 11 (latest)

this worked with the previous version of OpenVPN. VPN would automatically connect when key hosts were accessed

with new OpenVPN iOS client (1.2.5) I observe several key things

1. VPN doesn't automatically connect anymore
2. Manually turning on the VPN in iOS settings results in the VPN turning back off immediately
3. Attempting to manually turn on the VPN in OpenVPN - the toggle doesn't move
4. There is no longer any certificate associated with the On Demand configuration.
5. There are no logs that I can see or access in the OpenVPN client on my iPhone


My question is simple. With the existing cert/key and .ovpn config I have, is there any way to create a .MobileConfig file again that allows me to do On Demand VPN access? If it requires some elbow grease that's fine... Just need to know how to do it.

If there's any more information you need please let me know

Thanks

nullbandit
OpenVpn Newbie
Posts: 4
Joined: Wed Jan 10, 2018 11:56 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by nullbandit » Thu Jan 11, 2018 8:34 pm

The fix you guys are working on, does it address the issue where, when the OpenVPN app is force-closed (swiped up), the tunnel breaks? The app shows it's connected but the traffic doesn't flow anymore, neither through the tunnel nor non-tunneled.

johndoe2
OpenVpn Newbie
Posts: 2
Joined: Wed Jan 10, 2018 1:56 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by johndoe2 » Thu Jan 11, 2018 10:05 pm

I got 1k+ angry users around the globe.
I guess in my case the issue is somewhat related to the keychain thingy...

I use Airwatch to pull user certificates from a windows PKI and create a custom profile for all the devices on the fly.
The devices then use "VPN on demand" to connect when needed to a PFSense fw running the server part.

If I export the profile from Airwatch it looks something like this (uids/hosts etc has been removed):
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.security.pkcs12</string>
      <key>PayloadUUID</key>
      <string>6125.<removed>.6e08</string>
      <key>PayloadContent</key>
      <data></data>
      <key>PayloadDisplayName</key>
      <string>Certificate</string>
      <key>PayloadDescription</key>
      <string>CredentialSettings</string>
      <key>PayloadIdentifier</key>
      <string>074a8.<removed>.7c73.Certificate</string>
      <key>PayloadOrganization</key>
      <string></string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>PayloadDescription</key>
      <string>Configures VPN settings, including authentication.</string>
      <key>PayloadDisplayName</key>
      <string>Corporate VPN</string>
      <key>PayloadIdentifier</key>
      <string>074a8.<removed>.7c73.VPN</string>
      <key>PayloadOrganization</key>
      <string></string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>
      <string>dc41b.<removed>.3272b</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>UserDefinedName</key>
      <string>Corporate-VPN</string>
      <key>VPNType</key>
      <string>VPN</string>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>0</integer>
      </dict>
      <key>VendorConfig</key>
      <dict>
        <key>ca</key>
        <string>"-----BEGIN CERTIFICATE-----.<removed a total of 4 certificates, from the root and down>.-----END CERTIFICATE-----"</string>
        <key>cipher</key>
        <string>"AES-128-CBC"</string>
        <key>comp-lzo</key>
        <string>NOARGS</string>
        <key>dev</key>
        <string>tun</string>
        <key>key-direction</key>
        <string>1</string>
        <key>nobind</key>
        <string>NOARGS</string>
        <key>port</key>
        <string>443</string>
        <key>proto</key>
        <string>tcp</string>
        <key>remote</key>
        <string>"fqdn_of_the_pfsense_box 443"</string>
        <key>tls-auth</key>
        <string>-----BEGIN OpenVPN Static key V1-----.<removed>.-----END OpenVPN Static key V1-----</string>
        <key>tls-client</key>
        <string>NOARGS</string>
        <key>verb</key>
        <string>3</string>
      </dict>
      <key>VPNSubType</key>
      <string>net.openvpn.OpenVPN-Connect.vpnplugin</string>
      <key>VPN</key>
      <dict>
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <key>PayloadCertificateUUID</key>
        <string>6125a.<removed>.86e08</string>
        <key>OnDemandEnabled</key>
        <integer>1</integer>
        <key>OnDemandMatchDomainsAlways</key>
        <array>
          <string>domain1</string>
          <string>domain2</string>
          <string>domain3 and so on up to 19 domains in total</string>
        </array>
        <key>OnDemandMatchDomainsNever</key>
        <array>
          <string>33 lines with FQDNs for which the VPN should not be activated</string>
        </array>
        <key>RemoteAddress</key>
        <string>FQDN of the pfsense box</string>
      </dict>
      <key>Proxies</key>
      <dict />
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>iOS - OpenVPN</string>
  <key>PayloadDisplayName</key>
  <string>iOS - OpenVPN/V_31</string>
  <key>PayloadIdentifier</key>
  <string>074a8.<removed>.17c73</string>
  <key>PayloadOrganization</key>
  <string></string>
  <key>PayloadRemovalDisallowed</key>
  <false />
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>98ae4.<removed>.f9dbb</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>


From the above, I have one payload for the user certificate enrolled on the fly from the MS PKI (com.apple.security.pkcs12) and one payload for the VPN configuration (com.apple.vpn.managed).

My question now is if I'm shit out of luck due to the API changes regarding the keychain or can the openvpn app somehow get access to a certificate installed via another payload ?

I'm very far from an expert when it comes to ios and maybe an Airwatch upgrade could handle this in a different way, but for now the above is what I'm stuck with.
Any help would be greatly appreciated.

Best regards.
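
The two-payload layout described in the post above, inspected programmatically (an added example, not part of the original post and not Airwatch or OpenVPN code): a Python function that reads a `.mobileconfig` and reports, for each `com.apple.vpn.managed` payload, which credentials sit in `VendorConfig` itself and which payload its `PayloadCertificateUUID` points to. The function name, UUIDs, host name and placeholder values in the sample are constructed.

```python
import plistlib


def audit_vpn_payloads(data):
    """Return one finding dict per com.apple.vpn.managed payload in a profile."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue
        vendor = p.get("VendorConfig", {})
        vpn = p.get("VPN", {})
        ref = vpn.get("PayloadCertificateUUID")
        target = by_uuid.get(ref)
        findings.append({
            "name": p.get("UserDefinedName"),
            "plugin": p.get("VPNSubType"),
            "on_demand": bool(vpn.get("OnDemandEnabled")),
            # Type of the payload the client identity is expected to come from.
            "identity_from": target.get("PayloadType") if target else None,
            # A UUID that matches no payload in this profile.
            "dangling_identity_ref": ref is not None and target is None,
            # Credentials carried inside the OpenVPN configuration itself.
            "inline_credentials": sorted(
                k for k in ("ca", "cert", "key") if k in vendor
            ),
            "tls_auth_without_direction": (
                "tls-auth" in vendor and "key-direction" not in vendor
            ),
        })
    return findings


# Constructed sample with the same shape as the exported profile in the post;
# every value is a placeholder.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadContent": [
        {
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadUUID": "00000000-0000-0000-0000-000000000001",
            "PayloadContent": b"constructed placeholder, not a PKCS#12 file",
        },
        {
            "PayloadType": "com.apple.vpn.managed",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "UserDefinedName": "Corporate-VPN",
            "VPNType": "VPN",
            "VPNSubType": "net.openvpn.OpenVPN-Connect.vpnplugin",
            "VendorConfig": {
                "ca": "constructed placeholder",
                "remote": "vpn.example.com 443",
                "tls-auth": "constructed placeholder",
                "key-direction": "1",
            },
            "VPN": {
                "AuthenticationMethod": "Certificate",
                "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000001",
                "OnDemandEnabled": 1,
            },
        },
    ],
})

if __name__ == "__main__":
    for finding in audit_vpn_payloads(SAMPLE):
        print(finding)
```
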

pleveille
OpenVpn Newbie
Posts: 3
Joined: Thu Jan 11, 2018 10:02 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by pleveille » Thu Jan 11, 2018 10:11 pm

Hi!

I have not read every post of this thread, but I just wanted to say that I have upgraded to version 1.2.5 of OpenVPN Connect and, since then, when I press the app icon, the only thing that loads is a completely black screen, and nothing happens after that. I can't connect to VPN from iOS Settings or any other way. I have tried to delete the app and download it again, but this changes nothing. I'm using an iPod 6th generation and iOS version 11.2.2.

I am willing to answer questions about the behavior of the app on my device if need be.

Hope for a fix very soon since, as it is, I just can't access the internet through VPN on my device. Thanks!

danquel
OpenVpn Newbie
Posts: 4
Joined: Tue Jan 09, 2018 6:34 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by danquel » Thu Jan 11, 2018 11:17 pm

asiaexplorer wrote:
Thu Jan 11, 2018 4:12 am
bearever wrote:
Thu Jan 11, 2018 2:00 am
danquel wrote:
Wed Jan 10, 2018 5:02 pm


Has it worked for you? Can you send it to me? (danquel@hotmail.com) thank you, we are desperate
The above method does work (FYI I rolled back my openvpn app to v1.1.1) but you need to follow the above youtube tutorial by yourself. I cannot share my ipa file with you as the app is tied to my iTunes account.
I also can confirm that. It's working. Just rolled back to v1.1.1.

I followed the youtube link and the following tutorial: https://medium.com/@iosight/how-to-lega ... 45559b8357

The correct string for the version 1.1.1 is:

819500456
With this information you can follow the tutorial from step 15. All steps above are only to find out the right string.

Of course you need the right iTunes version mentioned above to enter the app store and fiddler installed.
great, it worked, thank you very much !!!

johndoe2
OpenVpn Newbie
Posts: 2
Joined: Wed Jan 10, 2018 1:56 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by johndoe2 » Thu Jan 11, 2018 11:41 pm

danquel wrote:
Thu Jan 11, 2018 11:17 pm
asiaexplorer wrote:
Thu Jan 11, 2018 4:12 am
bearever wrote:
Thu Jan 11, 2018 2:00 am


The above method does work (FYI I rolled back my openvpn app to v1.1.1) but you need to follow the above youtube tutorial by yourself. I cannot share my ipa file with you as the app is tied to my iTunes account.
I also can confirm that. It's working. Just rolled back to v1.1.1.

I followed the youtube link and the following tutorial: https://medium.com/@iosight/how-to-lega ... 45559b8357

The correct string for the version 1.1.1 is:

819500456
With this information you can follow the tutorial from step 15. All steps above are only to find out the right string.

Of course you need the right iTunes version mentioned above to enter the app store and fiddler installed.
great, it worked, thank you very much !!!
Would it be possible to rebrand/resign the IPA in xcode using our enterprise distribution provisioning profile and then push it out via Airwatch as a managed app?

jason.salameh
OpenVpn Newbie
Posts: 7
Joined: Thu Jan 11, 2018 7:44 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by jason.salameh » Thu Jan 11, 2018 11:51 pm

@OpenVPN dev team - there are mountains of people here requesting support. Please stay on top of these threads.

It's understandable that there was an update released which broke the world - but ignoring customers is not the answer.

even if you don't have the answer for them, please get dedicated CSS or something to help out... this is ridiculous

oat_bondmen
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 10, 2018 5:00 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by oat_bondmen » Fri Jan 12, 2018 12:33 am

jason.salameh wrote:
Thu Jan 11, 2018 11:51 pm
ignoring customers is not the answer.
Indeed it isn’t.

Nor is banning participants in these discussions, nor sending them ’warning’ messages, nor is bleating about ‘real persons’ being hurt by the dissent expressed here.

We should be receiving 6-12 hourly updates on progress being made to resolve each issue raised.

disqualified
OpenVPN User
Posts: 40
Joined: Fri Jun 03, 2016 7:13 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by disqualified » Fri Jan 12, 2018 1:05 am

oat_bondmen wrote:
Fri Jan 12, 2018 12:33 am
jason.salameh wrote:
Thu Jan 11, 2018 11:51 pm
ignoring customers is not the answer.
Indeed it isn’t.
Customers .. who have paid nothing because it is FREE.
oat_bondmen wrote:
Fri Jan 12, 2018 12:33 am
Nor is banning participants in these discussions, nor sending them ’warning’ messages, nor is bleating about ‘real persons’ being hurt by the dissent expressed here.

We should be receiving 6-12 hourly updates on progress being made to resolve each issue raised.
Diaper changes .. :twisted:

Your constant whining is as helpful as a Fart in an Elevator.
Last edited by disqualified on Fri Jan 12, 2018 2:47 am, edited 1 time in total.

oat_bondmen
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 10, 2018 5:00 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by oat_bondmen » Fri Jan 12, 2018 1:33 am

Customers .. who have paid nothing because it is FREE.
1. You have a lot to learn about FOSS development;
2. Regardless of your ignorance; you're wrong. OpenVPN has many paying enterprise customers who are affected by this unusable release.
Last edited by oat_bondmen on Fri Jan 12, 2018 2:20 am, edited 1 time in total.

disqualified
OpenVPN User
Posts: 40
Joined: Fri Jun 03, 2016 7:13 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by disqualified » Fri Jan 12, 2018 2:10 am

Pop goes the weasel ..

Your incessant crap has been noted .. I am sure of that.

You still have the opportunity to actually contribute .. it is, after all, FOSS.

And yet you persist .. with this idiotic delusion that your unfounded criticism is contributing to a solution.

And then you have the nerve to call yourself a professional ..
Last edited by disqualified on Fri Jan 12, 2018 2:47 am, edited 1 time in total.

oat_bondmen
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 10, 2018 5:00 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Post by oat_bondmen » Fri Jan 12, 2018 2:20 am

You will note that I was the first person to raise the alarm on this release warning users to not install it.

My criticism is very well founded. I have yet to hear a justification as to why this broken release was able to be released in such an unusable state, nor an explanation for the complete failure in QA before GA.
