Failing to create VPN on demand profile in iOS 12 with OpenVPN

Official client software for OpenVPN Access Server and OpenVPN Cloud.
alexanderalbrecht
OpenVpn Newbie
Posts: 11
Joined: Thu Nov 01, 2018 2:30 pm

Post by alexanderalbrecht » Fri Nov 02, 2018 9:05 am

Hi,

I've still got trouble creating the vpn-on-demand with a .mobileconfig profile, even after going through the instructions ( https://docs.openvpn.net/connecting/con ... nnect-ios/ ) at least 10 times. I think I got everything right, importing will work, the profile will be added to the iOS settings and appear in the OpenVPN app. But in the end, when I try to connect, the OpenVPN log says: (I am using the latest app and iOS)

Code:

–––
2018-40-01 15:40:49 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct  3 2018 06:35:04

2018-40-01 15:40:49 Frame=512/2048/512 mssfix-ctrl=1250

2018-40-01 15:40:49 EVENT: CORE_ERROR mbed TLS: error parsing config private key : PK - Invalid key tag or value [ERR]

2018-40-01 15:40:49 Raw stats on disconnect:

2018-40-01 15:40:49 Performance stats on disconnect:
  CPU usage (microseconds): 28463
  Network bytes per CPU second: 0
  Tunnel bytes per CPU second: 0
–––
I already spent 10 hours figuring out my problem, but still have no solution. I think the private key is kind of wrong, or I do not know how to add the private key lines to the .mobileconfig. The following lines are from the OpenVPN file:

Code:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,C3E42ABD3EC0B7BDE9FF12F4AF183DB6

My part of the .mobileconfig for the private key starts like…

Code:

<key>key</key>
<string>-----BEGIN PRIVATE KEY-----\nQRfHqAhMRKcaCI3jjLrSJg5Lf5hd+HEPIRYh1uEinW etc…

Thx and best regards
Alex


Post by alexanderalbrecht » Fri Nov 02, 2018 12:01 pm

Sorry for not being specific enough. I try to create a .mobileconfig file (an iOS profile) that manages the behavior of my iPhone depending on which wifi network it is joining or when it is using mobile data. For example, when being outside the house, on 4G network or being at the university's wifi network, I want the iPhone to connect to OpenVPN. This is done by creating the .mobileconfig file and adding rules. Inside the mobileconfig, I have to add the certificates etc.

My OpenVPN is already running fine, I can manually connect without any problems. But I want to automate the task.

Here is my mobileconfig file. I've changed the server and keys for security reasons to post the whole content of the file. And of course I've disabled the vpn-on-demand and set the string 0, just to have better control and to have a look at the log file. I have to set this to 1 if I want the whole cake.

The current settings will try to connect but nothing happens, no errors inside the log. I think the keys and certs have some errors. I do not know how to convert them to work inside the mobileconfig. I read somewhere to replace all line breaks with "\n", which I did. But it did not help.

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>IPv4</key>
			<dict>
				<key>OverridePrimary</key>
				<integer>0</integer>
			</dict>
			<key>PayloadDescription</key>
			<string>Konfiguriert VPN-Einstellungen</string>
			<key>PayloadDisplayName</key>
			<string>VPN</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.3A74BF8F-F0B3-427D-8FCA-9B59EF18573E</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>3A74BF8F-F0B3-427D-8FCA-9B59EF18573E</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Proxies</key>
			<dict>
				<key>HTTPEnable</key>
				<integer>0</integer>
				<key>HTTPSEnable</key>
				<integer>0</integer>
			</dict>
			<key>UserDefinedName</key>
			<string>VPN OnDemand albiiphone</string>
			<key>VPN</key>
			<dict>
				<key>AuthName</key>
				<string>DEFAULT</string>
				<key>AuthenticationMethod</key>
				<string>Password</string>
				<key>OnDemandEnabled</key>
				<integer>1</integer>
				<key>OnDemandRules</key>
				<array>
					<dict>
						<key>Action</key>
						<string>Disconnect</string>
						<key>InterfaceTypeMatch</key>
						<string>WiFi</string>
						<key>SSIDMatch</key>
						<array>
							<string>AG</string>
							<string>Werner WLAN</string>
							<string>CVS</string>
						</array>
					</dict>
					<dict>
						<key>Action</key>
						<string>Connect</string>
						<key>InterfaceTypeMatch</key>
						<string>WiFi</string>
					</dict>
					<dict>
						<key>Action</key>
						<string>Connect</string>
						<key>InterfaceTypeMatch</key>
						<string>Cellular</string>
					</dict>
					<dict>
						<key>Action</key>
						<string>Ignore</string>
					</dict>
				</array>
				<key>RemoteAddress</key>
				<string>DEFAULT</string>
			</dict>
			<key>VPNSubType</key>
			<string>net.openvpn.connect.app</string>
			<key>VPNType</key>
			<string>VPN</string>
			<key>VendorConfig</key>
			<dict>
				<key>ca</key>
				<string>-----BEGIN CERTIFICATE-----\nMIIFKzCCAxOgAwIBAgIJAPxFUZrZTHyPMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV\nBAMMCENoYW5nZU1lMB4XDTE4MDgAEK1Qt55jHYFHOJIDi0/xi/43a\nyxpQY4OwxWVHRdxWx0rm9bOi6h3iHtB+s29Hnb1YqA==\n-----END CERTIFICATE-----\n</string>
				<key>cert</key>
				<string>-----BEGIN CERTIFICATE-----\nMIIFODCCAyCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDn09Ihp9YjJJcJQA+zateVivv\naAEtKPYjc/t5AMcKvCN3lnXl3UUzitLHZ7/tRyP1kEHnIM1GUp7rRF6/p4s=\n-----END CERTIFICATE-----\n</string>
				<key>cipher</key>
				<string>AES-128-CBC</string>
				<key>client</key>
				<string>NOARGS</string>
				<key>dhcp-option</key>
				<string>DNS 10.0.1.3</string>
				<key>key</key>
				<string>-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,C3E42ABD3EC0B7BDE9FF12F4AF183DB6\nQRfHqAhMRKcaCI3jjLrSJg5Lf5hd+HEPIRYh1uEinWC8kDyDGPHwDKKwvmlmxEAo\n3MIJ1P2WLfL9hP5sQiECCA8AYfrBq5KWAIgvGGrELBMSSLqabkTa1yk68IIPv4n8\n7f+yxjkOnS7rg5skao5q9kK6XZerH/NjNdBVTzRIXpmdj1Ry142YbuhD1HVVGsk/\nwwguymDWgmxJDB9Wrxh5CmVrA5TKb79pCZBjEPdAHe88zsCkX/kXonCqRZ/w5rPw\nQ5hXDXCw8I\nZS4f7+n+4JAGsp6GZqU6QtNxcO30v059Dib2WMx/U+EM8zp8AgxZMft54Jso0K3C\n+xm8ByOLq99WFI/gsHr2li4OMduEnDfJFycL8lZbC5ufS6jikGXOCQRb3tIs7v/f\n-----END RSA PRIVATE KEY-----\n</string>
				<key>remote</key>
				<string>vpn.myhost.xyz 1194 udp</string>
				<key>vpn-on-demand</key>
				<string>0</string>
			</dict>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>VPN OnDemand albiiphone</string>
	<key>PayloadIdentifier</key>
	<string>Albi.277D1E9C-0C23-4400-A473-4164BD8E6F4F</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>9FB4031D-AC01-4757-BEA2-E8BB20D152F1</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Post by TinCanTech » Fri Nov 02, 2018 12:16 pm

alexanderalbrecht wrote:
Fri Nov 02, 2018 12:01 pm
I read somewhere to replace all line breaks with "\n", which I did

You did that incorrectly ..

You replace (Windows style) "Carriage Return & Line Feed" with (Unix style) "Newline" character.

You have this:
<key>ca</key>
<string>-----BEGIN CERTIFICATE-----\nMIIFKzCCAxOgAwIBAgIJAPxFUZrZTHyPMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV\nBAMMCENoYW5nZU1lMB4XDTE4MDgAEK1Qt55jHYFHOJIDi0/xi/43a\nyxpQY4OwxWVHRdxWx0rm9bOi6h3iHtB+s29Hnb1YqA==\n-----END CERTIFICATE-----\n</string>
You have replaced "Line breaks" with literal "\n"

You need something like this:
<key>ca</key>
<string>-----BEGIN CERTIFICATE-----
MIIFKzCCAxOgAwIBAgIJAPxFUZrZTHyPMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
BAMMCENoYW5nZU1lMB4XDTE4MDgAEK1Qt55jHYFHOJIDi0/xi/43a
yxpQY4OwxWVHRdxWx0rm9bOi6h3iHtB+s29Hnb1YqA==
-----END CERTIFICATE-----</string>
Also, it looks like you are using the tags incorrectly. Read the link above.

As for this ".mobileconfig" file, I don't know what you need ..

Post by alexanderalbrecht » Fri Nov 02, 2018 12:57 pm

I've reverted this to normal (unix style) newline carriers with the TextEdit.app on macOS.

At the moment the certs and the key are the same as in the already working .ovpn file. I did the same as the example given here… https://docs.openvpn.net/connecting/con ... example-1/

I read somewhere the certs and keys have to be one line? Is that wrong?

And do I have to add the tls-auth key? Or is this optional?

Post by TinCanTech » Fri Nov 02, 2018 1:17 pm

alexanderalbrecht wrote:
Fri Nov 02, 2018 12:57 pm
I've reverted this to normal (unix style) newline carriers with the TextEdit.app on macOS.

At the moment the certs and the key are the same as in the already working .ovpn file. I did the same as the example given here… https://docs.openvpn.net/connecting/con ... example-1/

Sorry, judging by your example you probably had it right the first time ..

alexanderalbrecht wrote:
Fri Nov 02, 2018 12:57 pm
I read somewhere the certs and keys have to be one line? Is that wrong?

In the example it would appear they must be on one line.

alexanderalbrecht wrote:
Fri Nov 02, 2018 12:57 pm
do I have to add the tls-auth key? Or is this optional?

It is optional .. if you use --tls-auth on the server then use it on the client otherwise don't use it.

Post by alexanderalbrecht » Fri Nov 02, 2018 1:28 pm

So removing all line breaks from the key should be good? I did not replace the line breaks inside the key with \n

\n only appears in my config-file where the example by the OpenVPN page says it should be.

Now I got the following error:

Code:

2018-27-02 14:27:10 EVENT: CORE_ERROR mbed TLS: error parsing config private key : PK - Invalid key tag or value : ASN1 - ASN1 tag was of an unexpected value [ERR]

Post by alexanderalbrecht » Fri Nov 02, 2018 1:57 pm

I think I made one step forward with this https://github.com/pivpn/pivpn/issues/304

My private key for this user is not encrypted anymore. But it still fails to connect:

Code:

2018-53-02 14:53:13 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct  3 2018 06:35:04

2018-53-02 14:53:13 Frame=512/2048/512 mssfix-ctrl=1250

2018-53-02 14:53:13 EVENT: RESOLVE

2018-53-02 14:53:13 Contacting [158.181.xxx.xx]:1194/UDP via UDP

2018-53-02 14:53:13 EVENT: WAIT

2018-53-02 14:53:13 Connecting to [vpn.myhost.xyz]:1194 (158.181.xxx.xx) via UDPv4

2018-53-02 14:53:24 Server poll timeout, trying next remote entry...

2018-53-02 14:53:24 EVENT: RECONNECTING

As I said before, the ovpn file inside the OpenVPN iOS app is working. So connecting to my RaspberryPi VPN from outside is not the issue.

Post by TinCanTech » Fri Nov 02, 2018 2:33 pm

alexanderalbrecht wrote:
Fri Nov 02, 2018 1:57 pm
2018-53-02 14:53:13 Connecting to [vpn.myhost.xyz]:1194 (158.181.xxx.xx) via UDPv4
2018-53-02 14:53:24 Server poll timeout, trying next remote entry...

Check your server log.

Post by alexanderalbrecht » Fri Nov 02, 2018 2:37 pm

It says

Code:

Nov  2 15:36:24 pi ovpn-server[405]: tls-crypt unwrap error: packet too short
Nov  2 15:36:24 pi ovpn-server[405]: TLS Error: tls-crypt unwrapping failed from [AF_INET]194.230.155.213:54319

Post by TinCanTech » Fri Nov 02, 2018 2:40 pm

See --tls-crypt in the manual.

viewtopic.php?f=30&t=22603

Post by alexanderalbrecht » Fri Nov 02, 2018 3:37 pm

From my server.conf I already have…

Code:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_foxXy0n9hCFWETp9.crt
key /etc/openvpn/easy-rsa/pki/private/server_foxXy0n9hCFWETp9.key
dh none
ecdh-curve secp384r1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.0.1.3"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
compress lz4
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io

Honestly I have no clue what to do with your information :(

Post by TinCanTech » Fri Nov 02, 2018 3:53 pm

alexanderalbrecht wrote:
Fri Nov 02, 2018 2:37 pm
TLS Error: tls-crypt

Which you have in your server but not in your client.

alexanderalbrecht wrote:
Fri Nov 02, 2018 3:37 pm
I have no clue what to do with your information

Read it and follow the instructions ..

Post by alexanderalbrecht » Fri Nov 02, 2018 4:07 pm

What I don't understand: why is connecting with the .ovpn file from the OpenVPN no problem, but setting up a VPN profile with the same credentials via .mobileconfig throws an error?

Post by alexanderalbrecht » Fri Nov 02, 2018 4:18 pm

GOT IT!

Like described here http://www.codingmerc.com/blog/ios-vpn- ... h-openvpn/

I had to add the key tls-auth plus the according string (actually the key from the .ovpn file without line-breaks) and change "tls-auth" to "tls-crypt"

Connecting to the OpenVPN is no problem anymore.

Thanks for pointing me to the solution.
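
Added example, not code from the thread or from the OpenVPN project: it converts an .ovpn profile with inline blocks into VendorConfig strings in the single-line `\n` form the posts above refer to, and rejects the kind of private key material that produced the parsing errors above (a key that is still passphrase-encrypted, or a body that does not decode to a DER SEQUENCE). The function names and the sample profile are constructed for illustration.

```python
import base64
import plistlib
import re

# Inline blocks of an .ovpn profile that carry multi-line PEM or static-key material.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt")

def parse_ovpn(text):
    """Return {directive: args}; inline <tag> blocks become lists of lines."""
    opts, tag, buf = {}, None, []
    for raw in text.splitlines():            # splitlines() also drops CRLF endings
        line = raw.strip()
        if tag:
            if line == f"</{tag}>":
                opts[tag], tag, buf = buf, None, []
            elif line and not line.startswith("#"):
                buf.append(line)
        elif line.startswith("<") and line.endswith(">") and line[1:-1] in INLINE_TAGS:
            tag = line[1:-1]
        elif line and not line.startswith(("#", ";")):
            name, _, args = line.partition(" ")
            opts[name] = args.strip() or "NOARGS"   # repeated directives: last one wins
    return opts

def key_problem(lines):
    """Explain why a PEM private key would not parse as-is, or return None."""
    if not lines:
        return "no inline <key> block"
    head = lines[0]
    if "ENCRYPTED" in head or any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines):
        return "private key is passphrase-encrypted"
    if not re.fullmatch(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----", head):
        return "missing or unknown PEM header"
    if lines[-1] != head.replace("BEGIN", "END"):
        return "BEGIN/END markers do not match"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return "body is not valid base64"
    if der[:1] != b"\x30":                    # DER private keys start with a SEQUENCE tag
        return "body is not a DER SEQUENCE (edited header or still-encrypted data)"
    return None

def vendor_config(ovpn_text):
    """Build VendorConfig values: one string per directive, line breaks as literal \\n."""
    opts = parse_ovpn(ovpn_text)
    problem = key_problem(opts.get("key", []))
    if problem:
        raise ValueError(f"key: {problem}")
    return {k: "\\n".join(v) + "\\n" if isinstance(v, list) else v
            for k, v in opts.items()}

# Constructed sample profile: placeholder bodies, not real key material.
_FAKE_DER = base64.b64encode(b"\x30\x82\x01\x00" + bytes(44)).decode()
SAMPLE = f"""client
remote vpn.myhost.xyz 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
{_FAKE_DER}
-----END PRIVATE KEY-----
</key>
<tls-crypt>
# constructed static key, shortened
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

if __name__ == "__main__":
    print(plistlib.dumps({"VendorConfig": vendor_config(SAMPLE)}).decode())
```

The resulting profile carries the private key unencrypted, so the .mobileconfig file needs the same handling as the key file itself.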

Post by alexanderalbrecht » Fri Nov 02, 2018 4:57 pm

As the connection is working, other problems pop up. At first I saw in the log some error about the compression. I've added the setting "compress lz4" to the .mobileconfig, and the error was gone.

At the moment no data is coming through :(

Now I do not know if there is an error, but the server log says:

Code:

Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 TLS: Initial packet from [AF_INET]194.230.155.213:63323, sid=57680604 64c7181b
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 VERIFY OK: depth=1, CN=ChangeMe
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 Validating certificate key usage
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 ++ Certificate has key usage  0080, expects 0080
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 VERIFY KU OK
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 Validating certificate extended key usage
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 VERIFY EKU OK
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 VERIFY OK: depth=0, CN=albiiphonevod
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 peer info: IV_VER=3.2
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 peer info: IV_PLAT=ios
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 peer info: IV_NCP=2
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 peer info: IV_TCPNL=1
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 peer info: IV_PROTO=2
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 peer info: IV_LZO_STUB=1
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 peer info: IV_COMP_STUB=1
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 peer info: IV_COMP_STUBv2=1
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 peer info: IV_AUTO_SESS=1
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Nov  2 17:54:58 pi ovpn-server[405]: 194.230.155.213:63323 [albiiphonevod] Peer Connection Initiated with [AF_INET]194.230.155.213:63323
Nov  2 17:54:58 pi ovpn-server[405]: albiiphonevod/194.230.155.213:63323 MULTI_sva: pool returned IPv4=10.8.0.9, IPv6=(Not enabled)
Nov  2 17:54:58 pi ovpn-server[405]: albiiphonevod/194.230.155.213:63323 MULTI: Learn: 10.8.0.9 -> albiiphonevod/194.230.155.213:63323
Nov  2 17:54:58 pi ovpn-server[405]: albiiphonevod/194.230.155.213:63323 MULTI: primary virtual IP for albiiphonevod/194.230.155.213:63323: 10.8.0.9
Nov  2 17:54:58 pi ovpn-server[405]: albiiphonevod/194.230.155.213:63323 PUSH: Received control message: 'PUSH_REQUEST'
Nov  2 17:54:58 pi ovpn-server[405]: albiiphonevod/194.230.155.213:63323 SENT CONTROL [albiiphonevod]: 'PUSH_REPLY,dhcp-option DNS 10.0.1.3,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 1800,ping-restart 3600,ifconfig 10.8.0.9 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Nov  2 17:54:58 pi ovpn-server[405]: albiiphonevod/194.230.155.213:63323 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov  2 17:54:58 pi ovpn-server[405]: albiiphonevod/194.230.155.213:63323 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

The log of the OpenVPN app says:

Code:

2018-20-02 18:20:38 NIP: iOS reported network status unavailable

2018-20-02 18:20:38 OS Event: NET UNAVAILABLE (PAUSE): Internet:NotReachable/-R tc-----

2018-20-02 18:20:38 NIP: iOS reported network status available

2018-20-02 18:20:38 OS Event: NET AVAILABLE (RESUME): Internet:ReachableViaWWAN/WR t------ allow=1

2018-20-02 18:20:41 RECONNECT TEST: Internet:ReachableViaWWAN/WR t------

2018-20-02 18:20:41 EARLY RECONNECT

2018-20-02 18:20:43 1

2018-20-02 18:20:43 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct  3 2018 06:35:04

2018-20-02 18:20:43 Frame=512/2048/512 mssfix-ctrl=1250

2018-20-02 18:20:43 UNUSED OPTIONS
7 [link-mtu] [1570] 

2018-20-02 18:20:43 EVENT: RESOLVE

2018-20-02 18:20:43 Contacting [XXX.XXX.XXX.XX]:1194/UDP via UDP

2018-20-02 18:20:43 EVENT: WAIT

2018-20-02 18:20:43 Connecting to [vpn.myhost.xyz]:1194 (XXX.XXX.XXX.XX) via UDPv4

2018-20-02 18:20:43 EVENT: CONNECTING

2018-20-02 18:20:43 Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client

2018-20-02 18:20:43 Creds: UsernameEmpty/PasswordEmpty

2018-20-02 18:20:43 Peer Info:
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1


2018-20-02 18:20:43 VERIFY OK : depth=1
cert. version     : 3
serial number     : FC:45:51:9A:D9:4C:7C:8F
issuer name       : CN=ChangeMe
subject name      : CN=ChangeMe
issued  on        : 2018-08-28 06:09:26
expires on        : 2028-08-25 06:09:26
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign


2018-20-02 18:20:43 VERIFY OK : depth=0
cert. version     : 3
serial number     : 01
issuer name       : CN=ChangeMe
subject name      : CN=server_foxXy0n9hCFWETp9
issued  on        : 2018-08-28 06:10:04
expires on        : 2028-08-25 06:10:04
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=false
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication


2018-20-02 18:20:44 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

2018-20-02 18:20:44 Session is ACTIVE

2018-20-02 18:20:44 EVENT: GET_CONFIG

2018-20-02 18:20:44 Sending PUSH_REQUEST to server...

2018-20-02 18:20:44 OPTIONS:
0 [dhcp-option] [DNS] [10.0.1.3] 
1 [dhcp-option] [DNS] [10.0.1.3] 
2 [block-outside-dns] 
3 [redirect-gateway] [def1] 
4 [route-gateway] [10.8.0.1] 
5 [topology] [subnet] 
6 [ping] [1800] 
7 [ping-restart] [3600] 
8 [ifconfig] [10.8.0.9] [255.255.255.0] 
9 [peer-id] [0] 
10 [cipher] [AES-256-GCM] 


2018-20-02 18:20:44 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA256
  compress: COMP_STUB
  peer ID: 0

2018-20-02 18:20:44 EVENT: ASSIGN_IP

2018-20-02 18:20:44 NIP: preparing TUN network settings

2018-20-02 18:20:44 NIP: init TUN network settings with endpoint: XXX.XXX.XXX.XX

2018-20-02 18:20:44 NIP: adding IPv4 address to network settings 10.8.0.9/255.255.255.0

2018-20-02 18:20:44 NIP: adding (included) IPv4 route 10.8.0.0/24

2018-20-02 18:20:44 NIP: redirecting all IPv4 traffic to TUN interface

2018-20-02 18:20:44 NIP: adding DNS 10.0.1.3

2018-20-02 18:20:44 NIP: adding DNS 10.0.1.3

2018-20-02 18:20:44 Connected via NetworkExtensionTUN

2018-20-02 18:20:44 LZO-ASYM init swap=0 asym=1

2018-20-02 18:20:44 Comp-stub init swap=1

2018-20-02 18:20:44 EVENT: CONNECTED vpn.myhost.xyz:1194 (XXX.XXX.XXX.XX) via /UDPv4 on NetworkExtensionTUN/10.8.0.9/ gw=[/]

Post by alexanderalbrecht » Fri Nov 02, 2018 8:16 pm

I had to disable the compress lz4 inside the server config and restart the server. After disabling it, data is coming in!
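
Added example, not code from the thread or from the OpenVPN project: it checks a server.conf against the profile's VendorConfig keys and the client log's PROTOCOL OPTIONS block, and reports the two mismatches this thread ran into (server-side tls-crypt missing from the profile, and server-side `compress lz4` while the client session reports a compression stub). The function names are hypothetical; the inputs are excerpts of the config and log posted above.

```python
import re

def server_options(conf_text):
    """Directives of a server.conf as {name: args}; comment lines are skipped."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            name, _, args = line.partition(" ")
            opts[name] = args.strip()
    return opts

def client_protocol_options(log_text):
    """Read the indented 'PROTOCOL OPTIONS:' block of a client log into a dict."""
    opts, inside = {}, False
    for line in log_text.splitlines():
        if line.rstrip().endswith("PROTOCOL OPTIONS:"):
            inside = True
        elif inside:
            m = re.match(r"\s+([\w ]+): (\S+)", line)
            if not m:                      # blank or timestamped line ends the block
                break
            opts[m.group(1)] = m.group(2)
    return opts

def findings(server_conf, vendor_config, client_log=""):
    """List settings where the profile or the session disagrees with the server."""
    srv = server_options(server_conf)
    session = client_protocol_options(client_log)
    out = []
    for wrap in ("tls-crypt", "tls-auth"):
        if wrap in srv and wrap not in vendor_config:
            out.append(f"server uses {wrap}, profile has no {wrap} key")
    algo = srv.get("compress")
    if algo and "STUB" in session.get("compress", "").upper():
        out.append(f"server compresses with {algo}, client session reports "
                   f"{session['compress']}")
    return out

# Excerpts from the server.conf and the client log posted in the thread.
SERVER_CONF = """proto udp
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
compress lz4
"""
CLIENT_LOG = """2018-20-02 18:20:44 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA256
  compress: COMP_STUB
  peer ID: 0

2018-20-02 18:20:44 EVENT: ASSIGN_IP
"""
# Key names of the first posted profile's VendorConfig (values do not matter here).
PROFILE_KEYS = {"ca", "cert", "cipher", "client", "dhcp-option", "key",
                "remote", "vpn-on-demand"}

if __name__ == "__main__":
    for item in findings(SERVER_CONF, PROFILE_KEYS, CLIENT_LOG):
        print(item)
```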
