VPN-on-demand stopped working with 3.2.0

erich1899
OpenVpn Newbie
Posts: 6
Joined: Fri Jul 10, 2020 9:03 am

VPN-on-demand stopped working with 3.2.0

Post by erich1899 » Fri Jul 10, 2020 9:37 am

Hi there,

my environment:
pfSense: 2.4.5_1 (up2date)
iOS: 13.5.1 (up2date)
openVPN-App: 3.2.0 (up2date)

I've been using VPN-on-demand profiles (imported with .mobileconfig) for a long time now on many iOS devices. But since the app update to 3.2.0 all VPN-on-demand connections stopped working. I use(d) both UDP and TCP connections. Both stopped working. What I can see on pfSense is not much:


Jul 10 11:16:51	openvpn	15873	80.187.x.x:4926 TLS Error: incoming packet authentication failed from [AF_INET]80.187.x.x:4926
Jul 10 11:16:51	openvpn	15873	80.187.x.x:4926 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1594372607) Fri Jul 10 11:16:47 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jul 10 11:16:51	openvpn	15873	80.187.x.x:4926 PID_ERR replay [0] [TLS_WRAP-0] [0] 1594372607:1 1594372607:1 t=1594372611[0] r=[0,64,15,0,1] sl=[63,1,64,528]
Jul 10 11:16:51	openvpn	15873	80.187.x.x:4926 TLS: Initial packet from [AF_INET]80.187.x.x:4926, sid=b245ec54 567c1176
Jul 10 11:16:51	openvpn	15873	80.187.x.x:4926 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Jul 10 11:16:51	openvpn	15873	80.187.x.x:4926 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Question 1: the connection on iOS is initiated automatically when opening remote (my own) addresses. Where can I find a log? The OpenVPN log in the app is empty.
Question 2: what changed from 3.1.2 => 3.2.0 that could cause these problems?

I'm a bit lost right now... without logs on the device side it is almost impossible to investigate any further...

Thanks in advance
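An added diagnostic, not from this thread or from OpenVPN itself, that pulls the two option strings out of the pfSense log lines quoted above and diffs them key by key: a mirrored keydir and the tls-client/tls-server role are expected to differ between the two ends of a tunnel, anything else is a real options mismatch. The client string is a hypothetical stand-in for the iOS app's own "Local Options String" once its log is found; it is constructed here with compression left out to show how a mismatch is reported.

```python
import re

# Constructed sample: the two option-string lines from the pfSense log in the post.
LOG_LINES = [
    "Jul 10 11:16:51\topenvpn\t15873\t80.187.x.x:4926 Expected Remote Options String "
    "(VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,"
    "cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'",
    "Jul 10 11:16:51\topenvpn\t15873\t80.187.x.x:4926 Local Options String "
    "(VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,"
    "cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'",
]

# Hypothetical client-side "Local Options String" (not from the post): constructed
# without comp-lzo so the comparison below has a real mismatch to report.
HYPOTHETICAL_CLIENT = ("V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,keydir 1,"
                       "cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,"
                       "key-method 2,tls-client")

OPTS_RE = re.compile(r"(Expected Remote|Local) Options String \(VER=V\d\): '([^']*)'")

def extract_option_strings(lines):
    """Map 'Expected Remote' / 'Local' to their option lists, parsed from log lines."""
    found = {}
    for line in lines:
        m = OPTS_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2).split(",")
    return found

def option_key(opt):
    """tls-client/tls-server are one setting (the TLS role); otherwise the first word."""
    return "tls-role" if opt in ("tls-client", "tls-server") else opt.split(" ", 1)[0]

# Differences that are expected between the two ends of one tunnel.
COMPLEMENTARY = {("keydir 0", "keydir 1"), ("keydir 1", "keydir 0"),
                 ("tls-client", "tls-server"), ("tls-server", "tls-client")}

def compare_options(a_opts, b_opts):
    """Return (real_mismatches, complementary) as lists of (key, a, b); None = absent."""
    a = {option_key(o): o for o in a_opts}
    b = {option_key(o): o for o in b_opts}
    real, complementary = [], []
    for key in sorted(set(a) | set(b)):
        x, y = a.get(key), b.get(key)
        if x == y:
            continue
        (complementary if (x, y) in COMPLEMENTARY else real).append((key, x, y))
    return real, complementary

if __name__ == "__main__":
    opts = extract_option_strings(LOG_LINES)
    print(compare_options(opts["Expected Remote"], opts["Local"]))
    print(compare_options(opts["Expected Remote"], HYPOTHETICAL_CLIENT.split(",")))
```

The server's "Expected Remote" string is what a matching client must send, so once the iOS client log is available its "Local Options String" can be passed as the second argument directly.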

TinCanTech
OpenVPN Protagonist
Posts: 7584
Joined: Fri Jun 03, 2016 1:17 pm

Re: VPN-on-demand stopped working with 3.2.0

Post by TinCanTech » Fri Jul 10, 2020 10:38 am

erich1899 wrote:
Fri Jul 10, 2020 9:37 am
I use(d) both UDP and TCP connections
You only get replay warnings in UDP. Your problem is caused by something else.
erich1899 wrote:
Fri Jul 10, 2020 9:37 am
without logs on the device side
They are there somewhere. I don't use iOS so I don't know where.

erich1899
OpenVpn Newbie
Posts: 6
Joined: Fri Jul 10, 2020 9:03 am

Re: VPN-on-demand stopped working with 3.2.0

Post by erich1899 » Fri Jul 10, 2020 1:02 pm

I only reported UDP-related logs here. TCP looks similar.
My problem is caused by the new app version. It stopped working exactly after upgrading to 3.2.0.

TinCanTech
OpenVPN Protagonist
Posts: 7584
Joined: Fri Jun 03, 2016 1:17 pm

Re: VPN-on-demand stopped working with 3.2.0

Post by TinCanTech » Fri Jul 10, 2020 1:34 pm

erich1899 wrote:
Fri Jul 10, 2020 1:02 pm
I only reported UDP-related logs here. TCP looks similar.
Looks similar but no replay warnings ..

See viewtopic.php?f=30&t=22603#p68963

erich1899
OpenVpn Newbie
Posts: 6
Joined: Fri Jul 10, 2020 9:03 am

Re: VPN-on-demand stopped working with 3.2.0

Post by erich1899 » Fri Jul 10, 2020 1:39 pm

Thanks for your help... :?

I think I am not the first one who might search for the client logs on iOS when using VPN-on-demand.
So that is my main question. The server side did not change, so I focus on my client. But without being able to analyse logs, I will not solve my problem.

erich1899
OpenVpn Newbie
Posts: 6
Joined: Fri Jul 10, 2020 9:03 am

Re: VPN-on-demand stopped working with 3.2.0

Post by erich1899 » Fri Jul 10, 2020 2:23 pm

UDP server config pfSense

dev ovpns3
verb 4
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-GCM
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local x.x.x.x
tls-server
server y.y.y.y 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server3
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'public.dns' 2"
lport 1194
management /var/etc/openvpn/server3.sock unix
push "route z.z.z.z 255.255.255.0"
push "dhcp-option DNS z.z.z.1"
duplicate-cn
ca /var/etc/openvpn/server3.ca
cert /var/etc/openvpn/server3.cert
key /var/etc/openvpn/server3.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server3.crl-verify
tls-auth /var/etc/openvpn/server3.tls-auth 0
ncp-disable
comp-lzo adaptive
push "comp-lzo adaptive"
persist-remote-ip
float
topology subnet
mute-replay-warnings

push "explicit-exit-notify"

push "inactive 60"


TCP server config pfSense

dev ovpns4
verb 4
dev-type tun
dev-node /dev/tun4
writepid /var/run/openvpn_server4.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-server
cipher AES-256-GCM
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local x.x.x.x
tls-server
server y.y.y.y 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server4
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'public.dns' 2"
lport 1194
management /var/etc/openvpn/server4.sock unix
push "route z.z.z.z 255.255.255.0"
push "dhcp-option DNS z.z.z.1"
duplicate-cn
ca /var/etc/openvpn/server4.ca
cert /var/etc/openvpn/server4.cert
key /var/etc/openvpn/server4.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server4.crl-verify
tls-auth /var/etc/openvpn/server4.tls-auth 0
ncp-disable
comp-lzo adaptive
persist-remote-ip
float
topology subnet
mute-replay-warnings

push "explicit-exit-notify"

push "inactive 60"
Last edited by Pippin on Fri Jul 10, 2020 2:29 pm, edited 2 times in total.
Reason: Formatting
