[solved] OpenVPN Connect broken in iOS 16

Official client software for OpenVPN Access Server and OpenVPN Cloud.
ajs1k
OpenVpn Newbie
Posts: 2
Joined: Wed Aug 10, 2022 7:00 am

[solved] OpenVPN Connect broken in iOS 16

Post by ajs1k » Wed Aug 10, 2022 7:05 am

Perhaps unwisely, I'm on the iOS 16 public betas.

The last time that OpenVPN Connect worked for me was July 29th, which was v3.3.0 of Connect.

At the moment, Connect produces no logs, the orange spinner sits there, and tcpdumping the device reveals that not only does it not connect to the OpenVPN server, it doesn't even do a DNS lookup to resolve the hostname.

Has anyone else experienced the same behaviour? I was hoping for it to be mended in the latest beta that came out yesterday, but no, it's still broken, and the lack of any logging output at all is rather tiresome because debugging this is just not possible.
Last edited by ajs1k on Wed Aug 10, 2022 9:07 am, edited 1 time in total.

ajs1k
OpenVpn Newbie
Posts: 2
Joined: Wed Aug 10, 2022 7:00 am

Re: OpenVPN Connect broken in iOS 16

Post by ajs1k » Wed Aug 10, 2022 9:07 am

Hm. Turns out that adding an OpenVPN Cloud profile made it mysteriously work again on iOS.

And doing the same thing on iPadOS plus rebooting the iPad made it work on the iPad as well.

omatzyo
OpenVpn Newbie
Posts: 2
Joined: Fri Sep 16, 2022 1:26 pm

Re: [solved] OpenVPN Connect broken in iOS 16

Post by omatzyo » Fri Sep 16, 2022 1:41 pm

I just updated to iOS 16 today and it seems to have broken my vpn-on-demand connection. This was working well before the system update on OpenVPN 3.3.2. I have restarted, uninstalled/reinstalled the app, uninstalled and reinstalled the profile to no avail.

The on demand connection just cycles rapidly through "Connecting..." and "Disconnecting..." with the following logs:

Client:

[Sep 16, 2022, 09:16:47] START CONNECTION

[Sep 16, 2022, 09:16:47] ----- OpenVPN Start -----
OpenVPN core 3.git::081bfebe ios arm64 64-bit

[Sep 16, 2022, 09:16:47] OpenVPN core 3.git::081bfebe ios arm64 64-bit

[Sep 16, 2022, 09:16:47] Frame=512/2048/512 mssfix-ctrl=1250

[Sep 16, 2022, 09:16:47] UNUSED OPTIONS
3 [id] [8D9B82E9-DCD9-4472-98AF-562489CBB522]
6 [mute] [20]
7 [mute-replay-warnings]
8 [nobind]
10 [persist-key]
11 [persist-tun]
12 [rcvbuf] [393216]
14 [resolv-retry] [infinite]
15 [sndbuf] [393216]

[Sep 16, 2022, 09:16:47] EVENT: RESOLVE

[Sep 16, 2022, 09:16:47] Contacting x.x.x.x:xxxxx via UDP

[Sep 16, 2022, 09:16:47] EVENT: WAIT

[Sep 16, 2022, 09:16:47] Connecting to [x.x.com]:xxxxx (x.x.x.x) via UDPv4

[Sep 16, 2022, 09:16:47] EVENT: CONNECTING

[Sep 16, 2022, 09:16:47] Tunnel Options:V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client

[Sep 16, 2022, 09:16:47] Creds: UsernameEmpty/PasswordEmpty

[Sep 16, 2022, 09:16:47] Peer Info:
IV_VER=3.git::081bfebe
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC
IV_IPv6=0
IV_AUTO_SESS=1
IV_SSO=webauth,openurl,crtext


[Sep 16, 2022, 09:16:48] VERIFY OK: depth=1, /C=US/ST=xx/L=xx/O=xx/OU=xx/CN=xx/name=xx/emailAddress=mail@host.domain, signature: RSA-SHA1

[Sep 16, 2022, 09:16:48] VERIFY OK: depth=0, /C=US/ST=xx/L=xx/O=xx/OU=xx/CN=xx/name=xx/emailAddress=mail@host.domain, signature: RSA-SHA1

[Sep 16, 2022, 09:16:48] SSL Handshake: peer certificate: CN=xx, 1024 bit RSA, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD


[Sep 16, 2022, 09:16:48] Session is ACTIVE

[Sep 16, 2022, 09:16:48] EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future

[Sep 16, 2022, 09:16:48] EVENT: GET_CONFIG

[Sep 16, 2022, 09:16:48] Sending PUSH_REQUEST to server...

[Sep 16, 2022, 09:16:48] OPTIONS:
0 [route] [10.x.x.x] [255.255.255.255]
1 [route] [10.x.x.x] [255.255.255.0]
2 [route] [10.x.x.x] [255.255.224.0]
3 [dhcp-option] [DNS] [10.x.x.x]
4 [dhcp-option] [DNS] [10.x.x.x]
5 [redirect-gateway] [def1]
6 [route] [10.x.x.x] [255.255.255.0]
7 [topology] [net30]
8 [ping] [10]
9 [ping-restart] [120]
10 [ifconfig] [10.x.x.x] [10.x.x.x]
11 [peer-id] [3]
12 [cipher] [AES-256-GCM]
13 [block-ipv6]


[Sep 16, 2022, 09:16:48] PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
key-derivation: OpenVPN PRF
compress: NONE
peer ID: 3
control channel: tls-auth enabled

[Sep 16, 2022, 09:16:48] EVENT: ASSIGN_IP

[Sep 16, 2022, 09:16:48] NIP: preparing TUN network settings

[Sep 16, 2022, 09:16:48] NIP: init TUN network settings with endpoint: x.x.x.x

[Sep 16, 2022, 09:16:48] NIP: adding IPv4 address to network settings 10.x.x.x/255.255.255.252

[Sep 16, 2022, 09:16:48] NIP: adding (included) IPv4 route 10.x.x.x/30

[Sep 16, 2022, 09:16:48] NIP: adding (included) IPv4 route 10.x.x.x/32

[Sep 16, 2022, 09:16:48] NIP: adding (included) IPv4 route 10.x.x.x/24

[Sep 16, 2022, 09:16:48] NIP: adding (included) IPv4 route 10.x.x.x/19

[Sep 16, 2022, 09:16:48] NIP: adding (included) IPv4 route 10.x.x.x/24

[Sep 16, 2022, 09:16:48] NIP: redirecting all IPv4 traffic to TUN interface

[Sep 16, 2022, 09:16:48] NIP: adding DNS 10.x.x.x

[Sep 16, 2022, 09:16:48] NIP: adding DNS 10.x.x.x

[Sep 16, 2022, 09:16:48] NIP: blocking all IPv6 traffic

[Sep 16, 2022, 09:16:48] Connected via NetworkExtensionTUN

[Sep 16, 2022, 09:16:48] EVENT: CONNECTED x.x.com:xxxxx (x.x.x.x) via /UDPv4 on NetworkExtensionTUN/10.x.x.x/ gw=[/]

[Sep 16, 2022, 09:16:49] EVENT: DISCONNECTED

[Sep 16, 2022, 09:16:49] EVENT: CORE_THREAD_DONE

[Sep 16, 2022, 09:16:49] EVENT: DISCONNECT_PENDING

[Sep 16, 2022, 09:16:49] Raw stats on disconnect:
BYTES_IN : 17701
BYTES_OUT : 10200
PACKETS_IN : 42
PACKETS_OUT : 51
TUN_BYTES_IN : 5624
TUN_BYTES_OUT : 13008
TUN_PACKETS_IN : 39
TUN_PACKETS_OUT : 32


[Sep 16, 2022, 09:16:49] Performance stats on disconnect:
CPU usage (microseconds): 53169
Tunnel compression ratio (uplink): 1.81366
Tunnel compression ratio (downlink): 1.36078
Network bytes per CPU second: xxxxx760
Tunnel bytes per CPU second: 350429

Server:

Fri Sep 16 09:16:45 2022 xxx:xxx:xxx:xxx:XXXXX [iosondemand2] Peer Connection Initiated with [AF_INET]xxx:xxx:xxx:xxx:XXXXX
Fri Sep 16 09:16:45 2022 iosondemand2/xxx:xxx:xxx:xxx:XXXXX MULTI_sva: pool returned IPv4=10.x.x.x, IPv6=(Not enabled)
Fri Sep 16 09:16:48 2022 xxx:xxx:xxx:xxx:XXXXX peer info: IV_VER=3.git::081bfebe
Fri Sep 16 09:16:48 2022 xxx:xxx:xxx:xxx:XXXXX peer info: IV_PLAT=ios
Fri Sep 16 09:16:48 2022 xxx:xxx:xxx:xxx:XXXXX peer info: IV_NCP=2
Fri Sep 16 09:16:48 2022 xxx:xxx:xxx:xxx:XXXXX peer info: IV_TCPNL=1
Fri Sep 16 09:16:48 2022 xxx:xxx:xxx:xxx:XXXXX peer info: IV_PROTO=30
Fri Sep 16 09:16:48 2022 xxx:xxx:xxx:xxx:XXXXX peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC
Fri Sep 16 09:16:48 2022 xxx:xxx:xxx:xxx:XXXXX peer info: IV_IPv6=0
Fri Sep 16 09:16:48 2022 xxx:xxx:xxx:xxx:XXXXX peer info: IV_AUTO_SESS=1
Fri Sep 16 09:16:48 2022 xxx:xxx:xxx:xxx:XXXXX peer info: IV_SSO=webauth,openurl,crtext
If anyone can help, I'd really appreciate it.

omatzyo
OpenVpn Newbie
Posts: 2
Joined: Fri Sep 16, 2022 1:26 pm

Re: [solved] OpenVPN Connect broken in iOS 16

Post by omatzyo » Fri Sep 16, 2022 2:41 pm

I think this was an error of my own making. My mobileconfig included a line about disconnecting with a specific DNS address (on the main network) that is also used from VPN clients.

<dict>
	<key>Action</key>
	<string>Disconnect</string>
	<key>DNSServerAddressMatch</key>
	<array>
		<string>10.x.x.x</string>
	</array>
</dict>
Removing this section allowed me to connect. Sorry!
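
Added example (not part of the original posts, and not OpenVPN or Apple code): a check for the conflict described in the last post, where a `Disconnect` on-demand rule keyed on `DNSServerAddressMatch` names a DNS server that the VPN itself pushes to clients. The sample profile, log lines and addresses are constructed, the function names are hypothetical, and the check flags any overlap, treating `*` in a rule entry as a wildcard, which is a conservative assumption rather than a statement of exact iOS matching behaviour.

```python
import plistlib
import re
from fnmatch import fnmatchcase

# Constructed sample: fragment of a VPN payload with two on-demand rules.
SAMPLE_PROFILE = b"""<plist version="1.0"><dict>
  <key>OnDemandRules</key>
  <array>
    <dict>
      <key>Action</key><string>Disconnect</string>
      <key>DNSServerAddressMatch</key>
      <array><string>10.0.0.53</string></array>
    </dict>
    <dict><key>Action</key><string>Connect</string></dict>
  </array>
</dict></plist>"""

# Constructed sample: pushed options as they appear in the client log.
SAMPLE_LOG = """[Sep 16, 2022, 09:16:48] OPTIONS:
3 [dhcp-option] [DNS] [10.0.0.53]
4 [dhcp-option] [DNS] [10.0.0.54]
5 [redirect-gateway] [def1]"""

def pushed_dns(log_text):
    """Return the DNS servers the server pushed, in log order."""
    return re.findall(r"\[dhcp-option\] \[DNS\] \[([^\]]+)\]", log_text)

def find_rules(node):
    """Yield every OnDemandRules entry, wherever the payload nests it."""
    if isinstance(node, dict):
        yield from node.get("OnDemandRules", [])
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from find_rules(item)

def conflicting_rules(profile_bytes, log_text):
    """List (rule index, rule entry, pushed DNS it matches) for Disconnect rules."""
    dns = pushed_dns(log_text)
    hits = []
    for index, rule in enumerate(find_rules(plistlib.loads(profile_bytes))):
        if rule.get("Action") != "Disconnect":
            continue
        for pattern in rule.get("DNSServerAddressMatch", []):
            matched = [addr for addr in dns if fnmatchcase(addr, pattern)]
            if matched:
                hits.append((index, pattern, matched))
    return hits
```

A non-empty result means the tunnel's own DNS settings can satisfy a `Disconnect` rule once the VPN is up, which is consistent with the "Connecting..." / "Disconnecting..." cycling shown in the logs above.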
