OpenVPN Connect 3.3.0 mobile config not working anymore

Official client software for OpenVPN Access Server and OpenVPN Cloud.
frbr
OpenVpn Newbie
Posts: 4
Joined: Tue Aug 02, 2022 1:59 pm

OpenVPN Connect 3.3.0 mobile config not working anymore

Post by frbr » Tue Aug 02, 2022 2:23 pm

I'm puzzled.

We have deployed an OpenVPN config profile successfully for a couple of years.

Suddenly, after updating to OpenVPN Connect 3.3.0, newly installed config profiles don't work anymore. Already deployed profiles are still connecting fine to the VPN.

If I want to connect with a freshly installed profile in OpenVPN Connect, nothing really happens. Not even a log entry. If I try to connect via the iOS VPN toggle, I get an error in the OpenVPN Connect log:

[Aug 02, 2022, 13:26:52] NIP: OpenVPN VoD config error: Neither CertificatePayload nor cert/key values configured

[Aug 02, 2022, 13:26:52] EVENT: VOD_CONFIG_ERROR Neither CertificatePayload nor cert/key values configured [ERR]

[Aug 02, 2022, 13:26:52] EVENT: DISCONNECT_PENDING

[Aug 02, 2022, 13:26:52] Raw stats on disconnect:


[Aug 02, 2022, 13:26:52] Performance stats on disconnect:
  CPU usage (microseconds): 5694
  Network bytes per CPU second: 0
  Tunnel bytes per CPU second: 0

[Aug 02, 2022, 13:26:52] NIP: couldn't parse VPN on Demand settings

We didn't change anything on the profile or deployment side.

Sidenote: If I import the ovpn file directly in OpenVPN Connect through Finder, I'm able to connect.

Here's the config:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
  <dict>
    <key>PayloadUUID</key>
    <string>...</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>MYCompany</string>
    <key>PayloadIdentifier</key>
    <string>...</string>
    <key>PayloadDisplayName</key>
    <string>OpenVPN-Configuration</string>
    <key>PayloadDescription</key>
    <string/>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>PayloadUUID</key>
        <string>...</string>
        <key>PayloadType</key>
        <string>com.apple.vpn.managed</string>
        <key>PayloadOrganization</key>
        <string>MY Company</string>
        <key>PayloadIdentifier</key>
        <string>....</string>
        <key>PayloadDisplayName</key>
        <string>com.apple.vpn.managed</string>
        <key>PayloadDescription</key>
        <string/>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadEnabled</key>
        <true/>
        <key>IPv4</key>
        <dict>
          <key>OverridePrimary</key>
          <integer>1</integer>
        </dict>
        <key>Proxies</key>
        <dict/>
        <key>UserDefinedName</key>
        <string>MY VPN CONNECTION</string>
        <key>VPN</key>
        <dict>
          <key>RemoteAddress</key>
          <string>DEFAULT</string>
          <key>OnDemandUserOverrideDisabled</key>
          <integer>0</integer>
          <key>ExcludeLocalNetworks</key>
          <integer>0</integer>
          <key>AuthName</key>
          <string/>
          <key>ProviderDesignatedRequirement</key>
          <string/>
          <key>AuthenticationMethod</key>
          <string>Password</string>
          <key>ProviderType</key>
          <string>packet-tunnel</string>
          <key>IncludeAllNetworks</key>
          <integer>0</integer>
        </dict>
        <key>VPNType</key>
        <string>VPN</string>
        <key>VPNSubType</key>
        <string>net.openvpn.connect.app</string>
        <key>VendorConfig</key>
        <dict>
          <key>cipher</key>
          <string>AES-128-CBC</string>
          <key>auth</key>
          <string>SHA256</string>
          <key>tls-client</key>
          <string>NOARGS</string>
          <key>setenv</key>
          <string>CLIENT_CERT 0</string>
          <key>remote-cert-tls</key>
          <string>server</string>
          <key>persist-key</key>
          <string>NOARGS</string>
          <key>key-direction</key>
          <string>1</string>
          <key>lport</key>
          <string>0</string>
          <key>remote</key>
          <string>IP Port Protocol</string>
          <key>tls-auth</key>
          <string>-----BEGIN OpenVPN Static key V1-----\n...\n-----END OpenVPN Static key V1-----</string>
          <key>vpn-on-demand</key>
          <string>0</string>
          <key>persist-tun</key>
          <string>NOARGS</string>
          <key>auth-user-pass</key>
          <string>NOARGS</string>
          <key>client</key>
          <string>NOARGS</string>
          <key>ca</key>
          <string>-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----</string>
        </dict>
        <key>OnDemandUserOverrideDisabled</key>
        <integer>0</integer>
      </dict>
    </array>
  </dict>
</plist>

Also, I noticed that in the iOS VPN dialog it only reads "app".

Can someone push me in the right direction to fix this?

r.groesbeek
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 19, 2022 4:29 pm

Re: OpenVPN Connect 3.3.0 mobile config not working anymore

Post by r.groesbeek » Tue Sep 20, 2022 7:40 am

Hi frbr,
We encountered the same problem!
(Old mobileconfigs still worked, reinstalled mobileconfigs could not be started with OpenVPN 3.3.2 build 5086)

I experimented somewhat with creating a VoD version instead, and with converting to cert-based authentication instead, but it didn't feel like the user behavior we want (which is password authentication, and no On Demand activation).

I encountered the following topic, where an OpenVPN Support workaround is given: downloading the 3.2.3 Beta via TestFlight (or 3.3.1 5056 according to the app details), and that works for now.
viewtopic.php?t=34569

OpenVPN Support:
================

There is currently a reported issue with the latest update of OpenVPN Connect with iOS, and will be fixed in the future update which will be 3.3.2.

However, if you want to use the old version you may do so by downloading the application here:
https://testflight.apple.com/join/wG8Ln3FA
By this link they can join beta testing and download older production build instead of 3.3.0

IMPORTANT NOTE: DO NOT UPGRADE FROM 3.3.0. Only uninstall and install this 3.3.1 from scratch.
Upgrading directly from the APPSTORE will not work, app won’t connect.

IMPORTANT NOTE: Also by doing this, you are going to have to import your user profile. If you are not sure how to retrieve your user profile, then we would suggest to either ask your administrator of the OpenVPN Server or wait for the update.

I would hope to see this fixed in future versions though..

ktykls
OpenVpn Newbie
Posts: 7
Joined: Thu Jan 19, 2023 2:59 pm

Re: OpenVPN Connect 3.3.0 mobile config not working anymore

Post by ktykls » Tue Mar 07, 2023 9:01 am

It seems this is not fixed in 3.3.2. The current iOS version is 3.3.3, and I tried deploying the mobileconfig on multiple MDM services; the VPN cannot be started through the application.

etag_mv
OpenVpn Newbie
Posts: 1
Joined: Wed May 10, 2023 12:13 pm

Re: OpenVPN Connect 3.3.0 mobile config not working anymore

Post by etag_mv » Wed May 10, 2023 12:33 pm

I had exactly the same problem with the same kind of configuration (delivered by MDM),

user-auth-pass
ca
vpn-on-demand 0
tls-auth

The password consists of a 4-digit string and a TOTP (6-digit string),
so it changes on each connection; the user has to enter the user name and the password.

I kept getting the following error:

NIP: OpenVPN VoD config error: Neither CertificatePayload nor cert/key values configured
EVENT: VOD_CONFIG_ERROR Neither CertificatePayload nor cert/key values configured [ERR]

So I've added the missing keys to the .mobileconfig file, with garbage as the values, and it seems to get past the CertificatePayload error. But it fails on authentication because of an EmptyPassword (AUTHFAILED).

<key>cert</key>
<string>Something invalid</string>
<key>key</key>
<string>Something invalid so that the config gets parsed</string>

I am now facing the problem described here:
viewtopic.php?t=35230

I can't start the connection through the app! The toggle button is inactive when the connection is configured by MDM.

OpenVPN seems to handle this as a VoD profile when delivered by MDM.

I am not expecting a response from the 'devs'.
Just posting this for documentation... I will probably ask my client to disable the TOTP component in the password,
so that it will work (by setting a uname/password) with the user-auth-pass configuration directive.

I will keep looking for a solution by myself..

If only it was a native app :) it would have made my life easier, because JavaScript Hermes bytecode makes me want to vomit all over my keyboard :)
oh and React is cancer. :)

BR

Erik Tagirov
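
Added example, not part of any post above and not OpenVPN's own code: a pre-deployment lint for the kind of .mobileconfig discussed in this thread. It reports a net.openvpn.connect.app payload that has neither inline cert/key values nor a certificate payload reference (the condition named in the VOD_CONFIG_ERROR log line), and cert/key values that are not PEM, such as filler text. Treating the Apple VPN key PayloadCertificateUUID as the "CertificatePayload" from the error message is an assumption, and the sample profile is constructed.

```python
import plistlib

# Constructed sample shaped like the profile in the first post: password
# authentication, no cert/key, placeholder CA. Not a real deployment profile.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>VPNSubType</key><string>net.openvpn.connect.app</string>
    <key>VPN</key><dict>
      <key>AuthenticationMethod</key><string>Password</string>
    </dict>
    <key>VendorConfig</key><dict>
      <key>auth-user-pass</key><string>NOARGS</string>
      <key>vpn-on-demand</key><string>0</string>
      <key>ca</key><string>-----BEGIN CERTIFICATE-----\\n...\\n-----END CERTIFICATE-----</string>
    </dict>
  </dict></array>
</dict></plist>"""


def is_pem(value, marker):
    """True if value starts with a PEM BEGIN line and contains '<marker>-----'."""
    text = str(value).lstrip()
    return text.startswith("-----BEGIN ") and marker + "-----" in text


def lint_profile(data):
    """Return finding codes for OpenVPN Connect payloads in a .mobileconfig."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("VPNSubType") != "net.openvpn.connect.app":
            continue
        vpn = payload.get("VPN", {})
        vendor = payload.get("VendorConfig", {})
        # Assumption: the error's "CertificatePayload" maps to this VPN key.
        has_payload_cert = "PayloadCertificateUUID" in vpn
        has_inline_pair = "cert" in vendor and "key" in vendor
        if not (has_payload_cert or has_inline_pair):
            findings.append("no-client-cert")
        if "cert" in vendor and not is_pem(vendor["cert"], "CERTIFICATE"):
            findings.append("cert-not-pem")
        if "key" in vendor and not is_pem(vendor["key"], "PRIVATE KEY"):
            findings.append("key-not-pem")
    return findings


if __name__ == "__main__":
    print(lint_profile(SAMPLE))
```
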
