iOS on-demand-VPN inactivity issue with 3.3.2

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post Reply
KennyDW
OpenVpn Newbie
Posts: 2
Joined: Thu Oct 13, 2022 12:59 pm

iOS on-demand-VPN inactivity issue with 3.3.2

Post by KennyDW » Thu Oct 13, 2022 1:36 pm

Hi all


I am using OpenVPN per-app-VPN-connections for over 2 years now in combination with an MDM to push the configs to the device. Whenever one of the apps is opened, the iOS system is starting the OpenVPN tunnel in the background. I've setted up inactivity timers (30 sec 1000 bytes) to prevent the tunnels from being active all the time. The per-app-VPN is reopened once there's traffic again from one of these apps. This worked very well with all versions of OpenVPN Connect App >= 3.2.3. Last weeks, when I installed new smartphones with the OpenVPN Connect App version 3.3.2, there is this strange behaviour:

- my inactivity timeout of 30 seconds is ignored
- instead, OpenVPN Connect App closes the tunnel after 60 seconds
- meanwhile, the tunnel keeps it's "connected" status in iOS, the tunnel keeps working as well
- once there's a internet connectivity issue, let's say a switch between WiFi/4G, iOS per-app-VPN status goes to "connecting" and stays there untill reboot of the smartphone

It seems like OpenVPN Connect App is ignoring my inactivity timeout, exiting the tunnel itself at 60 seconds, without letting iOS know.

Server config

port 11XX
server 10.8.6.0 255.255.255.0
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"

replay-window 10000

proto tcp4
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth tc.key
topology subnet
push "redirect-gateway def1 bypass-dhcp"
push "persist-key"
push "persist-tun"
duplicate-cn
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20


Here is the client config, just the keys and their values since it is pushed by the MDM.

Client config

client
dev tun
remote remotedomainname 11XX tcp4
nobind
block-outside-dns
inactive 30 1000
cipher AES-256-CBC
auth SHA512
persist-key
persist-tun
remote-cert-tls server
tls-auth -----KEY-----
ignore-unknown-option outside-dns
ca ------CERT-----
cert -----CERTIFICATE------
key -----KEY------


I haven't found a solution for this. I tried playing with ping-exit instead of inactivity, but I couldn't find a working solution.

I am aware of the workaround of installing the old version via TestFlight. Unfortunately, we are on iOS devices without iCloud-account which are managed by an MDM. TestFlight doesn't seem a solution to me.

Thanks for your advice

16r
OpenVpn Newbie
Posts: 5
Joined: Mon Jun 27, 2022 11:09 am

Re: iOS on-demand-VPN inactivity issue with 3.3.2

Post by 16r » Thu Mar 16, 2023 11:26 am

Hey, I'm having exact same issue. iOS unreliable closes the tunnel (from time to time it does seem to work), but often it's says in settings its "connected", while the OpenVPN app shows disconnected. Even after going to sleep.

Running 3.3.3 (b 5109) on iOS 16.3.1

Did you manage to solve this?

TestFlight doesn't accept new testers, so I have no means to downgrade.

KennyDW
OpenVpn Newbie
Posts: 2
Joined: Thu Oct 13, 2022 12:59 pm

Re: iOS on-demand-VPN inactivity issue with 3.3.2

Post by KennyDW » Mon Apr 03, 2023 3:20 pm

No, unfortunately I have no resolution for this. I am looking to switch to another VPN protocol for our iOS devices

16r
OpenVpn Newbie
Posts: 5
Joined: Mon Jun 27, 2022 11:09 am

Re: iOS on-demand-VPN inactivity issue with 3.3.2

Post by 16r » Fri Jun 02, 2023 6:58 am

I have a strong feeling the issue is caused by the OpenVPN software self.

When the connection time out occurs, the OpenVPN shows a dialog box (alert). It looks like it closes the connection once you clicked on that that dialog. Basically the dialog stops OPN of telling iOS to close the connection (until you open OPN app and click the message away, or you to Settings -> VON and stop it manually.

Any idea where we can we file a bug ?

16r
OpenVpn Newbie
Posts: 5
Joined: Mon Jun 27, 2022 11:09 am

Re: iOS on-demand-VPN inactivity issue with 3.3.2

Post by 16r » Fri Jul 14, 2023 10:18 am

Just a quick update.

After a lengthy emails back and forth with OpenVPN support, I (finally) for confirmation they can reproduce this problem. It’s in the pipeline to be fixed, but no ETA.

ktykls
OpenVpn Newbie
Posts: 7
Joined: Thu Jan 19, 2023 2:59 pm

Re: iOS on-demand-VPN inactivity issue with 3.3.2

Post by ktykls » Thu Aug 10, 2023 1:52 pm

Same problem for me.

Post Reply