I have been using OpenVPN per-app VPN connections for over 2 years now, in combination with an MDM to push the configs to the devices. Whenever one of the apps is opened, iOS starts the OpenVPN tunnel in the background. I've set up inactivity timers (30 sec 1000 bytes) to prevent the tunnels from being active all the time. The per-app VPN is reopened once there's traffic again from one of these apps. This worked very well with all versions of the OpenVPN Connect App >= 3.2.3. In the last few weeks, when I installed new smartphones with OpenVPN Connect App version 3.3.2, there is this strange behaviour:
- my inactivity timeout of 30 seconds is ignored
- instead, OpenVPN Connect App closes the tunnel after 60 seconds
- meanwhile, the tunnel keeps its "connected" status in iOS, and the tunnel keeps working as well
- once there's an internet connectivity issue, let's say a switch between WiFi/4G, the iOS per-app VPN status goes to "connecting" and stays there until a reboot of the smartphone
It seems like OpenVPN Connect App is ignoring my inactivity timeout, exiting the tunnel itself at 60 seconds, without letting iOS know.
Server config
port 11XX
server 10.8.6.0 255.255.255.0
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
replay-window 10000
proto tcp4
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth tc.key
topology subnet
push "redirect-gateway def1 bypass-dhcp"
push "persist-key"
push "persist-tun"
duplicate-cn
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
Here is the client config, just the keys and their values since it is pushed by the MDM.
Client config
client
dev tun
remote remotedomainname 11XX tcp4
nobind
block-outside-dns
inactive 30 1000
cipher AES-256-CBC
auth SHA512
persist-key
persist-tun
remote-cert-tls server
tls-auth -----KEY-----
ignore-unknown-option outside-dns
ca ------CERT-----
cert -----CERTIFICATE------
key -----KEY------
I haven't found a solution for this. I tried playing with ping-exit instead of inactivity, but I couldn't find a working solution.
I am aware of the workaround of installing the old version via TestFlight. Unfortunately, we are on iOS devices without an iCloud account which are managed by an MDM. TestFlight doesn't seem like a solution to me.
Thanks for your advice
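As an added example (not part of the original post, and not OpenVPN's own code), here is a small Python model of what `inactive 30 1000` and `keepalive 10 120` from the configs above mean, run on a constructed traffic timeline. The inactivity rule it encodes (the timer is reset once at least the byte threshold has accumulated since the last reset, otherwise the tunnel exits when the timer fires) is an assumption based on the documented semantics of `inactive n [bytes]`; the `keepalive` expansion follows the OpenVPN manual. The trimmed config string and the trickle timeline are constructed for the example.

```python
"""
Model of OpenVPN's `inactive n [bytes]` rule and the `keepalive` shorthand,
applied to a constructed traffic timeline. Illustrative model written for
this page, not OpenVPN's own code. Assumption: the inactivity timer is reset
whenever at least `bytes` of tunnel payload have accumulated since the last
reset, and the tunnel exits if the timer expires before that happens.
"""
from typing import Dict, List, Optional, Tuple

Event = Tuple[float, int]  # (time in seconds, tunnel payload bytes)


def parse_inactive(config_text: str) -> Optional[Tuple[int, int]]:
    """Return (seconds, min_bytes) from an `inactive` directive, or None.

    A bare `inactive n` (no byte threshold) is treated as min_bytes = 0.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "inactive":
            seconds = int(tokens[1])
            min_bytes = int(tokens[2]) if len(tokens) > 2 else 0
            return seconds, min_bytes
    return None


def expand_keepalive(ping: int, restart: int) -> Dict[str, Dict[str, int]]:
    """`keepalive a b` on a server is shorthand (OpenVPN manual): the server
    itself uses `ping a` / `ping-restart 2*b` and pushes `ping a` /
    `ping-restart b` to its clients."""
    return {
        "server": {"ping": ping, "ping-restart": 2 * restart},
        "pushed": {"ping": ping, "ping-restart": restart},
    }


def inactivity_exit_time(seconds: int, min_bytes: int,
                         events: List[Event], horizon: float) -> Optional[float]:
    """Return the time the tunnel would exit, or None if it survives `horizon`.

    Model (assumption, see module docstring): a deadline starts at t=seconds;
    payload bytes accumulate; reaching min_bytes clears the counter and moves
    the deadline to now+seconds. A packet arriving at or after the deadline
    is too late: the exit has already happened.
    """
    deadline = float(seconds)
    accumulated = 0
    for t, nbytes in sorted(events):
        if t >= deadline:
            return deadline
        accumulated += nbytes
        if accumulated >= min_bytes:
            accumulated = 0
            deadline = t + seconds
    return deadline if horizon >= deadline else None


# Constructed sample: the client config from the post, trimmed to the
# directives that matter here.
CLIENT_CONFIG = """\
client
dev tun
inactive 30 1000
persist-tun
"""

# Constructed timeline: one real transfer at t=0, then a trickle of
# 200-byte packets every 10 s (e.g. an app polling in the background).
TRICKLE: List[Event] = [(0, 5000), (10, 200), (20, 200), (30, 200), (40, 200)]


def demo() -> dict:
    secs, min_bytes = parse_inactive(CLIENT_CONFIG)
    return {
        "with_threshold": inactivity_exit_time(secs, min_bytes, TRICKLE, 100),
        "without_threshold": inactivity_exit_time(secs, 0, TRICKLE, 100),
        "keepalive": expand_keepalive(10, 120),
    }


if __name__ == "__main__":
    print(demo())
```

Under this model the 1000-byte threshold is what makes the 30-second timer useful: a 200-byte trickle every 10 s adds up to only 600 bytes per window, so the tunnel exits at t=30, whereas a plain `inactive 30` would be reset by every packet and keep the tunnel up until 30 s after the last one (t=70 on this timeline). When comparing client behaviour across app versions, feeding the same constructed timeline to the model gives a reference exit time to check the observed one against.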