Hi Everyone!
I have several iPhones set up with OpenVPN. I used the iPhone Configuration Utility (not easy, but I got it working) to set up VPN-On-Demand (VOD) for the required network traffic.
The problem is, the VPN disconnects as soon as the iPhone goes to sleep. The VPN disconnects even if the iPhone is plugged in when it goes to sleep (so the iPhone stays connected to the wifi but not the VPN). As a result, domains that are set up for VOD (like our email server and Lync server) become unreachable while the phone is asleep. So users aren't alerted to new messages or emails until their iPhone wakes up.
I tried adjusting the '--keepalive' settings to let the iPhone stay connected to the VPN while it is asleep to no avail. Is there any way to keep the VPN with VOD alive while the iPhone is asleep???
Thanks for the help!
How to Maintain VPN when iPhone is Asleep???
-
- OpenVPN User
- Posts: 25
- Joined: Mon Jul 08, 2013 7:00 am
-
- OpenVpn Newbie
- Posts: 5
- Joined: Sat May 18, 2013 4:48 pm
Re: How to Maintain VPN when iPhone is Asleep???
Unfortunately not.
I would really appreciate an option on the OpenVPN Connect app which allows the user to prevent the device from going to sleep even if it costs much battery. This should be an optional option.
-
- OpenVPN User
- Posts: 25
- Joined: Mon Jul 08, 2013 7:00 am
Re: How to Maintain VPN when iPhone is Asleep???
Actually, I may have complained too soon...
It appears that data (emails etc) is reaching the phone when it is asleep.
There is a longer delay than an iPhone that does not use VOD, but eventually the emails and messages do show up.
The question is, does the iPhone reconnect the VPN to get this data or does it allow the data to leak out through the normal network? If the pounding my battery is taking is any indication I'd guess the VPN is constantly getting re-established and then dropped.
I think I'll have to block my email server so it will only respond to requests from within the VPN to see what happens. I'll let you know if I keep getting email when the iPhone is asleep.
- jamesyonan
- OpenVPN Inc.
- Posts: 169
- Joined: Thu Jan 24, 2013 12:13 am
Re: How to Maintain VPN when iPhone is Asleep???
The power management of an iOS device is really out of the control of OpenVPN. The device basically sends OpenVPN a message just before it goes to sleep so OpenVPN can disconnect, and after it wakes up, so OpenVPN can reconnect.
Sometimes a device that's not being used (where the screen is blanked), will still wake up from time to time for short periods to check email, etc. You can look at the system log on the device to see if OpenVPN was given a message by iOS to reconnect during these periods.
James
-
- OpenVPN User
- Posts: 25
- Joined: Mon Jul 08, 2013 7:00 am
Re: How to Maintain VPN when iPhone is Asleep???
Hi James,
I understand the iOS settings are beyond your control... Too bad
I left my iPhone with the screen off (and unplugged) for an hour and then checked the OpenVPN app log (posted below). I have good news and bad news. The good news is that iOS is resuming the OpenVPN app when it wakes up to get fresh data. The bad news is that OpenVPN seems to be renegotiating and re-verifying the connection from scratch every time it resumes the connection. I'm guessing this is the cause of my super low stand-by battery (it dies after only a few hours). Is there any way to get around this?
I have a static DNS address for my VPN server. Ideally, what I'd like to do is have OpenVPN just resume sending encrypted packets to the target web address based (mostly) on the settings it was using when it went to sleep and put the connection on pause. It seems like the risk of not re-negotiating the connection would be minimal because only the server (with the cert+key) would be able to decrypt the resumed transmission anyway. I set '--keepalive 60 600' on both the iPhone and Server config files. The iPhone is waking up and reconnecting before the 10 min keepalive limit, but the VPN connection is renegotiated when the VPN resumes anyway.
Is there another way to more directly control how the connection resumes after it is put on pause (or some reason I shouldn't)?
-
- OpenVPN User
- Posts: 25
- Joined: Mon Jul 08, 2013 7:00 am
Re: How to Maintain VPN when iPhone is Asleep???
Here's my iPhone App log...
2013-07-12 20:47:16 OS Event: SLEEP
2013-07-12 20:47:16 EVENT: PAUSE
2013-07-12 20:48:09 OS Event: WAKEUP
2013-07-12 20:48:12 EVENT: RESUME
2013-07-12 20:48:12 EVENT: RECONNECTING
2013-07-12 20:48:12 LZO-ASYM init swap=0 asym=0
2013-07-12 20:48:12 Contacting X.X.X.X:1194 via UDP
2013-07-12 20:48:12 EVENT: WAIT
2013-07-12 20:48:12 Connecting to secure.XXX.info:1194 (X.X.X.X) via UDPv4
2013-07-12 20:48:12 EVENT: CONNECTING
2013-07-12 20:48:12 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2013-07-12 20:48:12 Peer Info:
IV_VER=1.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1
2013-07-12 20:48:12 VERIFY OK: depth=0
cert. version : 3
serial number : XXX
issuer name : C=US, ST=AZ, L=Phoenix, O=XXX CA, CN=XXX CA, 0x29=XXX CA, emailAddress=XXX@XXX.info
subject name : C=US, ST=AZ, L=Phoenix, O=XXX CA, CN=XXX VPN, 0x29=XXX VPN, emailAddress=XXX@XXX.info
issued on : 2013-06-29 00:11:26
expires on : 2023-06-27 00:11:26
signed using : RSA+SHA1
RSA key size : 2048 bits
2013-07-12 20:48:12 VERIFY OK: depth=1
cert. version : 3
serial number : XXX
issuer name : C=US, ST=AZ, L=Phoenix, O=XXX CA, CN=XXX CA, 0x29=XXX CA, emailAddress=XXX@XXX.info
subject name : C=US, ST=AZ, L=Phoenix, O=XXX CA, CN=XXX CA, 0x29=XXX CA, emailAddress=XXX@XXX.info
issued on : 2013-06-29 00:06:28
expires on : 2113-06-05 00:06:28
signed using : RSA+SHA1
RSA key size : 2048 bits
2013-07-12 20:48:12 SSL Handshake: TLSv1.0/SSL-EDH-RSA-AES-256-SHA
2013-07-12 20:48:12 Session is ACTIVE
2013-07-12 20:48:13 EVENT: GET_CONFIG
2013-07-12 20:48:13 Sending PUSH_REQUEST to server...
2013-07-12 20:48:13 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0]
1 [redirect-gateway] [def1]
2 [route-gateway] [192.168.100.1]
3 [topology] [subnet]
4 [ping] [60]
5 [ping-restart] [600]
6 [ifconfig] [192.168.100.4] [255.255.255.0]
2013-07-12 20:48:13 LZO-ASYM init swap=0 asym=0
2013-07-12 20:48:13 EVENT: ASSIGN_IP
2013-07-12 20:48:13 Connected via tun
2013-07-12 20:48:13 EVENT: CONNECTED @secure.XXX.info:1194 (X.X.X.X) via /UDPv4 on tun/192.168.100.4/
2013-07-12 20:48:33 OS Event: SLEEP
2013-07-12 20:48:33 EVENT: PAUSE
2013-07-12 20:51:21 OS Event: WAKEUP
2013-07-12 20:51:24 EVENT: RESUME
2013-07-12 20:51:24 EVENT: RECONNECTING
2013-07-12 20:51:24 LZO-ASYM init swap=0 asym=0
2013-07-12 20:51:24 Contacting X.X.X.X:1194 via UDP
2013-07-12 20:51:24 EVENT: WAIT
2013-07-12 20:51:24 Connecting to secure.XXX.info:1194 (X.X.X.X) via UDPv4
2013-07-12 20:51:24 EVENT: CONNECTING
2013-07-12 20:51:24 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2013-07-12 20:51:24 Peer Info:
IV_VER=1.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1
2013-07-12 20:51:24 VERIFY OK: depth=0
cert. version : 3
serial number : XXX
issuer name : C=US, ST=AZ, L=Phoenix, O=XXX CA, CN=XXX CA, 0x29=XXX CA, emailAddress=XXX@XXX.info
subject name : C=US, ST=AZ, L=Phoenix, O=XXX CA, CN=XXX VPN, 0x29=XXX VPN, emailAddress=XXX@XXX.info
issued on : 2013-06-29 00:11:26
expires on : 2023-06-27 00:11:26
signed using : RSA+SHA1
RSA key size : 2048 bits
2013-07-12 20:51:24 VERIFY OK: depth=1
cert. version : 3
serial number : XXX
issuer name : C=US, ST=AZ, L=Phoenix, O=XXX CA, CN=XXX CA, 0x29=XXX CA, emailAddress=XXX@XXX.info
subject name : C=US, ST=AZ, L=Phoenix, O=XXX CA, CN=XXX CA, 0x29=XXX CA, emailAddress=XXX@XXX.info
issued on : 2013-06-29 00:06:28
expires on : 2113-06-05 00:06:28
signed using : RSA+SHA1
RSA key size : 2048 bits
2013-07-12 20:51:24 SSL Handshake: TLSv1.0/SSL-EDH-RSA-AES-256-SHA
2013-07-12 20:51:24 Session is ACTIVE
2013-07-12 20:51:25 EVENT: GET_CONFIG
2013-07-12 20:51:25 Sending PUSH_REQUEST to server...
2013-07-12 20:51:25 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0]
1 [redirect-gateway] [def1]
2 [route-gateway] [192.168.100.1]
3 [topology] [subnet]
4 [ping] [60]
5 [ping-restart] [600]
6 [ifconfig] [192.168.100.4] [255.255.255.0]
2013-07-12 20:51:25 LZO-ASYM init swap=0 asym=0
2013-07-12 20:51:25 EVENT: ASSIGN_IP
2013-07-12 20:51:25 Connected via tun
2013-07-12 20:51:25 EVENT: CONNECTED @secure.XXX.info:1194 (X.X.X.X) via /UDPv4 on tun/192.168.100.4/
2013-07-12 20:51:55 OS Event: SLEEP
2013-07-12 20:51:55 EVENT: PAUSE
2013-07-12 20:52:41 OS Event: WAKEUP
2013-07-12 20:52:44 EVENT: RESUME
2013-07-12 20:52:44 EVENT: RECONNECTING
2013-07-12 20:52:44 LZO-ASYM init swap=0 asym=0
2013-07-12 20:52:44 Contacting X.X.X.X:1194 via UDP
2013-07-12 20:52:44 EVENT: WAIT
2013-07-12 20:52:44 Connecting to secure.XXX.info:1194 (X.X.X.X) via UDPv4
2013-07-12 20:52:44 EVENT: CONNECTING
2013-07-12 20:52:44 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2013-07-12 20:52:44 Peer Info:
IV_VER=1.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1
2013-07-12 20:52:44 VERIFY OK: depth=0
cert. version : 3
serial number : XXX
issuer name : C=US, ST=AZ, L=Phoenix, O=XXX CA, CN=XXX CA, 0x29=XXX CA, emailAddress=XXX@XXX.info
subject name : C=US, ST=AZ, L=Phoenix, O=XXX CA, CN=XXX VPN, 0x29=XXX VPN, emailAddress=XXX@XXX.info
issued on : 2013-06-29 00:11:26
expires on : 2023-06-27 00:11:26
signed using : RSA+SHA1
RSA key size : 2048 bits
2013-07-12 20:52:44 VERIFY OK: depth=1
cert. version : 3
serial number : XXX
issuer name : C=US, ST=AZ, L=Phoenix, O=XXX CA, CN=XXX CA, 0x29=XXX CA, emailAddress=XXX@XXX.info
subject name : C=US, ST=AZ, L=Phoenix, O=XXX CA, CN=XXX CA, 0x29=XXX CA, emailAddress=XXX@XXX.info
issued on : 2013-06-29 00:06:28
expires on : 2113-06-05 00:06:28
signed using : RSA+SHA1
RSA key size : 2048 bits
2013-07-12 20:52:44 SSL Handshake: TLSv1.0/SSL-EDH-RSA-AES-256-SHA
2013-07-12 20:52:44 Session is ACTIVE
2013-07-12 20:52:45 EVENT: GET_CONFIG
2013-07-12 20:52:45 Sending PUSH_REQUEST to server...
2013-07-12 20:52:45 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0]
1 [redirect-gateway] [def1]
2 [route-gateway] [192.168.100.1]
3 [topology] [subnet]
4 [ping] [60]
5 [ping-restart] [600]
6 [ifconfig] [192.168.100.4] [255.255.255.0]
2013-07-12 20:52:45 LZO-ASYM init swap=0 asym=0
2013-07-12 20:52:45 EVENT: ASSIGN_IP
2013-07-12 20:52:45 Connected via tun
2013-07-12 20:52:45 EVENT: CONNECTED @secure.XXX.info:1194 (X.X.X.X) via /UDPv4 on tun/192.168.100.4/
2013-07-12 20:53:15 OS Event: SLEEP
2013-07-12 20:53:15 EVENT: PAUSE
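
An added example, not part of the original posts: a Python script that reads a log in the format posted above and tallies, per OS wake-up, whether the certificate chain was verified again and how long the device was awake before the tunnel reported CONNECTED. The sample lines are trimmed from the posted log; the function and field names are illustrative.

```python
import re
from datetime import datetime

# Sample trimmed from the log posted above (two wake cycles, cert detail shortened).
SAMPLE_LOG = """\
2013-07-12 20:47:16 OS Event: SLEEP
2013-07-12 20:48:09 OS Event: WAKEUP
2013-07-12 20:48:12 EVENT: RECONNECTING
2013-07-12 20:48:12 VERIFY OK: depth=0
cert. version : 3
2013-07-12 20:48:13 EVENT: CONNECTED @secure.XXX.info:1194 (X.X.X.X) via /UDPv4 on tun/192.168.100.4/
2013-07-12 20:48:33 OS Event: SLEEP
2013-07-12 20:51:21 OS Event: WAKEUP
2013-07-12 20:51:24 VERIFY OK: depth=0
2013-07-12 20:51:25 EVENT: CONNECTED @secure.XXX.info:1194 (X.X.X.X) via /UDPv4 on tun/192.168.100.4/
2013-07-12 20:51:55 OS Event: SLEEP
"""
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")

def wake_cycles(log_text):
    """Return one record per 'OS Event: WAKEUP' found in the log."""
    cycles, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation line (certificate fields, pushed options)
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if msg == "OS Event: WAKEUP":
            cur = {"wake": ts, "cert_verified": False, "connected": None, "sleep": None}
            cycles.append(cur)
        elif cur is None:
            continue  # nothing to attribute until the first wake-up
        elif msg.startswith("VERIFY OK"):
            cur["cert_verified"] = True
        elif msg.startswith("EVENT: CONNECTED") and cur["connected"] is None:
            cur["connected"] = ts
        elif msg == "OS Event: SLEEP":
            cur["sleep"], cur = ts, None
    return cycles

def summarize(cycles):
    """Totals over cycles that reached CONNECTED and then went back to sleep."""
    done = [c for c in cycles if c["connected"] and c["sleep"]]
    return {
        "wakes": len(cycles),
        "wakes_with_cert_verify": sum(c["cert_verified"] for c in cycles),
        "secs_awake_before_tunnel": sum((c["connected"] - c["wake"]).total_seconds() for c in done),
        "secs_tunnel_up": sum((c["sleep"] - c["connected"]).total_seconds() for c in done),
    }

if __name__ == "__main__":
    print(summarize(wake_cycles(SAMPLE_LOG)))
```

Run over the full log, the `secs_awake_before_tunnel` figure gives the window in which the device is awake but the tunnel is not yet up, which is the interval to check against server-side logs when testing whether mail is fetched outside the VPN.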