OpenVPN Connect iOS verification problem

[granular6]

So I just installed OpenVPN AS 2.0, and it works great with Macintosh clients. Not so well, though, with iOS clients using OpenVPN Connect 1.0.1 build 88. Apparently using PolarSSL rather than OpenSSL, it has trouble authenticating, reporting "Verification of the message MAC failed" in the log, and never connecting.

If I downgrade back to OpenVPN AS 1.8.5, everything works fine again. It doesn't matter whether I'm using a profile downloaded from 1.8.5 or 2.0, the connection behavior is the same.

Anybody else have this problem and/or any suggestions to fix it?

[priller]

I have experienced the exact same problem. Had to revert back to 1.8.5. I haven't been able to find any fix.

[granular6]

I wonder whether (hope that) this behavior is known to the iOS development team, such that it might be fixed (or maybe has already been submitted to the App Store as a fix) in whatever update to OpenVPN Connect also addresses official iOS 7 compatibility.

Let me be clear that this behavior in particular does not seem to be an iOS 7 compatibility problem: an iOS 7 client connecting to an OpenVPN-AS running 1.8.5 has no problem, as I and at least one other have said. I speculate through quick Googling on "Verification of the message MAC failed" that it's a PolarSSL problem. But I know nothing at all about PolarSSL vs OpenSSL, and whether a newer version of PolarSSL (if there is one) would even address this problem.

I just hope this behavior is addressed in the next update of OpenVPN Connect, or in the next update to OpenVPN-AS 2.x (while maintaining security for all types of clients).

[granular6]

I have also reinstalled OpenVPN-AS 2.0 on both the same server I was using (using the openvpn-init tool to set it up with a completely new configuration), and installed a completely new virtual server OS on which to test a new OpenVPN-AS, and they both showed the same behavior with iOS clients as listed above. So it seems even moreso not to be server-side configuration at fault, but authentication problems on the iOS client side.

[ActiveOffice]

Same problem here!

Installed the vmWare appliance out of the box (ova-install, appliance V2.0.0 - Last updated: October 8, 2013)
The iOS-app tries to reconnect all the time.

Error: Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Verification of the message MAC failed

Do you need a valid ssl-certificate for this?

[tgeddings]

Same Problem here. How difficult is the downgrade to 1.8.5?

[granular6]

I've been running OpenVPN-AS on a virtual machine, so I just restored to a previous save state. I don't know what to suggest if you're running it outside of virtualization. If you've formatted your HD with LVM when you installed Linux AND set up save states, you may be able to downgrade that way.

Another method may be to fully un-install OpenVPN-AS 2.0, then install OpenVPN-AS 1.8.5, reconfigure & issue new certificates to clients. One potential problem with this !BEFORE YOU START! is knowing whether there's still a good URL from which to wget version 1.8.5 again. Since I didn't use this method, I have not researched this.


Sent from my iPhone using Tapatalk - now Free

[granular6]

Update: the behavior is still occurring under OpenVPN-AS 2.0.1. Downgrading back to 1.8.5…


Sent from my iPhone using Tapatalk

[priller]

I just upgraded to OpenVPN-AS 2.0.2, problem resolved!

[granular6]

Love to try that, but as previously resolved intopic14030.html, they haven't yet posted an amd_64 version of 2.0.2.


Sent from my iPhone using Tapatalk

[granular6]

Aha: it seems the URL for download is incorrect. Within the URL http://swupdate.openvpn.org/as/openvpn- ... amd_64.deb, the underscore ("_") should currently be removed, and the download will occur correctly. It is unknown when or whether the webmaster will reconcile this incorrect URL, but the software does work correctly once installed.

Until and unless (and depending on how) the URL issue is resolved, I consider the main issue of this thread RESOLVED.