OpenVPN Connect iOS version 1.0.1 Release Notes

[elfredyc]

Release Notes for OpenVPN Connect iOS version 1.0.1 (released on App Store May 20, 2013)
-----------------------------------------------------------------------
Fixed proxy error "NTLM phase-2 Content-Length is not zero".

Updated PolarSSL to 1.1.6.

Implemented "tls-remote", "route-nopull", "remote-random", "cipher none", and "auth none" directives.

Support DNS names that resolve to multiple addresses by trying each address in sequence.

At Apple's request, require one-time user confirmation before starting initial VPN connection.

Log invalid server-pushed routes or dhcp-options but don't disconnect.

As device moves between WiFi and cellular networks, proactively reconnect.

Raise an error when unsupported modes are used, such as static key mode.

Support "tcp-client" usage such as this: remote foo.bar 1194 tcp-client

Client will report its protocol as UDPv4 or TCPv4_CLIENT in options compatibility string even if running over IPv6 transport to maintain compatibility with OpenVPN 2.x branch.

Support client profiles that use Windows UTF-8 BOM.

Added "Reconnect on wakeup" preference (on by default).

The "key-direction" default has been changed to "bidirectional" for compatibility with OpenVPN 2.x branch, however the previous default ("1") will be retained for profiles imported with 1.0.0 to avoid breakage. Note, however, that the previous default cannot be retained for previously imported VPN-on-Demand profiles, which could potentially fail to connect if they don't declare a key-direction key/value pair on the assumption that it defaults to "1". The solution is to explicitly declare key-direction in VPN-on-Demand profiles if the OpenVPN configuration file they are derived from declares it as well.

Fixed bug where pushed ifconfig subnet was not routing into the tunnel.

When split-tunnel VPN configuration is used (i.e. not redirect-gateway), and at least one pushed DNS server is present: (a) route all DNS requests through pushed DNS server if no added search domains, or (b) route DNS requests for only specifically added search domains if at least one added search domain.

Fixed bug where app would crash on startup if device keychain had certificate with nil subjectSummary.

Fixed issue where "reneg-sec 0" was causing an infinite reconnect loop.

Don't add IPv4 or v6 routes if the ifconfig for the particular IP protocol is absent.

Added support for "net_gateway" as a route destination. This effectively excludes the route from the tunnel.

Allow clients to connect without a client certificate or key, if the server allows it, and if the client profile contains the following directive: setenv CLIENT_CERT 0

Allow "dhcp-option DOMAIN ..." directives to be pushed with multiple space-separated domains.

Fixed an issue that prevented an External Certificate profile from also being an Autologin profile.

Fixed a corner case where profiles with saved passwords that connect to a server that uses Session ID tokens (such as an Access Server) would fail to automatically reconnect after long pause periods, such as when the device is asleep.

Add "OS Event" logging to OpenVPN log file, including: (a) network available/unavailable and (b) sleep/wakeup.

-------------------------------------------
Elfredy Cadapan
OpenVPN Technologies, Inc.

[canope]

Hi,

Thanks for this update!!!

Hoping to see updates supporting tun / link mtu change on the clientside configuration.


Can

[Nachtfalke]

Hi,

I have a question about the changelog. What do you mean with:

Added "Reconnect on wakeup" preference (on by default).

Do you mean that VPN reconnects if some application (mail) requires it together with "VPN on demand"?

Or do you mean that VPN reconnects when the user unlocks the device? This was already done when you set the OpenVPN connection timeout to "none" as far as my tests show. (Settings --> scroll down to bottom --> OpenVPN --> Timeout: None (default: 30s)

I would like to see an option to which allows to override the power settings on iOS. It should be possible if the user likes it - to make the VPN connection persitent even if the iOS device is in standby or sleep or prevent the device to go to standby/sleep even if this costs much more battery life. The user should have the possibility to change this if it is ok or to leave it off if he wants to save battery life.

Nevertheless thank you for the hard work on this.

Greetings
Alex

[jamesyonan]

In 1.0.0, the client would always "Reconnect on wakeup" -- there was no way to disable the behavior.

In 1.0.1 we made it an option so that people can turn it off, so that if the device goes to sleep, the VPN is disconnected, and it doesn't automatically reconnect on wakeup (some people actually prefer this behavior).

The use case is that turning "Reconnect on wakeup" off is effectively a kind of inactivity disconnect, that leverages on fact that the device will sleep after some period of user inactivity. In many ways, it's a better implementation of inactivity disconnect because it uses the device's own understanding of whether it's being used or not to trigger the disconnect, rather than relying on traffic heuristics.

[Nachtfalke]

In 1.0.0, the client would always "Reconnect on wakeup" -- there was no way to disable the behavior.

In 1.0.1 we made it an option so that people can turn it off, so that if the device goes to sleep, the VPN is disconnected, and it doesn't automatically reconnect on wakeup (some people actually prefer this behavior).

The use case is that turning "Reconnect on wakeup" off is effectively a kind of inactivity disconnect, that leverages on fact that the device will sleep after some period of user inactivity. In many ways, it's a better implementation of inactivity disconnect because it uses the device's own understanding of whether it's being used or not to trigger the disconnect, rather than relying on traffic heuristics.

Thank you for your feedback. This makes sense in the case you explained.

[mistic]

Hi.
I have a question. Danoe software can let all traffic through vpn? If the signal is lost wi-fi or sim, then at the time of the new connection all programs go into the network with the real IP.

config:

Code: Select all

client
dev tun
proto tcp
remote 80.79.1.1 443
resolv-retry infinite
nobind
key-direction 1
dhcp-option DNS 8.8.8.8
#cipher AES-128-CBC
persist-tun
persist-key
ns-cert-type server
redirect-gateway def1
comp-lzo
verb 3

##pkcs12 ios.p12
reneg-sec 3600
pull # may not be required

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

I've tried:

push 'redirect-gateway def1'

redirect-gateway def1

redirect-gateway

This is possible at all?

[Solvy]

setenv CLIENT_CERT 0 - does not work ?

Below is my simple config file wich is working on any PC without any problem
I've added setenv parameter but got error message "PolarSSL: ca certificate is undefined"
where I'm wrong ?

=================
setenv CLIENT_CERT 0
proto udp
dev tun
port 6999
remote myhost.ru
ifconfig 10.254.1.10 10.254.1.9
route 192.168.254.10 255.255.255.255 10.254.1.9
tun-mtu 1500
mssfix
auth MD5
keepalive 10 120
cipher BF-CBC # Blowfish (default)
comp-lzo
verb 3
mute 20
user root
group nobody
persist-key
persist-tun
status openvpn-home.log
<secret>
-----BEGIN OpenVPN Static key V1-----
f66320fa1bc18a78fe7fdb8a511664a4
****************
351d3c1d896788c730bc68fd4eb77a11
-----END OpenVPN Static key V1-----
</secret>
=================================

[sometrashbin]

Hi guys

Sorry to bug you with that, ... but would you consider putting the app in the french appstore ? Can't use because i can't download it, makes my access server useless ...



Cheers

[XU4MeuXb82E]

I discovered a problem about the VPN on demand thing (not sure it is OpenVPN or iOS problem)

The VPN seems to ignore the connected Wifi connection, and keep using cellular data.

I discovered this by connecting my iPhone 5 with LTE to a super slow wifi network, and using auto-connect OpenVPN profile, which also routes all my iPhone traffic via the VPN server.

However, despite the super slow wifi network, the speed test (use speedtest app) of my iPhone 5 still reaches the LTE level, which is quite impossible. The only reason is that it is still using my LTE connection while I am connected to Wifi.

It happen when iOS / OpenVPN "auto reconnects" the VPN, this problem does not appear if I trigger the connection myself in OpenVPN or iOS Settings app.


The detail testing steps are as follow:

Pre-requisite:
a) OpenVPN server or client profile will route all traffics via VPN server: push "redirect-gateway" or redirect-gateway in client
b) OpenVPN Connect in iOS will reconnect itself
c) A wifi network with large speed difference with your iPhone
i) either a very slow one (ADSL connection)
ii) or a very fast one (Optic Fiber one which goes over 100Mbps and a fast router)


Testing steps:
1) Connect iPhone to WiFi
2) Connect iPhone to OpenVPN server
3) Do the speed test (take note that it is the WiFi speed)
4) Open Settings app, switch off WiFi
5) Switch on WiFi, connect back to the same WiFi network
6) Wait VPN auto-connect itself
7) Do the speed test again (take note that it is not the WiFi speed this time, it is your cellular data speed!)

[entunn]

Hello,

How can we setup a webserver for the profiles to be downloaded via a web browser link instead of using the email or iTunes to import profiles? As part of the features as stated, you can also import profile via a web browser link. How to do this from the web server side?

Thanks.

[igor.sem]

can't connect to server using openvpn as 2.0 and iPhone 4s IOS6
Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Verification of the message MAC failed

[gh6200]

The Open vpn version not work in iPhone 5s please help