Importing OVPN Profiles in OpenVPN Connect on iOS 8.4

stalwart.ca
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 10, 2015 9:52 pm

Post by stalwart.ca » Fri Jul 10, 2015 9:58 pm

I've used OpenVPN Connect for a long time on my iPad, connecting through a TUN using an OVPN file. Suddenly, a few days ago (I think after an iOS update), it claims to connect but no longer allows traffic to go through the tunnel. I tried creating a fresh certificate/OVPN file in case that would help, but now I notice that there is no way to actually import an OVPN file into the iPad. I can't find any way to do it either from within iTunes, or from within the app itself on the iPad. Am I missing or forgetting something?

Thanks in advance!

stalwart.ca
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 10, 2015 9:52 pm

Re: Importing OVPN Profiles in OpenVPN Connect on iOS 8.4

Post by stalwart.ca » Mon Jul 13, 2015 4:06 pm

Update: I found the file sharing area in iTunes. It seems more hidden than I remember. I just had to scroll all the way down in the sub-pane of the app area in iTunes. However, there still seems to be a problem with iOS 8.4 and OpenVPN, at least with my config. It has worked fine for years, but since I updated my two iPads, neither will send traffic through the tunnel.

Here's my server TUN config:

port 1195
proto udp
tun-mtu 1500
tun-mtu-extra 32
mssfix 1400
dev tun
dev-node "stalwart.ca (tun)"
ca "../easy-rsa/keys/stalwart.ca.ca.crt"
cert "../easy-rsa/keys/stalwart.ca.crt"
key "../easy-rsa/keys/stalwart.ca.key"
dh "../easy-rsa/keys/stalwart.ca.dh.pem"
server 10.23.48.0 255.255.255.0
ifconfig-pool-persist "stalwart.ca (tun).ipp.txt"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status "stalwart.ca (tun).status.log"
verb 1
tls-server
tls-auth "../easy-rsa/keys/stalwart.ca.ta.key" 0
tls-cipher DHE-RSA-AES256-SHA
crl-verify "../easy-rsa/keys/stalwart.ca.crl.pem"


And here is one of my iPad's client configs:

client
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1400
dev-node "stalwart.ca (tun)"
proto udp
resolv-retry infinite
nobind
cipher AES-256-CBC
comp-lzo
tls-client
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
<tls-auth>
#
# 2048 bit OpenVPN static key
#
...REMOVED...
</tls-auth>
key-direction 1
remote-cert-tls server
remote stalwart.ca 1195
<ca>
...REMOVED...
</ca>
<cert>
...REMOVED...
</cert>
<key>
...REMOVED...
</key>
persist-key
persist-tun
keepalive 3 10
verb 1

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Importing OVPN Profiles in OpenVPN Connect on iOS 8.4

Post by Traffic » Tue Jul 14, 2015 10:17 am

stalwart.ca wrote: Here's my server TUN config:

### Unless you know what you are doing, remove these three options:
tun-mtu 1500
tun-mtu-extra 32
mssfix 1400

### Increase to verb 4
verb 1

### tls-cipher name ?
tls-cipher DHE-RSA-AES256-SHA

And here is one of my iPad's client configs:

### Unless you know what you are doing, remove these three options:
tun-mtu 1500
tun-mtu-extra 32
mssfix 1400

### tls-cipher name ?
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA

### this is designed as a server side directive and is unnecessary for a client
keepalive 3 10

### increase to verb 4
verb 1

What version of OpenVPN are you using on your server? Please post the full server log at verb 4.

stalwart.ca
OpenVpn Newbie
Posts: 4
Joined: Fri Jul 10, 2015 9:52 pm

Re: Importing OVPN Profiles in OpenVPN Connect on iOS 8.4

Post by stalwart.ca » Sat Sep 12, 2015 12:14 am

Thanks for the input!

Kind of fortunately but mysteriously, it spontaneously started working. All I changed was verb to 4, which of course wouldn't make any difference, but nonetheless it started working. I'm not sure what happened. It's totally solid now though, and has remained so for a while.

Regarding the tun-mtu, tun-mtu-extra, and mssfix, I had to implement those a long time ago to prevent the connection from being extremely unreliable. I imagine there was probably faulty hardware or software at some point along the line that was clumsily tripping on an unexpected mtu or something, but whatever the case, those definitely were necessary for the connection to be stable, as of a few years ago at least.

Re the cipher name, I believe it was using OpenVPN either with some Android client, or with iOS that required that naming convention, not accepting the other form.
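
An added example, not part of any post in this thread: a small Python check that compares a server and client config for the settings that must agree (cipher, tls-cipher under either naming style, tls-auth direction) and flags the points raised in Traffic's reply. The sample configs are constructed excerpts of the ones posted above; the function names and the one-entry cipher-name table are assumptions of this example.

```python
import shlex
# Constructed excerpts of the two configs posted in the thread.
SERVER = """mssfix 1400
cipher AES-256-CBC
verb 1
tls-auth "../easy-rsa/keys/stalwart.ca.ta.key" 0
tls-cipher DHE-RSA-AES256-SHA"""
CLIENT = """mssfix 1400
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
<tls-auth>
...REMOVED...
</tls-auth>
key-direction 1
keepalive 3 10
verb 1"""
# OpenSSL-style -> IANA-style name, only for the suite used in this thread.
IANA = {"DHE-RSA-AES256-SHA": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"}

def parse(text):
    """Map directive -> argument list, skipping comments and inline <tag> blocks."""
    opts, inline = {}, None
    for line in map(str.strip, text.splitlines()):
        if inline:
            inline = None if line == f"</{inline}>" else inline
        elif line[:1] == "<":
            inline = line.strip("<>")
        elif line and line[0] not in "#;":
            name, *args = shlex.split(line)
            opts[name] = args
    return opts

def direction(o):
    """tls-auth key direction: key-direction, else the second tls-auth argument."""
    return (o.get("key-direction") or o.get("tls-auth", [])[1:] or [None])[0]

def review(server, client):
    s, c = parse(server), parse(client)
    for o in (s, c):  # compare tls-cipher by IANA name, whichever style was written
        o["tls-cipher"] = [IANA.get(n, n) for n in o.get("tls-cipher", [])]
    notes = [f"mismatch: {k}" for k in ("cipher", "tls-cipher", "mssfix") if s.get(k) != c.get(k)]
    if {direction(s), direction(c)} not in ({"0", "1"}, {None}):
        notes.append("mismatch: tls-auth direction")
    for side, o in (("server", s), ("client", c)):
        if {"tun-mtu", "tun-mtu-extra", "mssfix"} & o.keys():
            notes.append(f"{side}: manual MTU options")
        if int(o.get("verb", ["1"])[0]) < 4:  # OpenVPN's default verbosity is 1
            notes.append(f"{side}: verb below 4")
    return notes + (["client: keepalive set"] if "keepalive" in c else [])
```

Calling `review(SERVER, CLIENT)` on the excerpts reports no mismatches, because the two tls-cipher spellings name the same suite and the tls-auth directions 0 and 1 are complementary; it lists only the MTU, verb and keepalive points.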
