Unable to connect w/ iOS to VPN server on same network

ghmfranken · Post by **ghmfranken** » Thu Oct 01, 2015 5:41 pm

I have an OpenVPN server running on OpenWRT. I can succesfully connect from both Windows and iOS when outside the network of the OpenVPN server. However I was unable to connect to the OpenVPN server when I was trying to connect from the same network (for testing purposes). For Windows adding the "float" directive in the client config solved the problem. The remaining problem is that despite adding the "float" directive also on the iOS client config, I am still not able to connect from my iPhone when I am on the same network as the OpenVPN server. The iOS client is "waiting for server".

Below is the OpenVPN config for my server, Windows client, iOS client and two server logs when trying to connect with the iOS client. The VPN server is on IP 192.168.1.1 (internally) and mydomain.com (externally).

Thanks in advance for your support!

Server config

Code: Select all

config openvpn 'VPN'
	option enabled '1'
	option dev 'tun'
	option port '1194'
	option proto 'udp'
	option verb '3'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option tls_auth '/etc/openvpn/tls-auth.key 0'
	option auth 'SHA256'
	option cipher 'AES-256-CBC'
	option server '10.0.0.0 255.255.255.0'
	option dh '/etc/openvpn/dh2048.pem'
	option persist_tun '1'
	option log '/tmp/openvpn.log'
	option tls_server '1'
	option client_to_client '1'
	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 185.83.217.248'
	list push 'dhcp-option DNS 93.158.205.94'
	option remote_cert_tls 'client'

Windows client config

Code: Select all

dev tun
proto udp
log openvpn.log
verb 3
client
float
tls-client 1
ca ca.crt
cryptoapicert "THUMB:"
tls-auth tls-auth.key 1
auth SHA256
cipher AES-256-CBC
remote-cert-tls server
remote mydomain.com 1194

iOS client config

Code: Select all

dev tun
proto udp
log openvpn.log
verb 3
client
float
tls-client 1
auth SHA256
cipher AES-256-CBC
remote-cert-tls server
remote mydomain.com 1194
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

OpenVPN server log unsuccesful attempt to connect iOS on same Network

Code: Select all

Thu Oct  1 18:32:28 2015 OpenVPN 2.3.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 24 2015
Thu Oct  1 18:32:28 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
Thu Oct  1 18:32:28 2015 WARNING: --keepalive option is missing from server config
Thu Oct  1 18:32:28 2015 Diffie-Hellman initialized with 2048 bit key
Thu Oct  1 18:32:28 2015 Control Channel Authentication: using '/etc/openvpn/tls-auth.key' as a OpenVPN static key file
Thu Oct  1 18:32:28 2015 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Oct  1 18:32:28 2015 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Oct  1 18:32:28 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Oct  1 18:32:28 2015 TUN/TAP device tun0 opened
Thu Oct  1 18:32:28 2015 TUN/TAP TX queue length set to 100
Thu Oct  1 18:32:28 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct  1 18:32:28 2015 /sbin/ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2 mtu 1500
Thu Oct  1 18:32:28 2015 /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.2
Thu Oct  1 18:32:28 2015 UDPv4 link local (bound): [undef]
Thu Oct  1 18:32:28 2015 UDPv4 link remote: [undef]
Thu Oct  1 18:32:28 2015 MULTI: multi_init called, r=256 v=256
Thu Oct  1 18:32:28 2015 IFCONFIG POOL: base=10.0.0.4 size=62, ipv6=0
Thu Oct  1 18:32:28 2015 Initialization Sequence Completed
Thu Oct  1 18:32:34 2015 192.168.1.204:51248 TLS: Initial packet from [AF_INET]192.168.1.204:51248, sid=0048555a 28cb39fe
Thu Oct  1 18:32:36 2015 192.168.1.204:51248 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1443717154) Thu Oct  1 18:32:34 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Oct  1 18:32:36 2015 192.168.1.204:51248 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.204:51248
Thu Oct  1 18:32:38 2015 192.168.1.204:51248 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1443717154) Thu Oct  1 18:32:34 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Oct  1 18:32:38 2015 192.168.1.204:51248 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.204:51248
Thu Oct  1 18:32:40 2015 192.168.1.204:51248 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1443717154) Thu Oct  1 18:32:34 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Oct  1 18:32:40 2015 192.168.1.204:51248 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.204:51248
Thu Oct  1 18:32:42 2015 192.168.1.204:51248 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1443717154) Thu Oct  1 18:32:34 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Oct  1 18:32:42 2015 192.168.1.204:51248 TLS Error: incoming packet authentication failed from [AF_INET]192.168.1.204:51248
Thu Oct  1 18:33:34 2015 192.168.1.204:51248 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Oct  1 18:33:34 2015 192.168.1.204:51248 TLS Error: TLS handshake failed
Thu Oct  1 18:33:34 2015 192.168.1.204:51248 SIGUSR1[soft,tls-error] received, client-instance restarting

OpenVPN server log succesvol attempt to connect iOS from an outside Network

Code: Select all

Thu Oct  1 18:35:40 2015 OpenVPN 2.3.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 24 2015
Thu Oct  1 18:35:40 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
Thu Oct  1 18:35:40 2015 WARNING: --keepalive option is missing from server config
Thu Oct  1 18:35:40 2015 Diffie-Hellman initialized with 2048 bit key
Thu Oct  1 18:35:40 2015 Control Channel Authentication: using '/etc/openvpn/tls-auth.key' as a OpenVPN static key file
Thu Oct  1 18:35:40 2015 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Oct  1 18:35:40 2015 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Oct  1 18:35:40 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Thu Oct  1 18:35:40 2015 TUN/TAP device tun0 opened
Thu Oct  1 18:35:40 2015 TUN/TAP TX queue length set to 100
Thu Oct  1 18:35:40 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct  1 18:35:40 2015 /sbin/ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2 mtu 1500
Thu Oct  1 18:35:40 2015 /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.2
Thu Oct  1 18:35:40 2015 UDPv4 link local (bound): [undef]
Thu Oct  1 18:35:40 2015 UDPv4 link remote: [undef]
Thu Oct  1 18:35:40 2015 MULTI: multi_init called, r=256 v=256
Thu Oct  1 18:35:40 2015 IFCONFIG POOL: base=10.0.0.4 size=62, ipv6=0
Thu Oct  1 18:35:40 2015 Initialization Sequence Completed
Thu Oct  1 18:35:50 2015 xx.xxx.xxx.xxx:57009 TLS: Initial packet from [AF_INET]xx.xxx.xxx.xxx:57009, sid=e1751e10 de3e3892
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 VERIFY OK: depth=1, C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=XX CA, name=EasyRSA, emailAddress=gijs@mydomain.com
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 Validating certificate key usage
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 ++ Certificate has key usage  0080, expects 0080
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 VERIFY KU OK
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 Validating certificate extended key usage
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 VERIFY EKU OK
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 VERIFY OK: depth=0, C=XX, ST=XX, L=XX, O=XX, OU=XX, CN=gijs-iphone, name=EasyRSA, emailAddress=gijs@mydomain.com
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Oct  1 18:35:51 2015 xx.xxx.xxx.xxx:57009 [gijs-iphone] Peer Connection Initiated with [AF_INET]xx.xxx.xxx.xxx:57009
Thu Oct  1 18:35:51 2015 gijs-iphone/xx.xxx.xxx.xxx:57009 MULTI_sva: pool returned IPv4=10.0.0.6, IPv6=(Not enabled)
Thu Oct  1 18:35:51 2015 gijs-iphone/xx.xxx.xxx.xxx:57009 MULTI: Learn: 10.0.0.6 -> gijs-iphone/xx.xxx.xxx.xxx:57009
Thu Oct  1 18:35:51 2015 gijs-iphone/xx.xxx.xxx.xxx:57009 MULTI: primary virtual IP for gijs-iphone/xx.xxx.xxx.xxx:57009: 10.0.0.6
Thu Oct  1 18:35:51 2015 gijs-iphone/xx.xxx.xxx.xxx:57009 PUSH: Received control message: 'PUSH_REQUEST'
Thu Oct  1 18:35:51 2015 gijs-iphone/xx.xxx.xxx.xxx:57009 send_push_reply(): safe_cap=940
Thu Oct  1 18:35:51 2015 gijs-iphone/xx.xxx.xxx.xxx:57009 SENT CONTROL [gijs-iphone]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 185.83.217.248,dhcp-option DNS 93.158.205.94,route 10.0.0.0 255.255.255.0,topology net30,ifconfig 10.0.0.6 10.0.0.5' (status=1)
Thu Oct  1 18:35:55 2015 gijs-iphone/xx.xxx.xxx.xxx:57009 IP packet with unknown IP version=2 seen

Post by **maikcat** » Fri Oct 02, 2015 5:56 am

trying to connect to wan ip while in the same lan is not a good idea...
generally trying to connect while pushing routes to your client while in the same lan is not a good idea..

can you try to use your routers lan ip instead?

Michael.

ghmfranken · Post by **ghmfranken** » Sun Oct 04, 2015 2:30 am

I replaced the external want IP with the internal IP of the VPN Server (i.e. remote 192.168.1.1 1194). The iOS client now succesfully connects.

Is it unpredictable routing behaviour that the Windows client in fact can log on with thee external wan IP whereas the iOS client can not? Is there a wat I can configure the OpenWRT router to change this routing behaviour?

Traffic · Post by **Traffic** » Mon Oct 05, 2015 11:13 am

FYI:

NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.

ghmfranken · Post by **ghmfranken** » Sun Oct 18, 2015 8:34 pm

@Traffic: thank you for the tip. I changed my subnet address to 10.5.1.x. I assume this is less common? Or do you have an other suggestion?

Traffic · Post by **Traffic** » Mon Oct 19, 2015 11:17 am

ghmfranken wrote:I changed my subnet address to 10.5.1.x. I assume this is less common?

Good choice .. The simple problem is that many private LANs used at f.e CoffeeShops are 192.168.0.0 or 1.0 .. If your server side LAN uses the same subnet then this can cause routing conflicts. Any other random RFC1918 LAN is more suitable for the server LAN.

OpenVPN Support Forum

Unable to connect w/ iOS to VPN server on same network

Unable to connect w/ iOS to VPN server on same network

Re: Unable to connect w/ iOS to VPN server on same network

Re: Unable to connect w/ iOS to VPN server on same network

Re: Unable to connect w/ iOS to VPN server on same network

Re: Unable to connect w/ iOS to VPN server on same network

Re: Unable to connect w/ iOS to VPN server on same network