Hi!
I'm new to VPN and have a little problem connecting my iPhone to the server.
On my Asus RT-AC68u Router I enabled the VPN server. First I tested it with the TCP protocol on port 1194, everything works great; on my MacBook (via wifi in the same LAN) and on my iPhone (with 4G cellular and via wifi in the same LAN).
After that I changed one thing in the server settings, I changed the protocol from TCP to UDP, still on default port 1194. I exported the config file again, imported it in the OpenVPN iOS-app and tried to make a connection. With 4G cellular it works great but via wifi I get this TLS Error: "TLS key negotiation failed to occur within 60 seconds". It ends with a connection timeout. I tested it at home (same LAN as the server) and outside on another wifi/LAN. When I connect with my MacBook (Tunnelblick/same config file) to the VPN via wifi there is no problem using UDP.
Firewall on router is off, no port forwarding/-triggering.
Everything enabled at NAT Passthrough, but OpenVPN isn't there.
I also tested it on my iPad (also iOS 9.2), same problem.
I hope you guys can help me with this strange problem.
Thanks in advance!!!
Danny.
THE LOGS
192.168.1.1 = Router
192.168.1.105 = iPhone
(manually assigned)
Server/Router (Asus RT-AC68u):
Jan 8 09:33:06 openvpn[7068]: 192.168.1.105:54933 TLS: Initial packet from [AF_INET]192.168.1.105:54933, sid=bd257b7a ce66acff
Jan 8 09:33:15 openvpn[7068]: 192.168.1.105:51183 TLS: Initial packet from [AF_INET]192.168.1.105:51183, sid=cf8399e7 bba00712
Jan 8 09:33:25 openvpn[7068]: 192.168.1.105:52100 TLS: Initial packet from [AF_INET]192.168.1.105:52100, sid=8ae0c26c 422e09b5
Jan 8 09:33:35 openvpn[7068]: 192.168.1.105:58368 TLS: Initial packet from [AF_INET]192.168.1.105:58368, sid=84608a48 d0187bdb
Jan 8 09:33:45 openvpn[7068]: 192.168.1.105:53538 TLS: Initial packet from [AF_INET]192.168.1.105:53538, sid=af29c7f9 55938467
Jan 8 09:33:55 openvpn[7068]: 192.168.1.105:51671 TLS: Initial packet from [AF_INET]192.168.1.105:51671, sid=eb536368 dbc1c0ff
Jan 8 09:34:06 openvpn[7068]: 192.168.1.105:54933 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 8 09:34:06 openvpn[7068]: 192.168.1.105:54933 TLS Error: TLS handshake failed
Jan 8 09:34:06 openvpn[7068]: 192.168.1.105:54933 SIGUSR1[soft,tls-error] received, client-instance restarting
Client/iPhone (iOS 9.2):
2016-01-08 09:00:44 ----- OpenVPN Start -----
OpenVPN core 3.0 ios arm64 64-bit
2016-01-08 09:00:44 UNUSED OPTIONS
6 [keepalive] [15] [60]
12 [resolv-retry] [infinite]
13 [nobind]
2016-01-08 09:00:44 LZO-ASYM init swap=0 asym=0
2016-01-08 09:00:44 EVENT: RESOLVE
2016-01-08 09:00:45 Contacting 12.34.567.89:1194 via UDP
2016-01-08 09:00:45 EVENT: WAIT
2016-01-08 09:00:45 SetTunnelSocket returned 1
2016-01-08 09:00:45 Connecting to blablabla.net:1194 (12.34.567.89) via UDPv4
2016-01-08 09:00:54 Server poll timeout, trying next remote entry...
2016-01-08 09:00:54 EVENT: RECONNECTING
2016-01-08 09:00:54 LZO-ASYM init swap=0 asym=0
2016-01-08 09:00:54 EVENT: RESOLVE
2016-01-08 09:00:54 Contacting 12.34.567.89:1194 via UDP
2016-01-08 09:00:54 EVENT: WAIT
2016-01-08 09:00:54 SetTunnelSocket returned 1
2016-01-08 09:00:54 Connecting to blablabla.net:1194 (12.34.567.89) via UDPv4
2016-01-08 09:01:04 Server poll timeout, trying next remote entry...
2016-01-08 09:01:04 EVENT: RECONNECTING
2016-01-08 09:01:04 LZO-ASYM init swap=0 asym=0
2016-01-08 09:01:04 EVENT: RESOLVE
2016-01-08 09:01:04 Contacting 12.34.567.89:1194 via UDP
2016-01-08 09:01:04 EVENT: WAIT
2016-01-08 09:01:04 SetTunnelSocket returned 1
2016-01-08 09:01:04 Connecting to blablabla.net:1194 (12.34.567.89) via UDPv4
2016-01-08 09:01:14 Server poll timeout, trying next remote entry...
2016-01-08 09:01:14 EVENT: RECONNECTING
2016-01-08 09:01:14 LZO-ASYM init swap=0 asym=0
2016-01-08 09:01:14 EVENT: RESOLVE
2016-01-08 09:01:14 Contacting 12.34.567.89:1194 via UDP
2016-01-08 09:01:14 EVENT: WAIT
2016-01-08 09:01:14 SetTunnelSocket returned 1
2016-01-08 09:01:14 Connecting to blablabla.net:1194 (12.34.567.89) via UDPv4
2016-01-08 09:01:24 Server poll timeout, trying next remote entry...
2016-01-08 09:01:24 EVENT: RECONNECTING
2016-01-08 09:01:24 LZO-ASYM init swap=0 asym=0
2016-01-08 09:01:24 EVENT: RESOLVE
2016-01-08 09:01:24 Contacting 12.34.567.89:1194 via UDP
2016-01-08 09:01:24 EVENT: WAIT
2016-01-08 09:01:24 SetTunnelSocket returned 1
2016-01-08 09:01:24 Connecting to blablabla.net:1194 (12.34.567.89) via UDPv4
2016-01-08 09:01:34 Server poll timeout, trying next remote entry...
2016-01-08 09:01:34 EVENT: RECONNECTING
2016-01-08 09:01:34 LZO-ASYM init swap=0 asym=0
2016-01-08 09:01:34 EVENT: RESOLVE
2016-01-08 09:01:34 Contacting 12.34.567.89:1194 via UDP
2016-01-08 09:01:34 EVENT: WAIT
2016-01-08 09:01:34 SetTunnelSocket returned 1
2016-01-08 09:01:34 Connecting to blablabla.net:1194 (12.34.567.89) via UDPv4
2016-01-08 09:01:44 EVENT: CONNECTION_TIMEOUT [ERR]
2016-01-08 09:01:44 EVENT: DISCONNECTED
2016-01-08 09:01:44 Raw stats on disconnect:
BYTES_OUT : 420
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
N_RECONNECT : 5
2016-01-08 09:01:44 Performance stats on disconnect:
CPU usage (microseconds): 45231
Network bytes per CPU second: 9285
Tunnel bytes per CPU second: 0
2016-01-08 09:01:44 EVENT: DISCONNECT_PENDING
2016-01-08 09:01:44 ----- OpenVPN Stop -----
Config File:
client
dev tun
proto udp
remote blablabla.net 1194
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
blablabla
TLS Error - TUN/UDP with iPhone/iPad (iOS 9.2)
-
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Jan 08, 2016 7:59 am
Re: TLS Error - TUN/UDP with iPhone/iPad (iOS 9.2)
Hmmm... I think the problem is even bigger.
I tested the server again with protocol TCP. I thought this worked well on my iPhone with 4G cellular. When the connection is made, I go to http://whatsmyip.org and see the IP address of my iPhone, not the IP address at home, where my server is.
I made a port forwarding rule (1191 to 192.168.1.1 = my router), no change.
This isn't good, right?
OPENVPN LOG:
2016-01-09 11:37:12 ----- OpenVPN Start -----
OpenVPN core 3.0 ios arm64 64-bit
2016-01-09 11:37:12 UNUSED OPTIONS
6 [keepalive] [15] [60]
12 [resolv-retry] [infinite]
13 [nobind]
2016-01-09 11:37:12 LZO-ASYM init swap=0 asym=0
2016-01-09 11:37:12 EVENT: RESOLVE
2016-01-09 11:37:13 Contacting 12.34.567.89:1194 via TCP
2016-01-09 11:37:13 EVENT: WAIT
2016-01-09 11:37:13 SetTunnelSocket returned 1
2016-01-09 11:37:13 Connecting to blablabla.net:1194 (12.34.567.89) via TCPv4
2016-01-09 11:37:13 EVENT: CONNECTING
2016-01-09 11:37:13 Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2016-01-09 11:37:13 Creds: Username/Password
2016-01-09 11:37:13 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1
2016-01-09 11:37:13 VERIFY OK: depth=1
cert. version : 3
serial number : D4:6D:B4:6D:05:FF:47:1E
issuer name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
subject name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
issued on : 2016-01-04 19:38:18
expires on : 2026-01-01 19:38:18
signed using : RSA with SHA1
RSA key size : 1024 bits
basic constraints : CA=true
2016-01-09 11:37:13 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
subject name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
issued on : 2016-01-04 19:38:20
expires on : 2026-01-01 19:38:20
signed using : RSA with SHA1
RSA key size : 1024 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2016-01-09 11:37:14 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2016-01-09 11:37:14 Session is ACTIVE
2016-01-09 11:37:14 EVENT: GET_CONFIG
2016-01-09 11:37:14 Sending PUSH_REQUEST to server...
2016-01-09 11:37:14 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0]
1 [route] [10.8.0.1]
2 [topology] [net30]
3 [ping] [15]
4 [ping-restart] [60]
5 [ifconfig] [10.8.0.6] [10.8.0.5]
2016-01-09 11:37:14 LZO-ASYM init swap=0 asym=0
2016-01-09 11:37:14 EVENT: ASSIGN_IP
2016-01-09 11:37:14 Connected via tun
2016-01-09 11:37:14 EVENT: CONNECTED bla@blablabla.net:1194 (12.34.567.89) via /TCPv4 on tun/10.8.0.6/
2016-01-09 11:37:14 SetStatus Connected
2016-01-09 11:37:23 TUN reset routes
2016-01-09 11:37:23 EVENT: DISCONNECTED
2016-01-09 11:37:23 Raw stats on disconnect:
BYTES_IN : 3836
BYTES_OUT : 2822
PACKETS_IN : 22
PACKETS_OUT : 39
2016-01-09 11:37:23 Performance stats on disconnect:
CPU usage (microseconds): 243570
Network bytes per CPU second: 27335
Tunnel bytes per CPU second: 0
2016-01-09 11:37:23 ----- OpenVPN Stop -----
Re: TLS Error - TUN/UDP with iPhone/iPad (iOS 9.2)
Just updated to iOS 9.2.1, problem not solved.
Why does VPN over TCP work great, and UDP gives me a connection timeout?
Re: TLS Error - TUN/UDP with iPhone/iPad (iOS 9.2)
This is solved, I activated the button "Direct clients to redirect Internet traffic" in the VPN configuration. So, TCP works great but UDP not. Can't connect via UDP, does somebody have a solution?
dannyprods wrote:
Hmmm... I think the problem is even bigger.
I tested the server again with protocol TCP. I thought this worked well on my iPhone with 4G cellular. When the connection is made, I go to http://whatsmyip.org and see the IP address of my iPhone, not the IP address at home, where my server is.