After updating my VPN server to OpenVPN 2.4.0 (Debian stretch) I’ve got the error message “SSL - Verification of the message MAC failed” on my iPad 1 with iOS version 5.1.1. My iOS OpenVPN app has version 1.1.1 build 212.
I didn’t change my configuration files and my iPad Air with iOS version 10.3.3 is still working with the same configuration. Could anybody tell me if there is a legacy option to get the same behaviour as in the old OpenVPN 2.3.4 (Debian jessie)? Do you have any other idea to get my iPad 1 connected again?
Thank you and best regards
Here are my config files and logs for this issue.
My Server Config File
server 192.168.5.0 255.255.255.128
ifconfig-pool-persist ipad/ipp_ipad.txt
push "redirect-gateway def1"
tls-server
dev tun-ipad
client-to-client
proto tcp-server
port XXX
ca ipad/ca.crt
cert ipad/server.crt
key ipad/server.key
crl-verify ipad/crl.pem
dh ipad/dh2048.pem
tls-auth ipad/tls_auth.key
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nogroup
daemon openvpn_ipad
verb 3
My iPad Config File
client
tls-client
dev tun
remote server_name.de
resolv-retry infinite
nobind
proto tcp-client
port XXX
persist-tun
persist-key
user nobody
group nogroup
<ca>
--STRIPPED INLINE CA CERT--
</ca>
<tls-auth>
--STRIPPED INLINE TLS-AUTH KEY--
</tls-auth>
<cert>
--STRIPPED INLINE CERT--
</cert>
<key>
--STRIPPED INLINE KEY--
</key>
Here is my iPad logging file. You can see the full exception in row 26.
iPad Logging
2018-04-14 22:04:48 Connecting to server_name.de:XXX (XXX.XXX.XXX.XXX) via TCPv4
Thank you for the reply. First I tried your hint with the key direction, but it didn't help. Then I removed the tls declarative entirely, but I still got the error message "Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Verification of the message MAC failed".
By the way, for the iPad 1 I cannot install a higher version than 5.1.1, and for the app I also get no offer for a higher version in the App Store. Even if I believe that the reason is rather a buggy implementation in this version, unfortunately I can only change something on the server side. But as I said, with an older version of OpenVPN on the server side, it worked perfectly.
Does anybody maybe have any other idea?
Thank you in advance
Thanks a lot, now it is working again. I have downgraded to the version in Debian jessie.
I'm wondering if I'm now disconnected from the update path of openvpn and openssl. This could lead to serious security trouble. If you have an idea how I can still get automatic security updates, please let me know.
Because it was not so easy, I documented it here in case someone else has the same problem as me.
First create the file /etc/apt/sources.list.d/jessie.list with the following content.
Then load the new repositories with apt update.
Then install the old version of openssl with apt install openssl/jessie
Then check all available versions of openvpn with apt-cache policy openvpn
Then install the old version of openvpn with this command apt-get install openvpn=2.3.4-5+deb8u2. The version can differ in your case.
Now restart openvpn. You have successfully downgraded both packages.
Then lock this version with the following commands. Otherwise you get back to the newest version of these packages with cron-apt.
Lock Version
apt-mark hold openssl
apt-mark hold openvpn
You can check the status of these packages with this command.
State Selection
dpkg --get-selections | grep 'openvpn\|openssl'
With these commands you can check the versions of these packages.
Well, I’m absolutely aware that this is no solution for the long term, but could you give me a hint how I can solve this issue in version 2.4?
And can anybody tell me the date when 2.3 runs out of maintenance? I plan to replace the iPad 1 in a couple of months, but until then it needs to work.
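
The worry raised in the thread, that `apt-mark hold` cuts the downgraded packages off from updates, can be checked mechanically. The script below is an added example, not part of the original posts: it reads `apt-cache policy` output and lists the other builds that a given suite offers for each package, so an update published for jessie is noticed even while the hold is in place. The function names, `mirror.example` and the PLACEHOLDER versions are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. For packages held at an older release,
# list the other builds the old suite offers, so an update published there
# is noticed even though the hold stops apt from installing it.

# suite_builds SUITE: reads `apt-cache policy` output on stdin and prints
# "package installed available" for each SUITE version that is not installed.
suite_builds() {
    awk -v suite="$1" '
        NF == 1 && /:$/    { pkg = substr($1, 1, length($1) - 1); next }
        $1 == "Installed:" { inst = $2; next }
        $1 == "***"        { ver = $2; next }          # installed table entry
        NF == 2 && $2 ~ /^-?[0-9]+$/ { ver = $1; next } # other table entries
        $NF == "Packages" && index($3, suite "/") == 1 &&
            ver != inst && !seen[pkg, ver]++ { print pkg, inst, ver }'
}

# Constructed sample. Only 2.3.4-5+deb8u2 is from the thread; mirror.example
# and the PLACEHOLDER versions are made up.
sample_policy() {
    cat <<'EOF'
openvpn:
  Installed: 2.3.4-5+deb8u2
  Candidate: 2.4.0-PLACEHOLDER
  Version table:
     2.4.0-PLACEHOLDER 500
        500 http://mirror.example/debian stretch/main amd64 Packages
     2.3.4-PLACEHOLDER-NEWER 500
        500 http://mirror.example/security jessie/updates/main amd64 Packages
 *** 2.3.4-5+deb8u2 500
        500 http://mirror.example/debian jessie/main amd64 Packages
        100 /var/lib/dpkg/status
openssl:
  Installed: jessie-PLACEHOLDER
  Candidate: stretch-PLACEHOLDER
  Version table:
     stretch-PLACEHOLDER 500
        500 http://mirror.example/debian stretch/main amd64 Packages
 *** jessie-PLACEHOLDER 500
        500 http://mirror.example/debian jessie/main amd64 Packages
EOF
}

if [ "${1:-}" = "--live" ]; then   # real server: query every held package
    held=$(apt-mark showhold)
    if [ -n "$held" ]; then apt-cache policy $held | suite_builds jessie; fi
else
    sample_policy | suite_builds jessie
fi
```

The script only reports that a different build exists in the suite; whether it is newer than the installed one can be decided with `dpkg --compare-versions` before unholding and installing it.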