Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

[ordex]

Sure, I'll keep you posted by updating this thread!

[ordex]

Can any of you confirm that this error exists also when the server is running OpenVPN 2.4.x ?
Or have you seen it only against 2.3.x servers?

thanks

[markymarrow]

Getting the Authenticate/Decrypt packet error on a server running 2.4.4

I've been using a mobileconfig for VoD, have just switched to embedding the cert/key in the vendor config instead of a payload (as that no longer works).
If I set vpn-on-demand:0, I can connect without a problem via the OpenVPN app, but I get the above issue when trying to connect via the settings app.

[ordex]

Regarding the tls-auth issue: I believe we have found the root cause. It is a subtle change in behaviour that diverted from the community edition.

As far as I can see from the posted configurations, those of you having the issue are using the *tls-auth* option without *key-direction*.
The *key-direction* is a number (either 0 or 1) that is specified after the tls-auth file. Would you please specify it and see if it works?
An option is to have 0 on the server and 1 on the client, like this:

server:

Code: Select all

tls-auth file.key 0

client:

Code: Select all

tls-auth file.key 1

Those of you using an embedded tls-auth, can specify the key direction with an additional config option like this:

Code: Select all

<tls-auth>
XXXXXXX
xxxxxxxxx
XXXXXXX
</tls-auth>
key-direction Z

where Z is either 0 or 1 like above.

[ordex]

Getting the Authenticate/Decrypt packet error on a server running 2.4.4

I've been using a mobileconfig for VoD, have just switched to embedding the cert/key in the vendor config instead of a payload (as that no longer works).
If I set vpn-on-demand:0, I can connect without a problem via the OpenVPN app, but I get the above issue when trying to connect via the settings app.

could you please open another thread and paste the full log? Given what you are saying it seems like a different problem.
Thanks!

[Tg92]

hi,

I have solve my trouble. On server side I replace
tls-auth /path/ta.key
by
tls-auth /path/ta.key 1

and in the ovpn client configuration file I add
key-direction 0

It is just the opposite of the documentation found on https://gist.github.com/frengky/79597bad4eda1a3f1f24

Code: Select all

In the server configuration, add:
    tls-auth ta.key 0
In the client configuration, add:
    tls-auth ta.key 1

but it is working.


Now, I have another trouble. When I establish the connection and lock my iPhone version 11.2.2. When I unlock it after 2-3 minutes, the vpn connection is not established automatically like before.
I have sometimes this behavior with the old version but with the new one it is systematic

[anatoli]

I can confirm that with 'tls-auth file.key 0/1' and/or 'key-direction X' on *both* client and server 1.2.5 works fine. When do you expect the new release to be available in the AppStore?

[anatoli]

With respect to what @Tg92 reports at the bottom of his/her latest message that:

when I unlock it after 2-3 minutes, the vpn connection is not established automatically like before

I'm testing this for more than a hour already and everything looks fine (I have in the iOS settings: Seamless tunnel, Reconnect on wakeup, Timeout none, NW state detection active and Layer 2 reachability). Moreover, it looks to work better than the 1.1.1 version in the sense that 1.1.1 was dropping the connection on sleep and reconnecting on wakeup, but this version maintains it permanently on, so push notifications while on WiFi and some apps that depend on the tunnel (e.g. VoIP with inside-VPN PBX) are working better now.

I can imagine this should have some impact on battery, but in my case the latest phones have enough energy for a working day so no problem.

Anyway, I'm waiting for a fix to the 'tls-auth' option requiring the direction in 1.2.5 as it's not feasible to update all the endpoints currently in production. BTW, according to the official documentation, the direction is an optional param both in 2.3 and 2.4.

[ordex]

With respect to what @Tg92 reports at the bottom of his/her latest message that:

when I unlock it after 2-3 minutes, the vpn connection is not established automatically like before

I'm testing this for more than a hour already and everything looks fine (I have in the iOS settings: Seamless tunnel, Reconnect on wakeup, Timeout none, NW state detection active and Layer 2 reachability). Moreover, it looks to work better than the 1.1.1 version in the sense that 1.1.1 was dropping the connection on sleep and reconnecting on wakeup, but this version maintains it permanently on, so push notifications while on WiFi and some apps that depend on the tunnel (e.g. VoIP with inside-VPN PBX) are working better now.

Glad to hear that. However, if anybody wants to continue this topic, please let's open another thread so we can continue the discussion there.

I can imagine this should have some impact on battery, but in my case the latest phones have enough energy for a working day so no problem.

Yeah, that's the drawback.

Anyway, I'm waiting for a fix to the 'tls-auth' option requiring the direction in 1.2.5 as it's not feasible to update all the endpoints currently in production. BTW, according to the official documentation, the direction is an optional param both in 2.3 and 2.4.

Yeah, it's optional. That's why a fix is required

[anatoli]

ordex, now that the root causes for most of the reported bugs are identified, any ETA for the new release?

[ordex]

ordex, now that the root causes for most of the reported bugs are identified, any ETA for the new release?

We're already rolling out a beta release including what we have fixed so far. If you are interested in joining the beta program, please drop me a PM.

Thanks

[peter_sm]

[
We're already rolling out a beta release including what we have fixed so far. If you are interested in joining the beta program, please drop me a PM.

Thanks

Hi , I'm not authorised to send private messages.
Can you add me to the beta program?

Thanks

[Tg92]

With respect to what @Tg92 reports at the bottom of his/her latest message that:

when I unlock it after 2-3 minutes, the vpn connection is not established automatically like before

I'm testing this for more than a hour already and everything looks fine (I have in the iOS settings: Seamless tunnel, Reconnect on wakeup, Timeout none, NW state detection active and Layer 2 reachability). Moreover, it looks to work better than the 1.1.1 version in the sense that 1.1.1 was dropping the connection on sleep and reconnecting on wakeup, but this version maintains it permanently on, so push notifications while on WiFi and some apps that depend on the tunnel (e.g. VoIP with inside-VPN PBX) are working better now.

Glad to hear that. However, if anybody wants to continue this topic, please let's open another thread so we can continue the discussion there.

I can imagine this should have some impact on battery, but in my case the latest phones have enough energy for a working day so no problem.

Yeah, that's the drawback.

Anyway, I'm waiting for a fix to the 'tls-auth' option requiring the direction in 1.2.5 as it's not feasible to update all the endpoints currently in production. BTW, according to the official documentation, the direction is an optional param both in 2.3 and 2.4.

Yeah, it's optional. That's why a fix is required

I have still the trouble. I have an iPhone SE with the last version of IOS.
I put my openVPN configuration below

[anatoli]

I suggest you open a new post with the detailed description of the problem, the steps to reproduce it (if you know) and the server and client configs and logs, as this thread is about a different problem.

[anatoli]

For me this issue is solved in the 1.2.6.1-3 betas. Waiting for the release in AppStore.

[samide]

We're already rolling out a beta release including what we have fixed so far. If you are interested in joining the beta program, please drop me a PM.

Thanks

Hi , I tried to message you but I’m still not allowed to send private messages.

can you add me to the beta program ?

Thanks

[ordex]

OpenVPN Connect for iOS 1.2.6 is out!

Please refer to this post if you want to submit bugs of feature requests: viewtopic.php?f=36&t=25650

Thanks!