PolarSSL: error parsing config private key

Posted: Mon Jan 28, 2013 2:00 pm
by rdk@krupczak.org
Hi!

I was thrilled to finally see an OpenVPN client for iOS devices!

I'm struggling with getting my client to work. I have laptop and desktop clients all working with my VPN server using the easy-RSA approach for authentication.

I've created a similar client-config and key/cert for my iOS device but I get the following error when trying to connect to my OpenVPN server:

2013-01-23 13:29:22 EVENT: CORE_ERROR PolarSSL: error parsing config private key: X509 - Invalid RSA key tag or value : ASN1 - ASN1 tag was of an unexpected value [ERR]

My private key for the iOS device is RSA in PEM mode.

My cert is also in x509 mode.

Do you guys know what the error code means and/or how to fix this?

Thanks,

Bobby

Re: PolarSSL: error parsing config private key

Posted: Tue Jan 29, 2013 2:11 am
by jamesyonan
If you can generate a test certificate/key pair that causes this error in PolarSSL, we can certainly take a look at it.

James

Re: PolarSSL: error parsing config private key

Posted: Tue Jan 29, 2013 3:16 am
by rdk@krupczak.org
Hi!

I guess it would be nice to know first if the iOS openvpn software will use keys/certs/CA using the easy-ca distro included in the UNIX/Linux openvpn software. I'm currently using that for my desktop/laptop/net-to-net VPNs.

Does the iOS openvpn software work with easy-ca generated keys/certs?

What format do the keys and certs need to be in when loaded onto an iOS device?

Thanks,

Bobby

Re: PolarSSL: error parsing config private key

Posted: Tue Jan 29, 2013 9:45 am
by jamesyonan
The easy-rsa scripts generate standard X509 certs and RSA keys in PEM format which should be compatible with any OpenVPN version.

James

Re: PolarSSL: error parsing config private key

Posted: Tue Jan 29, 2013 4:36 pm
by rdk@krupczak.org
Hi!

I used the standard easy-rsa scripts and they are working with my existing openvpn setup. So, while they should work with iOS openvpn, it's clear that there are cases where they don't.

Did the openvpn folks test with easy-rsa?

I'm not sure I want to post my certs and key as I would then need to invalidate and re-issue them for all my existing clients.

Any other pointers to error messages and what they mean? Is polar_ssl an iOS package?

Thanks,

Bobby

Re: PolarSSL: error parsing config private key

Posted: Wed Jan 30, 2013 7:56 am
by peterloron
I am also seeing the same issue.

Re: PolarSSL: error parsing config private key

Posted: Wed Jan 30, 2013 11:08 am
by jamesyonan
I just tested this with a set of certs/keys generated by easy-rsa, and I'm not seeing any problems. I used the 2.0 version on Linux, and made one edit to the vars file to set KEY_SIZE=2048.

I generated ca, dh, client, and server certs with standard commands:

. vars
./clean-all
./pkitool --initca
./pkitool --server myserver
./pkitool client1
./build-dh

I then wrapped these up into a test client/server configuration and connected using the iOS client. Everything worked as expected.

Re: PolarSSL: error parsing config private key

Posted: Wed Jan 30, 2013 9:35 pm
by rdk@krupczak.org
Hi!

My easy-rsa was set up similarly.

However, I'm using the default 1024 key size. Is this going to be a problem?

Also, did you create a single .ovpn file and put the keys in it?

I'm using separate files for .ovpn, keys, and certs.

Thanks,

Bobby

Re: PolarSSL: error parsing config private key

Posted: Wed Jan 30, 2013 10:08 pm
by kamiwa
I am also seeing the same issue.

Config file plus certificates are working fine in Tunnelblick and with OpenVPN GUI under Windows but not in OpenVPN Connect under iOS.

2013-01-30 22:54:06 ----- OpenVPN Start -----
2013-01-30 22:54:06 EVENT: CORE_ERROR PolarSSL: error parsing config private key : X509 - Invalid RSA key tag or value : ASN1 - ASN1 tag was of an unexpected value [ERR]
2013-01-30 22:54:06 Raw stats on disconnect:
2013-01-30 22:54:06 Performance stats on disconnect:
CPU usage (microseconds): 5887
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0
2013-01-30 22:54:06 ----- OpenVPN Stop -----
2013-01-30 22:54:06 EVENT: DISCONNECT_PENDING

:(

Re: PolarSSL: error parsing config private key

Posted: Thu Jan 31, 2013 3:03 am
by peterloron
I'm also using separate ovpn and cert files. Works fine with Tunnelblick, not with the iOS client.

Re: PolarSSL: error parsing config private key

Posted: Thu Jan 31, 2013 8:42 am
by pjbakker
If somebody can send over a test priv key we can have a look at it!

Paul Bakker
Lead Maintainer for the PolarSSL SSL Library (https://polarssl.org)

Re: PolarSSL: error parsing config private key

Posted: Thu Jan 31, 2013 2:46 pm
by rdk@krupczak.org
Hi Paul!

I filled out the contact form on Polarssl.org website in order to get your email address. I'll email a private key to you directly to test out. If/when you figure out what I'm doing wrong, I'll post a workaround/solution to this forum.

Thanks!

Bobby

Re: PolarSSL: error parsing config private key

Posted: Thu Jan 31, 2013 3:38 pm
by pjbakker
Hi Bobby,

The keyfile is read just fine with the current version of PolarSSL.

@James: Which version of PolarSSL is used within the iOS client?
Maybe I can write a small patch to fix this issue then.

Paul

Re: PolarSSL: error parsing config private key

Posted: Fri Feb 01, 2013 10:46 pm
by rdk@krupczak.org
Hi!

I'm using an iPad running iOS 5.1.1

What version of iOS/PolarSSL did you test my key on? (Thanks by the way for testing it for me!)

Is it possible to upgrade the PolarSSL w/o upgrading my iOS?

Did the OpenVPN folks test on any iOS releases earlier than 6.0?

I hate to come off as so demanding for support for something I got for free!

If I have to upgrade iOS, I will but I'd like to avoid upgrading unless there is a compelling reason. I don't want to break my other software.

Thanks,

Bobby

Re: PolarSSL: error parsing config private key

Posted: Sat Feb 02, 2013 12:30 pm
by jamesyonan
OpenVPN Connect on iOS (1.0.0) uses PolarSSL 1.1.4.

There is no difference as far as which iOS release is used -- it should work on iOS 5 or higher.

But if there is an issue with PolarSSL that requires an update to the library, we would need to release a new build of OpenVPN to incorporate that.

James

Re: PolarSSL: error parsing config private key: solution

Posted: Mon Feb 04, 2013 8:52 am
by ungaghllalek
Hi,

I had the same problem with keys generated by openssl >= 1.0.0, but not with keys generated by openssl <= 0.9.X

The difference is the key format, which was RSA in the past but seems to be PKCS8 in 1.0.0. The PKCS8-format is not parsed by PolarSSL.

One solution is to generate the keys with 'openssl genrsa ....'

You can also convert your existing keys with: openssl rsa -in original.key -out converted.key

This did it for me, both on iOS and Android devices.

Re: PolarSSL: error parsing config private key

Posted: Mon Feb 04, 2013 1:13 pm
by rdk@krupczak.org
Hi!

My keys were generated by pkitool script included in the easy-rsa component of OpenSSL.

This is already getting not easy.

What is the current version of PolarSSL that was used to test my key? I take it that it is not 1.0?

I'm now wondering how I can generate keys that will work with openvpn 1.0 on my ipad and also work with my existing deployed openvpn server.

Thanks,

Bobby

Re: PolarSSL: error parsing config private key

Posted: Tue Feb 05, 2013 3:40 pm
by rdk@krupczak.org
Hi!

My keys are RSA in pem format.

Not sure what else I can do.

Bobby

Re: PolarSSL: error parsing config private key

Posted: Tue Feb 05, 2013 4:11 pm
by rdk@krupczak.org
Hi!

Re ungaghllalek

I think I see what you mean. I more closely examined my key files for previously generated keys vs. what is being generated now. What I see is:

older keys: -----BEGIN RSA PRIVATE KEY-----

new key: -----BEGIN PRIVATE KEY-----

I converted my key explicitly to rsa using your command above and will try this key out on my iPad today. I'll report my results. I'm wondering what the default key format is for openssl in later versions?

Thanks,

Bobby
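
The two key formats this thread turns on (the RSA versus PKCS8 difference and the two BEGIN lines quoted above), as an added example that is not part of any forum post or of the OpenVPN or PolarSSL code. It classifies a PEM private key by its label and by the ASN.1 tag that follows the version field; the function names are hypothetical and the sample keys are constructed toy values, not usable keys.

```python
import base64
import re

def der(tag, body):
    """Encode one DER TLV; short-form length only, enough for the toy samples."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long form: low 7 bits = count of length bytes
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def to_pem(label, body):
    b64 = base64.encodebytes(body).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

def classify(pem):
    """Return (PEM label, ASN.1 layout) for an unencrypted private key."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        return (None, "not PEM")
    outer, seq, _ = read_tlv(base64.b64decode(m.group(2)))
    first, _, pos = read_tlv(seq)     # version INTEGER in both layouts
    second, _, _ = read_tlv(seq, pos)
    # PKCS#1: next is INTEGER n (0x02). PKCS#8: next is a SEQUENCE (0x30), so a
    # PKCS#1-only parser meets an unexpected tag where it wants the modulus.
    layout = "unknown"
    if (outer, first) == (0x30, 0x02):
        names = {0x02: "PKCS#1 RSAPrivateKey", 0x30: "PKCS#8 PrivateKeyInfo"}
        layout = names.get(second, "unknown")
    return (m.group(1), layout)

# Constructed toy values (p=5, q=7): n, e, d, p, q, dP, dQ, qInv. Not a usable key.
TOY = (35, 5, 5, 5, 7, 1, 5, 3)
PKCS1 = der(0x30, der(0x02, b"\x00") + b"".join(der(0x02, bytes([v])) for v in TOY))
RSA_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
PKCS8 = der(0x30, der(0x02, b"\x00") + RSA_ALG + der(0x04, PKCS1))
OLD_STYLE = to_pem("RSA PRIVATE KEY", PKCS1)   # header of the "older keys"
NEW_STYLE = to_pem("PRIVATE KEY", PKCS8)       # header of the "new key"

if __name__ == "__main__":
    for name, pem in (("older key", OLD_STYLE), ("new key", NEW_STYLE)):
        print(name, classify(pem))
```

Running `classify` over a converted key file confirms the label and layout before the file goes onto a device. With OpenSSL 3.x, `openssl rsa` needs `-traditional` to write the PKCS#1 form.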

Re: PolarSSL: error parsing config private key

Posted: Tue Feb 05, 2013 9:46 pm
by rdk@krupczak.org
Hi!

Converting the key from the unknown format to RSA via openssl rsa command did the trick and fixed my issue. I can now openvpn into my network using OpenVPN connect on my iOS iPad.

My openvpn server is running 2.x and it's interoperating just fine with the current version of OpenVPN on iOS.

Thanks,

Bobby