iPad OpenVPN connection timeout

Posted: Sat Dec 28, 2013 1:19 pm
by athena
Hello,

I have the following configuration (some commands are commented out because I get "UNUSED OPTIONS" in the log). This works fine on a PC (Win 7). I load this onto my iPad through iTunes OK. But when I run it, I get a connection timeout error after one minute. I tried a TCP connection with the same result. Below is the log. What is wrong?

client
dev tun
proto udp
remote xxxxx 1195
;resolv-retry infinite
;nobind
;persist-key
;persist-tun
ns-cert-type server
;route-method exe
;route-delay 2
;ca ca.crt
;cert client4.crt
;key client4.key
;tls-client
;tls-auth ta.key 1
cipher BF-CBC
comp-lzo
;verb 3
reneg-sec 3600

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

<cert>
--
</cert>

<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

<tls-auth>

</tls-auth>

Log file:
2013-12-28 08:01:31 ----- OpenVPN Start (iOS 32-bit) -----
2013-12-28 08:01:31 LZO-ASYM init swap=0 asym=0
2013-12-28 08:01:31 EVENT: RESOLVE
2013-12-28 08:01:31 Contacting xx.yy.zz.tt:1195 via UDP
2013-12-28 08:01:31 EVENT: WAIT
2013-12-28 08:01:31 Connecting to xxxx:yyy(xx.yy.zz.t) via UDPv4
2013-12-28 08:01:41 Server poll timeout, trying next remote entry...
2013-12-28 08:01:41 EVENT: RECONNECTING
2013-12-28 08:01:41 LZO-ASYM init swap=0 asym=0
2013-12-28 08:01:41 EVENT: RESOLVE
2013-12-28 08:01:41 Contacting xx.yy.zz.tt:1195 via UDP
2013-12-28 08:01:41 EVENT: WAIT
2013-12-28 08:01:41 Connecting to xxxx:yyy(xx.yy.zz.t) via UDPv4
2013-12-28 08:01:51 Server poll timeout, trying next remote entry...
2013-12-28 08:01:51 EVENT: RECONNECTING
2013-12-28 08:01:51 LZO-ASYM init swap=0 asym=0
2013-12-28 08:01:51 EVENT: RESOLVE
2013-12-28 08:01:51 Contacting xx.yy.zz.tt:1195 via UDP
2013-12-28 08:01:51 EVENT: WAIT
2013-12-28 08:01:51 Connecting to xxxx:yyy(xx.yy.zz.t) via UDPv4
2013-12-28 08:02:01 Server poll timeout, trying next remote entry...
2013-12-28 08:02:01 EVENT: RECONNECTING
2013-12-28 08:02:01 LZO-ASYM init swap=0 asym=0
2013-12-28 08:02:01 EVENT: RESOLVE
2013-12-28 08:02:01 Contacting xx.yy.zz.tt:1195 via UDP
2013-12-28 08:02:01 EVENT: WAIT
2013-12-28 08:02:01 Connecting to xxxx:yyy(xx.yy.zz.t) via UDPv4
2013-12-28 08:02:11 Server poll timeout, trying next remote entry...
2013-12-28 08:02:11 EVENT: RECONNECTING
2013-12-28 08:02:11 LZO-ASYM init swap=0 asym=0
2013-12-28 08:02:11 EVENT: RESOLVE
2013-12-28 08:02:11 Contacting xx.yy.zz.tt:1195 via UDP
2013-12-28 08:02:11 EVENT: WAIT
2013-12-28 08:02:11 Connecting to xxxx:yyy(xx.yy.zz.t) via UDPv4
2013-12-28 08:02:21 Server poll timeout, trying next remote entry...
2013-12-28 08:02:21 EVENT: RECONNECTING
2013-12-28 08:02:21 LZO-ASYM init swap=0 asym=0
2013-12-28 08:02:21 EVENT: RESOLVE
2013-12-28 08:02:21 Contacting xx.yy.zz.tt:1195 via UDP
2013-12-28 08:02:21 EVENT: WAIT
2013-12-28 08:02:21 Connecting to xxxx:yyy(xx.yy.zz.t) via UDPv4
2013-12-28 08:02:31 EVENT: CONNECTION_TIMEOUT [ERR]
2013-12-28 08:02:31 EVENT: DISCONNECTED
2013-12-28 08:02:31 Raw stats on disconnect:
BYTES_OUT : 1260
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
N_RECONNECT : 5
2013-12-28 08:02:31 Performance stats on disconnect:
CPU usage (microseconds): 85815
Network bytes per CPU second: 14682
Tunnel bytes per CPU second: 0
2013-12-28 08:02:31 ----- OpenVPN Stop -----
2013-12-28 08:02:31 EVENT: DISCONNECT_PENDING

Re: iPad OpenVPN connection timeout

Posted: Sat Dec 28, 2013 1:25 pm
by jacob_g
Wow.. we posted pretty well the exact same problem within 2 minutes of each other. Hopefully someone will have an answer for one of us! :)

Re: iPad OpenVPN connection timeout

Posted: Sun Dec 29, 2013 4:33 am
by athena
Hello Jacob,

If you Google this question you will find many such posts with no solution. Too many reviewed our posts but not a single one answered. The script I am using for iPad works well for PC. So I am puzzled what is special in iOS for this script that OpenVPN cannot handle. You would think it should be obvious to many who have more sophisticated scripts. Let's hope that somebody will come up with a solution. Otherwise, I will not be able to use VPN on my iPad unfortunately.

If I get any answer not public I will let you know.

Re: iPad OpenVPN connection timeout

Posted: Tue Dec 31, 2013 2:33 am
by jamesyonan
The log file shows that the server isn't responding to the connection request.

If you are able to look at the server-side log file, check that as well to see if there's any error message when the connection is failing.

James

Re: iPad OpenVPN connection timeout

Posted: Tue Jan 14, 2014 10:04 pm
by celsowebber
Hi, I hate saying "me too", but this exact problem is happening to me right now.

Environment:
* Device: iPad mini iOS 7.0.4 (11B554a)
* Client: OpenVPN 1.0.3 build 108 (iOS 32-bit)
* Server: OpenVPN 2.0.9 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007

Symptoms:
* Windows PC or Mac OS X connects fine, using TUN over TCP (works with TAP too, but it's not supported on iOS client)
* Client logs:
2014-01-14 19:43:24 ----- OpenVPN Start (iOS 32-bit) -----
2014-01-14 19:43:24 UNUSED OPTIONS
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
9 [mute-replay-warnings]
19 [verb] [3]

2014-01-14 19:43:24 LZO-ASYM init swap=0 asym=0
2014-01-14 19:43:24 EVENT: RESOLVE
2014-01-14 19:43:24 Contacting 177.19.224.132:9907 via TCP
2014-01-14 19:43:24 EVENT: WAIT
2014-01-14 19:43:24 Connecting to vpn.webbertek.com.br:9907 (177.19.224.132) via TCPv4
2014-01-14 19:43:24 EVENT: CONNECTING
2014-01-14 19:44:04 Session invalidated: KEEPALIVE_TIMEOUT

<<< wait 40 seconds >>>

2014-01-14 19:44:04 Client terminated, restarting in 2...
2014-01-14 19:44:06 EVENT: RECONNECTING
2014-01-14 19:44:06 LZO-ASYM init swap=0 asym=0
2014-01-14 19:44:06 EVENT: RESOLVE
2014-01-14 19:44:06 Contacting 177.19.224.132:9907 via TCP
2014-01-14 19:44:06 EVENT: WAIT
2014-01-14 19:44:06 Connecting to vpn.webbertek.com.br:9907 (177.19.224.132) via TCPv4
2014-01-14 19:44:07 EVENT: CONNECTING
2014-01-14 19:44:24 EVENT: CONNECTION_TIMEOUT [ERR]
2014-01-14 19:44:24 EVENT: DISCONNECTED
2014-01-14 19:44:24 Raw stats on disconnect:
BYTES_IN : 304
BYTES_OUT : 304
PACKETS_IN : 6
PACKETS_OUT : 6
REPLAY_ERROR : 2
KEEPALIVE_TIMEOUT : 1
CONNECTION_TIMEOUT : 1
N_RECONNECT : 1
PKTID_TCP_OUT_OF_SEQ : 2
2014-01-14 19:44:24 Performance stats on disconnect:
CPU usage (microseconds): 48745
Network bytes per CPU second: 12473
Tunnel bytes per CPU second: 0
2014-01-14 19:44:24 ----- OpenVPN Stop -----
2014-01-14 19:44:24 EVENT: DISCONNECT_PENDING

<<< wait 20 seconds >>>


* Server logs:
Tue Jan 14 19:55:19 2014 us=162995 MULTI: multi_create_instance called
Tue Jan 14 19:55:19 2014 us=163066 Re-using SSL/TLS context
Tue Jan 14 19:55:19 2014 us=163082 LZO compression initialized
Tue Jan 14 19:55:19 2014 us=163167 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Jan 14 19:55:19 2014 us=163184 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 14 19:55:19 2014 us=163222 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Tue Jan 14 19:55:19 2014 us=163232 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Tue Jan 14 19:55:19 2014 us=163251 Local Options hash (VER=V4): 'bd577cd1'
Tue Jan 14 19:55:19 2014 us=163264 Expected Remote Options hash (VER=V4): 'ee93268d'
Tue Jan 14 19:55:19 2014 us=163295 TCP connection established with 186.212.46.195:53547
Tue Jan 14 19:55:19 2014 us=163309 Socket Buffers: R=[131072->131072] S=[131072->131072]
Tue Jan 14 19:55:19 2014 us=163322 TCPv4_SERVER link local: [undef]
Tue Jan 14 19:55:19 2014 us=163360 TCPv4_SERVER link remote: 186.212.46.195:53547
Tue Jan 14 19:55:19 2014 us=166980 186.212.46.195:53547 TLS: Initial packet from 186.212.46.195:53547, sid=14d644fe 6a08c999

<<< wait 40 seconds >>>

Tue Jan 14 19:55:59 2014 us=261178 186.212.46.195:53547 Connection reset, restarting [0]
Tue Jan 14 19:55:59 2014 us=261233 186.212.46.195:53547 SIGUSR1[soft,connection-reset] received, client-instance restarting
Tue Jan 14 19:55:59 2014 us=261319 TCP/UDP: Closing socket
Tue Jan 14 19:56:01 2014 us=291318 MULTI: multi_create_instance called
Tue Jan 14 19:56:01 2014 us=291414 Re-using SSL/TLS context
Tue Jan 14 19:56:01 2014 us=291427 LZO compression initialized
Tue Jan 14 19:56:01 2014 us=291500 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Jan 14 19:56:01 2014 us=291514 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jan 14 19:56:01 2014 us=291551 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Tue Jan 14 19:56:01 2014 us=291558 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Tue Jan 14 19:56:01 2014 us=291574 Local Options hash (VER=V4): 'bd577cd1'
Tue Jan 14 19:56:01 2014 us=291585 Expected Remote Options hash (VER=V4): 'ee93268d'
Tue Jan 14 19:56:01 2014 us=291611 TCP connection established with 186.212.46.195:53548
Tue Jan 14 19:56:01 2014 us=291623 Socket Buffers: R=[131072->131072] S=[131072->131072]
Tue Jan 14 19:56:01 2014 us=291633 TCPv4_SERVER link local: [undef]
Tue Jan 14 19:56:01 2014 us=291641 TCPv4_SERVER link remote: 186.212.46.195:53548
Tue Jan 14 19:56:01 2014 us=294063 186.212.46.195:53548 TLS: Initial packet from 186.212.46.195:53548, sid=a1609616 577c11c1

<<< wait 20 seconds >>>

Tue Jan 14 19:56:19 2014 us=141510 186.212.46.195:53548 Connection reset, restarting [0]
Tue Jan 14 19:56:19 2014 us=141564 186.212.46.195:53548 SIGUSR1[soft,connection-reset] received, client-instance restarting
Tue Jan 14 19:56:19 2014 us=141634 TCP/UDP: Closing socket

<<< client gives up >>>



* It seems the connection doesn't go further after exchanging the initial TLS packet.

I'll try to investigate the TLS certificates and post any news I find out, ok?

Best regards, Celso.

[ SOLVED ] iPad OpenVPN connection timeout

Posted: Tue Jan 14, 2014 11:32 pm
by celsowebber
Hello all,

I've just solved the problem for me. As mentioned, I was using OpenVPN version 2.0.9 at the server side:
# rpm -qa|grep vpn
openvpn-2.0.9-1.el5.rf

Just updated to version 2.3.2, restarted (after solving another bug), and it worked ok:
# yum update openvpn
...
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* epel: mirror.globo.com
* base: centos.xpg.com.br
* updates: centos.xpg.com.br
* addons: centos.xpg.com.br
* extras: centos.xpg.com.br
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package openvpn.x86_64 0:2.3.2-2.el5 set to be updated
--> Processing Dependency: libpkcs11-helper.so.1()(64bit) for package: openvpn
--> Running transaction check
---> Package pkcs11-helper.x86_64 0:1.07-2.el5.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================
Updating:
openvpn x86_64 2.3.2-2.el5 epel 419 k
Installing for dependencies:
pkcs11-helper x86_64 1.07-2.el5.1 epel 54 k

Transaction Summary
==============================================================================================================================================
Install 1 Package(s)
Update 1 Package(s)
Remove 0 Package(s)

Total download size: 473 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): pkcs11-helper-1.07-2.el5.1.x86_64.rpm | 54 kB 00:00
(2/2): openvpn-2.3.2-2.el5.x86_64.rpm | 419 kB 00:00
----------------------------------------------------------------------------------------------------------------------------------------------
Total 893 kB/s | 473 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : pkcs11-helper [1/3]
Updating : openvpn [2/3]
Cleanup : openvpn [3/3]

Dependency Installed: pkcs11-helper.x86_64 0:1.07-2.el5.1
Updated: openvpn.x86_64 0:2.3.2-2.el5
Complete!


PLEASE NOTE: in my case, after updating, the OpenVPN server didn't start OK because I had the following line in my configuration:
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so system-auth

The new OpenVPN RPM package (if you use RedHat, CentOS or derivatives) changed this file to another place (please check https://bugzilla.redhat.com/show_bug.cgi?id=966373), so you'll need to change that line to:
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so system-auth


Hope this helps!

Best regards, Celso.
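
A pre-restart check for the situation Celso describes, where a package update moves the file that a `plugin` line points to (added example, not from the post or from the OpenVPN project): it lists `plugin` directives whose file is missing. `missing_plugins` and `demo` are hypothetical names, the directory layout in `demo` is constructed under a temporary root, and comment handling is simplified to whole-line `#` and `;` comments.

```python
import os
import shlex
import tempfile

def missing_plugins(config_text):
    """Return the paths named by `plugin` directives that do not exist on disk."""
    missing = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or commented-out option
            continue
        tokens = shlex.split(line)       # plugin <path> [init-string]
        if len(tokens) >= 2 and tokens[0] == "plugin" and not os.path.isfile(tokens[1]):
            missing.append(tokens[1])
    return missing

def demo():
    # Constructed layout: only the post-update file name exists (assumption:
    # a temp directory stands in for /usr/lib64/openvpn).
    with tempfile.TemporaryDirectory() as root:
        new = os.path.join(root, "plugins", "openvpn-plugin-auth-pam.so")
        old = os.path.join(root, "plugin", "lib", "openvpn-auth-pam.so")
        os.makedirs(os.path.dirname(new))
        open(new, "w").close()
        before = f"dev tun\n;plugin /ignored.so\nplugin {old} system-auth\n"
        after = f"dev tun\nplugin {new} system-auth\n"
        stale = [os.path.basename(p) for p in missing_plugins(before)]
        return stale, missing_plugins(after)

if __name__ == "__main__":
    print(demo())
```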

Re: [ SOLVED ] iPad OpenVPN connection timeout

Posted: Mon Mar 10, 2014 6:43 am
by Lossengwath
celsowebber wrote:Hello all,

I've just solved the problem for me. As mentioned, I was using OpenVPN version 2.0.9 at the server side:
# rpm -qa|grep vpn
openvpn-2.0.9-1.el5.rf

Just updated to version 2.3.2, restarted (after solving another bug), and it worked ok:
# yum update openvpn
...

Hi,

Actually, I am not quite sure it was a version issue. I also have this problem and also have version 2.3.2 of OpenVPN on the server side.

OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Mar  6 2014
Originally developed by James Yonan

My configuration works perfectly with my laptops but not with my iOS or Android mobile devices. Then, just as others did before me, I realized if I changed the protocol to TCP instead of UDP in my configuration, everything would work out. Still no reasonable explanation for it. And then, I got the strangest piece of the puzzle... I found this:

The connection stalls on startup when using a proto udp configuration, the server log file shows this line:

TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx

however the client log does not show an equivalent line.

Solution: You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.

This is exactly my problem. However, if I switch to another client app on my Android device (which is based on OpenVPN Connect), everything works out immediately... I really don't understand what's going on.
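
The triage that James's reply and the FAQ entry quoted above describe, as an added example that is not part of any post in this thread: it reads the `Raw stats on disconnect` counters from a client log and, when a server log is available, looks for the `TLS: Initial packet` line. The function names and verdict strings are made up for this example; the client excerpts are shortened from the logs posted earlier and the server line is constructed.

```python
import re
STAT_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(\d+)\s*$")

def disconnect_stats(client_log):
    """Counters from the last 'Raw stats on disconnect' block of a client log."""
    stats, in_block = {}, False
    for line in client_log.splitlines():
        if "Raw stats on disconnect" in line:
            stats, in_block = {}, True
        elif in_block:
            m = STAT_RE.match(line)
            if m:
                stats[m.group(1)] = int(m.group(2))
            else:
                in_block = False  # first non-counter line ends the block
    return stats

def diagnose(client_log, server_log=None):
    s = disconnect_stats(client_log)
    sent, received = s.get("BYTES_OUT", 0), s.get("BYTES_IN", 0)
    if sent and not received:
        if server_log is None:
            return "no reply reached the client: read the server-side log next"
        if "TLS: Initial packet from" in server_log:
            return "one-way path: server saw the client, its replies are blocked"
        return "server log has no initial packet: client packets are not arriving"
    if received and (s.get("REPLAY_ERROR") or s.get("KEEPALIVE_TIMEOUT")):
        return "replies arrive but the handshake stalls: compare both logs"
    return "no verdict from the counters"

# Shortened excerpts of the two client logs posted in this thread.
UDP_CLIENT = """2013-12-28 08:02:31 Raw stats on disconnect:
BYTES_OUT : 1260
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
2013-12-28 08:02:31 Performance stats on disconnect:
"""
TCP_CLIENT = """2014-01-14 19:44:24 Raw stats on disconnect:
BYTES_IN : 304
BYTES_OUT : 304
REPLAY_ERROR : 2
KEEPALIVE_TIMEOUT : 1
2014-01-14 19:44:24 Performance stats on disconnect:
"""
# Constructed server-log line in the quoted format; address and sid are placeholders.
SERVER_SAW_CLIENT = "TLS: Initial packet from 192.0.2.10:50000, sid=00000000 00000000"
if __name__ == "__main__":
    print(diagnose(UDP_CLIENT), diagnose(TCP_CLIENT), sep="\n")
```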

Re: iPad OpenVPN connection timeout

Posted: Mon Sep 08, 2014 5:27 pm
by tideniscimaf
Solved here too:

I had the same problem while testing our new OpenVPN server (TUN + UDP). I was trying to connect with an iPad, connected to the wifi of an iPhone, which was in turn connected to Internet via 3G cellular connection. Reading comments about firewall in a few places, I eventually decided to connect the iPad to another wifi (of a router, hard-wired to landline Internet). Bam, connection went through in just a few seconds.

My understanding is that either the iPhone has an internal firewall, or the cell service provider has some kind of traffic screening, that prevents the communication between the client and the server (at least with the settings we used). My bet's on the iPhone, I'll have some more testing to do…

Hoping this will help...