
IOS 6.0.1 jailbroken and connect

Posted: Sat Apr 26, 2014 11:18 am
by al7amimi
I have OpenVPN server 2.3.3 and I am able to reach it from my desktop as a client w/o issues. The problem is the OpenVPN app for the IOS, it is showing a message similar to this topic topic14115.html. It seems the highest version that I can install on my ipad is 1.0.1 build 88. Any clues of how to resolve this issue? I can't upgrade my ipad because I don't want to lose the jailbreak, and I am not sure about the possibility of resolving the issue by downgrading my OpenVPN server...

thnx

Re: IOS 6.0.1 jailbroken and connect

Posted: Sat Apr 26, 2014 11:46 am
by al7amimi

Code:

2014-04-26 14:42:51 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Verification of the message MAC failed
2014-04-26 14:42:51 Client terminated, restarting in 2...
2014-04-26 14:42:53 EVENT: RECONNECTING

client

Code:

client
dev tun
proto udp
remote xx.xx.xx.xx xxxx

resolv-retry infinite
nobind
persist-key
persist-tun

#ca ca.crt
#cert ipad.crt
#key ipad.key
#dh dh1024.pem
ns-cert-type server

comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

route-method exe
route-delay 2

#last updated June 04, 2011
#source : https://forums.openvpn.net/topic7806.html

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

<dh>
-----BEGIN DH PARAMETERS-----

-----END DH PARAMETERS-----
</dh>

<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>

Re: IOS 6.0.1 jailbroken and connect

Posted: Sat Apr 26, 2014 12:36 pm
by al7amimi
server

Code:

port xxxx
proto udp
dev tun
server 10.0.0.0 255.255.255.0   #you may choose any subnet. 10.0.0.x is used for this example.

ca ca.crt                    #certs are optional. you may choose to go with keys or passwords instead.
cert server.crt
key server.key 
dh dh1024.pem

push "redirect-gateway def1"

push "dhcp-option DNS 8.8.8.8"     

#the following commands are optional
keepalive 10 120         
comp-lzo                   
persist-key               
persist-tun               
verb 3                     

#last updated May 29, 2011
#source : https://forums.openvpn.net/topic7806.html

Judging by the timestamp, I think this server log was generated when the ipad was trying to reach the server:

Code:

Sat Apr 26 14:42:54 2014 xx.xx.xx.xx:61957 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:61957, sid=0112ed34 f6afdf1c
Sat Apr 26 14:42:55 2014 xx.xx.xx.xx:61957 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=openVPN-ca, name=changeme, emailAddress=mail@host.domain
Sat Apr 26 14:42:55 2014 xx.xx.xx.xx:61957 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=ipad, name=changeme, emailAddress=mail@host.domain
Sat Apr 26 14:42:58 2014 xx.xx.xx.xx:53375 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:53375, sid=f805f39c e8ce6d37
Sat Apr 26 14:43:55 2014 xx.xx.xx.xx:61957 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 26 14:43:55 2014 xx.xx.xx.xx:61957 TLS Error: TLS handshake failed
Sat Apr 26 14:43:55 2014 xx.xx.xx.xx:61957 SIGUSR1[soft,tls-error] received, client-instance restarting
Sat Apr 26 14:43:58 2014 xx.xx.xx.xx:53375 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 26 14:43:58 2014 xx.xx.xx.xx:53375 TLS Error: TLS handshake failed
Sat Apr 26 14:43:58 2014 xx.xx.xx.xx:53375 SIGUSR1[soft,tls-error] received, client-instance restarting

Re: IOS 6.0.1 jailbroken and connect

Posted: Sat Apr 26, 2014 12:40 pm
by al7amimi
Server

Code:

Fri Apr 25 23:09:53 2014 OpenVPN 2.3.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Apr 14 2014

Client

Code:

OpenVPN 1.0.1 build 88 (IOS)

Re: IOS 6.0.1 jailbroken and connect

Posted: Sat Apr 26, 2014 4:57 pm
by cron2
al7amimi wrote:Server

Code:

OpenVPN 1.0.1 build 88 (IOS)
This is fairly ancient, and has a buggy PolarSSL library which chokes when talking to a server that does "tls version negotiation" - which 2.3.3 enables.

Workaround: downgrade to 2.3.2 on the server (windows build I004 has the bugfixed OpenSSL version, so just for heartbleed, there is no reason to go to 2.3.3).

Workaround 2: upgrade to 2.3.4, which will not enable tls version negotiation by default (to be released next week).

Fix: upgrade your OpenVPN Connect client. I can't find the release notes right now, but I think it was fixed in 1.0.3, which still runs on iOS 5 and iOS 6. What does the App Store offer you if you check for OpenVPN Connect updates? It should only give you a version that works, and since this bug has been fixed before iOS 7 was around, the version should work.
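
An added example, not written by any poster in this thread or by the OpenVPN project: it groups server log lines by client instance (ip:port) and separates handshakes that stalled after the client certificate verified from those that never got that far. A "VERIFY OK: depth=0" line followed by the 60-second timeout means packets were flowing in both directions, so the "check your network connectivity" hint does not apply and the TLS library or version mismatch described above is the more likely cause. The function name, verdict strings and sample address are assumptions made for the example.

```python
import re

# Constructed sample in the server-log format shown in this thread; the peer
# address is a documentation-range placeholder and the DNs are shortened.
SAMPLE_LOG = """\
Sat Apr 26 14:42:54 2014 192.0.2.10:61957 TLS: Initial packet from [AF_INET]192.0.2.10:61957, sid=0112ed34 f6afdf1c
Sat Apr 26 14:42:55 2014 192.0.2.10:61957 VERIFY OK: depth=1, CN=openVPN-ca
Sat Apr 26 14:42:55 2014 192.0.2.10:61957 VERIFY OK: depth=0, CN=ipad
Sat Apr 26 14:42:58 2014 192.0.2.10:53375 TLS: Initial packet from [AF_INET]192.0.2.10:53375, sid=f805f39c e8ce6d37
Sat Apr 26 14:43:55 2014 192.0.2.10:61957 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 26 14:43:55 2014 192.0.2.10:61957 TLS Error: TLS handshake failed
Sat Apr 26 14:43:58 2014 192.0.2.10:53375 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 26 14:43:58 2014 192.0.2.10:53375 TLS Error: TLS handshake failed
"""

# Layout: "<weekday> <month> <day> <time> <year> <peer ip:port> <message>"
LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} (\S+:\d+) (.*)$")


def classify_sessions(log_text):
    """Return {peer: verdict} for each client instance (ip:port) in the log."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not per-client log entries
        peer, msg = m.groups()
        s = sessions.setdefault(peer, {"leaf_ok": False, "timeout": False})
        if msg.startswith("VERIFY OK: depth=0"):
            s["leaf_ok"] = True   # server accepted the client certificate
        elif "TLS key negotiation failed" in msg:
            s["timeout"] = True   # handshake never completed
    verdicts = {}
    for peer, s in sessions.items():
        if not s["timeout"]:
            verdicts[peer] = "no handshake timeout logged"
        elif s["leaf_ok"]:
            # Certificate exchange needs traffic in both directions, so the
            # stall is inside the TLS exchange, not connectivity or the PKI.
            verdicts[peer] = "stalled after certificate verification"
        else:
            verdicts[peer] = "stalled before certificate verification"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in classify_sessions(SAMPLE_LOG).items():
        print(peer, "->", verdict)
```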

Re: IOS 6.0.1 jailbroken and connect

Posted: Sat Apr 26, 2014 7:41 pm
by al7amimi
cron2 wrote: Workaround 2: upgrade to 2.3.4, which will not enable tls version negotiation by default (to be released next week).

Fix: upgrade your OpenVPN Connect client. I can't find the release notes right now, but I think it was fixed in 1.0.3, which still runs on iOS 5 and iOS 6. What does the App Store offer you if you check for OpenVPN Connect updates? It should only give you a version that works, and since this bug has been fixed before iOS 7 was around, the version should work.
Upgrading to 2.3.4 is a possible option. I will do the upgrade once the new version is released.

The problem is the app store refuses to update OpenVPN connect past 1.0.1 build 88. It just shows the update button, but does nothing.

thnx for the help...