iOS issue to connect to OpenVPN (iPhone and iPad)

Official client software for OpenVPN Access Server and OpenVPN Cloud.
CypZ
OpenVpn Newbie
Posts: 9
Joined: Fri May 02, 2014 2:11 pm

iOS issue to connect to OpenVPN (iPhone and iPad)

Post by CypZ » Fri May 02, 2014 2:31 pm

Hi guys,

I'm having big trouble making this work on iOS, whereas it works from Windows. I tested from an iPhone 5 (not S, I saw there was a bug) and an iPad 4, same issue: a kind of infinite loop between "connecting" and "waiting for server" every second until timeout (60s). The same client config is working fine in OpenVPN GUI for Windows.

onnect.ios 1.0.4-140
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1


2014-05-02 15:55:01 TCP recv EOF
2014-05-02 15:55:01 Transport Error: Transport error on 'mydomain: NETWORK_EOF_ERROR
2014-05-02 15:55:01 Client terminated, restarting in 2...
2014-05-02 15:55:03 EVENT: RECONNECTING
2014-05-02 15:55:03 LZO-ASYM init swap=0 asym=0
2014-05-02 15:55:03 EVENT: RESOLVE
2014-05-02 15:55:03 Contacting myIP:1194 via TCP
2014-05-02 15:55:03 EVENT: WAIT
2014-05-02 15:55:03 Connecting to mydomain:1194 (myIP) via TCPv4
2014-05-02 15:55:03 EVENT: CONNECTING
2014-05-02 15:55:03 Tunnel Options:V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
2014-05-02 15:55:03 Creds: Username/Password
2014-05-02 15:55:03 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.4-140
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1

2014-05-02 15:55:03 TCP recv EOF
2014-05-02 15:55:03 Transport Error: Transport error on 'mydomain: NETWORK_EOF_ERROR
2014-05-02 15:55:03 Client terminated, restarting in 2...
2014-05-02 15:55:05 EVENT: RECONNECTING
2014-05-02 15:55:05 LZO-ASYM init swap=0 asym=0
2014-05-02 15:55:05 EVENT: RESOLVE
2014-05-02 15:55:05 Contacting myIP:1194 via TCP
2014-05-02 15:55:05 EVENT: WAIT
2014-05-02 15:55:05 Connecting to mydomain:1194 (myIP) via TCPv4
2014-05-02 15:55:05 EVENT: CONNECTING
2014-05-02 15:55:06 Tunnel Options:V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
2014-05-02 15:55:06 Creds: Username/Password
2014-05-02 15:55:06 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.4-140
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1

2014-05-02 15:55:06 TCP recv EOF
2014-05-02 15:55:06 Transport Error: Transport error on 'mydomain: NETWORK_EOF_ERROR
2014-05-02 15:55:06 Client terminated, restarting in 2...
2014-05-02 15:55:06 EVENT: CONNECTION_TIMEOUT [ERR]
2014-05-02 15:55:06 EVENT: DISCONNECTED
2014-05-02 15:55:06 Raw stats on disconnect:
BYTES_IN : 1872
BYTES_OUT : 3216
PACKETS_IN : 86
PACKETS_OUT : 72
NETWORK_EOF_ERROR : 24
CONNECTION_TIMEOUT : 1
N_RECONNECT : 23
2014-05-02 15:55:06 Performance stats on disconnect:
CPU usage (microseconds): 337140
Network bytes per CPU second: 15091
Tunnel bytes per CPU second: 0
2014-05-02 15:55:06 ----- OpenVPN Stop -----
2014-05-02 15:55:06 EVENT: DISCONNECT_PENDING

Etc etc looping on that…


On the server side I have only:
TCP connection established from myIP
My IP : disconnected <TLS failed>
Here is my configuration:
client
auth-user-pass
dev tun0
proto tcp-client

remote myIP 1194

cipher AES-256-CBC
auth SHA1
redirect-gateway

route 10.42.0.0 255.255.255.0 10.42.1.254
route 192.168.1.0 255.255.255.0 10.42.1.254

push "dhcp-option DOMAIN mydomain"
push "dhcp-option DOMAIN-SEARCH mydomain"


<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

I tried with separate files for certs/keys, same issue.

Here are the logs on the working Windows client:
Fri May 02 15:49:01 2014 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Fri May 02 15:49:06 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri May 02 15:49:06 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri May 02 15:49:06 2014 LZO compression initialized
Fri May 02 15:49:08 2014 Attempting to establish TCP connection with myIP:1194
Fri May 02 15:49:08 2014 TCP connection established with myIP:1194
Fri May 02 15:49:08 2014 TCPv4_CLIENT link local: [undef]
Fri May 02 15:49:08 2014 TCPv4_CLIENT link remote: myIP:1194
Fri May 02 15:49:08 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 02 15:49:09 2014 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1559'
Fri May 02 15:49:09 2014 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Fri May 02 15:49:09 2014 [mydomain] Peer Connection Initiated with myIP:1194
Fri May 02 15:49:22 2014 TAP-WIN32 device [Local Area Connection 5] opened: \\.\Global\{F49D6D85-7B05-4117-9EDC-1E70E01626A8}.tap
Fri May 02 15:49:22 2014 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.42.1.253/255.255.255.252 on interface {F49D6D85-7B05-4117-9EDC-1E70E01626A8} [DHCP-serv: 10.42.1.254, lease-time: 31536000]
Fri May 02 15:49:22 2014 Successful ARP Flush on interface [23] {F49D6D85-7B05-4117-9EDC-1E70E01626A8}
Fri May 02 15:49:27 2014 Initialization Sequence Completed
For 4 days I have tried many different certificates, client side, server side, different client conf, always the same issue right at the beginning of the connection during TLS negotiation. I'm now out of ideas…

Hope you can help guys,

Thanks a lot in advance,
Best regards,

CypZ
OpenVpn Newbie
Posts: 9
Joined: Fri May 02, 2014 2:11 pm

Re: iOS issue to connect to OpenVPN (iPhone and iPad)

Post by CypZ » Fri May 02, 2014 2:58 pm

BTW, I just tested and there is the exact same behavior on Android...

CypZ
OpenVpn Newbie
Posts: 9
Joined: Fri May 02, 2014 2:11 pm

Re: iOS issue to connect to OpenVPN (iPhone and iPad)

Post by CypZ » Wed May 07, 2014 9:00 am

Anyone, guys, please?

CypZ
OpenVpn Newbie
Posts: 9
Joined: Fri May 02, 2014 2:11 pm

Re: iOS issue to connect to OpenVPN (iPhone and iPad)

Post by CypZ » Wed May 07, 2014 1:40 pm

Hello,

Thanks for your answer. Here is my server config (the OpenVPN server is hosted on a MikroTik RouterOS router):


[admin@MikroTik] > /ip pool print
 # NAME                                         RANGES
 0 default-dhcp                                 10.42.0.10-10.42.0.89
 1 pool-VPN                                     10.42.1.252/31



[admin@MikroTik] > /ppp profile print

 1   name="profile-VPN" local-address=10.42.1.254 remote-address=pool-VPN
     use-mpls=default use-compression=default use-vj-compression=default
     use-encryption=required only-one=default change-tcp-mss=default
     address-list="" dns-server=10.42.0.201,10.42.0.202,192.168.1.253



 [admin@MikroTik] > /ppp secret print detail
Flags: X - disabled
 0   name="XXXXX" service=any caller-id="" password="XXXXX"
     profile=profile-VPN routes="" limit-bytes-in=0 limit-bytes-out=0
     last-logged-out=may/07/2014 11:41:21

[admin@MikroTik] > /interface ovpn-server server print
                     enabled: yes
                        port: 1194
                        mode: ip
                     netmask: 24
                 mac-address: XXXXXX
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: profile-VPN
                 certificate: cert_2
  require-client-certificate: no
                        auth: sha1,md5
                      cipher: blowfish128,aes128,aes192,aes256



[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 …
 5   ;;; OpenVPN
     chain=input action=accept protocol=tcp dst-address=192.168.1.254
     dst-port=1194

 6   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway



[admin@MikroTik] > /certificate print detail
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
 0        T name="cert_1"
            issuer=C=CO,ST=State,L=City,O=Home,OU=Home,CN=OpenVPN-CA,
       name=OpenVPN-CA,emailAddress=mail@host.domain
            country="CO" state="State" locality="City"
            organization="Home" unit="Home" common-name="OpenVPN-CA"
            key-size=2048 subject-alt-name=email:mail@host.domain
            days-valid=7300 trusted=yes serial-number="…"
            fingerprint="0y0cc6cdfsc07f34efcf58e42023a8276edbc09"
            invalid-before=apr/30/2014 17:58:17
            invalid-after=apr/25/2034 17:58:17

 1 K      T name="cert_2"
            issuer=C=CO,ST=State,L=City,O=Home,OU=Home,CN=OpenVPN-CA,
       name=OpenVPN-CA,emailAddress=mail@host.domain
            country="CO" state="State" locality="City"
            organization="Home" unit="Home" common-name="mydomain.fr"
            key-size=2048 subject-alt-name=email:mail@host.domain
            days-valid=7300 trusted=yes
            key-usage=digital-signature,key-encipherment,tls-server
            serial-number="…"
            fingerprint="a712b4a6a750494878dfs9da8d2dbdc78b83156b1"
            invalid-before=apr/30/2014 18:00:27
            invalid-after=apr/25/2034 18:00:27

CypZ
OpenVpn Newbie
Posts: 9
Joined: Fri May 02, 2014 2:11 pm

Re: iOS issue to connect to OpenVPN (iPhone and iPad)

Post by CypZ » Wed May 07, 2014 2:04 pm

OK, I just tried without any cipher setting in the client configuration:


#cipher BF-CBC
#cipher AES-128-CBC
#cipher AES-256-CBC

On Windows it only worked when I checked blowfish-128 on the server side, so I guess this is the default for the client.

On iOS, same behaviour as before (same logs) whatever cipher setting I tried on the server side...

CypZ
OpenVpn Newbie
Posts: 9
Joined: Fri May 02, 2014 2:11 pm

Re: iOS issue to connect to OpenVPN (iPhone and iPad)

Post by CypZ » Fri May 16, 2014 2:41 pm

Hello guys,

Here is some additional information: it actually works with "OpenVPN Client Free" on Android... So this could be a good workaround, except that there is no alternative to OpenVPN Connect on iOS (Android only) :)

So this additional test makes me think even more that the problem is in the OpenVPN Connect application! A bug maybe? Any developer here to help?

Thanks in advance,
Best regards,

bloodroses
OpenVpn Newbie
Posts: 1
Joined: Wed May 28, 2014 7:20 am

Re: iOS issue to connect to OpenVPN (iPhone and iPad)

Post by bloodroses » Wed May 28, 2014 7:21 am

Any solution for this problem? I have exactly the same issue on my MikroTik server.

silvio
OpenVpn Newbie
Posts: 5
Joined: Tue May 27, 2014 6:20 pm

Re: iOS issue to connect to OpenVPN (iPhone and iPad)

Post by silvio » Wed May 28, 2014 8:27 am

There are different threads for this problem in this forum, but there are no solutions available so far :-(

Actually I tried the "redirect-gateway" configuration property, but it doesn't help or change anything - I still can't reach any server with OpenVPN and iOS.

CypZ
OpenVpn Newbie
Posts: 9
Joined: Fri May 02, 2014 2:11 pm

Re: iOS issue to connect to OpenVPN (iPhone and iPad)

Post by CypZ » Wed Jun 04, 2014 12:35 pm

Help, guys, please!

I also opened a ticket to report a bug: https://community.openvpn.net/openvpn/ticket/409#ticket

seaserpent
OpenVpn Newbie
Posts: 1
Joined: Tue Jul 08, 2014 3:15 pm

Re: iOS issue to connect to OpenVPN (iPhone and iPad)

Post by seaserpent » Sat Jul 12, 2014 4:25 pm

Hi, please, if anyone could help.

I also have an issue when trying to connect to OpenVPN with my iPad/iPhone, using the OpenVPN app and WiTopia's Pro package.

2014-07-09 19:41:53 ----- OpenVPN Start (iOS 32-bit) -----
2014-07-09 19:41:53 EVENT: CORE_ERROR PolarSSL: error parsing cert certificate : PEM - PEM string is not as expected : BASE64 - Invalid character in input [ERR]
2014-07-09 19:41:53 Raw stats on disconnect:
2014-07-09 19:41:53 Performance stats on disconnect:
CPU usage (microseconds): 5462
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0
2014-07-09 19:41:53 ----- OpenVPN Stop -----
2014-07-09 19:41:53 EVENT: DISCONNECT_PENDING
2014-07-09 19:42:45 ----- OpenVPN Start (iOS 32-bit) -----
2014-07-09 19:42:45 EVENT: CORE_ERROR PolarSSL: error parsing cert certificate : PEM - PEM string is not as expected : BASE64 - Invalid character in input [ERR]
2014-07-09 19:42:45 Raw stats on disconnect:
2014-07-09 19:42:45 Performance stats on disconnect:
CPU usage (microseconds): 2872
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0
2014-07-09 19:42:45 ----- OpenVPN Stop -----
2014-07-09 19:42:45 EVENT: DISCONNECT_PENDING
2014-07-09 19:52:57 ----- OpenVPN Start (iOS 32-bit) -----
2014-07-09 19:52:57 EVENT: CORE_ERROR PolarSSL: error parsing cert certificate : PEM - PEM string is not as expected : BASE64 - Invalid character in input [ERR]
2014-07-09 19:52:57 Raw stats on disconnect:
2014-07-09 19:52:57 Performance stats on disconnect:
CPU usage (microseconds): 5894
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0
2014-07-09 19:52:57 ----- OpenVPN Stop -----
2014-07-09 19:52:57 EVENT: DISCONNECT_PENDING

My Config file, Certificate and key numbers removed.

#####################################
# Configuration file for use with #
# WiTopia's personalVPN service #
#####################################

client
dev tun
proto udp
remote [vpn.stockholm.witopia.net] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher bf-cbc
comp-lzo
verb 3
mute 20
ca ca.crt
mssfix 1300
key CNXXXXX.key
cert CNXXXXXX.crt
#tls-auth ta.key 1

-----BEGIN CERTIFICATE-----
INSERT YOUR CA.CRT DETAILS HERE
-----END CERTIFICATE-----
</ca>
mssfix 1450
<key>
-----BEGIN RSA PRIVATE KEY-----
INSERT YOUR CNXXXXXX.key DETAILS HERE
-----END RSA PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
INSERT YOUR CNXXXXXXX.crt DETAILS HERE
-----END CERTIFICATE-----
</cert>
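
An added example, not part of the post above or of OpenVPN Connect: a pre-import check for the inline `<ca>`, `<cert>` and `<key>` blocks of an `.ovpn` profile, reporting unmatched tags and PEM body lines containing characters outside the base64 alphabet, which is the condition the PolarSSL error names. The function names and the sample profile are constructed for illustration.

```python
import re
# Constructed sample modelled on the profile above: a </ca> with no opening
# <ca>, and a <cert> block whose PEM body is still placeholder text.
SAMPLE_OVPN = """\
client
-----BEGIN CERTIFICATE-----
INSERT YOUR CA.CRT DETAILS HERE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
INSERT YOUR CNXXXXXXX.crt DETAILS HERE
-----END CERTIFICATE-----
</cert>
"""

TAG = re.compile(r"^<(/?)(ca|cert|key)>$")
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def check_pem_body(name, body):
    """body: (line_no, text) pairs found between <name> and </name>."""
    # Skip blank lines and the -----BEGIN/END----- markers, check the rest
    # line by line against the base64 alphabet (character-level check only).
    payload = [(n, t) for n, t in body if t and not t.startswith("-----")]
    for n, t in payload:
        if not B64_LINE.match(t):
            return [(n, f"<{name}>: invalid base64 character in {t[:24]!r}")]
    return []

def check_inline_blocks(profile_text):
    """Return (line_no, message) problems for inline <ca>/<cert>/<key> blocks."""
    problems, open_tag, open_line, body = [], None, 0, []
    for no, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.strip()
        m = TAG.match(line)
        if m is None:
            if open_tag:
                body.append((no, line))
        elif not m.group(1):                      # opening tag
            if open_tag:
                problems.append((open_line, f"<{open_tag}> is never closed"))
            open_tag, open_line, body = m.group(2), no, []
        elif m.group(2) != open_tag:              # closing tag with no opener
            problems.append((no, f"</{m.group(2)}> has no matching <{m.group(2)}>"))
        else:
            problems += check_pem_body(open_tag, body)
            open_tag = None
    if open_tag:
        problems.append((open_line, f"<{open_tag}> is never closed"))
    return sorted(problems)
```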

nickonline
OpenVpn Newbie
Posts: 1
Joined: Fri Sep 26, 2014 12:19 pm

Re: iOS issue to connect to OpenVPN (iPhone and iPad)

Post by nickonline » Fri Sep 26, 2014 12:23 pm

I had exactly the same question when I installed version 1.0.5 today. Now I have solved it and connected successfully.
Just go to the Settings app, find OpenVPN, and turn off the "Force AES-CBC ciphersuites" option; then it might work. At least it works for me.

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: iOS issue to connect to OpenVPN (iPhone and iPad)

Post by jamesyonan » Sat Sep 27, 2014 3:10 am

Fri May 02 15:49:09 2014 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1559'
Fri May 02 15:49:09 2014 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Make sure that you are using comp-lzo consistently in both client and server configs.

James
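
An added example, not part of the reply above or of OpenVPN: a small parser for the two option-consistency warnings quoted in that reply, which lists the options that differ between client and server. Treating a 1-byte `link-mtu` gap next to a one-sided `comp-lzo` as a consequence of the compression framing byte is a heuristic assumed here; the function names are illustrative.

```python
import re

# Constructed sample: the two WARNING lines quoted in the reply above plus one
# ordinary line from the same OpenVPN 2.2.2 Windows client log.
SAMPLE_LOG = """\
Fri May 02 15:49:09 2014 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1559'
Fri May 02 15:49:09 2014 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Fri May 02 15:49:09 2014 [mydomain] Peer Connection Initiated with myIP:1194
"""

INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
ONE_SIDED = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is present in (?P<have>local|remote) config "
    r"but missing in (?P<miss>local|remote) config")

def option_mismatches(log_text):
    """Map each option named in a consistency warning to what the log says about it."""
    found = {}
    for line in log_text.splitlines():
        m = INCONSISTENT.search(line)
        if m:
            found[m["opt"]] = {"kind": "differs", "local": m["local"], "remote": m["remote"]}
            continue
        m = ONE_SIDED.search(line)
        if m:
            found[m["opt"]] = {"kind": "one-sided", "present_in": m["have"], "missing_in": m["miss"]}
    return found

def root_causes(found):
    """Options to align first. Heuristic (assumption of this example): a link-mtu
    gap of exactly 1 byte beside a one-sided comp-lzo is the compression framing
    byte, so link-mtu is dropped from the list as a consequence of comp-lzo."""
    mtu = found.get("link-mtu", {})
    lzo_one_sided = found.get("comp-lzo", {}).get("kind") == "one-sided"
    derived = False
    if lzo_one_sided and mtu.get("kind") == "differs":
        nums = re.findall(r"\d+", mtu["local"] + " " + mtu["remote"])
        derived = len(nums) == 2 and abs(int(nums[0]) - int(nums[1])) == 1
    return [opt for opt in found if not (opt == "link-mtu" and derived)]
```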
