iPhone 3g cannot set up OpenVPN Connect 1.4.0

Official client software for OpenVPN Access Server and OpenVPN Cloud.

Post by ayahuasca » Thu Jul 24, 2014 10:36 am

Please do not hesitate to tell me if this question has already been answered, although I didn't find any clue browsing this forum.

I am trying to connect an iPhone 3g client with the OpenVPN Connect application to a Debian 7 OpenVPN server (official package).
The configuration on the server side works well with Android and Linux clients and is quite the same as the Debian documentation. Here is the server configuration:

    port 1194
    lport 1194
    proto udp
    dev tun0
    
    ca      /etc/openvpn/easy-rsa/keys/ca.crt
    cert    /etc/openvpn/easy-rsa/keys/vpn.pelicanux.net.crt
    key     /etc/openvpn/easy-rsa/keys/vpn.pelicanux.net.key
    dh      /etc/openvpn/easy-rsa/keys/dh1024.pem
    
    server 10.9.8.0 255.255.255.0
    ifconfig 10.9.8.1 255.255.255.0
    ifconfig-pool-persist ipp.txt
    route-gateway 10.9.8.1
    
    client-to-client
    push "redirect-gateway 10.9.8.1"
    #push "redirect-gateway def1"
    push "dhcp-option DNS 172.17.2.11"
    
    keepalive 10 120
    
    comp-lzo
    persist-key
    persist-tun
    
    status log/openvpn-status.log
    
    verb 5

Here is the openvpn.ovpn file installed on the iPhone:

    client
    dev tun0
    lport 1194
    
    proto udp
    
    remote 5.39.82.22 1194
    
    mute-replay-warnings
    
    comp-lzo
    persist-key
    persist-tun
    
    set CLIENT_CERT 0
    
    verb 5
    
    pull
    
    <ca>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    </key>

Here are the error log messages from the server side:

    Jul 24 12:15:23 server ovpn-server[30830]: client_IP:55890 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Jul 24 12:15:23 server ovpn-server[30830]: client_IP:55890 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Jul 24 12:15:23 server ovpn-server[30830]: client_IP:55890 Local Options hash (VER=V4): '530fdded'
    Jul 24 12:15:23 server ovpn-server[30830]: client_IP:55890 Expected Remote Options hash (VER=V4): '41690919'
    Jul 24 12:15:23 server ovpn-server[30830]: client_IP:55890 TLS: Initial packet from [AF_INET]client_IP:55890, sid=a6834e43 6d1952d8
    Jul 24 12:15:23 server ovpn-server[30830]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

Apparently some options are missing on the client side, while this is quite surprising as I created my certificate carefully following the instructions given on the Debian wiki page.
I have tried to write dev-type tun, link-mtu 1542, tun-mtu 1500 in the client configuration, without any change.

On the client side, I always got this error:

    Transport Error: PolarSSL: SSL read error: X509 - Certificate verification failed, e.g. CRL,CA or signature check failed

Googling only shows a CA pathlen=0 problem, which is not my case.

As this configuration is working on Android and Linux, I think the problem comes from the iPhone, but I have no clue how to go forward.

Any help would be greatly appreciated.

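The server log above prints two option strings and two hashes; the server generates both from its own configuration, one for its own role and one for what it expects the peer to use. As an added example (not part of the original post; the function names are illustrative), this Python code parses those two lines and lists any option that differs beyond the mirrored tls-server/tls-client flag.

```python
import re

# The two option-string lines from the server log quoted in the post.
SERVER_LOG = """\
Jul 24 12:15:23 server ovpn-server[30830]: client_IP:55890 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Jul 24 12:15:23 server ovpn-server[30830]: client_IP:55890 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
"""

# Matches only the option strings, not the "Options hash" lines.
OPTION_LINE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")
# The TLS role flag is mirrored between the two strings by design.
ROLE_PEER = {"tls-server": "tls-client", "tls-client": "tls-server"}


def parse_option_strings(log_text):
    """Return {'Local': {...}, 'Expected Remote': {...}}, option name -> value."""
    found = {}
    for kind, raw in OPTION_LINE.findall(log_text):
        opts = {}
        for item in raw.split(","):
            name, _, value = item.strip().partition(" ")
            opts[name] = value  # flags such as comp-lzo get an empty value
        found[kind] = opts
    return found


def diff_options(log_text):
    """List (option, local, expected_remote) entries that genuinely differ."""
    parsed = parse_option_strings(log_text)
    if set(parsed) != {"Local", "Expected Remote"}:
        raise ValueError("log must contain both option-string lines")
    local, remote = dict(parsed["Local"]), dict(parsed["Expected Remote"])
    for flag, peer in ROLE_PEER.items():
        if flag in local and peer in remote:
            del local[flag], remote[peer]
    return [
        (name, local.get(name), remote.get(name))
        for name in sorted(set(local) | set(remote))
        if local.get(name) != remote.get(name)
    ]


if __name__ == "__main__":
    print(diff_options(SERVER_LOG) or "strings agree apart from the TLS role flag")
```

An empty result means the two strings agree apart from the role flag, in which case the two different hash values are expected.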