Unable to connect while on 3G

[PhilPhonic]

Hi everyone.

I'm hosting my own OpenVPN server and I am unable to connect while I'm using a 3G connection.
This is what my serverlog says while using 3G connection:

Code: Select all

Mon Jun 22 20:10:42 2015 89.XXX.XXX.XXX:32595 TLS: Initial packet from [AF_INET]89.XXX.XXX.XXX:32595, sid=245ef0ae 8dd6deb6
Mon Jun 22 20:10:46 2015 89.XXX.XXX.XXX:32595 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #61 / time = (1434996642) Mon Jun 22 20:10:42 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Jun 22 20:10:46 2015 89.XXX.XXX.XXX:32595 TLS Error: incoming packet authentication failed from [AF_INET]89.XXX.XXX.XXX:32595
Mon Jun 22 20:11:30 2015 89.XXX.XXX.XXX:34508 TLS: Initial packet from [AF_INET]89.XXX.XXX.XXX:34508, sid=e7c0549a 0954db71
Mon Jun 22 20:11:34 2015 89.XXX.XXX.XXX:34508 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #61 / time = (1434996690) Mon Jun 22 20:11:30 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Jun 22 20:11:34 2015 89.XXX.XXX.XXX:34508 TLS Error: incoming packet authentication failed from [AF_INET]89.XXX.XXX.XXX:34508
Mon Jun 22 20:11:42 2015 89.XXX.XXX.XXX:32595 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jun 22 20:11:42 2015 89.XXX.XXX.XXX:32595 TLS Error: TLS handshake failed
Mon Jun 22 20:11:42 2015 89.XXX.XXX.XXX:32595 SIGUSR1[soft,tls-error] received, client-instance restarting
Mon Jun 22 20:12:30 2015 89.XXX.XXX.XXX:34508 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jun 22 20:12:30 2015 89.XXX.XXX.XXX:34508 TLS Error: TLS handshake failed
Mon Jun 22 20:12:30 2015 89.XXX.XXX.XXX:34508 SIGUSR1[soft,tls-error] received, client-instance restarting

When I'm on a WiFi, I am able to connect, but there are erros, too. This is what server log says while on WiFi:

Code: Select all

Mon Jun 22 20:21:18 2015 91.XXX.XXX.XXX:49933 TLS: Initial packet from [AF_INET]91.XXX.XXX.XXX:49933, sid=63cb8768 7cc0894b
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 VERIFY OK: depth=1, C=DE, ST=NW, L=XXX, O=example.com, OU=CA, CN=example.com CA, name=example.com CA, emailAddress=mail@example.com
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 Validating certificate key usage
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 ++ Certificate has key usage  0080, expects 0080
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 VERIFY KU OK
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 Validating certificate extended key usage
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 VERIFY EKU OK
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 VERIFY OK: depth=0, C=DE, ST=NW, L=XXX, O=example.com, OU=CA, CN=username, name=example.com CA, emailAddress=mail@example.com
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #59 / time = (1434997278) Mon Jun 22 20:21:18 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 TLS Error: incoming packet authentication failed from [AF_INET]91.XXX.XXX.XXX:49933
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #60 / time = (1434997278) Mon Jun 22 20:21:18 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 TLS Error: incoming packet authentication failed from [AF_INET]91.XXX.XXX.XXX:49933
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #61 / time = (1434997278) Mon Jun 22 20:21:18 2015 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 TLS Error: incoming packet authentication failed from [AF_INET]91.XXX.XXX.XXX:49933
user : username
authentication ok.
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 TLS: Username/Password authentication succeeded for username 'username' [CN SET]
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Mon Jun 22 20:21:20 2015 91.XXX.XXX.XXX:49933 [username] Peer Connection Initiated with [AF_INET]91.XXX.XXX.XXX:49933
Mon Jun 22 20:21:20 2015 username/91.XXX.XXX.XXX:49933 OPTIONS IMPORT: reading client specific options from: ccd/username
Mon Jun 22 20:21:20 2015 username/91.XXX.XXX.XXX:49933 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_59cf8575d999279c5db2be1c78b1da88.tmp
Mon Jun 22 20:21:20 2015 username/91.XXX.XXX.XXX:49933 MULTI: Learn: 10.11.12.5 -> username/91.XXX.XXX.XXX:49933
Mon Jun 22 20:21:20 2015 username/91.XXX.XXX.XXX:49933 MULTI: primary virtual IP for username/91.XXX.XXX.XXX:49933: 10.11.12.5
Mon Jun 22 20:21:20 2015 username/91.XXX.XXX.XXX:49933 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jun 22 20:21:20 2015 username/91.XXX.XXX.XXX:49933 send_push_reply(): safe_cap=940
Mon Jun 22 20:21:20 2015 username/91.XXX.XXX.XXX:49933 SENT CONTROL [username]: 'PUSH_REPLY,route 10.11.12.0 255.255.255.0,persist-key,persist-tun,comp-lzo yes,route 10.11.12.1,topology net30,ping 5,ping-restart 60,redirect-gateway def1,ifconfig 10.11.12.5 10.11.12.6' (status=1)

The config files (server & client) seem to be "okay", cause it's working while on WiFi.
It also works fine, if I connect from a computer.

Does anyone have an idea what's causing this?
If you need more info (config files, etc), just tell me.

Thanks in advance!
Phil

[Deimos]

I'm subscribing to a VPN service using OpenVPN Connect on my iPhone and I cannot connect to the VPN server over 3G. Over WiFi it's fine, over 4G works fine, but on a 3G connection it doesn't even seem to try - connect and it immediately shows disconnected.

I've tried with and without Seamless Tunnel and with and without Level 2 Reachability (with Seamless Tunnel) and always the same.

[Traffic]

You configs would help ..

What versions of openvpn are you using ?

[PhilPhonic]

Hi,

I'm using OpenVPN 2.3.7 on my server. My OpenVPN Connect Verison is OpenVPN 1.0.5 build 177 (iOS 32-bit).

server config:

Code: Select all

##protocol port
port 1194
proto udp
dev tun0

##ip server client
server 10.11.12.0 255.255.255.0
client-config-dir ccd
route 10.11.12.0 255.255.255.0
push "route 10.11.12.0 255.255.255.0"

##key
ca /path/ca.crt
cert /path/server.crt
key /path/server.key
dh /path/dh4096.pem

##option
persist-key
persist-tun
keepalive 5 60
reneg-sec 432000

cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls-version-min 1.2
remote-cert-tls client
tls-auth /path/ta.key 0

##option authen.
comp-lzo yes
#comp-lzo
user nobody
group nogroup
#client-to-client
username-as-common-name
;client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env

##push to client
max-clients 5
push "persist-key"
push "persist-tun"
push "comp-lzo yes"
#push "redirect-gateway def1"
#push "explicit-exit-notify 1"

##DNS-Server
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"

##script connect-disconnect
script-security 3 system
client-connect /etc/openvpn/script/connect.sh
client-disconnect /etc/openvpn/script/disconnect.sh

##log-status
status /etc/openvpn/log/server.log
log-append /etc/openvpn/log/openvpn.log
verb 3

Client config:

Code: Select all

client
remote example.com 1194
proto udp
dev tun
key-direction 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls-version-min 1.2
verify-x509-name example.com name
comp-lzo yes
persist-key
persist-tun
nobind
auth-nocache
auth-user-pass
ns-cert-type server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
X
X
X
-----END CERTIFICATE-----
</ca>
<cert>
X
X
X
-----BEGIN CERTIFICATE-----
X
X
X
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
X
X
X
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
X
X
X
-----END OpenVPN Static key V1-----
</tls-auth>

[PhilPhonic]

Hi,

I posted my configs and version information yesterday. I don't know, why it did not work.

Server version: OpenVPN 2.3.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 8 2015
Client version: OpenVPN 1.0.5 build 177 (iOS 32-bit)

Server config:

Code: Select all

port 1194
proto udp
dev tun0

server 10.11.12.0 255.255.255.0
client-config-dir ccd
route 10.11.12.0 255.255.255.0
push "route 10.11.12.0 255.255.255.0"

ca /path/ca.crt
cert /path/example.com.crt
key /path/example.com.key
dh /path/dh4096.pem

persist-key
persist-tun
keepalive 5 60
reneg-sec 432000

cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls-version-min 1.2
remote-cert-tls client
tls-auth /path/ta.key 0

comp-lzo yes
user nobody
group nogroup
#client-to-client
username-as-common-name
;client-cert-not-required
auth-user-pass-verify /etc/openvpn/script/login.sh via-env

max-clients 5
push "persist-key"
push "persist-tun"
push "comp-lzo yes"
#push "redirect-gateway def1"
#push "explicit-exit-notify 1"

##DNS-Server
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"

##script connect-disconnect
script-security 3 system
client-connect /etc/openvpn/script/connect.sh
client-disconnect /etc/openvpn/script/disconnect.sh

##log-status
status /etc/openvpn/log/example.com.log
log-append /etc/openvpn/log/openvpn.log
verb 3

Client config:

Code: Select all

client
remote example.com 1194
proto udp
dev tun
key-direction 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls-version-min 1.2
verify-x509-name example.com name
comp-lzo yes
persist-key
persist-tun
nobind
auth-nocache
auth-user-pass
ns-cert-type server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
x
x
x
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
x
x
x
-----BEGIN CERTIFICATE-----
x
x
x
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
x
x
x
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
x
x
x
-----END OpenVPN Static key V1-----
</tls-auth>

[PhilPhonic]

Client version: OpenVPN 1.0.5 build 177 (iOS 32-bit)
Server version: OpenVPN 2.3.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 8 2015

Client Config:

Code: Select all

client
remote example.com 1194
proto udp
dev tun
key-direction 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls-version-min 1.2
verify-x509-name example.com name
comp-lzo yes
persist-key
persist-tun
nobind
auth-nocache
auth-user-pass
ns-cert-type server
verb 3
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>

Server config:

Code: Select all

port 1194
proto udp
dev tun0
server 10.11.12.0 255.255.255.0
client-config-dir ccd
route 10.11.12.0 255.255.255.0
push "route 10.11.12.0 255.255.255.0"
ca /path/ca.crt
cert /path/example.com.crt
key /path/example.com.key
dh /path/dh4096.pem
persist-key
persist-tun
keepalive 5 60
reneg-sec 432000
cipher AES-256-CBC
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls-version-min 1.2
remote-cert-tls client
tls-auth /path/ta.key 0
comp-lzo yes
user nobody
group nogroup
username-as-common-name
auth-user-pass-verify /etc/openvpn/script/login.sh via-env
max-clients 5
push "persist-key"
push "persist-tun"
push "comp-lzo yes"
script-security 3 system
client-connect /etc/openvpn/script/connect.sh
client-disconnect /etc/openvpn/script/disconnect.sh
status /etc/openvpn/log/example.com.log
log-append /etc/openvpn/log/openvpn.log
verb 3

[Deimos]

(4th attempts at posting a response of this forum and I really am at the point of giving-up. If you are going to pre-moderate posts then delays of over a week are just daft and you will be driving away a lot of self-help and useful information.)

I have been unable to get OpenVPN to connect over 3G.

Works fine over WiFi and 4G (immediate connect when you manually connect), but when in 3G cover when you manually connect it just immediately flips back to the disconnected state - like it does not even recognise the 3G as a network.

Being rural, I only rarely get 4G coverage and it's all 3G. When in 3G coverage (when OpenVPN refuses to connect - ever), everything else internet based (Safari, Mail, etc.) all work fine.

[Traffic]

Sorry about the delays in moderation .. I guess they are all busy ..

As for 3G .. have you tried using TCP protocol for your VPN ?

[PhilPhonic]

I switched my server- & client-configs to tcp.

connections on 3G still are not possible.

Here's my server log:

Code: Select all

Sun Dec  6 14:33:55 2015 TCP connection established with [AF_INET]89.XXX.XXX.XXX:38987
Sun Dec  6 14:33:55 2015 89.XXX.XXX.XXX:38987 TLS: Initial packet from [AF_INET]89.XXX.XXX.XXX:38987, sid=b7a38f61 b41f10da
Sun Dec  6 14:34:01 2015 89.XXX.XXX.XXX:38987 VERIFY OK: depth=1, C=DE, ST=NW, L=XXX, O=example.com, OU=CA, CN=example.com CA, name=example.com CA, emailAddress=mail@example.com
Sun Dec  6 14:34:01 2015 89.XXX.XXX.XXX:38987 Validating certificate key usage
Sun Dec  6 14:34:01 2015 89.XXX.XXX.XXX:38987 ++ Certificate has key usage  0080, expects 0080
Sun Dec  6 14:34:01 2015 89.XXX.XXX.XXX:38987 VERIFY KU OK
Sun Dec  6 14:34:01 2015 89.XXX.XXX.XXX:38987 Validating certificate extended key usage
Sun Dec  6 14:34:01 2015 89.XXX.XXX.XXX:38987 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Sun Dec  6 14:34:01 2015 89.XXX.XXX.XXX:38987 VERIFY EKU OK
Sun Dec  6 14:34:01 2015 89.XXX.XXX.XXX:38987 VERIFY OK: depth=0, C=DE, ST=NW, L=XXX, O=example.com, OU=CA, CN=username, name=example.com CA, emailAddress=mail@example.com
Sun Dec  6 14:34:43 2015 89.XXX.XXX.XXX:38987 Connection reset, restarting [0]
Sun Dec  6 14:34:43 2015 89.XXX.XXX.XXX:38987 SIGUSR1[soft,connection-reset] received, client-instance restarting

Here's my client log:

Code: Select all

2015-12-06 14:33:55 ----- OpenVPN Start -----
OpenVPN core 3.0 ios armv7s thumb2 32-bit
2015-12-06 14:33:55 UNUSED OPTIONS
8 [tls-cipher] [TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC...] 
10 [verify-x509-name] [vpn.example.com] [name] 
12 [persist-key] 
13 [persist-tun] 
14 [user] [nobody] 
15 [group] [nogroup] 
16 [nobind] 
17 [auth-nocache] 
20 [verb] [3] 

2015-12-06 14:33:55 EVENT: RESOLVE
2015-12-06 14:33:55 LZO-ASYM init swap=0 asym=0
2015-12-06 14:33:55 Contacting 5.XXX.XXX.XXX:1194 via TCP
2015-12-06 14:33:55 EVENT: WAIT
2015-12-06 14:33:55 SetTunnelSocket returned 1
2015-12-06 14:33:55 Connecting to vpn.example.com:1194 (5.XXX.XXX.XXX) via TCPv4
2015-12-06 14:33:55 EVENT: CONNECTING
2015-12-06 14:33:55 Tunnel Options:V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
2015-12-06 14:33:55 Creds: Username/Password
2015-12-06 14:33:55 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1

2015-12-06 14:33:57 VERIFY OK: depth=1
cert. version    : 3
serial number    : EC:56:3B:58:53:9D:12:B9
issuer name      : C=DE, ST=NW, L=XXX, O=example.com, OU=CA, CN=example.com CA, ??=example.com CA, emailAddress=mail@example.com
subject name      : C=DE, ST=NW, L=XXX, O=example.com, OU=CA, CN=example.com CA, ??=example.com CA, emailAddress=mail@example.com
issued  on        : 2015-12-05 18:10:40
expires on        : 2025-12-02 18:10:40
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true

2015-12-06 14:33:57 VERIFY OK: depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=DE, ST=NW, L=XXX, O=example.com, OU=CA, CN=example.com CA, ??=example.com CA, emailAddress=mail@example.com
subject name      : C=DE, ST=NW, L=XXX, O=example.com, OU=CA, CN=vpn.example.com, ??=example.com CA, emailAddress=mail@example.com
issued  on        : 2015-12-05 18:12:57
expires on        : 2025-12-02 18:12:57
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=false
subject alt name  : vpn.example.com
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication

2015-12-06 14:34:41 Session invalidated: KEEPALIVE_TIMEOUT
2015-12-06 14:34:41 Client terminated, restarting in 2...
2015-12-06 14:34:43 EVENT: RECONNECTING
2015-12-06 14:34:43 LZO-ASYM init swap=0 asym=0
2015-12-06 14:34:43 Contacting 5.XXX.XXX.XXX:1194 via TCP
2015-12-06 14:34:43 EVENT: WAIT
2015-12-06 14:34:43 SetTunnelSocket returned 1
2015-12-06 14:34:44 Connecting to vpn.example.com:1194 (5.XXX.XXX.XXX) via TCPv4
2015-12-06 14:34:44 EVENT: CONNECTING
2015-12-06 14:34:44 Tunnel Options:V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
2015-12-06 14:34:44 Creds: Username/Password
2015-12-06 14:34:44 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1

2015-12-06 14:34:46 VERIFY OK: depth=1
cert. version    : 3
serial number    : EC:56:3B:58:53:9D:12:B9
issuer name      : C=DE, ST=NW, L=XXX, O=example.com, OU=CA, CN=example.com CA, ??=example.com CA, emailAddress=mail@example.com
subject name      : C=DE, ST=NW, L=XXX, O=example.com, OU=CA, CN=example.com CA, ??=example.com CA, emailAddress=mail@example.com
issued  on        : 2015-12-05 18:10:40
expires on        : 2025-12-02 18:10:40
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true

2015-12-06 14:34:46 VERIFY OK: depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=DE, ST=NW, L=XXX, O=example.com, OU=CA, CN=example.com CA, ??=example.com CA, emailAddress=mail@example.com
subject name      : C=DE, ST=NW, L=XXX, O=example.com, OU=CA, CN=vpn.example.com, ??=example.com CA, emailAddress=mail@example.com
issued  on        : 2015-12-05 18:12:57
expires on        : 2025-12-02 18:12:57
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=false
subject alt name  : vpn.example.com
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication

2015-12-06 14:34:55 EVENT: CONNECTION_TIMEOUT [ERR]
2015-12-06 14:34:55 EVENT: DISCONNECTED
2015-12-06 14:34:55 Raw stats on disconnect:
  BYTES_IN : 22666
  BYTES_OUT : 18388
  PACKETS_IN : 66
  PACKETS_OUT : 127
  REPLAY_ERROR : 7
  KEEPALIVE_TIMEOUT : 1
  CONNECTION_TIMEOUT : 1
  N_RECONNECT : 1
  PKTID_TCP_OUT_OF_SEQ : 7
2015-12-06 14:34:55 Performance stats on disconnect:
  CPU usage (microseconds): 4055626
  Network bytes per CPU second: 10122
  Tunnel bytes per CPU second: 0
2015-12-06 14:34:55 ----- OpenVPN Stop -----

[Traffic]

I am not absolutely sure but your problem sounds like it is similar to this:
https://community.openvpn.net/openvpn/ticket/428

Perhaps you could try disabling --tls-auth ?

[PhilPhonic]

Disabling tls-auth worked. But that's not really what I want to do
So is this a bug in OpenVPN Connect Client?