Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Tue Jan 09, 2018 6:49 am
by anatoli
Hi,

Just after upgrading to 1.2.5, I can't connect to my server any more. On the iPhone the app tries to connect as if there's no internet, on the server I see:

Tue Jan 9 03:18:19 2018 TLS Error: incoming packet authentication failed from [AF_INET]xxx:yyy
Tue Jan 9 03:18:20 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed

I tried to re-deploy the config again (xxx.ovpn), same problem.

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Tue Jan 09, 2018 7:09 am
by ordex
Is this the client or the server log? Is it possible to have both?
Could you please also post both configurations (please omit private information such as keys, etc).

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Tue Jan 09, 2018 7:46 am
by anatoli
The log from server (OpenVPN community 2.3.17) every second while iPhone tries to connect:

Tue Jan  9 04:23:33 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Tue Jan  9 04:23:33 2018 TLS Error: incoming packet authentication failed from [AF_INET]xx:yy
The log from the client with OpenVPN Connect 1.2.5 on iPhone 6S with iOS 11.2.1:

2018-01-09 04:23:29 Server poll timeout, trying next remote entry...
2018-01-09 04:23:29 EVENT: RECONNECTING
2018-01-09 04:23:29 Contacting [xx]:yy/UDP via UDP
2018-01-09 04:23:29 EVENT: WAIT
2018-01-09 04:23:29 Connecting to [xx]:yy (xx) via UDPv4
2018-01-09 04:23:34 EVENT: DISCONNECTED
Server config:

local xx
lport yy

dev tun

mode server

topology subnet
push "topology subnet"

tun-mtu 1500
ifconfig xx yy

ifconfig-pool xx yy

fast-io

push "route-gateway xx"
push "redirect-gateway def1 autolocal bypass-dhcp"

push "dhcp-option DNS xx"

client-config-dir client_cfg

user xx
group yy
chroot /zz

script-security 2

tls-server

tls-auth keys/xx

tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC
auth SHA512

dh keys/xx

ca keys/xx
cert keys/yy
key keys/zz

crl-verify crl 'dir'

remote-cert-ku a0
remote-cert-eku "TLS Web Client Authentication"
verify-x509-name xx name-prefix


comp-lzo

ping 5
push "ping 5"
push "ping-restart 15"

persist-tun
persist-key
push "persist-key"

push "explicit-exit-notify"

Client config:

remote xx

resolv-retry infinite

server-poll-timeout 5

nobind

dev tun

tun-mtu 1500

allow-pull-fqdn
pull



tls-client

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xxx
-----END OpenVPN Static key V1-----
</tls-auth>

tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC
auth SHA512

<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>

remote-cert-tls server
verify-x509-name xx name

comp-lzo

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Tue Jan 09, 2018 2:19 pm
by anatoli
ordex, could you please confirm you can reproduce the error? The problem is starting to affect the users as, despite the warning not to update the app, most of them have autoupdate turned on.

Maybe you could publish the previous (1.1.1) version as a new version for the moment so everything is back again?

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Tue Jan 09, 2018 2:37 pm
by ordex
anatoli wrote:
Tue Jan 09, 2018 2:19 pm
ordex, could you please confirm you can reproduce the error? The problem is starting to affect the users as, despite the warning not to update the app, most of them have autoupdate turned on.
We have tested tls-auth and tls-crypt and they both work as expected.
The log message you reported from the server is printed *after* the tls-auth/crypt mechanism has already performed its check.
You could try verifying this by temporarily disabling tls-auth and seeing if the error is still the same.

Actually this error is more related to the authentication of the packets performed with SHA512 in your case.
Is it possible for you to temporarily comment out that line on client and server and see if the error persists? That would help in understanding where the problem is.
anatoli wrote:
Tue Jan 09, 2018 2:19 pm
Maybe you could publish the previous (1.1.1) version as a new version for the moment so everything is back again?
Unfortunately the AppStore does not allow that. That's why we are striving to collect as much information as possible and fix the bugs.

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Tue Jan 09, 2018 4:12 pm
by ahx-fos
ordex wrote:
Tue Jan 09, 2018 2:37 pm
Unfortunately the AppStore does not allow that. That's why we are striving to collect as much information as possible and fix the bugs.
This isn't good enough.

Applications can _absolutely_ be pulled. You need to pull this application; re-submit the previous version with an incremental version release and put back a working version until you can fix the absolute piss up that is 1.2.5.

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Tue Jan 09, 2018 5:08 pm
by ordex
ordex wrote:
Tue Jan 09, 2018 2:37 pm
anatoli wrote:
Tue Jan 09, 2018 2:19 pm
ordex, could you please confirm you can reproduce the error? The problem is starting to affect the users as, despite the warning not to update the app, most of them have autoupdate turned on.
We have tested tls-auth and tls-crypt and they both work as expected.
The log message you reported from the server is printed *after* the tls-auth/crypt mechanism has already performed its check.
You could try verifying this by temporarily disabling tls-auth and seeing if the error is still the same.

Actually this error is more related to the authentication of the packets performed with SHA512 in your case.
Is it possible for you to temporarily comment out that line on client and server and see if the error persists? That would help in understanding where the problem is.
After digging deeper, it seems this might be related to tls-auth. Would it be possible for you to re-test without "auth SHA512" in the configuration?

Thanks a lot

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Tue Jan 09, 2018 5:48 pm
by anatoli
I only have this setup in production; I'll make the tests today COB.

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Tue Jan 09, 2018 6:22 pm
by Tg92
Hi,

I have exactly the same trouble.

server side (ipfire with OpenSSL 1.0.2n)

18:56:09	openvpnserver[25602]: 	x.x.x.x:55555 Fatal TLS error (check_tls_errors_co), restarting
18:56:09	openvpnserver[25602]: 	x.x.x.x:55555 TLS Error: incoming packet authentication failed from [AF_INET ]x.x.x.x:55555
18:56:09	openvpnserver[25602]: 	x.x.x.x:55555 Authenticate/Decrypt packet error: packet HMAC authentication failed
18:56:09	openvpnserver[25602]: 	TCP connection established with [AF_INET]x.x.x.x:55555
client side

2018-01-09 18:56:09 EVENT: RESOLVE
2018-01-09 18:56:09 Contacting [y.y.y.y]::1234 /TCP via TCP
2018-01-09 18:56:09 EVENT: WAIT
2018-01-09 18:56:09 Connecting to [y.y.y.y]:1234 (y.y.y.y) via TCPv4
2018-01-09 18:56:09 TCP recv EOF
2018-01-09 18:56:09 Transport Error: Transport error on 'y.y.y.y: NETWORK_EOF_ERROR
2018-01-09 18:56:09 EVENT: TRANSPORT_ERROR Transport error on 'y.y.y.y: NETWORK_EOF_ERROR [ERR]
2018-01-09 18:56:09 Client terminated, restarting in 5000 ms...
My server is still working fine with another device with OpenVPN 1.2.4.

Can you help me?

Thank you

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Tue Jan 09, 2018 6:24 pm
by ordex
Tg92 wrote:
Tue Jan 09, 2018 6:22 pm
Hi,

I have exactly the same trouble.

server side (ipfire with OpenSSL 1.0.2n)

18:56:09	openvpnserver[25602]: 	x.x.x.x:55555 Fatal TLS error (check_tls_errors_co), restarting
18:56:09	openvpnserver[25602]: 	x.x.x.x:55555 TLS Error: incoming packet authentication failed from [AF_INET ]x.x.x.x:55555
18:56:09	openvpnserver[25602]: 	x.x.x.x:55555 Authenticate/Decrypt packet error: packet HMAC authentication failed
18:56:09	openvpnserver[25602]: 	TCP connection established with [AF_INET]x.x.x.x:55555
client side

2018-01-09 18:56:09 EVENT: RESOLVE
2018-01-09 18:56:09 Contacting [y.y.y.y]::1234 /TCP via TCP
2018-01-09 18:56:09 EVENT: WAIT
2018-01-09 18:56:09 Connecting to [y.y.y.y]:1234 (y.y.y.y) via TCPv4
2018-01-09 18:56:09 TCP recv EOF
2018-01-09 18:56:09 Transport Error: Transport error on 'y.y.y.y: NETWORK_EOF_ERROR
2018-01-09 18:56:09 EVENT: TRANSPORT_ERROR Transport error on 'y.y.y.y: NETWORK_EOF_ERROR [ERR]
2018-01-09 18:56:09 Client terminated, restarting in 5000 ms...
My server is still working fine with another device with OpenVPN 1.2.4.

Can you help me?

Thank you
I guess you mean v1.1.1? The app that was in AppStore earlier?

By the way, could you please post the client config? thanks

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Tue Jan 09, 2018 7:22 pm
by Tg92
Yes, version 1.1.1.

I can complete my client log with:

OpenVPN core 3.1.2 ios arm64 64-bit built on Jan  5 2018 23:09:59
2018-01-09 19:22:56 Keychain Cert Extraction: 1 certificate(s) found
2018-01-09 19:22:56 Frame=512/2048/512 mssfix-ctrl=1250
2018-01-09 19:22:56 UNUSED OPTIONS
0 [tls-client] 
2 [nobind] 
9 [verb] [3] 
13 [verify-x509-name] [a.mydomain.com] [name] 
Client config:

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto tcp
tun-mtu 1400
remote a.mydomain.com 1234
cipher AES-256-CBC
auth SHA256
verb 3
ns-cert-type server
redirect-gateway def1
tls-remote a.mydomain.com
verify-x509-name a.mydomain.com name
#mssfix ##optional!

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Tue Jan 09, 2018 8:28 pm
by Tg92
I have a suggestion for the trouble.

With a Windows connection that is working, I have:

ultrahp/x.x.x.x:55555 TCPv4_SERVER READ [96] from [AF_INET]x.x.x.x:55555 : P_CONTROL_V1 kid=0 COUIC_CONFIDENTIAL
ultrahp/x.x.x.x:55555 TLS: control channel, op=P_CONTROL_V1, IP=[AF_INET]192 .168.2.2:55555
and with my iOS I have:

x.x.x.x:55555 TCPv4_SERVER READ [54] from [AF_INET]x.x.x.x:55555: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 COUIC_CONFIDENTIAL
x.x.x.x:55555 TLS: control channel, op=P_CONTROL_HARD_RESET_CLIENT_V2, IP=[A F_INET]x.x.x.x:55555
It looks like it is not the right authentication type: P_CONTROL_V1 vs P_CONTROL_HARD_RESET_CLIENT_V2.
In openvpn/ssl.h:

/* packet opcodes -- the V1 is intended to allow protocol changes in the future */
#define P_CONTROL_HARD_RESET_CLIENT_V1 1     /* initial key from client, forget previous state */
#define P_CONTROL_HARD_RESET_SERVER_V1 2     /* initial key from server, forget previous state */
#define P_CONTROL_SOFT_RESET_V1        3     /* new key, graceful transition from old to new key */
#define P_CONTROL_V1                   4     /* control channel packet (usually TLS ciphertext) */
#define P_ACK_V1                       5     /* acknowledgement for packets received */
#define P_DATA_V1                      6     /* data channel packet */
#define P_DATA_V2                      9     /* data channel packet with peer-id */

/* indicates key_method >= 2 */
#define P_CONTROL_HARD_RESET_CLIENT_V2 7     /* initial key from client, forget previous state */
#define P_CONTROL_HARD_RESET_SERVER_V2 8     /* initial key from server, forget previous state */
How can we define it in the client config?

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Wed Jan 10, 2018 3:21 am
by ordex
Tg92 wrote:
Tue Jan 09, 2018 7:22 pm
Yes, version 1.1.1.

I can complete my client log with:

OpenVPN core 3.1.2 ios arm64 64-bit built on Jan  5 2018 23:09:59
2018-01-09 19:22:56 Keychain Cert Extraction: 1 certificate(s) found
2018-01-09 19:22:56 Frame=512/2048/512 mssfix-ctrl=1250
2018-01-09 19:22:56 UNUSED OPTIONS
0 [tls-client] 
2 [nobind] 
9 [verb] [3] 
13 [verify-x509-name] [a.mydomain.com] [name] 
Client config:

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto tcp
tun-mtu 1400
remote a.mydomain.com 1234
cipher AES-256-CBC
auth SHA256
verb 3
ns-cert-type server
redirect-gateway def1
tls-remote a.mydomain.com
verify-x509-name a.mydomain.com name
#mssfix ##optional!
Do you have tls-auth or tls-crypt enabled on the server?

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Wed Jan 10, 2018 3:23 am
by ordex
Tg92 wrote:
Tue Jan 09, 2018 8:28 pm
How can we define it in the client config?
This is not correct. The HARD_RESET_V2 is sent also by the iOS client. This is essential for the protocol to work and it is sent also when no tls-auth/crypt is used. You can see it when dumping the traffic with tcpdump/wireshark if you are curious.
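
As an added illustration (not code from this thread or from OpenVPN itself), the Python below decodes the opcode byte that Tg92's server log shows as P_CONTROL_HARD_RESET_CLIENT_V2 kid=0, then replays the server-side tls-auth HMAC check that ordex describes, with constructed static keys, to show which mismatches produce "packet HMAC authentication failed". The static-key slot layout and the packet bytes that get authenticated are assumptions, simplified from the real wire format.

```python
import hashlib
import hmac

# Opcodes from OpenVPN's ssl.h as quoted in the thread. On the wire the first
# byte of a packet holds the opcode in its top 5 bits and the key id in the low 3.
OPCODES = {1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
           3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
           6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
           8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2"}

BEGIN, END = "-----BEGIN OpenVPN Static key V1-----", "-----END OpenVPN Static key V1-----"

# Constructed 2048-bit static keys: one shared by both peers and one that only a
# misconfigured client holds. Real keys come from 'openvpn --genkey'.
SHARED_KEY = "%s\n%s\n%s\n" % (BEGIN, bytes(range(256)).hex(), END)
OTHER_KEY = "%s\n%s\n%s\n" % (BEGIN, bytes(255 - i for i in range(256)).hex(), END)


def decode_opcode_byte(first_byte: int) -> tuple:
    """Return (opcode name, key id) for the leading byte of an OpenVPN packet."""
    opcode, key_id = first_byte >> 3, first_byte & 0x07
    return OPCODES.get(opcode, "UNKNOWN(%d)" % opcode), key_id


def parse_static_key(text: str) -> bytes:
    """Read the hex body of a static key block (inline <tls-auth> or ta.key file)."""
    body = text.split(BEGIN, 1)[1].split(END, 1)[0]
    raw = bytes.fromhex("".join(body.split()))
    if len(raw) != 256:
        raise ValueError("expected a 256-byte static key, got %d bytes" % len(raw))
    return raw


def hmac_key(static_key: bytes, slot: int, digest: str) -> bytes:
    """Pick the HMAC key for one direction. Assumed layout (not from the page):
    two 128-byte halves, each a 64-byte cipher key followed by a 64-byte HMAC
    key, truncated to the digest length selected by 'auth'."""
    start = 128 * slot + 64
    return static_key[start:start + hashlib.new(digest).digest_size]


def verify_tag(packet: bytes, received_tag: bytes, key: bytes, digest: str) -> bool:
    """The server-side check whose failure logs 'packet HMAC authentication failed'."""
    expected = hmac.new(key, packet, digest).digest()
    return hmac.compare_digest(expected, received_tag)


def check_tls_auth_scenarios() -> dict:
    """Run the server's check on three constructed client hard-reset packets."""
    server_key = hmac_key(parse_static_key(SHARED_KEY), 0, "sha512")
    # Constructed packet: HARD_RESET_CLIENT_V2 with kid=0, an 8-byte session id
    # and a 4-byte packet id; the tag travels separately and is recomputed here.
    packet = bytes([0x38]) + b"\x11" * 8 + (1).to_bytes(4, "big")
    client_tags = {
        "same key, auth SHA512": hmac.new(server_key, packet, "sha512").digest(),
        "client uses auth SHA256": hmac.new(
            hmac_key(parse_static_key(SHARED_KEY), 0, "sha256"), packet, "sha256").digest(),
        "client uses a different ta.key": hmac.new(
            hmac_key(parse_static_key(OTHER_KEY), 0, "sha512"), packet, "sha512").digest(),
    }
    return {name: verify_tag(packet, t, server_key, "sha512")
            for name, t in client_tags.items()}
```

Only the first scenario verifies; the other two are what a server sees when the two sides disagree on the 'auth' digest or on the static key, which is why ordex asks for both configurations and for tests with each option removed.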

Re: Upgrade to OpenVPN 1.2.5 (iOS): issues

Posted: Wed Jan 10, 2018 6:12 am
by peter_sm
I got my server working with the latest version of the app. I think the key was to move from tls-auth to tls-crypt.

PLEASE, if you see any bad or missing settings feel free to let me know :-)


Server config

server 10.33.0.0 255.255.255.0
local 192.168.0.190
dev tun
port 1199
proto udp
dh /mnt/disks/SSD1/appdata/myVPNserver_rsa/dh.pem
ca /mnt/disks/SSD1/appdata/myVPNserver_rsa/ca.crt
cert /mnt/disks/SSD1/appdata/myVPNserver_rsa/server.crt
key /mnt/disks/SSD1/appdata/myVPNserver_rsa/server.key
push "dhcp-option DNS 192.168.0.1"
tls-server
verb 3
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
tls-crypt /mnt/disks/SSD1/appdata/myVPNserver_rsa/ta.key
persist-key
persist-tun
keepalive 10 120
user nobody
group users
cipher AES-256-GCM
ncp-disable
auth sha512
comp-lzo adaptive
push "route 192.168.0.0 255.255.255.0"
push "resolv-retry infinite"
status /var/log/openvpnserver-status.log 5
log-append /var/log/openvpnserver.log
status-version 2
explicit-exit-notify 0
remote-cert-tls client
remote-cert-eku "TLS Web Client Authentication"
Client

remote my.vpnserver.com
tls-client
cipher AES-256-GCM
tls-version-min 1.2
auth sha512
client
dev tun
proto udp
port 1199
nobind
persist-key
persist-tun
resolv-retry infinite
comp-lzo adaptive
verb 3
remote-cert-tls server
remote-cert-eku "TLS Web Server Authentication"
route-delay 2

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>

Log

2018-01-10 06:42:19 ----- OpenVPN Start -----
OpenVPN core 3.1.2 ios arm64 64-bit built on Jan  5 2018 23:09:59
2018-01-10 06:42:19 Frame=512/2048/512 mssfix-ctrl=1250
2018-01-10 06:42:19 UNUSED OPTIONS
1 [tls-client] 
9 [nobind] 
10 [persist-key] 
11 [persist-tun] 
12 [resolv-retry] [infinite] 
14 [verb] [3] 
17 [route-delay] [2] 

2018-01-10 06:42:19 EVENT: RESOLVE
2018-01-10 06:42:19 Contacting [yy.yyy.yyy.yyy]:1199/UDP via UDP
2018-01-10 06:42:19 EVENT: WAIT
2018-01-10 06:42:19 Connecting to [xxx.xxx.com]:1199 (yy.yyy.yyy.yyy) via UDPv4
2018-01-10 06:42:19 EVENT: CONNECTING
2018-01-10 06:42:19 Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth SHA512,keysize 256,key-method 2,tls-client
2018-01-10 06:42:19 Creds: UsernameEmpty/PasswordEmpty
2018-01-10 06:42:19 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.2.5-1
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=1
IV_AUTO_SESS=1

2018-01-10 06:42:19 VERIFY OK : depth=1
cert. version    : 3
serial number    : A6:8E:1D:AD:5B:E2:A0:D1
issuer name      : CN=Easy-RSA CA
subject name      : CN=Easy-RSA CA
issued  on        : 2018-01-09 17:25:06
expires on        : 2028-01-07 17:25:06
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage        : Key Cert Sign, CRL Sign

2018-01-10 06:42:19 VERIFY OK : depth=0
cert. version    : 3
serial number    : 91:9F:27:18:FE:5E:3F:EC:48:4F:84:7E:00:FF:0F:F6
issuer name      : CN=Easy-RSA CA
subject name      : CN=server
issued  on        : 2018-01-09 17:25:07
expires on        : 2028-01-07 17:25:07
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication

2018-01-10 06:42:19 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
2018-01-10 06:42:19 Session is ACTIVE
2018-01-10 06:42:19 EVENT: GET_CONFIG
2018-01-10 06:42:19 Sending PUSH_REQUEST to server...
2018-01-10 06:42:19 OPTIONS:
0 [dhcp-option] [DNS] [192.168.0.1] 
1 [route] [192.168.0.0] [255.255.255.0] 
2 [resolv-retry] [infinite] 
3 [route] [10.33.0.1] 
4 [topology] [net30] 
5 [ping] [10] 
6 [ping-restart] [120] 
7 [ifconfig] [10.33.0.6] [10.33.0.5] 
8 [peer-id] [0] 

2018-01-10 06:42:19 PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: SHA512
  compress: LZO
  peer ID: 0
2018-01-10 06:42:19 EVENT: ASSIGN_IP
2018-01-10 06:42:19 NIP: preparing TUN network settings
2018-01-10 06:42:19 NIP: init TUN network settings with endpoint: yy.yyy.yyy.yyy
2018-01-10 06:42:19 NIP: adding IPv4 address to network settings 10.33.0.6/255.255.255.252
2018-01-10 06:42:19 NIP: adding (included) IPv4 route 192.168.0.0/24
2018-01-10 06:42:19 NIP: adding (included) IPv4 route 10.33.0.1/32
2018-01-10 06:42:19 NIP: adding DNS 192.168.0.1
2018-01-10 06:42:19 NIP: adding search domain 
2018-01-10 06:42:19 Connected via NetworkExtensionTUN
2018-01-10 06:42:19 LZO-ASYM init swap=0 asym=0
2018-01-10 06:42:19 EVENT: CONNECTED @xxx.xxx.com:1199 (yy.yyy.yy.yyy) via /UDPv4 on NetworkExtensionTUN/10.33.0.6/ gw=[/]

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Wed Jan 10, 2018 6:56 am
by Tg92
ordex wrote:
Wed Jan 10, 2018 3:21 am
Do you have tls-auth or tls-crypt enabled on the server?
I have tls-auth. This is my server configuration.

#OpenVPN Server conf
daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local a.myDomain.name
dev tun
proto tcp
port 1234
script-security 3 system
ifconfig-pool-persist /path/leases.db 3600
client-config-dir /another/Path
tls-server
ca /path/cacert.pem
cert /path/servercert.pem
key /path/serverkey.pem
dh /path/dh1024.pem
server x.x.x.x 255.255.255.0
tun-mtu 1500
mtu-disc maybe
keepalive 15 47
status-version 1
status /path/log.log 30
cipher AES-256-CBC
auth SHA256
tls-auth /path/ta.key
push "redirect-gateway def1"
push "dhcp-option DNS y.y.y.y"
max-clients 100
tls-verify /path/verify
crl-verify /path/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Wed Jan 10, 2018 6:59 am
by ordex
Tg92 wrote:
Wed Jan 10, 2018 6:56 am
ordex wrote:
Wed Jan 10, 2018 3:21 am
Do you have tls-auth or tls-crypt enabled on the server?
I have tls-auth. This is my server configuration.

#OpenVPN Server conf
daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local a.myDomain.name
dev tun
proto tcp
port 1234
script-security 3 system
ifconfig-pool-persist /path/leases.db 3600
client-config-dir /another/Path
tls-server
ca /path/cacert.pem
cert /path/servercert.pem
key /path/serverkey.pem
dh /path/dh1024.pem
server x.x.x.x 255.255.255.0
tun-mtu 1500
mtu-disc maybe
keepalive 15 47
status-version 1
status /path/log.log 30
cipher AES-256-CBC
auth SHA256
tls-auth /path/ta.key
push "redirect-gateway def1"
push "dhcp-option DNS y.y.y.y"
max-clients 100
tls-verify /path/verify
crl-verify /path/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3
But then you have no tls-auth option in the client config (at least looking at the configuration you posted before).

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Wed Jan 10, 2018 7:43 am
by anatoli
OK, done the tests...

With 'auth SHA512' removed both on server and client nothing improves, same problem.

If 'tls-auth' is removed from both server and client, the connection is immediately established.

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Wed Jan 10, 2018 7:58 am
by ordex
anatoli wrote:
Wed Jan 10, 2018 7:43 am
OK, done the tests...

With 'auth SHA512' removed both on server and client nothing improves, same problem.

If 'tls-auth' is removed from both server and client, the connection is immediately established.
Thanks for testing, this was very helpful. I am adding it to the internal ticket.
In the meantime, as peter_sm said, you can use tls-crypt instead of tls-auth as a workaround (assuming that all your clients support it).

Re: Upgrade to OpenVPN 1.2.5 (iOS): tls-auth not working

Posted: Wed Jan 10, 2018 8:05 am
by anatoli
ordex, thanks for the workaround, but we have a lot of desktops with 2.3.17, we're not ready to migrate everything to 2.4 right now. Also, the mobiles are deployed manually, so also no way to roll out new configs now. Will be waiting for the fix to the iOS app. Please let us know when you identify the cause of this problem.