OpenVPN Connect fails to connect after push requests
Posted: Wed Nov 07, 2018 4:36 pm
Set up an OpenVPN server on a SUSE Linux system running under VirtualBox. Tested it by connecting to it from another Linux box using a shared secret and then migrated both ends to use full certs etc. All working fine. Created a .ovpn file and that works fine on a Windows 10 machine but fails on iOS (iPad with iOS 12).
Push requests appear to be sent from the iPad and received by the server but not actioned. As I say, the server can be connected to from a Linux box (manual config), and Windows (same .ovpn file). Anyone got any suggestions?
I note the warning about ifconfig but I have complementary ifconfig statements in both the server.conf file and the .ovpn file! As it's a warning I am assuming it's not the cause of my issue.
Thanks.
File imports fine on both Windows and iOS systems:
client
dev tun
proto udp
remote yyy.yyy.yy.yyy
port 1194
ifconfig xxx.xxx.xxx.2 xxx.xxx.xxx.1
remote-cert-tls server
persist-key
persist-tun
key-direction 1
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
</tls-auth>
Logfile on the iPad ends as follows:
2018-05-07 15:05:08 VERIFY OK : depth=1
cert. version : 3
serial number : 9A:8C:ED:62:89:B3:FB:AA
issuer name : CN=Cumulus
subject name : CN=Cumulus
issued on : 2018-11-05 14:09:45
expires on : 2028-11-02 14:09:45
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
2018-05-07 15:05:08 VERIFY OK : depth=0
cert. version : 3
serial number : 38:90:51:C4:07:09:2F:84:5A:36:26:32:FA:ED:9F:60
issuer name : CN=Cumulus
subject name : CN=server
issued on : 2018-11-05 14:11:00
expires on : 2028-11-02 14:11:00
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2018-05-07 15:05:08 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2018-05-07 15:05:08 Session is ACTIVE
2018-05-07 15:05:08 EVENT: GET_CONFIG
2018-05-07 15:05:08 Sending PUSH_REQUEST to server...
2018-05-07 15:05:10 Sending PUSH_REQUEST to server...
2018-05-07 15:05:12 Sending PUSH_REQUEST to server...
2018-05-07 15:05:15 Sending PUSH_REQUEST to server...
2018-05-07 15:05:18 Sending PUSH_REQUEST to server...
2018-05-07 15:05:21 Sending PUSH_REQUEST to server...
2018-05-07 15:05:24 Sending PUSH_REQUEST to server...
2018-05-07 15:05:27 Sending PUSH_REQUEST to server...
2018-05-07 15:05:30 Sending PUSH_REQUEST to server...
2018-05-07 15:05:34 Sending PUSH_REQUEST to server...
2018-05-07 15:05:37 EVENT: CONNECTION_TIMEOUT [ERR]
2018-05-07 15:05:37 Raw stats on disconnect:
BYTES_IN : 6530
BYTES_OUT : 5468
PACKETS_IN : 26
PACKETS_OUT : 25
CONNECTION_TIMEOUT : 1
N_RECONNECT : 1
The server log shows:
VERIFY OK: depth=1, CN=Cumulus
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
VERIFY EKU OK
VERIFY OK: depth=0, CN=client
peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
peer info: IV_VER=3.2
peer info: IV_PLAT=ios
peer info: IV_NCP=2
peer info: IV_TCPNL=1
peer info: IV_PROTO=2
peer info: IV_AUTO_SESS=1
peer info: IV_BS64DL=1
WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig xxx.xxx.xxx.1 xxx.xxx.x.2'
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
TLS: tls_multi_process: untrusted session promoted to semi-trusted
Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[client] Peer Connection Initiated with [AF_INET]xxx.xxx.xx.xxx:61248
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
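An added example, not part of the original post: a small triage script for server-log lines in the format quoted above. It reports data-channel ciphers with a 64-bit block (the condition behind the SWEET32 warning), SHA1 HMAC use, and PUSH_REQUESTs that were logged with no PUSH_REPLY. The sample lines are constructed, and the `'PUSH_REPLY` marker is an assumption about how a reply would appear in the log, since no reply line appears in the post.

```python
import re
from collections import Counter

# Constructed sample in the format of the server log quoted in the post.
SAMPLE_LOG = """\
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
PUSH: Received control message: 'PUSH_REQUEST'
"""

CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)'")
HMAC_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Using \d+ bit message hash '([^']+)'")
# Name prefixes of ciphers with a 64-bit block, the condition behind the SWEET32 warning.
SMALL_BLOCK_PREFIXES = ("BF-", "DES-", "CAST5-", "RC2-")


def triage(log_text):
    """Summarise cipher strength and push handling seen in an OpenVPN server log."""
    ciphers, hmacs, counts = set(), set(), Counter()
    for line in log_text.splitlines():
        if m := CIPHER_RE.search(line):
            ciphers.add(m.group(1))
        elif m := HMAC_RE.search(line):
            hmacs.add(m.group(1))
        elif "Received control message: 'PUSH_REQUEST'" in line:
            counts["requests"] += 1
        elif "'PUSH_REPLY" in line:  # assumed reply marker, not present in the post's log
            counts["replies"] += 1
    return {
        "weak_ciphers": sorted(c for c in ciphers if c.startswith(SMALL_BLOCK_PREFIXES)),
        "sha1_hmac": "SHA1" in hmacs,
        "push_requests": counts["requests"],
        "push_replies": counts["replies"],
        # Requests with no reply at all match the timeout the client log ends in.
        "unanswered_push": counts["requests"] > 0 and counts["replies"] == 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```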