Connect not working with iOS 13.2 but configuration works with Catalina, TLS handshake failed

Official client software for OpenVPN Access Server and OpenVPN Cloud.
nextcounter
OpenVpn Newbie
Posts: 2
Joined: Sat Nov 16, 2019 5:45 am

Post by nextcounter » Sat Nov 16, 2019 6:16 am

Hi all,

I can't get OpenVPN Connect to work on iOS 13.2(.2) with my OpenVPN server, although the same configuration works on a MacBook with Catalina and Tunnelblick 3.8.1. The server log shows "TLS handshake failed", although the network, firewall, and port routing are all fine.

The server log:

MULTI: multi_create_instance called
172.21.18.1:4561 Re-using SSL/TLS context
172.21.18.1:4561 LZO compression initializing
172.21.18.1:4561 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
172.21.18.1:4561 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
172.21.18.1:4561 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
172.21.18.1:4561 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
R172.21.18.1:4561 TLS: Initial packet from [AF_INET]172.21.18.1:4561, sid=60dc6925 7ca3e47d
W172.21.18.1:4561 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
172.21.18.1:4561 TLS Error: TLS handshake failed
172.21.18.1:4561 SIGUSR1[soft,tls-error] received, client-instance restarting

The server configuration:

port 1194
proto udp4
dev tun
topology subnet
tls-server
tls-timeout 60
remote-cert-eku "TLS Web Client Authentication"

ca xx/xx/xx/ca.crt
cert /xx/xx/xx/server.crt
key /xx/xx/xx/server.key
dh /xx/xx/xx/dh.pem

server 10.94.176.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"
push "route 172.21.18.0 255.255.255.0"

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

duplicate-cn

keepalive 10 120
comp-lzo
persist-key
persist-tun
daemon

status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log

tls-crypt /xx/xx/xx/ta.key

user nobody
group users

cipher AES-256-CBC

verb 5

The client configuration, which is the one loaded on the OpenVPN Connect app on the iPhone:

  tls-client
  remote x.x.x.x 1194
  ca ca.crt
  cert clientIphone.crt
  key clientIphone.key
  dev tun
  proto udp
  remote-cert-eku "TLS Web Server Authentication"
  topology subnet
  pull
  comp-lzo
  persist-key
  persist-tun
  # hardened security
  tls-crypt ta.key
  cipher AES-256-CBC

and finally the client log:

2019-11-16 11:24:39 1

2019-11-16 11:24:39 ----- OpenVPN Start -----
OpenVPN core 3.git::728733ae ios arm64 64-bit PT_PROXY built on Aug 15 2019 06:21:05

2019-11-16 11:24:39 OpenVPN core 3.git::728733ae ios arm64 64-bit PT_PROXY built on Aug 15 2019 06:21:05

2019-11-16 11:24:39 Frame=512/2048/512 mssfix-ctrl=1250

2019-11-16 11:24:39 UNUSED OPTIONS
0 [tls-client] 
8 [topology] [subnet] 
9 [pull] 
11 [persist-key] 
12 [persist-tun] 

2019-11-16 11:24:39 EVENT: RESOLVE

2019-11-16 11:24:39 Contacting [x.x.x.x]:1194/UDP via UDP

2019-11-16 11:24:39 EVENT: WAIT

2019-11-16 11:24:39 Connecting to [x.x.x.x]:1194 (x.x.x.x) via UDPv4

2019-11-16 11:24:39 EVENT: CONNECTING

2019-11-16 11:24:39 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client

2019-11-16 11:24:39 Creds: UsernameEmpty/PasswordEmpty

2019-11-16 11:24:39 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.3-2104
IV_VER=3.git::728733ae
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1


2019-11-16 11:25:09 EVENT: CONNECTION_TIMEOUT [ERR]

2019-11-16 11:25:09 Raw stats on disconnect:
BYTES_IN : 66
BYTES_OUT : 7652
PACKETS_IN : 1
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1

2019-11-16 11:25:09 Performance stats on disconnect:
CPU usage (microseconds): 48539
Network bytes per CPU second: 159006
Tunnel bytes per CPU second: 0

2019-11-16 11:25:09 EVENT: DISCONNECTED

2019-11-16 11:25:09 Raw stats on disconnect:
BYTES_IN : 66
BYTES_OUT : 7652
PACKETS_IN : 1
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1

2019-11-16 11:25:09 Performance stats on disconnect:
CPU usage (microseconds): 48539
Network bytes per CPU second: 159006
Tunnel bytes per CPU second: 0

I have also checked:
  • network connection works (in fact, as mentioned, I can connect using my MacBook with the same configuration and certificates)

The server is on Linux kernel 5.3.9, OpenVPN 2.4.7.

Thanks for your help.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connect not working with iOS 13.2 but configuration works with Catalina, TLS handshake failed

Post by TinCanTech » Sat Nov 16, 2019 2:19 pm

See your server log for problems.

nextcounter
OpenVpn Newbie
Posts: 2
Joined: Sat Nov 16, 2019 5:45 am

Re: Connect not working with iOS 13.2 but configuration works with Catalina, TLS handshake failed

Post by nextcounter » Sun Nov 17, 2019 3:53 am

Yes, the log says the TLS connection fails. This is indeed what puzzles me: the same connection, with the same configuration file, works on another client (Catalina). So, it may be an issue with the iOS app.

Is anyone else experiencing the same problem?

adirbd
OpenVpn Newbie
Posts: 1
Joined: Fri Dec 13, 2019 10:59 am

Re: Connect not working with iOS 13.2 but configuration works with Catalina, TLS handshake failed

Post by adirbd » Fri Dec 13, 2019 11:03 am

Yes, I have the same problem after updating to iOS 13. It works on every device except iOS devices.
I use pivpn with the newest version, but it looks like a problem with the app.
