iOS on-demand-VPN inactivity issue with 3.3.2

[KennyDW]

Hi all


I am using OpenVPN per-app-VPN-connections for over 2 years now in combination with an MDM to push the configs to the device. Whenever one of the apps is opened, the iOS system is starting the OpenVPN tunnel in the background. I've setted up inactivity timers (30 sec 1000 bytes) to prevent the tunnels from being active all the time. The per-app-VPN is reopened once there's traffic again from one of these apps. This worked very well with all versions of OpenVPN Connect App >= 3.2.3. Last weeks, when I installed new smartphones with the OpenVPN Connect App version 3.3.2, there is this strange behaviour:

- my inactivity timeout of 30 seconds is ignored
- instead, OpenVPN Connect App closes the tunnel after 60 seconds
- meanwhile, the tunnel keeps it's "connected" status in iOS, the tunnel keeps working as well
- once there's a internet connectivity issue, let's say a switch between WiFi/4G, iOS per-app-VPN status goes to "connecting" and stays there untill reboot of the smartphone

It seems like OpenVPN Connect App is ignoring my inactivity timeout, exiting the tunnel itself at 60 seconds, without letting iOS know.

View OriginalServer config

1

2

3

port 11XX

4

5

server 10.8.6.0 255.255.255.0

6

7

push "dhcp-option DNS 1.1.1.1"

8

9

push "dhcp-option DNS 1.0.0.1"

10

11

12

13

replay-window 10000

14

15

16

17

proto tcp4

18

19

dev tun

20

21

ca ca.crt

22

23

cert server.crt

24

25

key server.key

26

27

dh dh.pem

28

29

auth SHA512

30

31

tls-auth tc.key

32

33

topology subnet

34

35

push "redirect-gateway def1 bypass-dhcp"

36

37

push "persist-key"

38

39

push "persist-tun"

40

41

duplicate-cn

42

43

keepalive 10 120

44

45

cipher AES-256-CBC

46

47

user nobody

48

49

group nogroup

50

51

persist-key

52

53

persist-tun

54

55

status /var/log/openvpn/openvpn-status.log

56

57

log /var/log/openvpn/openvpn.log

58

59

log-append /var/log/openvpn/openvpn.log

60

61

verb 3

62

63

mute 20

64

1

port 11XX

2

server 10.8.6.0 255.255.255.0

3

push "dhcp-option DNS 1.1.1.1"

4

push "dhcp-option DNS 1.0.0.1"

5

replay-window 10000

6

proto tcp4

7

dev tun

8

ca ca.crt

9

cert server.crt

10

key server.key

11

dh dh.pem

12

auth SHA512

13

tls-auth tc.key

14

topology subnet

15

push "redirect-gateway def1 bypass-dhcp"

16

push "persist-key"

17

push "persist-tun"

18

duplicate-cn

19

keepalive 10 120

20

cipher AES-256-CBC

21

user nobody

22

group nogroup

23

persist-key

24

persist-tun

25

status /var/log/openvpn/openvpn-status.log

26

log /var/log/openvpn/openvpn.log

27

log-append /var/log/openvpn/openvpn.log

28

verb 3

29

mute 20

Here is the client config, just the keys and their values since it is pushed by the MDM.

View OriginalClient config

1

2

3

client

4

5

dev tun

6

7

remote remotedomainname 11XX tcp4

8

9

nobind

10

11

block-outside-dns

12

13

inactive 30 1000

14

15

cipher AES-256-CBC

16

17

auth SHA512

18

19

persist-key

20

21

persist-tun

22

23

remote-cert-tls server

24

25

tls-auth -----KEY-----

26

27

ignore-unknown-option outside-dns

28

29

ca ------CERT-----

30

31

cert -----CERTIFICATE------

32

33

key -----KEY------

34

1

client

2

dev tun

3

remote remotedomainname 11XX tcp4

4

nobind

5

block-outside-dns

6

inactive 30 1000

7

cipher AES-256-CBC

8

auth SHA512

9

persist-key

10

persist-tun

11

remote-cert-tls server

12

tls-auth -----KEY-----

13

ignore-unknown-option outside-dns

14

ca ------CERT-----

15

cert -----CERTIFICATE------

16

key -----KEY------

I haven't found a solution for this. I tried playing with ping-exit instead of inactivity, but I couldn't find a working solution.

I am aware of the workaround of installing the old version via TestFlight. Unfortunately, we are on iOS devices without iCloud-account which are managed by an MDM. TestFlight doesn't seem a solution to me.

Thanks for your advice

[16r]

Hey, I'm having exact same issue. iOS unreliable closes the tunnel (from time to time it does seem to work), but often it's says in settings its "connected", while the OpenVPN app shows disconnected. Even after going to sleep.

Running 3.3.3 (b 5109) on iOS 16.3.1

Did you manage to solve this?

TestFlight doesn't accept new testers, so I have no means to downgrade.

[KennyDW]

No, unfortunately I have no resolution for this. I am looking to switch to another VPN protocol for our iOS devices

[16r]

I have a strong feeling the issue is caused by the OpenVPN software self.

When the connection time out occurs, the OpenVPN shows a dialog box (alert). It looks like it closes the connection once you clicked on that that dialog. Basically the dialog stops OPN of telling iOS to close the connection (until you open OPN app and click the message away, or you to Settings -> VON and stop it manually.

Any idea where we can we file a bug ?

[16r]

Just a quick update.

After a lengthy emails back and forth with OpenVPN support, I (finally) for confirmation they can reproduce this problem. It’s in the pipeline to be fixed, but no ETA.

[ktykls]

Same problem for me.