Opened 3 years ago

Last modified 8 months ago

#1031 assigned Bug / Defect

iOS: mobileconfig with no cert triggers "OpenVPN error : Missing External PKI alias"

Reported by: seanob Owned by: Antonio
Priority: minor Milestone:
Component: OpenVPN Connect Version: OpenVPN Connect for iOS v1.2.9
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Hi,

This particular issue only started to occur in the latest release v. 1.2.9. Previous versions I was able to connect fine.

Steps to reproduce.

  1. Push mobileconfig file to iPhone with OpenVPN 1.2.9 installed. Note: mobileconfig has the certificate details embedded rather than attaching the client cert separately - which is not possible as I am using a 3rd party VPN service.
  2. Launch OpenVPN application. Enter credentials for VPN connection. Connect
  3. Connection instantly fails with the following error: "OpenVPN error : Missing External PKI alias"

OpenVPN Log in the application:

2018-02-28 00:53:43 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28
2018-02-28 00:53:43 EVENT: CORE_ERROR Missing External PKI alias [ERR]
2018-02-28 00:53:43 Raw stats on disconnect:
2018-02-28 00:53:43 Performance stats on disconnect:

CPU usage (microseconds): 25588
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

I have cross-referenced my mobileconfig configuration with the following link, but in saying this the mobileconfig was working up until the previous version and all prior versions successfully:
https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/

I have the OpenVPN 1.2.8 ipa file saved as a backup, so I can always downgrade to test behaviour if you need me to.

mobileconfig configuration:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>0</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings</string>
            <key>PayloadDisplayName</key>
            <string>VPN</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.AD23C943-5F54-40CF-AFED-6FAA71423060</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>AD23C943-5F54-40CF-AFED-6FAA71423060</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Proxies</key>
            <dict>
                <key>HTTPEnable</key>
                <integer>0</integer>
                <key>HTTPSEnable</key>
                <integer>0</integer>
            </dict>
            <key>UserDefinedName</key>
            <string>NordVPN JP16</string>
            <key>VPN</key>
            <dict>
                <key>AuthName</key>
                <string>DEFAULT</string>
                <key>AuthenticationMethod</key>
                <string>Password</string>
                <key>RemoteAddress</key>
                <string>DEFAULT</string>
            </dict>
            <key>VPNSubType</key>
            <string>net.openvpn.connect.app</string>
            <key>VPNType</key>
            <string>VPN</string>
            <key>VendorConfig</key>
            <dict>
                <key>auth</key>
                <string>SHA512</string>
                <key>auth-user-pass</key>
                <string>NOARGS</string>
                <key>ca</key>
                <string>-----BEGIN CERTIFICATE-----\nREMOVED\n-----END CERTIFICATE-----</string>
                <key>cipher</key>
                <string>AES-256-CBC</string>
                <key>client</key>
                <string>NOARGS</string>
                <key>comp-lzo</key>
                <string>NOARGS</string>
                <key>dev</key>
                <string>tun</string>
                <key>explicit-exit-notify</key>
                <string>3</string>
                <key>fast-io</key>
                <string>NOARGS</string>
                <key>key-direction</key>
                <string>1</string>
                <key>mssfix</key>
                <string>1450</string>
                <key>nobind</key>
                <string>NOARGS</string>
                <key>persist-key</key>
                <string>NOARGS</string>
                <key>persist-tun</key>
                <string>NOARGS</string>
                <key>ping</key>
                <string>15</string>
                <key>ping-restart</key>
                <string>0</string>
                <key>ping-timer-rem</key>
                <string>NOARGS</string>
                <key>proto</key>
                <string>udp</string>
                <key>pull</key>
                <string>NOARGS</string>
                <key>remote</key>
                <string>REMOVED 1194</string>
                <key>remote-cert-tls</key>
                <string>server</string>
                <key>remote-random</key>
                <string>NOARGS</string>
                <key>reneg-sec</key>
                <string>0</string>
                <key>resolv-retry</key>
                <string>infinite</string>
                <key>tls-auth</key>
                <string>#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\nREMOVED\n-----END OpenVPN Static key V1-----</string>
                <key>tun-mtu</key>
                <string>1500</string>
                <key>tun-mtu-extra</key>
                <string>32</string>
                <key>verb</key>
                <string>3</string>
                <key>vpn-on-demand</key>
                <string>0</string>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>NordVPN JP16 UDP</string>
    <key>PayloadDisplayName</key>
    <string>NordVPN JP16 UDP</string>
    <key>PayloadIdentifier</key>
    <string>15AC5240-77B4-4C1C-A60D-106EE01E08B2</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>D8B10C82-B78C-4900-B770-DED78EE693D6</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Change History (7)

comment:1 Changed 3 years ago by Antonio

In your mobileconfig I don't see any "key" and "cert" directives. How are you "embedding" your key material then?

comment:2 Changed 3 years ago by Antonio

Status: new → assigned

comment:3 in reply to: 1 Changed 3 years ago by seanob

Replying to ordex:

In your mobileconfig I don't see any "key" and "cert" directives. How are you "embedding" your key material then?

The only directives that have been provided by the 3rd party VPN service are the "ca" and "tls-auth" directives. Using their ovpn config file with the app instead (with only "ca" and "tls-auth" directives) connects fine, but converting that file into a mobileconfig no longer works from v1.2.9 (which worked fine on previous versions of OpenVPN Connect app).

comment:4 Changed 3 years ago by Antonio

I guess this behaviour changed between 1.2.7 and 1.2.8.
I may know where the issue is; could you still paste the provided ovpn config please? Thanks

comment:5 in reply to: 4 Changed 3 years ago by seanob

Replying to ordex:

I guess this behaviour changed between 1.2.7 and 1.2.8.
I may know where the issue is; could you still paste the provided ovpn config please? Thanks

client
dev tun
proto udp
remote REMOTE HOST 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

explicit-exit-notify 3

remote-cert-tls server

#mute 10000
auth-user-pass

comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

<ca>



</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#



</tls-auth>
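
The thread turns on one conversion step: the reporter's ovpn profile (above) has only "ca" and "tls-auth" plus "auth-user-pass", and it is flattened into the mobileconfig VendorConfig dictionary shown in the description, where flag directives become the string NOARGS and inline blocks become strings joined with newlines. The following Python script is an added example, not OpenVPN Connect's converter and not the reporter's tooling: it parses a profile in that layout, wraps the result in the payload structure from the description, and audits the profile for the condition Antonio asks about, a profile with no "cert"/"key" directives. The sample profile, the host name vpn.example.invalid, the PEM placeholders and the UUID arguments are constructed values.

```python
"""Added example (not OpenVPN Connect's code): turn an .ovpn profile into a
mobileconfig VendorConfig dict and audit it for the no-cert/no-key case.
The profile below is constructed in the layout of comment 5; PEM bodies are placeholders."""
import plistlib
import uuid

NOARGS = "NOARGS"  # marker the ticket's mobileconfig uses for flag-only directives

SAMPLE_OVPN = """\
client
remote vpn.example.invalid 1194
remote-cert-tls server
#mute 10000
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse_ovpn(text):
    """Directive -> value: arguments as a string, flags as NOARGS, inline
    <tag>...</tag> blocks as their body joined with newlines (comment lines inside
    a block are kept, as in the ticket's tls-auth value). Duplicates overwrite."""
    vc, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue  # blank or comment outside an inline block
        if line.startswith("<") and not line.startswith("</") and line.endswith(">"):
            tag, body = line[1:-1], []
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                body.append(lines[i].rstrip())
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated inline block <{tag}>")
            i += 1  # consume the closing tag
            vc[tag] = "\n".join(body)
            continue
        name, _, args = line.partition(" ")
        vc[name] = args.strip() or NOARGS
    return vc

def build_mobileconfig(vc, display_name, profile_uuid=None, vpn_uuid=None):
    """Wrap a VendorConfig dict in the payload layout from the description; returns plist bytes."""
    profile_uuid = profile_uuid or str(uuid.uuid4()).upper()
    vpn_uuid = vpn_uuid or str(uuid.uuid4()).upper()
    vpn_payload = {
        "IPv4": {"OverridePrimary": 0},
        "PayloadDescription": "Configures VPN settings",
        "PayloadDisplayName": "VPN",
        "PayloadIdentifier": f"com.apple.vpn.managed.{vpn_uuid}",
        "PayloadType": "com.apple.vpn.managed",
        "PayloadUUID": vpn_uuid,
        "PayloadVersion": 1,
        "Proxies": {"HTTPEnable": 0, "HTTPSEnable": 0},
        "UserDefinedName": display_name,
        "VPN": {"AuthName": "DEFAULT", "AuthenticationMethod": "Password", "RemoteAddress": "DEFAULT"},
        "VPNSubType": "net.openvpn.connect.app",
        "VPNType": "VPN",
        "VendorConfig": vc,
    }
    return plistlib.dumps({
        "PayloadContent": [vpn_payload],
        "PayloadDescription": display_name,
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": profile_uuid,
        "PayloadRemovalDisallowed": False,
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
    })

def vendor_config_from_plist(data):
    """Read VendorConfig back out of mobileconfig bytes (round-trip check)."""
    return plistlib.loads(data)["PayloadContent"][0]["VendorConfig"]

def audit_vendor_config(vc):
    """Findings about how the profile authenticates each end of the tunnel."""
    findings = []
    if "cert" not in vc or "key" not in vc:
        findings.append("no cert/key: " + ("password-only profile, the shape 1.2.9 rejects "
                        "with 'Missing External PKI alias'" if "auth-user-pass" in vc
                        else "and no auth-user-pass, so nothing to authenticate with"))
    if vc.get("remote-cert-tls") != "server":
        findings.append("no remote-cert-tls server: peer is not required to present a server-role certificate")
    return findings
```

Running parse_ovpn(SAMPLE_OVPN) and passing the result to audit_vendor_config reproduces the reporter's situation as a single finding (password-only, no cert/key), while build_mobileconfig emits the same payload layout as the description's mobileconfig, which vendor_config_from_plist can read back for a round-trip check.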

comment:6 Changed 3 years ago by Antonio

Priority: major → minor
Summary: iOS: mobileconfig "OpenVPN error : Missing External PKI alias" → iOS: mobileconfig with no cert triggers "OpenVPN error : Missing External PKI alias"

comment:7 Changed 8 months ago by DaMac

nvm, opening new ticket.

Last edited 8 months ago by DaMac