Opened 4 years ago
Closed 9 months ago
#1233 closed Bug / Defect (wontfix)
Connect not working with iOS 13.2 but configuration works with Catalina, TLS handshake failed
| Reported by: | nextcounter | Owned by: | OpenVPN Inc. |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | OpenVPN Connect | Version: | |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | | | |
Description
OpenVPN Connect on iOS 13.2(.2) is not establishing TLS with my OpenVPN server, although the same configuration works on a MacBook with Catalina and Tunnelblick 3.8.1. The server log shows "TLS handshake failed"; the network, firewall, and port routing are all fine.
I have also checked:
- network connection works (in fact, as mentioned, I can connect using my MacBook with the same configuration and certificates)
- server and client certificates comply with https://support.apple.com/en-us/HT210176
The server is on Linux kernel 5.3.9, openvpn 2.4.7.
server log:
MULTI: multi_create_instance called
172.21.18.1:4561 Re-using SSL/TLS context
172.21.18.1:4561 LZO compression initializing
172.21.18.1:4561 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
172.21.18.1:4561 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
172.21.18.1:4561 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
172.21.18.1:4561 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
R172.21.18.1:4561 TLS: Initial packet from [AF_INET]172.21.18.1:4561, sid=60dc6925 7ca3e47d
W172.21.18.1:4561 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
172.21.18.1:4561 TLS Error: TLS handshake failed
172.21.18.1:4561 SIGUSR1[soft,tls-error] received, client-instance restarting
server.conf:
port 1194
proto udp4
dev tun
topology subnet
tls-server
tls-timeout 60
remote-cert-eku "TLS Web Client Authentication"
ca xx/xx/xx/ca.crt
cert /xx/xx/xx/server.crt
key /xx/xx/xx/server.key
dh /xx/xx/xx/dh.pem
server 10.94.176.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "route 172.21.18.0 255.255.255.0"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
daemon
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
tls-crypt /xx/xx/xx/ta.key
user nobody
group users
cipher AES-256-CBC
verb 5
The client configuration, which is the one loaded on the OpenVPN Connect app on the iPhone:
tls-client
remote x.x.x.x 1194
ca ca.crt
cert clientIphone.crt
key clientIphone.key
dev tun
proto udp
remote-cert-eku "TLS Web Server Authentication"
topology subnet
pull
comp-lzo
persist-key
persist-tun
# hardened security
tls-crypt ta.key
cipher AES-256-CBC
The client log:
2019-11-16 11:24:39 1
2019-11-16 11:24:39 ----- OpenVPN Start -----
OpenVPN core 3.git::728733ae ios arm64 64-bit PT_PROXY built on Aug 15 2019 06:21:05
2019-11-16 11:24:39 OpenVPN core 3.git::728733ae ios arm64 64-bit PT_PROXY built on Aug 15 2019 06:21:05
2019-11-16 11:24:39 Frame=512/2048/512 mssfix-ctrl=1250
2019-11-16 11:24:39 UNUSED OPTIONS
0 [tls-client]
8 [topology] [subnet]
9 [pull]
11 [persist-key]
12 [persist-tun]
2019-11-16 11:24:39 EVENT: RESOLVE
2019-11-16 11:24:39 Contacting [x.x.x.x]:1194/UDP via UDP
2019-11-16 11:24:39 EVENT: WAIT
2019-11-16 11:24:39 Connecting to [x.x.x.x]:1194 (x.x.x.x) via UDPv4
2019-11-16 11:24:39 EVENT: CONNECTING
2019-11-16 11:24:39 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
2019-11-16 11:24:39 Creds: UsernameEmpty/PasswordEmpty?
2019-11-16 11:24:39 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.3-2104
IV_VER=3.git::728733ae
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
2019-11-16 11:25:09 EVENT: CONNECTION_TIMEOUT [ERR]
2019-11-16 11:25:09 Raw stats on disconnect:
BYTES_IN : 66
BYTES_OUT : 7652
PACKETS_IN : 1
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
2019-11-16 11:25:09 Performance stats on disconnect:
CPU usage (microseconds): 48539
Network bytes per CPU second: 159006
Tunnel bytes per CPU second: 0
2019-11-16 11:25:09 EVENT: DISCONNECTED
2019-11-16 11:25:09 Raw stats on disconnect:
BYTES_IN : 66
BYTES_OUT : 7652
PACKETS_IN : 1
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
2019-11-16 11:25:09 Performance stats on disconnect:
CPU usage (microseconds): 48539
Network bytes per CPU second: 159006
Tunnel bytes per CPU second: 0
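As an added example (not part of the ticket or of OpenVPN's own tooling), a small Python parser for the OpenVPN 2.4 server log format quoted above that tallies, per client endpoint, "TLS: Initial packet" lines against the 60-second key-negotiation timeouts, so a server operator can spot peers that get a first packet through but never progress, which is exactly the shape of this ticket's server log. The embedded sample reuses the ticket's own 4561 lines; the 4562 session is constructed to show a peer that is not flagged.

```python
import re
from collections import defaultdict

# Per-peer lines in an OpenVPN 2.4 server log start with "ip:port"; at verb 5
# they may carry a single leading "R" or "W" (read/write marker), as in the
# ticket's log. Global lines such as "MULTI: ..." have no peer prefix.
PEER_LINE = re.compile(r"^[RW]?(\d{1,3}(?:\.\d{1,3}){3}:\d+) (.*)$")

INITIAL = "TLS: Initial packet from"
TIMEOUT = "TLS key negotiation failed to occur within"
FAILED = "TLS Error: TLS handshake failed"


def summarize_tls_sessions(log_text):
    """Count, per peer endpoint, initial packets, negotiation timeouts
    and hard handshake failures."""
    stats = defaultdict(lambda: {"initial": 0, "timeout": 0, "failed": 0})
    for line in log_text.splitlines():
        m = PEER_LINE.match(line)
        if not m:
            continue  # not a per-peer line
        peer, msg = m.groups()
        if INITIAL in msg:
            stats[peer]["initial"] += 1
        elif TIMEOUT in msg:
            stats[peer]["timeout"] += 1
        elif FAILED in msg:
            stats[peer]["failed"] += 1
    return dict(stats)


def stalled_peers(log_text):
    """Peers whose every initial packet was followed by a negotiation
    timeout, i.e. the control channel never got past the first packet."""
    return sorted(peer for peer, s in summarize_tls_sessions(log_text).items()
                  if s["initial"] > 0 and s["timeout"] >= s["initial"])


# Constructed sample: 4561 lines are quoted from the ticket, 4562 is made up.
SAMPLE_LOG = """\
MULTI: multi_create_instance called
172.21.18.1:4561 Re-using SSL/TLS context
R172.21.18.1:4561 TLS: Initial packet from [AF_INET]172.21.18.1:4561, sid=60dc6925 7ca3e47d
W172.21.18.1:4561 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
172.21.18.1:4561 TLS Error: TLS handshake failed
172.21.18.1:4561 SIGUSR1[soft,tls-error] received, client-instance restarting
R172.21.18.1:4562 TLS: Initial packet from [AF_INET]172.21.18.1:4562, sid=01234567 89abcdef
172.21.18.1:4562 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
"""

if __name__ == "__main__":
    print(summarize_tls_sessions(SAMPLE_LOG))
    print("stalled:", stalled_peers(SAMPLE_LOG))
```

Run it against a real openvpn.log in place of SAMPLE_LOG; a peer that keeps appearing in the stalled list with PACKETS_IN near 1 on the client side, as in this ticket, is not progressing past the first control-channel packet.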
Change History (3)
comment:1 Changed 3 years ago by
| Owner: | changed from yuriy to denys |
|---|---|
| Status: | new → assigned |
comment:2 Changed 2 years ago by
| Owner: | changed from denys to OpenVPN Inc. |
|---|---|
comment:3 Changed 9 months ago by
| Resolution: | → wontfix |
|---|---|
| Status: | assigned → closed |
OpenVPN Inc does not want to receive any feedback for the "Connect"
OpenVPN clients via the community bug trackers (here and in GH issues).
Please resubmit - if still relevant - via https://support.openvpn.net/