Opened 4 years ago
Closed 16 months ago
#1251 closed Bug / Defect (wontfix)
iPhone OpenVPN app - TLS Errors when screen is locked
| Reported by: | devinsysadmin | Owned by: | OpenVPN Inc. |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | Access Server | Version: | |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | iphone, ios, openvpn app, tls error, locked, lock screen |
| Cc: |
Description
Posted on: https://www.reddit.com/r/OpenVPN/comments/f1enpp/iphone_openvpn_app_tls_errors_when_screen_is/
Hey guys,
I have something interesting to point out, maybe others are curious. I've done some brief research and didn't find much.
I've recently started using OpenVPN and the official app on my iPhone - Everything works perfect when my phone is being used.
I locked my iPhone and when I came back to it, I opened it and the VPN wouldn't connect. Interesting.
I checked fail2ban, and saw that my phone IP had been banned I was puzzled, so I started looking in my OpenVPN logs and this is where it got interesting.
For reference, here is the regex filter I am using in fail2ban:
[Definition] failregex = [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*
[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*
[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
Below are the logs when the iPhone is locked and showing a black screen - this goes on to repeat infinitely by the way.
Please note: My real IP has been changed to %RemovedMyIp?%
Logs are here: https://pastebin.com/7KabZvbV
I'm not sure what causes this, when the iPhone is locked it still clearly has an internet connection - and is attempting to contact the server, but is failing TLS.
Server information: Ubuntu 18.04 LTS server, installed OpenVPN using https://github.com/angristan/openvpn-install
Client information: iPhone X on iOS 13.3.1 using the official OpenVPN app Version 3.1.1(2819)
I've highlighted two options that I believe cause/contribute to this problem
Client settings:
Battery saver - OFF
Seamless Tunnel - ON
VPN Protocol - Adaptive IPv6 - No Preference
Connection Timeout - Continuously Retry
Allow Compression (insecure) - NO
AES-CBC Cipher Algorithm - OFF
Minimum TLS Version - Profile Default
DNS Fallback - OFF
Connect Via - Any Network
Layer 2 Reachability - ON
Theme - DARK
I have the logs from the OpenVPN app here, these logs were taken after recreating the issue. Obviously time stamps will not match.
https://pastebin.com/FY734Lbu
I also found another thread that mentioned this but was much less detailed
reddit.com/r/OpenVPN/comments/aorzda/lots_of_tls_errors_from_iphone_clients_in_server/
Here is how I understand the OpenVPN app logs:
Lock happens at Line 124.
- OS goes to sleep
- An event happens that pauses...something?
- OS wakes up (Note: I did not unlock or touch the phone, it is still locked with a black screen)
- App tests to see if internet is reachable
- App tries to reconnect, os goes back to sleep before auth (this would be repeating if the log was longer)
- Line #149 is where I actually wakeup the device
So my question is, in this setup, is there a chance for data leakage if the phone is locked, and an app in the background is refreshing and pulling information? If I can't get a sensible answer then I'm going to investigate further and see if there is any network activity other than the app trying to reach the OpenVPN server during this time.
Change History (4)
comment:1 Changed 4 years ago by
| Owner: | changed from jamesyonan to yuriy |
|---|---|
| Status: | new → assigned |
comment:2 Changed 3 years ago by
| Owner: | changed from yuriy to denys |
|---|
comment:3 Changed 3 years ago by
| Owner: | changed from denys to OpenVPN Inc. |
|---|
comment:4 Changed 16 months ago by
| Resolution: | → wontfix |
|---|---|
| Status: | assigned → closed |
OpenVPN Inc does not want to receive any feedback for the "Connect"
OpenVPN clients via the community bug trackers (here and in GH issues).
Please resubmit - if still relevant - via https://support.openvpn.net/