Opened 9 months ago

Last modified 2 months ago

#1251 assigned Bug / Defect

iPhone OpenVPN app - TLS Errors when screen is locked

Reported by: devinsysadmin Owned by: yuriy
Priority: minor Milestone:
Component: Access Server Version:
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: iphone, ios, openvpn app, tls error, locked, lock screen
Cc:

Description

Posted on: https://www.reddit.com/r/OpenVPN/comments/f1enpp/iphone_openvpn_app_tls_errors_when_screen_is/

Hey guys,

I have something interesting to point out, maybe others are curious. I've done some brief research and didn't find much.

I've recently started using OpenVPN and the official app on my iPhone - everything works perfectly while my phone is being used.

I locked my iPhone, and when I came back to it and opened it, the VPN wouldn't connect. Interesting.

I checked fail2ban and saw that my phone's IP had been banned. I was puzzled, so I started looking in my OpenVPN logs, and this is where it got interesting.

For reference, here is the regex filter I am using in fail2ban:

[Definition]
failregex = [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*
            [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*
            [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*

Below are the logs when the iPhone is locked and showing a black screen - this goes on to repeat infinitely by the way.

Please note: My real IP has been changed to %RemovedMyIp%

Logs are here: https://pastebin.com/7KabZvbV
I'm not sure what causes this; when the iPhone is locked it still clearly has an internet connection and is attempting to contact the server, but fails TLS.

Server information: Ubuntu 18.04 LTS server, installed OpenVPN using https://github.com/angristan/openvpn-install

Client information: iPhone X on iOS 13.3.1 using the official OpenVPN app Version 3.1.1(2819)

I've highlighted two options that I believe cause/contribute to this problem.

Client settings:
Battery saver - OFF
Seamless Tunnel - ON
VPN Protocol - Adaptive
IPv6 - No Preference
Connection Timeout - Continuously Retry
Allow Compression (insecure) - NO
AES-CBC Cipher Algorithm - OFF
Minimum TLS Version - Profile Default
DNS Fallback - OFF
Connect Via - Any Network
Layer 2 Reachability - ON
Theme - DARK

I have the logs from the OpenVPN app here; these logs were taken after recreating the issue, so obviously the time stamps will not match.

https://pastebin.com/FY734Lbu
I also found another thread that mentioned this, but it was much less detailed:
reddit.com/r/OpenVPN/comments/aorzda/lots_of_tls_errors_from_iphone_clients_in_server/

Here is how I understand the OpenVPN app logs:
Lock happens at Line 124.

  1. OS goes to sleep
  2. An event happens that pauses...something?
  3. OS wakes up (Note: I did not unlock or touch the phone, it is still locked with a black screen)
  4. App tests to see if internet is reachable
  5. App tries to reconnect; the OS goes back to sleep before auth (this would repeat if the log were longer)
  6. Line #149 is where I actually wake up the device

So my question is, in this setup, is there a chance for data leakage if the phone is locked, and an app in the background is refreshing and pulling information? If I can't get a sensible answer then I'm going to investigate further and see if there is any network activity other than the app trying to reach the OpenVPN server during this time.
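To make concrete what the fail2ban filter quoted above does with the repeating TLS errors the reporter describes, here is an added example (not code from the ticket, from OpenVPN or from fail2ban): a Python re-implementation of the three failregex patterns, run over constructed OpenVPN server log lines and counted with fail2ban-style maxretry/findtime rules. The log lines, the host name `vpn`, the PID and the IP addresses (RFC 5737 documentation ranges) are all constructed, and the `<HOST>` expansion is an IPv4-only stand-in for fail2ban's real one.

```python
"""Replay the ticket's fail2ban filter against constructed OpenVPN server log
lines to show how a client that keeps failing the TLS handshake (the
locked-iPhone pattern) accumulates failures until maxretry bans it.

Added example, not code from the ticket, from OpenVPN or from fail2ban.
All log lines, the host name 'vpn', the PID and the addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three failregex patterns exactly as posted in the ticket.
FAILREGEX = [
    r"[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*",
    r"[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*",
    r"[a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*",
]

# Assumption: an IPv4-only stand-in for fail2ban's <HOST> expansion, which in
# real fail2ban also covers IPv6 addresses and host names.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Constructed syslog output: 'ovpn-server[pid]: <client ip>:<port> <message>'.
# 203.0.113.5 plays the locked phone, retrying roughly once a minute;
# 198.51.100.7 fails once; 192.0.2.9 connects cleanly.
SAMPLE_LOG = """\
Feb  8 22:01:03 vpn ovpn-server[1187]: 203.0.113.5:51880 TLS: Initial packet from [AF_INET]203.0.113.5:51880, sid=0a1b2c3d 4e5f6071
Feb  8 22:02:03 vpn ovpn-server[1187]: 203.0.113.5:51880 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb  8 22:02:03 vpn ovpn-server[1187]: 203.0.113.5:51880 TLS Error: TLS handshake failed
Feb  8 22:03:14 vpn ovpn-server[1187]: 203.0.113.5:52011 TLS Error: TLS handshake failed
Feb  8 22:04:31 vpn ovpn-server[1187]: 203.0.113.5:52133 TLS Error: TLS handshake failed
Feb  8 22:04:40 vpn ovpn-server[1187]: 198.51.100.7:43210 VERIFY ERROR: depth=0, error=certificate has expired
Feb  8 22:05:50 vpn ovpn-server[1187]: 203.0.113.5:52290 TLS Error: TLS handshake failed
Feb  8 22:06:02 vpn ovpn-server[1187]: 192.0.2.9:40001 [client1] Peer Connection Initiated with [AF_INET]192.0.2.9:40001
Feb  8 22:06:58 vpn ovpn-server[1187]: 203.0.113.5:52417 TLS Error: TLS handshake failed
"""


def match_failure(line):
    """Return the offending client address if any failregex matches, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_syslog_time(line, year=2020):
    """Syslog timestamps carry no year; the caller supplies one (2020 assumed)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def failure_counts(log_text):
    """Total matching failures per client address over the whole log."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        host = match_failure(line)
        if host is not None:
            counts[host] += 1
    return dict(counts)


def bans(log_text, maxretry=5, findtime=600):
    """Replay the log with fail2ban-style counting and return {host: ban_time}.

    A host is banned at the first failure that brings its count within the
    trailing `findtime` window up to `maxretry` (fail2ban defaults: 5 and 10m).
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        host = match_failure(line)
        if host is None or host in banned:
            continue
        now = parse_syslog_time(line)
        # keep only failures still inside the findtime window, then add this one
        recent[host] = [t for t in recent[host] if now - t <= window] + [now]
        if len(recent[host]) >= maxretry:
            banned[host] = now
    return banned


if __name__ == "__main__":
    print("failures per host:", failure_counts(SAMPLE_LOG))
    for host, when in bans(SAMPLE_LOG).items():
        print(f"{host} banned at {when:%H:%M:%S}")
```

With fail2ban's default maxretry of 5 and findtime of 10 minutes, five "TLS handshake failed" lines from the same address inside the window are enough for a ban, which is exactly the retry cadence a locked phone that keeps reconnecting can produce; the single VERIFY ERROR from another address never reaches the threshold. Two details worth knowing about the posted patterns: the leading `[a-b]*` matches zero or more 'a'/'b' characters and so never constrains the match, and real fail2ban applies failregex to the line with the timestamp already stripped by its datepattern, whereas this stand-in searches the whole line (for these patterns the outcome is the same).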

Change History (1)

comment:1 Changed 2 months ago by Gert Döring

Owner: changed from jamesyonan to yuriy
Status: new → assigned