id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
1251,iPhone OpenVPN app - TLS Errors when screen is locked,devinsysadmin,OpenVPN Inc.,"Posted on: https://www.reddit.com/r/OpenVPN/comments/f1enpp/iphone_openvpn_app_tls_errors_when_screen_is/

Hey guys, I have something interesting to point out, maybe others are curious. I've done some brief research and didn't find much.

I've recently started using OpenVPN and the official app on my iPhone - Everything works perfectly when my phone is being used.

I locked my iPhone and when I came back to it, I opened it and the VPN wouldn't connect. Interesting. I checked fail2ban, and saw that my phone IP had been banned.

I was puzzled, so I started looking in my OpenVPN logs and this is where it got interesting. For reference, here is the regex filter I am using in fail2ban:

{{{
[Definition]
failregex = [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Auth Error:.*
            [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} VERIFY ERROR:.*
            [a-b]*ovpn-server.*:.<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
}}}

Below are the logs when the iPhone is locked and showing a black screen - this goes on to repeat infinitely by the way.

Please note: My real IP has been changed to %RemovedMyIp%

Logs are here: https://pastebin.com/7KabZvbV

I'm not sure what causes this, when the iPhone is locked it still clearly has an internet connection - and is attempting to contact the server, but is failing TLS.

Server information: Ubuntu 18.04 LTS server, installed OpenVPN using https://github.com/angristan/openvpn-install

Client information: iPhone X on iOS 13.3.1 using the official OpenVPN app Version 3.1.1(2819)

I've highlighted two options that I believe cause/contribute to this problem.

Client settings:
 * Battery saver - OFF
 * Seamless Tunnel - ON
 * VPN Protocol - Adaptive
 * IPv6 - No Preference
 * Connection Timeout - Continuously Retry
 * Allow Compression (insecure) - NO
 * AES-CBC Cipher Algorithm - OFF
 * Minimum TLS Version - Profile Default
 * DNS Fallback - OFF
 * Connect Via - Any Network
 * Layer 2 Reachability - ON
 * Theme - DARK

I have the logs from the OpenVPN app here, these logs were taken after recreating the issue. Obviously time stamps will not match.

https://pastebin.com/FY734Lbu

I also found another thread that mentioned this but was much less detailed: reddit.com/r/OpenVPN/comments/aorzda/lots_of_tls_errors_from_iphone_clients_in_server/

Here is how I understand the OpenVPN app logs. Lock happens at Line 124.

 1. OS goes to sleep
 2. An event happens that pauses...something?
 3. OS wakes up (Note: I did not unlock or touch the phone, it is still locked with a black screen)
 4. App tests to see if internet is reachable
 5. App tries to reconnect, OS goes back to sleep before auth (this would be repeating if the log was longer)
 6. Line #149 is where I actually wake up the device

So my question is, in this setup, is there a chance for data leakage if the phone is locked, and an app in the background is refreshing and pulling information?

If I can't get a sensible answer then I'm going to investigate further and see if there is any network activity other than the app trying to reach the OpenVPN server during this time.
",Bug / Defect,closed,minor,,Access Server,,"Not set (select this one, unless your'e a OpenVPN developer)",wontfix,"iphone, ios, openvpn app, tls error, locked, lock screen",