I’ve been trying to get the OpenVPN Roadwarrior set up for hours now and every time I try to import the .ovpn file within iOS, I get prompted for the pkcs12 password and when I enter it, I get “Error. Cannot parse the file.” I was able to get this working in pfSense, so I didn’t think it would be this difficult in Ipfire. The little documentation I was able to find didn’t really help. Can anyone point me in the right direction please? Not getting this to work is a dealbreaker. Thanks.
Also, I noticed that when I downloaded the client package, my only option was the client package zip file. If I tried to download the unsecure version of the client zip file, it just gave me an error message.
Do you have more detailed logs or error messages from your operating system than that?
IPFire’s OpenVPN documentation is available here. Erik (@ummeegge) is the “master of disaster” when it comes to OpenVPN, perhaps he can help in case we have found out what your problem exactly is.
As far as I can recall, this should have been fixed a while ago. @ummeegge: Has it or am I wrong on this?
I’ve noticed that if I create additional VPN users, sometimes I get the option to download the unsecured version of the zip package and sometimes I don’t (it’s not there). I don’t know what I’m doing wrong. I have blown away and recreated the root/host certs as well as the user cert, but I still can’t connect from iOS or from my MacBook using Tunnelblick. I still have the .ovpn file that I downloaded from pfSense a while back (which works on the iOS OpenVPN app) and I compared it against the .ovpn file that is generated from IPfire and they are way different. The IPfire .ovpn file is very sparse and has almost nothing in it. The pfSense .ovpn file has the CA cert embedded in it, along with the user cert, the private key, and the static tls key. As a last resort, I built a new .ovpn file from scratch modeling it after the pfSense .ovpn file, but inserting the cert information from the IPfire side. I tried importing it into Tunnelblick on my MacBook to test it out, but it won’t even import. Are there specific logs I could provide that would help? I’m not sure what else to do here.
I just created a new VPN user and imported the .ovpn file into Tunnelblick on my MacBook, but the OpenVPN connection won’t establish. I’m not sure if it will help, but here are the logs.
2020-12-08 10:42:32.637344 MANAGEMENT: >STATE:1607445752,RESOLVE,
2020-12-08 10:42:32.866182 TCP/UDP: Preserving recently used remote address: [AF_INET]75.132.x.x:1194
2020-12-08 10:42:32.867160 Socket Buffers: R=[786896->786896] S=[9216->9216]
2020-12-08 10:42:32.867213 UDP link local: (not bound)
2020-12-08 10:42:32.867248 UDP link remote: [AF_INET]75.132.x.x:1194
2020-12-08 10:42:32.867517 MANAGEMENT: >STATE:1607445752,WAIT,
2020-12-08 10:42:32.899142 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 10:42:35.117814 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 10:42:38.948350 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 10:42:40.086804 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 10:42:46.934151 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 10:42:48.072259 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer
Hi all,
since i do not use Smart?phones i run a little into the researching fog… OK let´s give it a try.
sounds like the configuration parser cannot find the exact tag string in the ovpn. According to the OpenVPN FAQ → FAQ Regarding OpenVPN Connect IOS | OpenVPN you would need the certificate, ca, key and if configured the ta key in your client.ovpn . This can be made automatically if you do not enter a password while you create a client, by downloading the ZIP package use the right disc icon (not the left) and you should be fine with all that. Did tried it now and it should looks like this:
have tested it on my Laptop and have here no problem at all.
It is always a ZIP file if it is secure (with PKCS#12) or insecure makes there no difference. As mentioned above, you just do not enter a password, in that case you should get an equal result as above. If not, please deliver the log error.
Erik, thanks for the information. I just created a new VPN user and did not specify a password and when I looked at the .ovpn file that was created afterward, it is very similar to the output you have above, with some minor differences, like tun-mtu 1500 (mine is 1400), the remote variable as well as verify-x509 (since we are using different names) and I don’t have the mssfix 0 line. However, when I imported that .ovpn config into Tunnelblick, I receive the below errors:
020-12-08 11:22:36.026891 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 11:22:38.295688 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 11:22:42.885243 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
2020-12-08 11:22:50.319813 TCP/UDP: Incoming packet rejected from [AF_INET]192.168.15.254:1194[2], expected peer address: [AF_INET]75.132.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
You are welcome,
this can happens if your e.g. IP is changing but all authentication tests has passed, try it like outlined, write a float in one line in the client.ovpn under the other directives and give it a try to check if the first problem has been resolved…
Ok, so I added the float line into the .ovpn config and this time, it looks like the connection succeeded in Tunnelblick, although it complained about my internal DNS server not being public and said my configuration might be wrong, but it still connected. After I disconnected from Tunnelblick, I noticed that the OpenVPN server status is Stopped, which is weird because I just connected with Tunnelblick. I clicked the Start button, but it stays in a red Stopped status. However, on the IPfire home page, it reports the status as “Online” for OpenVPN. I’m not sure what’s going on. Is it running or not?
OK, let´s go step by step.
the first problem should then be solved ?
According to the --float directive, this should normally not needed except when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client since it allows the remote peer to change its IP address which should normally not so often be the case ?!
is Tunnelblick available for iOS ? Just know it from the Mac´s, did you changed your environment ?
So may this can be understand as a warning from Tunnelblick, don´t know what you have configured and what do you want to reach, reaching your client inside your LAN shouldn´t be no problem at all. Otherwise you can push the DNS also globally or client specific via CCD you just need to configure it.
What was the server status while you created and downloaded the client ? Did you changed something on the WUI or internally via commanline after that ? If the global status is stopped you should not be able to connect, in any case i am not.
Am getting a little confused, you wrote before it is stopped ???
OK an idea. Let´s not discuss a whole bunch of problems under one topic. Bring a little time in it and check may also the suggestions to deliver the next issue in an own topic if needed.
Sorry, I put a lot of information in there. Let me try to clarify it. I’m not sure the first issue is actually resolved. Even though it appeared to connect from Tunnelblick, when I move that same .ovpn profile onto the OpenVPN app on my iPhone, it will try to connect, but time out, which is still better than the “cannot parse” errors I was getting before.
Right now, the OpenVPN service is in a Stopped state on the OpenVPN page. However, if I go to to the IPFire main page (System > Home), the OpenVpn status is “Online.” I’m confused because in one place, it says it is Online but on the Services page, it says it is Stopped. I don’t think I can do any reliable testing with the system in this state.
I was able to download the zip package and able to load the .ovpn file on my iPhone, but it timed out when trying to connect. Right now, I don’t know if OpenVPN is actually working since the service status is stopped, but. the status on the main page is Online. It seems odd that I’m seeing two completely different status messages. How can it be both Stopped and Online?
I don’t think that error indicates that it is working though because the connection status in Tunnelblick is Red and shows 0 bytes in and out. I don’t understand why this is so difficult. I’ve also watched a few YouTube videos on how to set this up and as far as I can tell, I did the same steps that they did in the video and it worked for them, but did not work for me. I really want to keep using IPfire, but if I can’t get OpenVPN working, I’ll have to go back to pfSense.
this is no error it just tells you that your IP address has been been changed but all authentication tests has been passed . Have here also no problem with this. Wish you all the best, PFSense is also a great solution.
This still doesn’t work properly on iOS and the OpenVPN status is still Stopped. This doesn’t make any sense. I’m going to have to go back to pfSense because I need OpenVPN to work. Luckily, it’s a VM on the same ESXi host that is running IPfire, so all I have to do is turn it on again. Thanks anyway. I really like IPfire, but this problem has cost me nearly two days of troubleshooting and it’s still not working, so I have to move on.
Just want to chime in here too. I urgently need open vpn to work and spent a whole day on this yesterday.
I can export the config from ipfire and import the ovpn file into android openvpn app and it just works as expected. Unfortunately what I need is Windows configs to work. Dropping the opvn file into the windows openvpn does not install the certificate so I also have to drop the pcks12 file in to the app which then silently installs the cert. I can then choose the cert when I edit the config in openvpn app.
I know this is not helpful not giving any other info but I too must bail ipfire and install pfsense as I need this working yesterday. This I am sure is easily replicable and seems to be an issue with the configs files being imperfect.
I’ve also tried getting this to work on Linux Mint and it also wont connect.
In the Windows ovpn log it says sss-context-error. openvpnSSLcontent CA not defined.
I hope this can be fixed real soon.
Also wanted to add that you ipfire does not allow you to connect to the VPN from the green interface. Obviously this is just for testing purposes and I can do this on a Sophos FW OK. Not sure of this is another potential issue altogether, or if the firewall rules need a tweak to make this work.
The only time my phone can connect is from the cell network, not wifi which is on green in my setup. So to test road warrior configs requires a mobile hotspot.
Potential trap for some. I can send windows logs if this would help.
I’m glad I’m not the only one experiencing this issue. Craig, I ended up seeing the same error as you on my phone using the OpenVPN app. No idea why it’s not working, but it is very frustrating. For what it’s worth, it works great within pfSense and I can connect to it from within my network at home or using my cellular data. I think I might give OPNsense a spin this time since I run these virtually. If I can’t get OpenVPN working there either, I can just turn it off and turn on pfSense and be up and running again.
Cheers Kevin,
I’m wondering if it may be an issue with the newer version of openVPN being incompatible with ipfires export files. It looks like openVPN has simplified their import method in recent versions and according to older videos ipfire is also not exporting the .ta file either. Maybe is not needed anymore?
I will be back to ipfire after this urgent VPN need is gone as I find ipfire simpler to manage than PFSense, but I’m off topic now.
.
