How to set up a new Core 191: OpenVPN connection for an Android phone

Hi,

I had a working OpenVPN connection, but because the certificate is running out of date, I had to reconfigure the OpenVPN service.

I have already recreated a “Host (Zertifikat)” certificate, but I am unable to configure the
OpenVPN program on the Android phone.
I have created and stored on the phone
the cacert.pem, Androidhandy-to-IPFire.ovpn, AndroidHandy.p12, ta.key and the servercert.pem.

I mostly get the error “TLS failure”, and I also tried modifying the .ovpn file, but I still failed.

Is there a better description of how to configure the service on an Android phone? I remember that there was a good description for this, but I am unable to find it.

Best regards
R.

Which Android OpenVPN app are you using?

I use OpenVPN for Android by Arne Schwabe. I have had this working for a long time with no problems.

There is also OpenVPN Connect, which is the app from OpenVPN themselves.
I have tried getting this one working but have never succeeded myself. There was someone else in the forum who got it going, but his description was only in a forum post. If you are using this app then try searching for OpenVPN Connect Android. That might help to find the post, although I haven’t tried the search myself.

If you are using the OpenVPN for Android app then I will try to see when I can find some time to describe how I did it.
It is on my list of things to do to create a page for that in the IPFire documentation, as the mobile phone descriptions in there are quite old and I am not sure that all of it is still valid.

Hi,
Yes. I am also using OpenVPN for Android by Arne Schwabe, version 0.7.55.
Best regards
R.

I use https://play.google.com/store/apps/details?id=net.openvpn.openvpn and that works flawlessly.

I have now tried this app, but I get the following messages when I try to connect.

[March 21, 2025, 16:28:23] ----- OpenVPN Start -----
[March 21, 2025, 16:28:23] EVENT: CORE_THREAD_ACTIVE
[March 21, 2025, 16:28:23] OpenVPN core 3.10.5(3.git::ba9c8e61:RelWithDebInfo) android arm64 64-bit PT_PROXY
[March 21, 2025, 16:28:23] Frame=512/2112/512 mssfix-ctrl=1250
[March 21, 2025, 16:28:23] NOTE: This configuration contains options that were not used:
[March 21, 2025, 16:28:23] Option allowed only to be pushed by the server
[March 21, 2025, 16:28:23] 0 [auth-token-user] [USER]
[March 21, 2025, 16:28:23] 1 [auth-token] [TOTP]
[March 21, 2025, 16:28:23] UNKNOWN/UNSUPPORTED OPTIONS
[March 21, 2025, 16:28:23] 0 [pkcs12] [AndroidHandy.p12]
[March 21, 2025, 16:28:23] Unsupported option (ignored)
[March 21, 2025, 16:28:23] 0 [auth-retry] [interact]
[March 21, 2025, 16:28:23] EVENT: UNUSED_OPTIONS_ERROR info='Option allowed only to be pushed by the server: auth-token-user,auth-token
UNKNOWN/UNSUPPORTED OPTIONS: pkcs12
Unsupported option (ignored): auth-retry
'

I just used the file created by the system and loaded it into the app.
Best regards
R.

That is the app that I couldn’t get to work. Someone else specified steps to make it work, but I never got round to following them, as my existing OpenVPN for Android is working okay.

Did you just use the .p12, .ta and .ovpn files as they come from IPFire? That is what I tried: I put all three into one directory on the phone and then pointed the OpenVPN Connect app to the .ovpn file in that directory, and it came back and said it could not find the files it needed.

I have tried it a couple more times since I first tried it and have never got it working.

I am sure there must be a way but I haven’t found it yet and the motivation is not there as I have the other app working fine.


:thinking:


Hi.

I seem to remember that in my case, to make it work, I edited the .ovpn file and commented out all the lines that begin with “auth”. This way, it works for me.

Best regards.


That’s the one that I remembered. Thanks for finding it.

I will have to try and find some time to test it and see if it also works for me but that might be difficult in the current timeframe.

See also Pkcs12 is going to be unsupported?


This is pkcs12 in OpenVPN Connect.

pkcs12 as a certificate container is still being used but when OpenVPN created their Connect app and server they didn’t implement any code to handle a pkcs12 container.

The Community OpenVPN server and the OpenVPN for Android app by Arne Schwabe still supports a pkcs12 container as do many software packages.

OpenVPN added some workaround code to their Connect Server to enable it to handle pkcs12 containers but then after some time they decided they didn’t want to continue with that and decided to remove the workaround, which means that OpenVPN Connect, both as a server and an App will not support any .p12 files.

OpenVPN Connect Server is their commercial product.

Maybe it is no longer “going to be unsupported” but is now unsupported, so that might explain why I had the problems I did.

That might also mean that the guide that @tphz re-found may not work, unless he was already splitting the .p12 container into separate .key and .pem files. I haven’t had the time to look through it yet.


I did tests between

  1. smartphone with Android 15 + OpenVPN Connect 3.6.0 (10461) - IPFire Core-Update 193 Development Build: master/64f50cf5

  2. smartphone with Android 15 + OpenVPN Connect 3.6.0 (10461) - IPFire 2.29 (x86_64) - Core-Update 192

After importing the files I kept getting the message

[edit]

After commenting out the following lines

#pkcs12 androidtest.p12
#auth-token-user USER
#auth-token TOTP
#auth-retry interact

I re-imported the configuration
I then obtained a VPN connection and was able to connect to remote resources through the tunnel

OpenVPN WUI IPFire Settings.

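The edit described in the post above, done with a script instead of by hand. This is an added example and not code from the thread or from the IPFire project. It comments out the four directives that OpenVPN Connect rejects (pkcs12, auth-token-user, auth-token, auth-retry) and, where the pkcs12 line was, inserts `cert` and `key` directives pointing at the separate certificate and key files. The sample profile it writes is constructed for the example from the directives visible in the thread; a real IPFire-generated profile contains more lines, and the file names androidtest.pem / androidtest.key are assumptions.

```shell
#!/bin/sh
# Added example, not from the IPFire thread or the IPFire project.
# Rewrites an IPFire client .ovpn so that OpenVPN Connect accepts it:
# the four unsupported directives are commented out and the pkcs12
# container reference is replaced by separate cert/key directives.
set -eu

# patch_ovpn_for_connect IN OUT CERT KEY
#   Copies IN to OUT. Lines whose first word is pkcs12, auth-token-user,
#   auth-token or auth-retry are prefixed with "#"; after the pkcs12 line
#   "cert CERT" and "key KEY" are inserted. Everything else is left alone,
#   so "auth SHA512" (the HMAC digest the server expects) is kept.
patch_ovpn_for_connect() {
    awk -v cert="$3" -v key="$4" '
        $1 == "pkcs12" {
            print "#" $0
            print "cert " cert
            print "key " key
            next
        }
        $1 == "auth-token-user" || $1 == "auth-token" || $1 == "auth-retry" {
            print "#" $0
            next
        }
        { print }
    ' "$1" > "$2"
}

# count_active FILE OPT: number of non-commented lines whose directive is OPT
count_active() {
    awk -v opt="$2" '$1 == opt { n++ } END { print n + 0 }' "$1"
}

# write_sample_profile FILE: constructed sample resembling the directives
# seen in the thread (the real IPFire file has more and different lines).
write_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca cacert.pem
pkcs12 androidtest.p12
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA512
auth-retry interact
auth-token-user USER
auth-token TOTP
verb 3
EOF
}

WORK=$(mktemp -d)
write_sample_profile "$WORK/androidtest-TO-IPFire.ovpn"
patch_ovpn_for_connect "$WORK/androidtest-TO-IPFire.ovpn" \
    "$WORK/androidtest-connect.ovpn" androidtest.pem androidtest.key
cat "$WORK/androidtest-connect.ovpn"
```

Only those four directives are touched. `auth SHA512` (visible in the app's Tunnel Options later in the thread) must stay, so commenting out everything that begins with “auth”, as suggested earlier, removes more than is needed. The files named by `cert` and `key` are the client certificate and private key taken out of the .p12 container; OpenVPN also accepts them inline as `<cert>`…`</cert>` and `<key>`…`</key>` blocks in the profile, which sidesteps the “could not find the files” problem when the profile is imported on the phone.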

Hi,

cacert.pem <--- Certificate Authority (CA)
test2.pem <--- Client certificate
test2-TO-IPFire.ovpn <--- configuration file
ta.key <--- TA certificate
test2.key <--- Private Key

I am missing the test2.key (private key) in the ZIP file.
I only have the “.ovpn” and “.p12” in the zip file.

I also commented out the lines as recommended, but it stays more or less in the connecting state.
The IPFire log does not say anything, and the connection was aborted because of a “timeout error”.

I have one entry within the logfile, which says

[March 22, 2025, 09:19:02] EVENT: CONNECTING
[March 22, 2025, 09:19:02] Tunnel Options:V4,dev-type tun,link-mtu 1501,tun-mtu 1400,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client
[March 22, 2025, 09:19:02] Creds: UsernameEmpty/PasswordEmpty
[March 22, 2025, 09:19:02] Clearing credentials

[March 22, 2025, 09:19:02] Sending Peer Info:
IV_VER=3.10.5
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2974
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.6.0-10461
IV_SSO=webauth,crtext

[March 22, 2025, 09:19:02] VERIFY OK: depth=1, /C=DE/ST=<state>/L=<Town>/O=<Name>/OU=Private/CN=<Name> CA/emailAddress=<eMail>, signature: RSA-SHA512
[March 22, 2025, 09:19:02] VERIFY OK: depth=0, /C=DE/ST=<state>/O=<Name>/OU=Private/CN=<Name of ipfire>, signature: RSA-SHA256
[March 22, 2025, 09:19:02] EPKI sign request: RSA_PKCS1_PSS_PADDING SHA256 saltlen=digest
[March 22, 2025, 09:19:02] EPKI sign request: completed
[March 22, 2025, 09:19:19] EVENT: CONNECTION_TIMEOUT info='  BYTES_IN : 8372
  BYTES_OUT : 137902
  PACKETS_IN : 16
  PACKETS_OUT : 132
  KEEPALIVE_TIMEOUT : 1
  CONNECTION_TIMEOUT : 1
  N_RECONNECT : 1
'
[March 22, 2025, 09:19:19] EVENT: DISCONNECTED
[March 22, 2025, 09:19:19] Tunnel bytes per CPU second: 0

I do not see any entries regarding OpenVPN in the IPFire system log.

Best regards
R.

Hello,

I checked the OpenVPN log file again after I upgraded to Core 192, and I noticed that the following entries were now shown in IPFire:

10:17:24  openvpnserver[7590]:  176.6.55.213:37971 SIGUSR1[soft,tls-error] received, client-instance restarting
10:17:24  openvpnserver[7590]:  176.6.55.213:37971 TLS Error: TLS handshake failed
10:17:24  openvpnserver[7590]:  176.6.55.213:37971 TLS Error: TLS object -> incoming plaintext read error
10:17:24  openvpnserver[7590]:  176.6.55.213:37971 TLS_ERROR: BIO read tls_read_plaintext error
10:17:24  openvpnserver[7590]:  176.6.55.213:37971 OpenSSL: error:0A000086:SSL routines::certificate verify failed
10:17:24  openvpnserver[7590]:  176.6.55.213:37971 VERIFY ERROR: depth=1, error=certificate revoked: C=DE, ST=<state>, L=<Town>, O=<Name>, OU=Private, CN=<Name> CA, emailAddress=<eMail>, serial=<Long serial number>

I deleted all certificates on my phone and reinstalled the certificate, which has the following validity dates:

Validity
            Not Before: Mar 19 18:35:15 2025 GMT
            Not After : Dec 13 18:35:15 2029 GMT

But I still get the same error in the IPFire system log / OpenVPN.

But within the OpenVPN app, it says that the verification is OK.

Where is the problem?

Best regards
R.

Directly from IPFire in the zip file you only get a separate .pem and .key file if you have not filled in the password fields in the certificate generation.

However OpenVPN Connect no longer accepts .p12 container files. You can take the .p12 container file from the secure zip file (with password provided) and extract the .pem and .key files manually from it to be able to provide OpenVPN Connect the separate files, if that is what it requires.

The commands to do that if your Root/Host x509 certificates in the OpenVPN page were created after the OpenSSL version in IPFire was moved to 3.x (CU175 onwards) are:-

to get .key file
openssl pkcs12 -in infilename.p12 -out outfilename.key -nocerts
and for the .pem file
openssl pkcs12 -in infilename.p12 -out outfilename.pem -nokeys

The filename commands should include a path if you are not in the directory where the infilename.p12 is situated.

You will then have the .p12 file and the .pem & .key files that are inside that .p12 container.

This log line includes this

error=certificate revoked

which is telling you that the certificate has been marked as no longer usable. Once a certificate has been revoked it can no longer be used even if its expiry date is still some way off.

As the revocation message is on the server and not the client, it means that the revocation action occurred on your IPFire server.

You will need to remove that certificate from your client but also delete that client connection from your IPFire OpenVPN Server and create a new client connection, effectively start from scratch for that client connection.

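The two `openssl pkcs12` extractions from the post above, run non-interactively and followed by the checks a client can do on the result (chain to the CA, validity period, key matches certificate). This is an added example, not code from the thread or from IPFire. Because no IPFire box is available here, a throwaway CA and client certificate are generated first as constructed test material; on a real system skip make_test_material and point extract_from_p12 at the .p12 from the IPFire zip file. The password “secret” and the name androidtest are assumptions. It needs the OpenSSL 3.x command-line tool.

```shell
#!/bin/sh
# Added example, not from the IPFire thread or the IPFire project.
# Extracts the client certificate and private key from a .p12 container
# the way the post above describes, then checks the extracted files.
# Assumes the openssl 3.x CLI is on PATH.
set -eu

WORK=$(mktemp -d)
P12_PASS=secret   # the password typed into the IPFire certificate form (assumed)

# Constructed test material standing in for IPFire's Root CA and a client
# connection, so the example runs offline. Not needed on a real system.
make_test_material() {
    # self-signed "Root CA", stands in for cacert.pem from IPFire
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" \
        -subj "/C=DE/O=Example/CN=Example CA" >/dev/null 2>&1
    # client key + CSR, then sign the CSR with the CA
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" \
        -subj "/C=DE/O=Example/CN=androidtest" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/client.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.pem" >/dev/null 2>&1
    # bundle as IPFire does: client cert + key + CA in one password-protected .p12
    openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
        -certfile "$WORK/cacert.pem" -name androidtest \
        -passout "pass:$P12_PASS" -out "$WORK/androidtest.p12"
}

# extract_from_p12 P12 PASSWORD OUTBASE
#   OUTBASE.key : the private key, re-encrypted with the same password so it
#                 is not stored in the clear on the phone (-nodes would do that)
#   OUTBASE.pem : the client certificate only (-clcerts leaves out the bundled CA)
# For a .p12 made by an OpenSSL 1.x IPFire (before CU175) add -legacy to both.
extract_from_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts \
        -passout "pass:$2" -out "$3.key"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3.pem"
}

# cert_chains_to_ca CA CERT : succeeds if CERT is signed by CA and within its dates
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_valid_for_days CERT DAYS : succeeds if CERT does not expire within DAYS days
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_matches_cert KEY PASSWORD CERT : succeeds if the public keys agree
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$3" -noout -pubkey)
    [ "$k" = "$c" ]
}

make_test_material
extract_from_p12 "$WORK/androidtest.p12" "$P12_PASS" "$WORK/androidtest"
cert_chains_to_ca "$WORK/cacert.pem" "$WORK/androidtest.pem" && echo "chain OK"
cert_valid_for_days "$WORK/androidtest.pem" 7 && echo "not expiring within 7 days"
key_matches_cert "$WORK/androidtest.key" "$P12_PASS" "$WORK/androidtest.pem" && echo "key matches cert"
```

These checks cover exactly what the app reports as VERIFY OK: the chain and the validity dates. Revocation is not among them. `openssl verify` only consults a CRL when given `-crl_check -CRLfile <crl>`, and the phone never receives the server's CRL, which is why the client side can say the certificate verifies while the IPFire server logs “certificate revoked”. The revocation state lives only on the server, so that is where it has to be resolved, as the post above says.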

So your screenshot of the OpenVPN Connect message shows that they now no longer support the pkcs12 capability and therefore .p12 files are not recognised.

It also indicates that OpenVPN Connect doesn’t support some of the 2FA functions that are used in the Community OpenVPN package.

OpenVPN Connect has been designed to work with the OpenVPN Access Server and not with the OpenVPN Community Server that is used in IPFire whereas OpenVPN for Android has been designed to work with the OpenVPN server running in IPFire.

So I think I am coming to the conclusion to avoid OpenVPN Connect unless I had no alternative.

For Android and Linux there are alternatives that work with no problems.

It may be more of an issue with Windows. OpenVPN Connect has documentation pages targeted at Windows client systems.

Just did a quick search and found that there are Windows msi installer files for OpenVPN (Community) and apparently they do include a Windows GUI client, so it should be possible to also use a client for Windows that is designed to work with the OpenVPN Community Server.

Hi,

after I completely removed all certificates (incl. Host/Root) and reinstalled OpenVPN from scratch, the installation was successful with the OpenVPN Connect app.

I also have to admit that the installation was much easier than with the other app. I just removed the 4 items

#pkcs12 androidtest.p12
#auth-token-user USER
#auth-token TOTP
#auth-retry interact

from the .ovpn file.
I copied the files to the phone as described (without the “test2.key <--- Private Key”) and created a new connection.

Thanks to all who helped me fix the problem.

Edit: I had to reboot the system, because after the first connection the OpenVPN service stopped and did not restart via the start button. After the reboot everything works fine.
Best regards
R.
