Openvpn access stalls on IPFire with no password response

I am running IPFire 2.23 (x86_64) - Core Update 139, iOS 13.3 and OS X 10.14.6.

I have created a road warrior connection on the IPFire OpenVPN web page, following the directions at both https://wiki.ipfire.org/configuration/services/openvpn/ios/ios_manual and https://wiki.ipfire.org/configuration/services/openvpn/ios/ios_script

When connecting, the iOS OpenVPN log is:

2020-01-19 14:26:24 ----- OpenVPN Start -----
OpenVPN core 3.git::2ae73415 ios arm64 64-bit PT_PROXY built on Dec 2 2019 14:44:28

2020-01-19 14:26:24 OpenVPN core 3.git::2ae73415 ios arm64 64-bit PT_PROXY built on Dec 2 2019 14:44:28

2020-01-19 14:26:24 Frame=512/2048/512 mssfix-ctrl=1250

2020-01-19 14:26:24 UNUSED OPTIONS
0 [tls-client]
2 [nobind]
10 [verb] [3]
12 [verify-x509-name] [xxxxx.xxx] [name]

2020-01-19 14:26:24 EVENT: RESOLVE

2020-01-19 14:26:24 Contacting [n.n.n.n]:1194/UDP via UDP

2020-01-19 14:26:24 EVENT: WAIT

2020-01-19 14:26:24 Connecting to [xxx.xxx]:1194 (n.n.n.n) via UDPv4

2020-01-19 14:26:34 Server poll timeout, trying next remote entry…

2020-01-19 14:26:34 EVENT: RECONNECTING

2020-01-19 14:26:34 EVENT: RESOLVE

2020-01-19 14:26:34 Contacting n.n.n.n]:1194/UDP via UDP

2020-01-19 14:26:34 EVENT: WAIT

2020-01-19 14:26:34 Connecting to [xxx.xxx]:1194 (n.n.n.n) via UDPv4

2020-01-19 14:26:45 Server poll timeout, trying next remote entry…

2020-01-19 14:26:45 EVENT: RECONNECTING

2020-01-19 14:26:45 EVENT: RESOLVE

2020-01-19 14:26:45 Contacting [n.n.n.n]:1194/UDP via UDP

2020-01-19 14:26:45 EVENT: WAIT

2020-01-19 14:26:45 Connecting to [xxx.xxx]:1194 (n.n.n.n) via UDPv4

2020-01-19 14:26:54 EVENT: CONNECTION_TIMEOUT [ERR]

2020-01-19 14:26:54 Raw stats on disconnect:
BYTES_OUT : 2494
PACKETS_OUT : 29
CONNECTION_TIMEOUT : 1
N_RECONNECT : 2

2020-01-19 14:26:54 Performance stats on disconnect:
CPU usage (microseconds): 62406
Network bytes per CPU second: 39964
Tunnel bytes per CPU second: 0

2020-01-19 14:26:54 EVENT: DISCONNECTED

2020-01-19 14:26:54 Raw stats on disconnect:
BYTES_OUT : 2494
PACKETS_OUT : 29
CONNECTION_TIMEOUT : 1
N_RECONNECT : 2

2020-01-19 14:26:54 Performance stats on disconnect:
CPU usage (microseconds): 77460
Network bytes per CPU second: 32197
Tunnel bytes per CPU second: 0

The IPFire log is:

14:27:44 openvpnserver[1541]: n.n.n.n:61770 SIGUSR1[soft,tls-error] received, client-instance restarting
14:27:44 openvpnserver[1541]: n.n.n.n:61770 TLS Error: TLS handshake failed
14:27:44 openvpnserver[1541]: n.n.n.n:61770 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
14:27:34 openvpnserver[1541]: n.n.n.n:53891 SIGUSR1[soft,tls-error] received, client-instance restarting
14:27:34 openvpnserver[1541]: n.n.n.n:53891 TLS Error: TLS handshake failed
14:27:34 openvpnserver[1541]: n.n.n.n:53891 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
14:27:24 openvpnserver[1541]: n.n.n.n:54146 SIGUSR1[soft,tls-error] received, client-instance restarting
14:27:24 openvpnserver[1541]: n.n.n.n:54146 TLS Error: TLS handshake failed
14:27:24 openvpnserver[1541]: n.n.n.n:54146 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
14:26:53 openvpnserver[1541]: n.n.n.n:61770 TLS Error: reading acknowledgement record from packet
14:26:52 openvpnserver[1541]: n.n.n.n:61770 TLS Error: reading acknowledgement record from packet
14:26:44 openvpnserver[1541]: n.n.n.n:61770 TLS Error: reading acknowledgement record from packet
14:26:44 openvpnserver[1541]: n.n.n.n:61770 TLS: Initial packet from [AF_INET]n.n.n.n:61770, sid=a77d9a51 e1304647
14:26:44 openvpnserver[1541]: n.n.n.n:61770 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
14:26:34 openvpnserver[1541]: n.n.n.n:53891 TLS Error: reading acknowledgement record from packet
14:26:34 openvpnserver[1541]: n.n.n.n:53891 TLS: Initial packet from [AF_INET]n.n.n.n:53891, sid=86ebd8b9 7bd09929
14:26:34 openvpnserver[1541]: n.n.n.n:53891 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
14:26:33 openvpnserver[1541]: 1n.n.n.n:54146 TLS Error: reading acknowledgement record from packet
14:26:26 openvpnserver[1541]: n.n.n.n:54146 TLS Error: reading acknowledgement record from packet
14:26:25 openvpnserver[1541]: n.n.n.n:54146 TLS Error: reading acknowledgement record from packet
14:26:24 openvpnserver[1541]: n.n.n.n:54146 TLS Error: reading acknowledgement record from packet
14:26:24 openvpnserver[1541]: n.n.n.n:54146 TLS: Initial packet from [AF_INET]n.n.n.n:54146, sid=2c4dab41 43004ebc
14:26:24 openvpnserver[1541]: n.n.n.n:54146 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)

A few weeks ago I had given the scripts a try and all worked well. I’ll try again in the next few days to see if I get the same errors you saw.

When testing, make sure your iOS device is not connected to the green network. LTE (or cellular data) should work A-OK.

Thanks.

I have been testing by turning off WiFi on my iPhone and using my carrier’s external network. That gives the iPhone an external address.
I tried the script last week with the same result.

I gave things a quick test just to make sure they hadn’t changed since the Core Update 139 was released. All looks A-OK.

Just to double check - Did you enter a password here?:

 

So where are you in the process that things stall and there is no password response?

Are you here?

Jon,

Thanks for your reply. Still no joy.

I defined a new connection, using just alphanumeric characters as a password. When I run the script, a new .ovpn file is created. I download the .zip file to my Mac and unzip it. I use sftp to copy the new .ovpn from my Mac to IPFire, run the script on IPFire, sftp the output .ovpn to my Mac, and then use iTunes to copy it to OpenVPN on my iPhone via File Sharing. That works and the OpenVPN app detects the new combined OVPN file. I add it and enter the correct password for the connection. The connection times out. On my iPhone, under Settings->VPN, I can see the new VPN checked.

If I touch the info icon, I can see that the VPN points to my IPFire’s dynamic VPN address/name. If I use the switch icon in the OpenVPN App, it doesn’t connect.

I have turned off the iPhone's WiFi, so it will use my carrier's provided IP address. This winds up on the 144.n.n.n net. I have used the iNetTools APP to verify I can Traceroute to my dynamic VPN address and that I can’t ping anything on my green or blue network.

(BTW

key-direction bidirectional

I’m not experienced enough with OpenVPN to be able to figure out this issue… I’m guessing there is a step missing but without lots of screenshots I’m not sure I can help.

When you go thru all of the steps here does everything work (except for the green CONNECTED screen)??

Are you entering a password in Step 5 and it is accepted?

Still fighting with OpenVPN.

Is it possible I need to (un)configure something using the IPFire Firewall Rules page? My OpenVPN seems to have picked subnet 10.212.18.0/255.255.255.0 as its Dynamic OpenVPN IP address pool.

Hi all,
this message
TLS Error: reading acknowledgement record from packet
happens mostly if one side provides a ta.key (TLS Authentication) while the other is missing the appropriate entry and/or the ta.key.

If you check for a ‘tls-auth’ directive line in server.conf and client.ovpn you should be able to track it down if this is the problem.

I have seen that this topic is kind of old; sorry, but I haven't seen it earlier.

Best,

Erik
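
The check Erik describes, written out as an added example (it is not part of the thread and not IPFire's or OpenVPN's own code): it reads a server config and a client profile as text and reports whether both sides agree on `tls-auth` and its key direction. The sample configs, the host name `vpn.example.org` and the key file name `ta.key` are constructed placeholders, and treating `bidirectional` as the same as an omitted direction is an assumption based on the `key-direction bidirectional` line quoted above.

```python
# Constructed sample configs; host name and key file name are placeholders.
SERVER_CONF = "port 1194\nproto udp\ntls-auth ta.key 0\n"
CLIENT_NO_TA = "tls-client\nnobind\nremote vpn.example.org 1194 udp\nverb 3\n"
CLIENT_WITH_TA = CLIENT_NO_TA + (
    "key-direction 1\n<tls-auth>\n"
    "-----BEGIN OpenVPN Static key V1-----\n(placeholder, no real key)\n"
    "-----END OpenVPN Static key V1-----\n</tls-auth>\n")

def tls_auth_state(config_text):
    """Return (enabled, direction) for the tls-auth setup in one config."""
    enabled, direction, inline = False, "bidirectional", False
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline:                       # skip embedded key material
            inline = line != "</tls-auth>"
            continue
        if line == "<tls-auth>":         # key embedded in the profile
            enabled, inline = True, True
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        words = line.split()
        if words[0] == "tls-auth":       # tls-auth <file> [direction]
            enabled = True
            if len(words) > 2:
                direction = words[2]
        elif words[0] == "key-direction" and len(words) > 1:
            direction = words[1]
    return enabled, direction

def compare(server_text, client_text):
    """Report whether both sides agree on tls-auth and its key direction."""
    s_on, s_dir = tls_auth_state(server_text)
    c_on, c_dir = tls_auth_state(client_text)
    if s_on != c_on:
        side = "client" if s_on else "server"
        return f"MISMATCH: tls-auth is missing on the {side} side"
    if not s_on:
        return "OK: tls-auth is not used on either side"
    # With a direction, one side uses 0 and the other 1; otherwise both omit it.
    if (s_dir, c_dir) not in {("0", "1"), ("1", "0"), ("bidirectional",) * 2}:
        return f"MISMATCH: key direction server={s_dir} client={c_dir}"
    return "OK: tls-auth on both sides with matching key direction"

if __name__ == "__main__":
    print(compare(SERVER_CONF, CLIENT_NO_TA))
    print(compare(SERVER_CONF, CLIENT_WITH_TA))
```

The check only compares directives; it cannot tell whether both sides hold the same key material, so a matching result still leaves the key contents to be compared by hand.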