OpenVPN connection no longer possible

I need your analysis knowledge regarding OpenVPN.

So far I was able to establish an OpenVPN connection to my router (Core Update 175) from my iPhone (iOS 16.5).
Establishing the connection is now no longer possible and the iOS app (OpenVPN) spins steadily. I had already turned off the IP block lists on the firewall but it did not improve.

My configuration has not been adjusted for more than a year in the area of OpenVPN. Maybe you can have a look at the following pictures and tell me if there is something noticeable or if I should reconfigure OpenVPN.

Many thanks in advance.

Paul


I suspect that your effect is because IPFire now has openssl-3.x and no longer openssl-1.1.1x

This will likely mean that you need to activate the legacy option in your .ovpn file. I can’t be 100% certain of that as I don’t have any iOS based systems just Linux and Android but it worked for them.

See the following wiki page.

https://wiki.ipfire.org/configuration/services/openvpn/openssl-3-transition

Let us know if this guidance does or does not fix the problem for you.


Hi all,
@pablo78, your connection log looks like your OpenVPN server simply starts and waits for connection attempts at 21:31:15 with an “Initialization Sequence Completed”. There is a “TLS Error” at 00:00:36 {before} (it might be an idea to hide personal information) with an HMAC problem; this one can be a NOT wanted connection attempt or your client simply misses the ta.key (OpenVPN TLS FW).

Possibly something on the way before the OpenVPN server blocks the traffic?

Best,

Erik


If I now want to rebuild OpenVPN from scratch how should I proceed?

Do I have to reissue or generate the “certificate authorities and keys” because they are from 2020 and how would I have to do that?

But is it also only necessary to delete certificates or objects under “Connection status and control” and reissue them so that OpenSSL 3 comes into play?

Should I perhaps also raise the “Hash Algorithm” and/or “Encryption” under “Global Settings” and if so what do you recommend there?

Sorry for the many questions :wink:

I don’t believe that you need to re-generate the certificate authorities and keys. I will do a check on that and report back to confirm.

You don’t have to delete the old ones but in that case the new ones need a different connection name and a different user/hostname for the certificate. The Openvpn WUI page will tell you if you are duplicating a name. However if you want to change the Hash Algorithm or Encryption then the old client connections will no longer work and then it makes sense to delete them.
You can always bring them back by a restore (make sure you do a backup before deleting everything so you can restore if needed).

If you are creating new client certs then it makes sense to use the strongest security options.

For the Hash Algorithm the best currently is SHA2 512 bit or Whirlpool 512 bit. I use the SHA2 512 bit as that is more commonly used and therefore most clients will be good with that… The Whirlpool 512 bit is also good but not so commonly used. The SHA2 works with my Linux and Android clients with no problems.

For the Encryption the best is usually at the top of the list in the drop down box. In this case that is AES-GCM 256 bit. That is the one that I use and it works with my Linux and Android clients.

If you want to use the Openssl-3.x based certificates note that for Android you will need version 13 (or possibly 12, not yet confirmed). See
https://community.ipfire.org/t/results-found-with-certificates-created-with-openssl3-x/9894

No problems at all, that is what the forum is for. :+1:


I have done a check.
If you press the blue i icon on the Root certificate line then near the top you should see the following:-
[screenshot]
For the Host certificate line it could either be like the Root certificate with a value of 4096 bits or it might be at 2048 bits.
[screenshot]
If it is the latter case then removing the x509 root/host certificate set and re-generating it will make both the root and the host at 4096 bits. If you are going to re-do everything anyway then it is worth while to make both the root and host certificates for the server at 4096 bits.

Removing the x509 will clear everything from the server and the client connection table. Again have a backup stored somewhere as doing a restore will bring back the previous root/host certificates and the Client Connection packages if needed.


My certificates have the values you pointed out.
Root: 4096
Host: 2048


The TLS key is always 2048 bit. There is only one value for that key.

I have now deleted the root and host certificates and completely recreated them.
After that I created a new device.
Using the script “openvpncmd.sh” here I could generate a .ovpn file.

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote abc.selfhost.de 1194
#pkcs12 iPhonePaul.p12
cipher AES-256-CBC
auth SHA512
#tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name router.abc.dom name
mssfix 0
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact
providers legacy default
key-direction bidirectional

I loaded this file into my Nextcloud and then opened the file on my iPhone (iOS 16.5.1) with OpenVPN Client (Version: 3.3.3 5109).
The import worked but it asks for a “Private Key Password”. Can someone tell me which password I should enter here?
Above the “openvpncmd.sh” I have the “PKCS12 File Password”, which it should not be.

After I entered the string of “PKCS12 File Password” in “Private Key Password” the VPN was created and I could connect.

5min later the connection did not work again. Also stopping and starting the OpenVPN service did not bring any improvement.

OpenVPN Log

I must probably look here to see if there is something. :face_with_raised_eyebrow:
https://forums.openvpn.net/viewtopic.php?t=35763

Can you confirm that in your OpenVPN Client conf file shown above the actual certificates, key and ta.key are inserted after the line key-direction bidirectional?

Yes this content is available.
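To make the check asked for above reproducible, here is an added Python linter (not part of this thread, nor of IPFire's openvpncmd.sh) that parses a client profile like the one posted, confirms the inline ca/cert/key blocks and the ta.key are present, and flags a non-AEAD cipher, a non-SHA-2 auth digest and the OpenSSL 3 legacy provider. The profile text, hostname and PEM bodies are constructed placeholders.

```python
import re

# Constructed sample profile mirroring the thread's directives; the inline
# PEM bodies are placeholders, not real key material.
SAMPLE_OVPN = """\
remote vpn.example.invalid 1194
cipher AES-256-CBC
auth SHA512
#tls-auth ta.key
remote-cert-tls server
providers legacy default
key-direction bidirectional
<ca>
PLACEHOLDER
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
PLACEHOLDER
</key>
"""

# Inline blocks such as <ca>...</ca>; the backreference keeps tags paired.
BLOCK_RE = re.compile(r"<(\w[\w-]*)>.*?</\1>", re.S)

def parse_profile(text):
    # Returns ({directive: first argument string}, {inline tag names})
    blocks = {m.group(1) for m in BLOCK_RE.finditer(text)}
    directives = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":          # skip blanks and comments
            name, _, args = line.partition(" ")
            directives.setdefault(name, args.strip())
    return directives, blocks

def lint_profile(text):
    # Findings to review before trusting a generated client profile.
    d, blocks = parse_profile(text)
    out = [f"missing {t}" for t in ("ca", "cert", "key") if t not in blocks and t not in d]
    if "key-direction" in d and not {"tls-auth", "tls-crypt"} & (blocks | set(d)):
        out.append("key-direction set but no ta.key (tls-auth/tls-crypt) supplied")
    if not d.get("cipher", "").upper().endswith("-GCM"):
        out.append("cipher is not AEAD; prefer AES-256-GCM")
    if d.get("auth", "").upper() not in ("SHA256", "SHA384", "SHA512"):
        out.append("auth is not SHA-2; prefer SHA512")
    if d.get("providers", "").startswith("legacy"):
        out.append("note: OpenSSL 3 legacy provider enabled (old PKCS#12/cipher)")
    return out
```

Running lint_profile(SAMPLE_OVPN) reports the commented-out ta.key, the CBC cipher and the legacy provider; a profile with AES-256-GCM, an inline tls-auth block and no providers line comes back clean.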

This is the password that you entered when you set up the client certificate for the connection. It will also be the same password that you will have entered as the second command line option when running the openvpncmd.sh script.

If that password successfully made the connection then the connection profile and password are correct but something else must have caused the connection to be closed after 5 mins.

There must be some clue in the logs on your iPhone as to why the connection was dropped after 5 mins. I can’t help more on this part as I don’t have any apple products and so have no experience on OpenVPN on the iPhone.

Also in the IPFire OpenVPN Server logs you should find the successful connection in the logs and then some message when the connection was dropped. If the reason for the drop is in the IPFire OpenVPN Server there will be some message(s) about what happened. If the problem was on the client then the IPFire OpenVPN Server logs will just show the connection no longer being in place.

Curiously, via the OpenVPN app I get this network error, but when I enable the VPN under the normal iOS settings it works.

Oh man.

It was an OpenVPN issue with the app all along which has now been resolved with version 3.3.4 on iOS.

But it has something good: my root & host certificates were renewed once.

Thanks to all involved for the support.
