OpenVPN on iPhone iOS 16.7.8 / IPFire core 186 / no connection

For many years I was using OpenVPN to connect remotely from my iPhone to my IPFire’s DMZ. Since this no longer worked after the latest update of the OpenVPN Connect app to version 3.4.2 (5723), I tried to set up OpenVPN from scratch again … and failed.

I used the iOS keychain method for creating the .ovpn12 and .ovpn files and uploaded them to my iPhone.

I had to add the option ‘-legacy’ as export option in ‘create_ovpn12.bsh’ in order to be able to read in the ovpn12 certificate.

I also had to comment out the options from the ovpn file

#auth-nocache
#auth-token-user USER
#auth-token TOTP
#auth-retry interact

since they produced error messages in the OpenVPN app.

When I try to connect, no connection is established. The ‘messages’ file of IPFire shows

openvpnserver[6231]: xxx.xxx.xxx.xxx:19293 TLS Error: reading acknowledgement record from packet

The head of my ovpn file looks like this (x = anonymized):

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote xxxxxxxx 1194
#comment the above line and uncomment the next line, if you want to connect on the Orange interface
;remote xxx.xxx.xxx.xxx 1194
#pkcs12 xxxxxx.p12
cipher AES-256-CBC
auth SHA512
verb 3
remote-cert-tls server
verify-x509-name XXX.YYY name
mssfix 0
#auth-nocache
#auth-token-user USER
#auth-token TOTP
#auth-retry interact
key-direction bidirectional

Any help is welcome. Thanks in advance.

Addendum: I finally tried the insecure method and it worked :slight_smile:
OpenVPN is connected again!

There seems to be an issue with the iOS keychain method.

Addendum 2: Surprisingly, I can tick the option ‘TLS Channel Protection’ on the OpenVPN page of IPFire when the OpenVPN server is stopped. However, when I then start the OpenVPN server, this option is no longer marked as activated. Therefore, TLS seems to be deactivated on the OpenVPN server side of IPFire. It is not possible in core 186 to select ‘TLS Channel Protection’.

On the other hand, the generated ‘.ovpn’ file contains a tls-auth section:

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xxxx
-----END OpenVPN Static key V1-----
</tls-auth>

Therefore the iPhone client assumes that TLS is used. There seems to be a mismatch between the TLS setting of the server and that of the client. This is also underlined by the above error message in ‘error messages’. Please also read the related comments in “VPN clients won’t connect - Virtual Private Networks - IPFire Community”.

Can you check this, please?
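A small added check, written for this thread and not part of IPFire or the OpenVPN Connect app: it parses a client .ovpn of the shape quoted above (comments, directives, inline `<tls-auth>` block) and flags the client/server mismatch diagnosed here, where the client carries a tls-auth key but ‘TLS Channel Protection’ is off on the server. The sample config and the function names are constructed for the example.

```python
import re

# Constructed sample modelled on the .ovpn head quoted in the post (anonymized there as well).
SAMPLE_OVPN = """\
#OpenVPN Client conf
tls-client
client
remote vpn.example.invalid 1194
;remote 192.0.2.1 1194
cipher AES-256-CBC
remote-cert-tls server
#auth-nocache
#auth-retry interact
key-direction bidirectional
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse_ovpn(text):
    """Return (directives, inline_blocks) for an OpenVPN client config.
    directives: list of (name, [args]); lines starting with '#' or ';' are comments.
    inline_blocks: {tag: body} for <tag>...</tag> sections such as <tls-auth>."""
    directives, blocks = [], {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or commented-out directive
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:                             # opening tag: collect until the matching close tag
            tag, body = m.group(1), []
            for inner in lines:
                if inner.strip() == f"</{tag}>":
                    break
                body.append(inner)
            blocks[tag] = "\n".join(body)
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, blocks

def tls_channel_mismatch(ovpn_text, server_tls_protection):
    """True when the client is configured for tls-auth (HMAC-wrapped control channel)
    but the server runs without TLS Channel Protection, or the other way round.
    Either way the TLS handshake fails, as seen in the server log quoted above."""
    directives, blocks = parse_ovpn(ovpn_text)
    client_expects = "tls-auth" in blocks or any(n == "tls-auth" for n, _ in directives)
    return client_expects != server_tls_protection
```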

After you have checked the TLS, you need to press the Save Button. Then you can start the OpenVPN Server.


Thanks a lot, Adolf. What a shame, I overlooked the ‘Save’ button. After saving, the selected option is kept. I will now try the secure setup again and report tomorrow.

Don’t worry.

I have done it myself now and then.

The following time I tend to remember that I need to Save after making any changes.

Dear Adolf, good news: after ticking ‘TLS Channel Protection’ and (!) saving this option, the connection with the secure approach ‘iOS keychain method’ is working like a charm :slight_smile:

Two small items to improve remain:

  1. Add ‘-legacy’ as an option in the conversion script create_ovpn12.sh.
  2. Remove the options
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact

from the generated ‘.ovpn’ file, at least optionally.

Thanks for your great support.