Option_error: sorry unsupported options present in configuration: Option allowed only to be pushed be the server

pablo78 · 18 October 2023 19:42

Hello

I have set up openVPN on my router as follows.
OpenVPN - Config

.-----------------------------------------------------
.
But on my iPhone (iOS 17.0.3) with OpenVPN (3.4.0 5457) I now get the following error when dialing in recently.

iOS OpenVPN

.

[Oct 18, 2023, 21:07:08] START CONNECTION
[Oct 18, 2023, 21:07:08] ----- OpenVPN Start -----
OpenVPN core 3.8.2connect1 ios arm64 64-bit
[Oct 18, 2023, 21:07:08] OpenVPN core 3.8.2connect1 ios arm64 64-bit
[Oct 18, 2023, 21:07:08] Frame=512/2112/512 mssfix-ctrl=1250
[Oct 18, 2023, 21:07:08] NOTE: This configuration contains options that were not used:
[Oct 18, 2023, 21:07:08] Option allowed only to be pushed by the server
[Oct 18, 2023, 21:07:08] 14 [auth-token-user] [USER]
[Oct 18, 2023, 21:07:08] 15 [auth-token] [TOTP]
[Oct 18, 2023, 21:07:08] EVENT: CORE_THREAD_ERROR option_error: sorry, unsupported options present in configuration: Option allowed only to be pushed by the server [ERR]
[Oct 18, 2023, 21:07:08] EVENT: CORE_THREAD_DONE
[Oct 18, 2023, 21:07:08] EVENT: DISCONNECT_PENDING
[Oct 18, 2023, 21:07:08] Raw stats on disconnect:

.
Router - OpenVPN Log

.

I may not have tested this since the release of iOS 17 but maybe someone knows the problem.

cfusco · 19 October 2023 10:45

Pablo78:

EVENT: CORE_THREAD_ERROR option_error: sorry, unsupported options present in configuration: Option allowed only to be pushed by the server [ERR]
[Oct 18, 2023, 21:07:08] EVENT: CORE_THREAD_DONE

The log message “TLS error, cannot locate HMAC in incoming packet” indicates that the OpenVPN server expected to find a HMAC (Hash-Based Message Authentication Code) signature in the incoming packet for additional verification, but didn’t find it. This could be due to a configuration mismatch between the client and server, particularly related to the TLS-AUTH setting. Both sides should be configured to use the same pre-shared key for HMAC verification.

Another potential problematic setting concerns a second factor authentication. Last time I checked, in iOS OpenVPN connect was not capable to establish an OTP connection with IPFire OpenVPN server.

dammarin · 21 October 2023 12:00

I just got this myself.

The error message isn’t very helpful as it doesn’t list the offending options. But the log does, so commenting out auth-token-user and auth-token makes the connection work.

I’m not on iOS 17, btw, still on 16.

pablo78 · 25 October 2023 15:59

My ovpn file for the iPhone looks like this and is it safe in terms of security to exclude the following options here?

auth-token-user USER
auth-token TOTP
.

grafik666×509 9.91 KB

I have the following in my settings
.
/var/ipfire/ovpn/server.conf

#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local blabla.selfhost.de
dev tun
proto udp
port 1194
script-security 3
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /etc/ssl/ffdhe4096.pem
server 10.10.5.0 255.255.255.0
tun-mtu 1400
mssfix 0
keepalive 10 60
status-version 1
status /var/run/ovpnserver.log 30
ncp-disable
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-auth /var/ipfire/ovpn/certs/ta.key
push "redirect-gateway def1"
push "dhcp-option DOMAIN blabla.dom"
push "dhcp-option DNS 10.10.5.1"
max-clients 2
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
auth-user-pass-optional
reneg-sec 86400
user nobody
group nobody
persist-key
persist-tun
verb 3
# Log clients connecting/disconnecting
client-connect "/usr/sbin/openvpn-metrics client-connect"
client-disconnect "/usr/sbin/openvpn-metrics client-disconnect"

# Enable Management Socket
management /var/run/openvpn.sock unix
management-client-auth

Paul

cfusco · 25 October 2023 16:59

These are for two-factor authentication. OpenVPN Connect lacks the capability to handle the second-factor exchange with an OpenVPN server on IPFire. Only the OpenVPN Windows community edition client is compatible with IPFire for this key exchange. Without it, you can establish a tunnel but without the two-factor exchange. See for documentation my bug report.

pablo78 · 25 October 2023 20:08

Thanks now the VPN setup via OpenVPN works again for the time being.

anon80712004 · 3 November 2023 16:13

Paul, may I ask what you did to get the config file to work?

pablo78 · 3 November 2023 16:31

I have commented out the following two lines in my OVPN file. I then deleted the profile in the OpenVPN app and uploaded the new OVPN file to the iPhone and stored it in OpenVPN App as new profile.