Option_error: sorry unsupported options present in configuration: Option allowed only to be pushed be the server


I have set up openVPN on my router as follows.
OpenVPN - Config

But on my iPhone (iOS 17.0.3) with OpenVPN (3.4.0 5457) I now get the following error when dialing in recently.



[Oct 18, 2023, 21:07:08] START CONNECTION
[Oct 18, 2023, 21:07:08] ----- OpenVPN Start -----
OpenVPN core 3.8.2connect1 ios arm64 64-bit
[Oct 18, 2023, 21:07:08] OpenVPN core 3.8.2connect1 ios arm64 64-bit
[Oct 18, 2023, 21:07:08] Frame=512/2112/512 mssfix-ctrl=1250
[Oct 18, 2023, 21:07:08] NOTE: This configuration contains options that were not used:
[Oct 18, 2023, 21:07:08] Option allowed only to be pushed by the server
[Oct 18, 2023, 21:07:08] 14 [auth-token-user] [USER]
[Oct 18, 2023, 21:07:08] 15 [auth-token] [TOTP]
[Oct 18, 2023, 21:07:08] EVENT: CORE_THREAD_ERROR option_error: sorry, unsupported options present in configuration: Option allowed only to be pushed by the server [ERR]
[Oct 18, 2023, 21:07:08] EVENT: CORE_THREAD_DONE
[Oct 18, 2023, 21:07:08] EVENT: DISCONNECT_PENDING
[Oct 18, 2023, 21:07:08] Raw stats on disconnect:

Router - OpenVPN Log


I may not have tested this since the release of iOS 17 but maybe someone knows the problem.

The log message “TLS error, cannot locate HMAC in incoming packet” indicates that the OpenVPN server expected to find a HMAC (Hash-Based Message Authentication Code) signature in the incoming packet for additional verification, but didn’t find it. This could be due to a configuration mismatch between the client and server, particularly related to the TLS-AUTH setting. Both sides should be configured to use the same pre-shared key for HMAC verification.

Another potential problematic setting concerns a second factor authentication. Last time I checked, in iOS OpenVPN connect was not capable to establish an OTP connection with IPFire OpenVPN server.

I just got this myself.

The error message isn’t very helpful as it doesn’t list the offending options. But the log does, so commenting out auth-token-user and auth-token makes the connection work.

I’m not on iOS 17, btw, still on 16.

My ovpn file for the iPhone looks like this and is it safe in terms of security to exclude the following options here?

I have the following in my settings

#OpenVPN Server conf

daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local blabla.selfhost.de
dev tun
proto udp
port 1194
script-security 3
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /etc/ssl/ffdhe4096.pem
tun-mtu 1400
mssfix 0
keepalive 10 60
status-version 1
status /var/run/ovpnserver.log 30
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-auth /var/ipfire/ovpn/certs/ta.key
push "redirect-gateway def1"
push "dhcp-option DOMAIN blabla.dom"
push "dhcp-option DNS"
max-clients 2
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
reneg-sec 86400
user nobody
group nobody
verb 3
# Log clients connecting/disconnecting
client-connect "/usr/sbin/openvpn-metrics client-connect"
client-disconnect "/usr/sbin/openvpn-metrics client-disconnect"

# Enable Management Socket
management /var/run/openvpn.sock unix


These are for two-factor authentication. OpenVPN Connect lacks the capability to handle the second-factor exchange with an OpenVPN server on IPFire. Only the OpenVPN Windows community edition client is compatible with IPFire for this key exchange. Without it, you can establish a tunnel but without the two-factor exchange. See for documentation my bug report.

1 Like

Thanks now the VPN setup via OpenVPN works again for the time being.

1 Like

Paul, may I ask what you did to get the config file to work?

I have commented out the following two lines in my OVPN file. I then deleted the profile in the OpenVPN app and uploaded the new OVPN file to the iPhone and stored it in OpenVPN App as new profile.