Greetings,
I am trying to set up an OpenVPN server (on an IPFire mini appliance) with an iPhone client. Everything is updated to the latest level. iPhone is on mobile network, not Wifi. Used the instructions on the wiki, + the script to create an ovpn file for iOS with all certificates and keys.
In /var/syslog/messages I see
Sep 6 16:53:38 ipfire openvpnserver[14150]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Sep 6 16:53:38 ipfire openvpnserver[14150]: TCP connection established with [AF_INET]146.0.216.52:49409
Sep 6 16:53:38 ipfire openvpnserver[14150]: 146.0.216.52:49409 TLS: Initial packet from [AF_INET]146.0.216.52:49409, sid=867e549e 4b0561ac
Sep 6 16:53:38 ipfire openvpnserver[14150]: 146.0.216.52:49409 TLS Error: reading acknowledgement record from packet
Sep 6 16:53:38 ipfire openvpnserver[14150]: 146.0.216.52:49409 Fatal TLS error (check_tls_errors_co), restarting
Sep 6 16:53:38 ipfire openvpnserver[14150]: 146.0.216.52:49409 SIGUSR1[soft,tls-error] received, client-instance restarting
and on the iOS OpenVPN client
EVENT: RECONNECTING
EVENT: RESOLVE
Contacting x.y.z.t:8081/TCP via TCPv4
EVENT: WAIT
Connecting to [servername]:8081 (x.y.z.t) via TCPv4
TCP RECV EOF
Transport Error: Transport error on 'servername: NETWORK_EOF_ERROR
EVENT: Transport Error: Transport error on 'servername: NETWORK_EOF_ERROR
Client terminated, restarting in 5000ms---
EVENT: CONNECTION_TIMEOUT [ERR]
Hi,
this error appears if one side has the tls-auth option active and the other side misses it. Maybe you can check the configuration files on server and client to see if the directives are active or inactive; in both cases the directive needs to be set equal.
Yes, the "key-direction" directive in client.ovpn is an alternative way of specifying the direction parameter for "tls-auth" --> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage whereby the server.conf misses this directive as far as I can see.
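As an added example (not code from this thread or from IPFire), a small Python check that parses a server.conf and a client .ovpn and reports the asymmetry described above: tls-auth present on one side only, or, when both sides give a direction, a direction other than 0 on the server and 1 on the client. The sample configs, the port 8081 and the name "servername" are constructed to mirror the thread.

```python
# Added example: compare tls-auth / key-direction between an OpenVPN server.conf
# and a client .ovpn. Configs below are constructed, the ta.key path is illustrative.

def parse_tls_auth(text):
    """Return (enabled, direction) for one OpenVPN config.

    'enabled' is True for a 'tls-auth <file> [dir]' line or an inline
    <tls-auth> block; 'direction' is 0, 1 or None (not given).
    'key-direction N' is the equivalent way of setting the direction.
    """
    enabled, direction = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':      # OpenVPN comment lines
            continue
        parts = line.split()
        if parts[0] == 'tls-auth':
            enabled = True
            if len(parts) >= 3 and parts[2] in ('0', '1'):
                direction = int(parts[2])
        elif parts[0] == 'key-direction' and len(parts) == 2 and parts[1] in ('0', '1'):
            direction = int(parts[1])
        elif line.lower() == '<tls-auth>':
            enabled = True
    return enabled, direction

def check_pair(server_conf, client_conf):
    """Return a list of mismatches; an empty list means both sides agree."""
    s_on, s_dir = parse_tls_auth(server_conf)
    c_on, c_dir = parse_tls_auth(client_conf)
    problems = []
    if s_on != c_on:
        # The asymmetric case from the thread: the side without tls-auth cannot
        # read the HMAC-wrapped control packets the other side sends.
        problems.append('tls-auth is enabled on the %s only' % ('client' if c_on else 'server'))
    elif s_on and s_dir is not None and c_dir is not None and (s_dir, c_dir) != (0, 1):
        problems.append('key direction must be 0 on the server and 1 on the client, got %d/%d'
                        % (s_dir, c_dir))
    return problems

# Constructed configs: the original server.conf lacks tls-auth, the fixed one has it.
SERVER_BEFORE = "proto tcp-server\nport 8081\ndev tun\n"
SERVER_AFTER = SERVER_BEFORE + "tls-auth /var/ipfire/ovpn/certs/ta.key\n"
CLIENT = ("client\nproto tcp-client\nremote servername 8081\n"
          "key-direction 1\n<tls-auth>\n# constructed placeholder, not a real key\n</tls-auth>\n")

if __name__ == '__main__':
    print(check_pair(SERVER_BEFORE, CLIENT))   # ['tls-auth is enabled on the client only']
    print(check_pair(SERVER_AFTER, CLIENT))    # []
```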
tls-auth /var/ipfire/ovpn/certs/ta.key
in server.conf
does the trick. Now I know what sections of the documentation to go through
Since I did this manually - do I risk having IPFire overwrite this directive at any time? Is it possible to add this option in the WUI somehow so that it won't?