I am trying to set up an OpenVPN server (on an IPFire mini appliance) with an iPhone client. Everything is updated to the latest level. iPhone is on mobile network, not Wifi. Used the instructions on the wiki, + the script to create an ovpn file for iOS with all certificates and keys.
In /var/syslog/messages I see
Sep 6 16:53:38 ipfire openvpnserver: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Sep 6 16:53:38 ipfire openvpnserver: TCP connection established with [AF_INET]184.108.40.206:49409
Sep 6 16:53:38 ipfire openvpnserver: 220.127.116.11:49409 TLS: Initial packet from [AF_INET]18.104.22.168:49409, sid=867e549e 4b0561ac
Sep 6 16:53:38 ipfire openvpnserver: 22.214.171.124:49409 TLS Error: reading acknowledgement record from packet
Sep 6 16:53:38 ipfire openvpnserver: 126.96.36.199:49409 Fatal TLS error (check_tls_errors_co), restarting
Sep 6 16:53:38 ipfire openvpnserver: 188.8.131.52:49409 SIGUSR1[soft,tls-error] received, client-instance restarting
and on the iOS OpenVPN client
Contacting x.y.z.t:8081/TCP via TCPv4
Connecting to [servername]:8081 (x.y.z.t) via TCPv4
TCP RECV EOF
Transport Error: Transport error on 'servername: NETWORK_EOF_ERROR
EVENT: Transport Error: Transport error on 'servername: NETWORK_EOF_ERROR
Client terminated, restarting in 5000ms---
EVENT: CONNECTION_TIMEOUT [ERR]
This error appears if one side has the tls-auth option active and the other side is missing it. Maybe you can check the configuration files on server and client to see whether the directives are active or inactive; in both cases the directive needs to be set the same.
The client conf says
#OpenVPN Client conf
remote v.domain.eu 8081
verify-x509-name v.domain.eu name
and the server (from
#OpenVPN Server conf
#DAN prepare OpenVPN for listening on blue and orange
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
server 10.2.95.0 255.255.255.0
keepalive 10 60
status /var/run/ovpnserver.log 30
# Log clients connecting/disconnecting
client-connect "/usr/sbin/openvpn-metrics client-connect"
client-disconnect "/usr/sbin/openvpn-metrics client-disconnect"
Does this look contradictory?
Yes, the '--key-direction' directive in client.ovpn is an alternative way of specifying the direction parameter for --tls-auth --> https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage , whereas the server.conf is missing this directive as far as I can see.
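To make the mismatch Erik describes in the two replies above easy to spot before the TLS handshake fails, here is a small checker. It is an added example, not code from the thread, from IPFire or from OpenVPN: it parses the TLS channel protection settings (tls-auth / tls-crypt, file form or inline block, plus key-direction) out of a client and a server config and reports whether the two sides agree. The two sample configs are constructed from the fragments posted in the thread with placeholder key material, and the server-side key path /var/ipfire/ovpn/certs/ta.key in the "after" config is a hypothetical one, not the directive the original poster actually added.

```python
import re

# The channel-protection directives OpenVPN accepts; tls-crypt variants take no direction.
TLS_MODES = ("tls-auth", "tls-crypt", "tls-crypt-v2")


def parse_tls_protection(conf):
    """Extract TLS channel protection settings from one OpenVPN config text.

    Understands both forms OpenVPN accepts:
      tls-auth ta.key 1            (file form, direction is the optional 3rd word)
      <tls-auth> ... </tls-auth>   (inline form) plus a separate:  key-direction 1
      tls-crypt ta.key / <tls-crypt> ... </tls-crypt>   (no direction parameter)
    Returns {"mode": one of TLS_MODES or None, "direction": "0" | "1" | None}.
    """
    result = {"mode": None, "direction": None}
    inline_block = None
    for raw in conf.splitlines():
        line = raw.strip()
        if inline_block:
            # Key material inside an inline block is not a directive; skip to the closing tag.
            if line.lower() == "</%s>" % inline_block:
                inline_block = None
            continue
        if not line or line[0] in "#;":       # OpenVPN comment lines
            continue
        m = re.match(r"<(tls-auth|tls-crypt|tls-crypt-v2)>$", line, re.I)
        if m:
            inline_block = m.group(1).lower()
            result["mode"] = inline_block
            continue
        parts = line.split()
        directive = parts[0].lower().lstrip("-")   # also accept "--tls-auth" spelling
        if directive in TLS_MODES:
            result["mode"] = directive
            if directive == "tls-auth" and len(parts) >= 3:
                result["direction"] = parts[2]
        elif directive == "key-direction" and len(parts) >= 2:
            result["direction"] = parts[1]
    return result


def check_pair(client_conf, server_conf):
    """Compare client and server settings; return a list of problems (empty means consistent)."""
    c = parse_tls_protection(client_conf)
    s = parse_tls_protection(server_conf)
    problems = []
    if c["mode"] != s["mode"]:
        problems.append("channel protection differs: client=%s server=%s"
                        % (c["mode"] or "none", s["mode"] or "none"))
        return problems
    if c["mode"] == "tls-auth":
        cd, sd = c["direction"], s["direction"]
        if (cd is None) != (sd is None):
            problems.append("tls-auth direction set on one side only: client=%s server=%s" % (cd, sd))
        elif cd is not None and {cd, sd} != {"0", "1"}:
            # The manual requires complementary directions: one side 0, the other 1 (or both omitted).
            problems.append("tls-auth directions must be complementary (0/1): client=%s server=%s" % (cd, sd))
    return problems


# Constructed client profile modelled on the iOS .ovpn from the thread; key bytes are placeholders.
CLIENT_OVPN = """\
#OpenVPN Client conf
client
remote v.domain.eu 8081
proto tcp
verify-x509-name v.domain.eu name
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Constructed server config as posted: no tls-auth directive at all.
SERVER_BEFORE = """\
#OpenVPN Server conf
server 10.2.95.0 255.255.255.0
keepalive 10 60
status /var/run/ovpnserver.log 30
"""

# Same server config with tls-auth enabled; the key path is hypothetical.
SERVER_AFTER = SERVER_BEFORE + "tls-auth /var/ipfire/ovpn/certs/ta.key 0\n"

if __name__ == "__main__":
    for label, server in (("before", SERVER_BEFORE), ("after", SERVER_AFTER)):
        print(label, check_pair(CLIENT_OVPN, server) or ["OK: client and server agree"])
```

Run against the two sample configs it reports "channel protection differs: client=tls-auth server=none" for the posted server.conf and nothing for the corrected one; the same checker also flags two sides that both use direction 1, which produces the same TLS handshake failure as a missing directive.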
Erik, you are perfectly right, adding
does the trick. Now I know what sections of the documentation to go through
Since I did this manually, do I risk having IPFire overwrite this directive at any time? Is it possible to add this option in the WUI somehow so that it won't?
Yes, this is possible; you can activate this option in the global section, which is named “TLS Channel Protection” --> https://wiki.ipfire.org/configuration/services/openvpn/config/glob_set .
Yes, excellent, that works like a charm.
Thank you so much!