Netgate Discussion Forum

OpenVPN Connect iOS client randomly disconnecting multiple times

OpenVPN
ios open vpn radius openvpn client
    markedo
    last edited by Aug 18, 2022, 2:12 PM

    Hello everyone!
    I'm facing a problem with clients on iOS: they're randomly disconnected and/or may need multiple tries to connect to the server. The problem exists on both old and new iOS devices (on 8 and 12). Rebooting the server and creating a new server doesn't help.

    Please help me understand the reason for this.

    My setup is: 2.6.0-RELEASE (amd64) + OpenVPN Server + FreeRadius Auth.

    On Android, at the same time, on the same server and with the same config, the connection may stay alive literally for days (tested).

    The OpenVPN Connect iOS logs on the client side are useless.

    Server logs show nothing suspicious. As I understand it, the disconnect is initiated by the client without any command from the server. Here is an example of one typical session:

    Aug 18 16:28:18	openvpn	26800	MANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
    Aug 18 16:28:18	openvpn	26800	MANAGEMENT: CMD 'status 2'
    Aug 18 16:28:18	openvpn	26800	MANAGEMENT: Client disconnected
    Aug 18 16:28:19	openvpn	26800	MULTI: multi_create_instance called
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 Re-using SSL/TLS context
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 TLS: Initial packet from [AF_INET]%client IP%:52893, sid=42283274 2f2be9b3
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 peer info: IV_VER=3.git::58b92569
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 peer info: IV_PLAT=ios
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 peer info: IV_NCP=2
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 peer info: IV_TCPNL=1
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 peer info: IV_PROTO=2
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 peer info: IV_SSO=openurl
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 TLS: Username/Password authentication deferred for username 'Voice3833' [CN SET]
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 [Voice3833] Peer Connection Initiated with [AF_INET]%client IP%:52893
    Aug 18 16:28:19	openvpn	26800	%client IP%:52893 PUSH: Received control message: 'PUSH_REQUEST'
    Aug 18 16:28:20	openvpn	16148	user 'Voice3833' authenticated
    Aug 18 16:28:20	openvpn	26800	Voice3833/%client IP%:52893 MULTI_sva: pool returned IPv4=10.170.0.5, IPv6=fe60::1003
    Aug 18 16:28:20	openvpn	23038	openvpn server 'ovpns2' user 'Voice3833' address '%client IP%' - connected
    Aug 18 16:28:20	openvpn	26800	Voice3833/%client IP%:52893 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_430ef178f510f6f529b8bbb9d1427d4e.tmp
    Aug 18 16:28:20	openvpn	26800	Voice3833/%client IP%:52893 MULTI: Learn: 10.170.0.5 -> Voice3833/%client IP%:52893
    Aug 18 16:28:20	openvpn	26800	Voice3833/%client IP%:52893 MULTI: primary virtual IP for Voice3833/%client IP%:52893: 10.170.0.5
    Aug 18 16:28:20	openvpn	26800	Voice3833/%client IP%:52893 MULTI: Learn: fe60::1003 -> Voice3833/%client IP%:52893
    Aug 18 16:28:20	openvpn	26800	Voice3833/%client IP%:52893 MULTI: primary virtual IPv6 for Voice3833/%client IP%:52893: fe60::1003
    Aug 18 16:28:20	openvpn	26800	Voice3833/%client IP%:52893 Data Channel: using negotiated cipher 'AES-256-GCM'
    Aug 18 16:28:20	openvpn	26800	Voice3833/%client IP%:52893 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
    Aug 18 16:28:20	openvpn	26800	Voice3833/%client IP%:52893 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Aug 18 16:28:20	openvpn	26800	Voice3833/%client IP%:52893 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Aug 18 16:28:20	openvpn	26800	Voice3833/%client IP%:52893 SENT CONTROL [Voice3833]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 1.1.1.1,redirect-gateway def1,redirect-gateway ipv6,tun-ipv6,route-gateway 10.170.0.1,topology subnet,ping 20,ping-restart 120,ifconfig-ipv6 fe60::1003/64 fe60::1,ifconfig 10.170.0.5 255.255.192.0,peer-id 3,cipher AES-256-GCM' (status=1)
    Aug 18 16:28:26	openvpn	26800	Voice3833/%client IP%:52893 PID_ERR replay-window backtrack occurred [1] [SSL-0] [0_00000000111111111111111111111111111111111111111111111111111111] 0:579 0:578 t=1660829306[0] r=[-1,64,15,1,1] sl=[61,64,64,528]
    Aug 18 16:34:36	openvpn	26800	Voice3833/%client IP%:52893 PID_ERR replay [2] [SSL-0] [0000000000000000000000000000000000000000000000000000000000000011] 0:7542 0:7540 t=1660829676[0] r=[-2,64,15,10,1] sl=[10,64,64,528]
    Aug 18 16:34:36	openvpn	26800	Voice3833/%client IP%:52893 AEAD Decrypt error: bad packet ID (may be a replay): [ #7540 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Aug 18 16:34:37	openvpn	26800	Voice3833/%client IP%:52893 PID_ERR replay [1] [SSL-0] [1111111111111111111111111111111111111111111111111111111111111122] 0:7542 0:7541 t=1660829677[0] r=[-3,64,15,10,1] sl=[10,64,64,528]
    Aug 18 16:34:37	openvpn	26800	Voice3833/%client IP%:52893 AEAD Decrypt error: bad packet ID (may be a replay): [ #7541 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Aug 18 16:34:37	openvpn	26800	Voice3833/%client IP%:52893 PID_ERR replay [0] [SSL-0] [1111111111111111111111111111111111111111111111111111111111111122] 0:7542 0:7542 t=1660829677[0] r=[-3,64,15,10,1] sl=[10,64,64,528]
    Aug 18 16:34:37	openvpn	26800	Voice3833/%client IP%:52893 AEAD Decrypt error: bad packet ID (may be a replay): [ #7542 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Aug 18 16:35:43	openvpn	26800	Voice3833/%client IP%:52893 SIGTERM[soft,remote-exit] received, client-instance exiting
    Aug 18 16:35:43	openvpn	30130	openvpn server 'ovpns2' user 'Voice3833' address '%client IP%' - disconnected
    

    Then it immediately repeats.

    Here is the server conf:

    dev ovpns2
    verb 4
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 20 120
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    auth SHA256
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local %local IP%
    engine rdrand
    tls-server
    server 10.170.0.0 255.255.192.0
    server-ipv6 fe60::/64
    client-config-dir /var/etc/openvpn/server2/csc
    verify-client-cert none
    username-as-common-name
    plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user UmFkaXVzQXV0aA== false server2 1195
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'OpenVPN' 1"
    lport 1195
    management /var/etc/openvpn/server2/sock unix
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 1.1.1.1"
    push "redirect-gateway def1"
    push "redirect-gateway ipv6"
    duplicate-cn
    capath /var/etc/openvpn/server2/ca
    cert /var/etc/openvpn/server2/cert 
    key /var/etc/openvpn/server2/key 
    dh /etc/dh-parameters.2048
    tls-crypt /var/etc/openvpn/server2/tls-crypt 
    data-ciphers AES-256-GCM:CHACHA20-POLY1305:AES-256-CBC
    data-ciphers-fallback AES-256-CBC
    allow-compression no
    persist-remote-ip
    float
    topology subnet
    explicit-exit-notify 1
    inactive 7200
    sndbuf 131072
    rcvbuf 131072
    reneg-sec 7200
    status openvpn-status.log
    

    And the client config:

    persist-tun
    persist-key
    ncp-ciphers AES-256-GCM:AES-256-CBC
    cipher AES-256-CBC
    auth SHA256
    tls-client
    client
    remote %hostname% 1195 udp
    nobind
    auth-user-pass
    remote-cert-tls server
    explicit-exit-notify
    reneg-sec 7200
    <ca>
    %CERT%
    </ca>
    setenv CLIENT_CERT 0
    <tls-crypt>
    %KEY%
    </tls-crypt>
    
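The session log quoted in the post shows the pattern this thread is about: PID_ERR replay / "bad packet ID" warnings a few minutes into the session, then a SIGTERM[soft,remote-exit] coming from the client rather than any server-side timeout. The script below is an added example, not part of this thread and not pfSense or OpenVPN code. It parses pfSense-style OpenVPN log lines (tab-separated timestamp, process, pid, message), groups them into per-client sessions keyed by the peer host:port, measures each session's lifetime from "Peer Connection Initiated" to its terminating signal, counts PID_ERR and AEAD bad-packet-ID warnings, records who ended the session (client remote-exit versus server ping-restart or --inactive), and flags client-terminated sessions that were both short and preceded by replay warnings. The sample lines are constructed to mirror the ones above, with placeholder peer addresses; the long-lived 'droid1' session and the 900-second "short session" threshold are assumptions for illustration.

```python
"""Per-session triage of pfSense OpenVPN server logs (added example, not from the thread)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample modelled on the log in the post above. 198.51.100.7 and
# 203.0.113.9 are placeholder peer addresses; the 'droid1' session is invented
# as a long-lived contrast case. Columns are tab separated, as in the pfSense log.
SAMPLE_LOG = """\
Aug 18 16:28:18\topenvpn\t26800\tMANAGEMENT: Client connected from /var/etc/openvpn/server2/sock
Aug 18 16:28:19\topenvpn\t26800\t198.51.100.7:52893 TLS: Username/Password authentication deferred for username 'Voice3833' [CN SET]
Aug 18 16:28:19\topenvpn\t26800\t198.51.100.7:52893 [Voice3833] Peer Connection Initiated with [AF_INET]198.51.100.7:52893
Aug 18 16:28:20\topenvpn\t16148\tuser 'Voice3833' authenticated
Aug 18 16:28:26\topenvpn\t26800\tVoice3833/198.51.100.7:52893 PID_ERR replay-window backtrack occurred [1] [SSL-0] 0:579 0:578
Aug 18 16:34:36\topenvpn\t26800\tVoice3833/198.51.100.7:52893 PID_ERR replay [2] [SSL-0] 0:7542 0:7540
Aug 18 16:34:36\topenvpn\t26800\tVoice3833/198.51.100.7:52893 AEAD Decrypt error: bad packet ID (may be a replay): [ #7540 ]
Aug 18 16:35:43\topenvpn\t26800\tVoice3833/198.51.100.7:52893 SIGTERM[soft,remote-exit] received, client-instance exiting
Aug 18 16:35:50\topenvpn\t26800\t203.0.113.9:41000 [droid1] Peer Connection Initiated with [AF_INET]203.0.113.9:41000
Aug 18 18:40:00\topenvpn\t26800\tdroid1/203.0.113.9:41000 SIGUSR1[soft,ping-restart] received, client-instance restarting
"""

# "Mon DD HH:MM:SS<TAB>openvpn<TAB>pid<TAB>message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\topenvpn\t\d+\t(?P<body>.*)$")
# Messages tied to a client carry "host:port " before auth and "user/host:port " after it.
PREFIX_RE = re.compile(r"^(?:(?P<user>[^\s/]+)/)?(?P<peer>\S+:\d+) (?P<msg>.*)$")
INIT_RE = re.compile(r"^\[(?P<user>[^\]]+)\] Peer Connection Initiated")

# Who tore the session down. The signal names are OpenVPN's own log wording.
END_MARKERS = (
    ("SIGTERM[soft,remote-exit]", "remote-exit"),    # client sent explicit-exit-notify
    ("SIGUSR1[soft,ping-restart]", "ping-restart"),  # server keepalive timer expired
    ("SIGTERM[soft,inactive]", "inactive"),          # server --inactive timer expired
)


@dataclass
class Session:
    peer: str
    user: Optional[str] = None
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    end_reason: Optional[str] = None
    pid_err: int = 0    # PID_ERR replay / backtrack warnings
    aead_err: int = 0   # AEAD Decrypt error: bad packet ID

    def duration_s(self) -> Optional[float]:
        if self.start and self.end:
            return (self.end - self.start).total_seconds()
        return None


def parse_sessions(log_text: str, year: int) -> List[Session]:
    """Group log lines into sessions; `year` is needed because the log omits it."""
    active: Dict[str, Session] = {}
    done: List[Session] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        p = PREFIX_RE.match(m["body"])
        if not p:
            continue  # MANAGEMENT, MULTI, auth-plugin lines: not tied to one peer
        peer, msg = p["peer"], p["msg"]
        init = INIT_RE.match(msg)
        if init:  # a new handshake on this host:port starts a fresh session
            active[peer] = Session(peer=peer, user=init["user"], start=ts)
            continue
        s = active.get(peer)
        if s is None:
            continue  # pre-handshake chatter (context reuse, MTU parms, ...)
        if "PID_ERR" in msg:
            s.pid_err += 1
        elif "AEAD Decrypt error: bad packet ID" in msg:
            s.aead_err += 1
        else:
            for marker, reason in END_MARKERS:
                if marker in msg:
                    s.end, s.end_reason = ts, reason
                    done.append(active.pop(peer))
                    break
    done.extend(active.values())  # sessions still open at end of log
    return done


def flag_flapping(sessions: List[Session], max_lifetime_s: float = 900.0) -> List[str]:
    """One finding per session that the *client* ended within max_lifetime_s
    after logging replay / bad-packet-ID warnings: the pattern seen in the thread."""
    findings = []
    for s in sessions:
        d = s.duration_s()
        if (s.end_reason == "remote-exit" and d is not None
                and d <= max_lifetime_s and (s.pid_err or s.aead_err)):
            findings.append(f"{s.user}@{s.peer}: client exited after {d:.0f}s with "
                            f"{s.pid_err} PID_ERR and {s.aead_err} bad-packet-ID warnings")
    return findings


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG, 2022)
    for s in sessions:
        print(f"{s.user:<10} {s.peer:<22} {s.duration_s():>8.0f}s  {s.end_reason:<12} "
              f"pid_err={s.pid_err} aead_err={s.aead_err}")
    for line in flag_flapping(sessions):
        print("FLAG:", line)
```

Run against a full day of the server log (with verb 4 or higher, as in the posted config) and the output separates client-initiated exits from server-side ping-restart timeouts per session; if only the iOS sessions show short lifetimes with replay warnings while Android sessions on the same server run for hours, that points at the client or its network path rather than at the server configuration.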
      khodorb @markedo
      last edited by Sep 23, 2022, 5:13 PM

      @markedo hi, did you have luck resolving this?

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.