OpenVPN for iOS - Finally Available!
-
Boo… No tap...
-
The Android client also doesn't have tap.
It's mostly due to the OS in both cases, not much the client can do about it.
Unrelated to that, but I added a howto for the iOS client here today:
http://doc.pfsense.org/index.php/OpenVPN_on_iOS
-
I had to slightly modify the exported configuration file. Replaced "option tcp-client" with "option tcp", and OpenVPN imported the configuration file. It is working flawlessly.
Thank you!
-
The Android client also doesn't have tap.
It's mostly due to the OS in both cases, not much the client can do about it.
Unrelated to that, but I added a howto for the iOS client here today:
http://doc.pfsense.org/index.php/OpenVPN_on_iOS
Figures… All I want is to be able to watch my TiVo while away from home... I know it's possible with a jailbreak.
Anyway, can you provide directions on what server options to use with an iOS device? I set up OVPN on one of my boxes and it connects but I can't see any devices on the other side or get any Internet access (I enabled the option to force all traffic through the tunnel).
-
Hi, great news!
It was easy to set-up and the connections are stable. Tried with two iOS devices with Netflix and internet radio for a couple of hours 8)
I just had to check the logs and I see the following error every time a user connects (it works, but I'm curious why and if this is a real error in my config):
Jan 19 14:11:22 openvpn[17791]: username/xx.xx.217.243:60904 send_push_reply(): safe_cap=960
Jan 19 14:11:21 openvpn[17791]: username/xx.xx.217.243:60904 MULTI_sva: pool returned IPv4=xx.xx.xx.6, IPv6=::x
Jan 19 14:11:21 openvpn[17791]: xx.xx.217.243:60904 [username] Peer Connection Initiated with [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:20 openvpn: user username authenticated
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #42 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:10:59 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:10:59 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:10:58 openvpn[17791]: xx.xx.217.243:60904 LZO compression initialized
Jan 19 14:10:58 openvpn[17791]: xx.xx.217.243:60904 Re-using SSL/TLS context
I have put 'mute-replay-warnings' in my configs but those messages stay…
-
It works flawlessly for me. I also succeeded in importing the cert and key into the iOS keychain without issues. You have to use the command line to create a .p12 password protected file containing both the certificate and the private key, then import it onto iOS via the Mail app. Then you have to edit the inline config that pfSense exported and remove the "cert" and "key" sections, but leave the "ca" section. When you import this "certless" .ovpn file, the client will ask for an installed certificate and voila!!
It's all explained on the "help" option within the app ;)
It would be great to add these 2 items to the OpenVPN Client Export package:
- Ability to export the "certless" and "keyless" OpenVPN inline config
- Ability to export the password protected .p12 file
Cheers!!
EDIT: in fact, the help says that you should be able to embed the CA cert onto the .p12 file as well using the "-certfile" option, but it didn't work for me. The app complained about the CA cert being in the incorrect format. So I left it on the .ovpn file. Perhaps anyone got it right?
-
Works great for me. But is there any way to send all data through OpenVPN on iPhone?
-
Works great for me. But is there any way to send all data through OpenVPN on iPhone?
Yup! Just add the following to the config file before importing:
redirect-gateway
-
Works great for me. But is there any way to send all data through OpenVPN on iPhone?
Yup! Just add the following to the config file before importing:
redirect-gateway
thanks a lot!
-
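The three edits this thread arrives at by hand (replacing "proto tcp-client" with "proto tcp", removing the <cert> and <key> sections while keeping <ca>, and adding redirect-gateway) are easy to get wrong when done in a text editor on a phone, and a profile that still carries the private key should never be mailed or dropped into Dropbox. The script below is an added example, not pfSense or OpenVPN code: the sample .ovpn is constructed in the style of a pfSense inline export with placeholder PEM bodies, and the function names are the editor's own.

```python
"""Rewrite a pfSense inline .ovpn export into the shape the iOS client accepted
in this thread: 'proto tcp' instead of 'proto tcp-client', no embedded client
cert/key (those go into a password-protected .p12), and all traffic redirected.

Added example; not pfSense or OpenVPN code. Sample config and function names
are the editor's own.
"""
import re

# Constructed sample in the style of a pfSense inline export. PEM bodies are
# placeholders, not real key material.
SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote vpn.example.com 443
proto tcp-client
lport 0
verify-x509-name "vpn-server" name
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
"""

# One <tag> ... </tag> inline section; tag names as OpenVPN uses them (ca, cert, key, tls-auth, ...)
INLINE_BLOCK_RE = re.compile(
    r"^<(?P<tag>[a-z-]+)>[ \t]*\n.*?^</(?P=tag)>[ \t]*(?:\n|\Z)", re.S | re.M
)


def inline_blocks(text):
    """Return the names of the inline sections present, in file order."""
    return [m["tag"] for m in INLINE_BLOCK_RE.finditer(text)]


def fix_proto(text):
    """'proto tcp-client' -> 'proto tcp', also when given as 4th argument of 'remote'."""
    text = re.sub(r"^(proto[ \t]+)tcp-client[ \t]*$", r"\g<1>tcp", text, flags=re.M)
    return re.sub(r"^(remote[ \t]+\S+[ \t]+\d+[ \t]+)tcp-client[ \t]*$", r"\g<1>tcp", text, flags=re.M)


def strip_blocks(text, tags=("cert", "key")):
    """Drop the named inline sections; everything else (e.g. <ca>) is kept verbatim."""
    return INLINE_BLOCK_RE.sub(lambda m: "" if m["tag"] in tags else m[0], text)


def ensure_option(text, option):
    """Append a directive unless one with the same keyword is already present."""
    keyword = option.split()[0]
    if re.search(rf"^{re.escape(keyword)}\b", text, flags=re.M):
        return text
    return text.rstrip("\n") + "\n" + option + "\n"


def contains_private_key(text):
    """True if a PEM private-key block is embedded: such a file must not travel by mail or Dropbox."""
    return "PRIVATE KEY-----" in text


def convert_for_ios(text, certless=True, redirect_all=True):
    """Apply the three edits from the thread; idempotent on already-converted input."""
    text = fix_proto(text)
    if certless:
        text = strip_blocks(text, ("cert", "key"))
    if redirect_all:
        text = ensure_option(text, "redirect-gateway")
    return text


if __name__ == "__main__":
    converted = convert_for_ios(SAMPLE_OVPN)
    assert not contains_private_key(converted)
    print(converted)
```

The cert and key removed here are the ones that go into the password-protected .p12 the post above describes; the usual way to build that is `openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12` (file names assumed). The bare `redirect-gateway` form is used because that is what the thread posts; OpenVPN also accepts `redirect-gateway def1`, which adds two /1 routes instead of replacing the default route and is the more robust choice on networks where the original default route must survive. Run `contains_private_key` on any profile before it leaves the machine it was exported on.
-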
I have put 'mute-replay-warnings' in my configs but those messages stay…
Lyserge, have you tried "verb 1" in your config?
-
The number one suspect for repeated replay warnings is a mismatched clock between the two nodes.
-
The number one suspect for repeated replay warnings is a mismatched clock between the two nodes.
Should I also check the time/date in the BIOS of my Soekris net5501 (with crypto card) ? :-\
pfSense and my laptop are configured with time.euro.apple.com and are in sync with my iPhone 4 (tried to manually set the time, reboot etc).
Every connection has very similar logs, the connection time is always 21 seconds and bad packet ID #3 and #43 are shown every time in the server logs.
Running OpenVPN server on UDP/443. CA and server/user certs are 2048 bits (RSA+SHA1)
pfSense WebConfigurator running on custom port…
-
This freaking ROCKS!!!! I have been waiting for this for a while.. Works great - bing bang zoom. I just used dropbox to get my inline config to my ipad.
Seems it does not support tcp though? I tried my tcp config and it gave an error about proto tcp. But works like a champ using udp.
Thanks!!!! And great doc as well, I would add the Dropbox option as a way to get your .ovpn file to your device – oh I can edit docs, might have to add that. Again thanks this is SWEET!
Now just have to see if can get the ipv6 over openvpn working.
-
It does support TCP but read back a few posts for the edit to make so it works.
I will have to make separate inline export options for iOS and "everything else" since this client seems to have a lot of quirks with what it accepts, and there's no need to nerf the other platforms because this one hasn't (yet) caught up.
-
I tried the "option tcp" in the config - it now loads it, since I removed proto tcp, but it's not connecting - looks like it's trying to connect with udp on my tcp port. Could you post an example client config you got for using tcp?
I use my current tcp configuration on my Windows desktop every day without any issues. So I know the server is working, etc.
edit: odd, now it's working - I put back the proto tcp, along with option tcp and it's working via tcp! Sweet!
edit: working great now, did a couple of edits on my files. And works great now have a tcp profile and udp profile. Now this thread mentions Android.. So asking too much I am sure but is this going to work with Kindle Fire?? That would be the icing on the cake!
-
The VPN on Demand feature is really nice, and the iPhone Configuration Utility's generated plist file is a nice way to "package" the VPN profile for users. I found this project to convert PHPs data structures into plists (https://github.com/rodneyrehm/CFPropertyList) which could be a way to quickly generate the profile to iOS devices.
If anyone wants to try this route, here are the instructions from the "Help" section of the OpenVPN app (attached).
[openvpn vod for ios.txt](/public/imported_attachments/1/openvpn vod for ios.txt)
-
OK, I put up a new version of the OpenVPN client export package again. Using the feedback from this thread and other sources, I fixed all the issues I'm aware of with the iOS client and options like tcp, etc.
It should be more aware of a wider range of quirks needed for the iOS and Android OpenVPN clients, and configs should import without any complaints on both platforms.
Note that if you're on 2.1 and you intend to use IPv6, you need to be on a snapshot from later today or tomorrow, and check the option to use topology subnet on the OpenVPN server. You can alternately put in "topology subnet" in the server's advanced configuration field if you're on an older snapshot.
-
Getting a lot of these in the logs. Is this normal?
Jan 23 09:19:56 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: TLS handshake failed
Jan 23 09:19:56 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 23 09:19:46 openvpn[19318]: xxx.xxx.xxx.xxx:54073 TLS Error: TLS handshake failed
Jan 23 09:19:46 openvpn[19318]: xxx.xxx.xxx.xxx:54073 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 23 09:19:38 openvpn[19318]: xxx.xxx.xxx.xxx:60430 TLS Error: TLS handshake failed
Jan 23 09:19:38 openvpn[19318]: xxx.xxx.xxx.xxx:60430 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 23 09:19:04 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:59847
Jan 23 09:19:04 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950734) Wed Jan 23 09:18:54 2013 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jan 23 09:19:02 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:59847
Jan 23 09:19:02 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950734) Wed Jan 23 09:18:54 2013 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jan 23 09:19:00 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:59847
Jan 23 09:19:00 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950734) Wed Jan 23 09:18:54 2013 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jan 23 09:18:58 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:59847
Jan 23 09:18:58 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950734) Wed Jan 23 09:18:54 2013 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jan 23 09:18:56 openvpn[19318]: xxx.xxx.xxx.xxx:59847 LZO compression initialized
Jan 23 09:18:56 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Re-using SSL/TLS context
Jan 23 09:18:54 openvpn[19318]: xxx.xxx.xxx.xxx:54073 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:54073
Jan 23 09:18:54 openvpn[19318]: xxx.xxx.xxx.xxx:54073 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950724) Wed Jan 23 09:18:44 2013 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
-
Getting a lot of these in the logs. Is this normal?
Jan 23 09:19:38 openvpn[19318]: xxx.xxx.xxx.xxx:60430 TLS Error: TLS handshake failed
Jan 23 09:19:38 openvpn[19318]: xxx.xxx.xxx.xxx:60430 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 23 09:19:04 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:59847
Jan 23 09:19:04 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950734) Wed Jan 23 09:18:54 2013 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jan 23 09:19:02 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:59847
Jan 23 09:19:02 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950734) Wed Jan 23 09:18:54 2013 ] – see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
That was already covered in this thread, at the end of the previous page/top of this one.
-
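Both sets of logs posted in this thread raise the same question: is "bad packet ID (may be a replay)" a clock problem, a network problem, or noise? The bracketed time in that warning is the timestamp the sender put into the packet, while the syslog stamp at the front of the line is the server's own clock, so the two can be compared directly; and in the logs above the same ID (#3, then #43) arrives several times within one second, which is what repeated or duplicated packets look like rather than a skewed clock. The script below is an added example from the editor, not from the thread or from OpenVPN: it groups the messages per client endpoint and applies exactly those two heuristics (the 60 s skew threshold is an arbitrary assumption, not an OpenVPN default), then reports whether the session ever reached "Peer Connection Initiated" or died in "TLS handshake failed". The log lines are constructed to mirror the format quoted in the thread, using RFC 5737 documentation addresses; the second peer is given a sender timestamp about 19 minutes behind the server to show the skew case.

```python
"""Triage OpenVPN server log lines: replay warnings vs. handshake failures, per peer.

Added example, not from the thread. The heuristics (60 s skew threshold;
"same packet ID repeated within seconds = duplicated packets, not clock skew")
are the editor's assumptions, not OpenVPN documentation.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the syslog lines quoted in the thread.
# Addresses are RFC 5737 documentation ranges; this is not real traffic.
SAMPLE_LOG = """\
Jan 19 14:10:58 openvpn[17791]: 198.51.100.7:60904 Re-using SSL/TLS context
Jan 19 14:10:59 openvpn[17791]: 198.51.100.7:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:10:59 openvpn[17791]: 198.51.100.7:60904 TLS Error: incoming packet authentication failed from [AF_INET]198.51.100.7:60904
Jan 19 14:11:05 openvpn[17791]: 198.51.100.7:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:05 openvpn[17791]: 198.51.100.7:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:05 openvpn[17791]: 198.51.100.7:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:20 openvpn: user username authenticated
Jan 19 14:11:21 openvpn[17791]: 198.51.100.7:60904 [username] Peer Connection Initiated with [AF_INET]198.51.100.7:60904
Jan 19 14:11:22 openvpn[17791]: username/198.51.100.7:60904 send_push_reply(): safe_cap=960
Jan 19 14:12:40 openvpn[17791]: 203.0.113.9:54073 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358600000) Sat Jan 19 13:53:20 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jan 19 14:13:40 openvpn[17791]: 203.0.113.9:54073 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 19 14:13:40 openvpn[17791]: 203.0.113.9:54073 TLS Error: TLS handshake failed
"""

# syslog stamp, optional "user/" prefix, peer ip:port, rest of message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) openvpn\[\d+\]: "
    r"(?:[^\s/]+/)?(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$"
)
# packet id and the sender's human-readable timestamp inside the replay warning
REPLAY_RE = re.compile(
    r"bad packet ID \(may be a replay\): \[ #(?P<pid>\d+) / time = \(\d+\) "
    r"(?P<ptime>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \]"
)
SKEW_THRESHOLD_S = 60  # assumption: beyond this, blame the clocks first


def _new_peer():
    return {"replays": 0, "dup_ids": 0, "handshake_failures": 0,
            "connected": False, "max_skew_s": 0.0, "seen_ids": set()}


def verdict(stats):
    """Heuristic one-line diagnosis for a peer's counters."""
    if stats["max_skew_s"] > SKEW_THRESHOLD_S:
        return f"clock skew: sender timestamp {stats['max_skew_s']:.0f}s from server log time"
    if stats["dup_ids"]:
        return "duplicated packet IDs within seconds: repeated packets, not clock skew"
    if stats["handshake_failures"] and not stats["connected"]:
        return "handshake never completed"
    return "isolated replay warnings; session established" if stats["connected"] else "isolated replay warnings"


def triage(log_text):
    """Group warnings per peer endpoint and attach a verdict to each."""
    peers = defaultdict(_new_peer)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # lines without a peer address (e.g. auth script output) are skipped
            continue
        p, msg = peers[m["peer"]], m["msg"]
        r = REPLAY_RE.search(msg)
        if r:
            p["replays"] += 1
            pid = int(r["pid"])
            if pid in p["seen_ids"]:
                p["dup_ids"] += 1
            p["seen_ids"].add(pid)
            # bracketed time is the sender's clock; the syslog stamp is the server's
            peer_time = datetime.strptime(r["ptime"], "%a %b %d %H:%M:%S %Y")
            log_time = datetime.strptime(f"{m['ts']} {peer_time.year}", "%b %d %H:%M:%S %Y")
            p["max_skew_s"] = max(p["max_skew_s"], abs((log_time - peer_time).total_seconds()))
        elif "TLS key negotiation failed" in msg or "TLS handshake failed" in msg:
            p["handshake_failures"] += 1
        elif "Peer Connection Initiated" in msg:
            p["connected"] = True
    return {peer: {**stats, "verdict": verdict(stats)} for peer, stats in peers.items()}


if __name__ == "__main__":
    for peer, stats in triage(SAMPLE_LOG).items():
        print(f"{peer}: replays={stats['replays']} dup_ids={stats['dup_ids']} "
              f"handshake_failures={stats['handshake_failures']} -> {stats['verdict']}")
```

Feed it the raw syslog text (the pfSense log viewer shows newest first; order does not matter to the script). A peer whose warnings all carry the same sender timestamp within a few seconds of the server clock and then reaches "Peer Connection Initiated", as in the first log in this thread, is a working session with repeated packets; a peer whose sender timestamp is minutes off is the clock case the post above points at, and that is where checking NTP on both ends pays off.
-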
So adding "verb 1" in the config file will stop the errors?