Netgate Discussion Forum

    OpenVPN for iOS - Finally Available!

      gusdvg

      The VPN on Demand feature is really nice, and the iPhone Configuration Utility's generated plist file is a nice way to "package" the VPN profile for users. I found this project to convert PHP's data structures into plists (https://github.com/rodneyrehm/CFPropertyList) which could be a way to quickly generate the profile to iOS devices.

      If anyone wants to try this route, here are the instructions from the "Help" section of the OpenVPN app (attached).

      [openvpn vod for ios.txt](/public/imported_attachments/1/openvpn vod for ios.txt)

        jimp Rebel Alliance Developer Netgate

        OK, I put up a new version of the OpenVPN client export package again. Using the feedback from this thread and other sources, I fixed all the issues I'm aware of with the iOS client and options like tcp, etc.

        It should be more aware of a wider range of quirks needed for the iOS and Android OpenVPN clients, and configs should import without any complaints on both platforms.

        Note that if you're on 2.1 and you intend to use IPv6, you need to be on a snapshot from later today or tomorrow, and check the option to use topology subnet on the OpenVPN server. You can alternately put in "topology subnet" in the server's advanced configuration field if you're on an older snapshot.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          asterix

          Getting a lot of these in the logs. Is this normal?

          Jan 23 09:19:56 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: TLS handshake failed
          Jan 23 09:19:56 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Jan 23 09:19:46 openvpn[19318]: xxx.xxx.xxx.xxx:54073 TLS Error: TLS handshake failed
          Jan 23 09:19:46 openvpn[19318]: xxx.xxx.xxx.xxx:54073 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Jan 23 09:19:38 openvpn[19318]: xxx.xxx.xxx.xxx:60430 TLS Error: TLS handshake failed
          Jan 23 09:19:38 openvpn[19318]: xxx.xxx.xxx.xxx:60430 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          Jan 23 09:19:04 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:59847
          Jan 23 09:19:04 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950734) Wed Jan 23 09:18:54 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
          Jan 23 09:19:02 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:59847
          Jan 23 09:19:02 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950734) Wed Jan 23 09:18:54 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
          Jan 23 09:19:00 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:59847
          Jan 23 09:19:00 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950734) Wed Jan 23 09:18:54 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
          Jan 23 09:18:58 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:59847
          Jan 23 09:18:58 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950734) Wed Jan 23 09:18:54 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
          Jan 23 09:18:56 openvpn[19318]: xxx.xxx.xxx.xxx:59847 LZO compression initialized
          Jan 23 09:18:56 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Re-using SSL/TLS context
          Jan 23 09:18:54 openvpn[19318]: xxx.xxx.xxx.xxx:54073 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:54073
          Jan 23 09:18:54 openvpn[19318]: xxx.xxx.xxx.xxx:54073 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950724) Wed Jan 23 09:18:44 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

            jimp Rebel Alliance Developer Netgate

            @asterix:

            Getting a lot of these in the logs. Is this normal?

            Jan 23 09:19:38 openvpn[19318]: xxx.xxx.xxx.xxx:60430 TLS Error: TLS handshake failed
            Jan 23 09:19:38 openvpn[19318]: xxx.xxx.xxx.xxx:60430 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
            Jan 23 09:19:04 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:59847
            Jan 23 09:19:04 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950734) Wed Jan 23 09:18:54 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
            Jan 23 09:19:02 openvpn[19318]: xxx.xxx.xxx.xxx:59847 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:59847
            Jan 23 09:19:02 openvpn[19318]: xxx.xxx.xxx.xxx:59847 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358950734) Wed Jan 23 09:18:54 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

            That was already covered in this thread, at the end of the previous page/top of this one.

              asterix

              So adding "verb 1" in the config file will stop the errors?

                asterix

                With the new client package, import is successful on Android. But now I get a new error when trying to connect.

                OpenVPN core error: option_error: tls-remote not supported

                  jimp Rebel Alliance Developer Netgate

                  @asterix:

                  With the new client package, import is successful on Android. But now I get a new error when trying to connect.

                  OpenVPN core error: option_error: tls-remote not supported

                  Is that error from Android or iOS? The Android client supports tls-remote, but the iOS client does not.

                  Note that in the latest client export package there are separate links for the Android and iOS configs - they don't all go to the same file.

                    asterix

                    This error is coming from my Android device. I updated with Android config.. also tried "All Other Platforms" .. same error.

                    This wasn't an issue earlier when I used the basic inline config.

                      asterix

                      Just tested the iOS config on an iPhone and that worked. Though I still saw the below error.

                      Jan 23 11:07:17 openvpn[19318]: xxx.xxx.xxx.xxx:62546 TLS Error: incoming packet authentication failed from [AF_INET]xxx.xxx.xxx.xxx:62546
                      Jan 23 11:07:17 openvpn[19318]: xxx.xxx.xxx.xxx:62546 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358957236) Wed Jan 23 11:07:16 2013 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

                        asterix

                        Funny.. I used the iOS config on my Android and it worked. Something definitely is messing up the Android config generation.

                          jimp Rebel Alliance Developer Netgate

                          Which Android client are you using?

                          If it's the "OpenVPN Connect" client it may suffer the same limits as the iOS app.

                          I use this app on Android:
                          https://play.google.com/store/apps/details?id=de.blinkt.openvpn

                            asterix

                            I am using OpenVPN Connect

                              jimp Rebel Alliance Developer Netgate

                              then that explains it :-)

                              I'll have to find a way to reword the choices to make that clearer… but the client we link to on the doc wiki for Android is the one I linked above. I haven't tried OpenVPN connect on Android but it appears to function the same as the iOS app so the same config should work for both.

                              The client I linked for Android, IMO, is better. You can adjust many of the config options directly in the GUI rather than re-importing to make any changes.

                                jimp Rebel Alliance Developer Netgate

                                Updated the export package again, reworded the links a little. Also added a list of links to recommended and other clients at the bottom of the page.

                                  asterix

                                  meh ::)

                                  LOL !.. well at least that clarifies some confusion. The iOS/Android config download link still has iOS mentioned.. might get a bit confusing for first timers.

                                    jimp Rebel Alliance Developer Netgate

                                    No, there are two options for Android, "Android" (for OpenVPN for Android) and "OpenVPN Connect (Android/iOS)" (for OpenVPN connect on both platforms).

                                    The "iOS" config was not specific to iOS, it's only specific to the OpenVPN connect app.

                                    At least their quirks are cross-platform. :-)

                                      asterix

                                      Ya well I don't see "OpenVPN for Android" written next to them..

                                      This is what I see

                                      • Inline Configurations:
                                        Android | OpenVPN Connect (iOS/Android) | Others

                                        jimp Rebel Alliance Developer Netgate

                                        Yeah there's not a ton of room there to write it all out. I had to make room to put in what is there. I'm hoping someone is smart enough that if they installed OpenVPN Connect they'll at least consider the option of clicking the name of the client they did install.

                                        Or they'll be smarter and not install OpenVPN Connect on Android :p

                                          asterix

                                          Well I tried OpenVPN for Android.. as you recommended.. now I get this error while importing the android config

                                          Error reading config file
                                          Option tls-remote has 2 parameters, expected between 1 and 1

                                          Moving back to my iOS config on the Android. That works on this new client as well.

                                            jimp Rebel Alliance Developer Netgate

                                            Check the box to quote the server CN before exporting.

                                            And in the future, don't put spaces in your certificate common names. :-)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
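
The two tls-remote failures reported in the thread ("tls-remote not supported" on OpenVPN Connect, and "has 2 parameters, expected between 1 and 1" when the server CN contains a space) can be caught before a config is handed to a user. The following is an added example, not part of the original posts or of the export package: the function name, client labels, host name and CN are assumptions, and `shlex` only approximates OpenVPN's own tokenizer.

```python
import shlex

# Behaviour per client as reported in the thread: OpenVPN Connect (iOS/Android)
# rejects tls-remote; OpenVPN for Android accepts it with exactly one parameter.
# The dictionary keys are labels made up for this example.
SUPPORTS_TLS_REMOTE = {"openvpn-connect": False, "openvpn-for-android": True}


def lint_tls_remote(config_text, client):
    """Return (line_number, message) findings for tls-remote in an exported config."""
    findings = []
    inside_inline = False  # True while inside an inline <ca>, <cert>, <key> block
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("</"):
            inside_inline = False
            continue
        if line.startswith("<"):
            inside_inline = True
            continue
        if inside_inline or not line or line[0] in "#;":
            continue
        fields = line.split(None, 1)
        if fields[0] != "tls-remote":
            continue
        if not SUPPORTS_TLS_REMOTE[client]:
            findings.append((number, "tls-remote not supported by this client"))
            continue
        try:
            # Whitespace separates parameters unless the value is quoted.
            params = shlex.split(fields[1]) if len(fields) > 1 else []
        except ValueError:
            findings.append((number, "unbalanced quote in tls-remote value"))
            continue
        if len(params) != 1:
            findings.append(
                (number, f"tls-remote has {len(params)} parameters, expected 1; quote the CN"))
    return findings


# Constructed sample export; host name, CN and certificate body are placeholders.
TEMPLATE = ("client\ndev tun\nproto udp\nremote vpn.example.com 1194\n{tls_remote}\n"
            "<ca>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n"
            "-----END CERTIFICATE-----\n</ca>\n")
UNQUOTED = TEMPLATE.format(tls_remote="tls-remote Example Server")
QUOTED = TEMPLATE.format(tls_remote='tls-remote "Example Server"')

if __name__ == "__main__":
    for label, text, client in [("unquoted CN", UNQUOTED, "openvpn-for-android"),
                                ("quoted CN", QUOTED, "openvpn-for-android"),
                                ("quoted CN", QUOTED, "openvpn-connect")]:
        print(label, client, lint_tls_remote(text, client))
```
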