OVPN export to iOS fails
-
Hello, I am at wits' end trying to get my OpenVPN client to connect to my pfSense firewall.
I have completed the guide here: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html
When I attempt to import the VPN profile on my iPhone, I get what is shown in the screenshot.
I have tried several different crypto algorithms but nothing seems to work. I have verified that the OpenVPN service is running on pfSense, seen here:
And here is a snip of the crypto config server side.
Can someone please help!
-
Probably the iOS OpenSSL library doesn't support that cipher;
try to use AES-128-CBC in the Encryption Algorithm field.
-
OK, got that working, now the connection is timing out.... any ideas?
I can see the inbound firewall rule for OpenVPN accepting the traffic. It just does not connect.
-
@havockk This is a different connection issue.
Check your firewall rules and OpenVPN settings,
post more details - config, log, etc.
-
Packet capture from WAN interface:
18:13:24.100702 10:e8:78:e0:21:d8 > 40:62:31:0a:71:c8, ethertype IPv4 (0x0800), length 128: (tos 0x0, ttl 53, id 28697, offset 0, flags [none], proto UDP (17), length 114)
[client wan address].1464 > [server wan address].1195: [udp sum ok] UDP, length 86
18:13:24.100942 40:62:31:0a:71:c8 > 00:12:1e:22:a3:f0, ethertype IPv4 (0x0800), length 140: (tos 0x0, ttl 64, id 51957, offset 0, flags [none], proto UDP (17), length 126)
[server wan address].1195 > [client wan address].1464: [udp sum ok] UDP, length 98
When I attempt to capture packets on the OpenVPN interface, no information is in the output.
Is this enough information?
-
Client profile export:
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-128-GCM
auth SHA512
tls-client
client
remote [Server WAN address] 1195 udp4
verify-x509-name "Home vpn" name
auth-user-pass
remote-cert-tls server
compress
-
Bump
-
The difference to my working iOS config (running the latest iOS and OpenVPN app) is this:
dev tun
cipher AES-256-GCM
ncp-disable
auth SHA256
resolv-retry infinite
remote [Server WAN address] 1195 udp
-Rico
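As an added example (not code from the thread, pfSense or OpenVPN): a small Python script that parses two .ovpn profiles into directive maps and lists which directives are missing or differ, which is how one would narrow down an import or connect failure like the one above. The sample profiles are constructed from this thread: the poster's exported profile, and that same profile with Rico's working-config directives applied; the bracketed server address placeholder is left as-is. The `<ca>`-style block handling is an assumption about the inline-certificate syntax, kept so certificate bodies do not clutter the comparison.

```python
"""Compare two OpenVPN client profiles directive by directive (added example)."""
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample: the client export posted in the thread.
EXPORTED_PROFILE = """\
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-128-GCM
auth SHA512
tls-client
client
remote [Server WAN address] 1195 udp4
verify-x509-name "Home vpn" name
auth-user-pass
remote-cert-tls server
compress
"""

# Constructed sample: the export above with Rico's working iOS directives applied.
WORKING_PROFILE = """\
dev tun
persist-tun
persist-key
cipher AES-256-GCM
ncp-disable
auth SHA256
tls-client
client
resolv-retry infinite
remote [Server WAN address] 1195 udp
verify-x509-name "Home vpn" name
auth-user-pass
remote-cert-tls server
"""

Args = Optional[List[str]]


def parse_profile(text: str) -> Dict[str, List[str]]:
    """Map each directive name to its argument list.

    Blank lines and '#'/';' comments are skipped. An inline block such as
    <ca> ... </ca> becomes one directive whose single argument is the block body.
    """
    directives: Dict[str, List[str]] = {}
    block_name: Optional[str] = None
    block_lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if block_name is not None:
            if line == f"</{block_name}>":
                directives[block_name] = ["\n".join(block_lines)]
                block_name, block_lines = None, []
            else:
                block_lines.append(line)
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block_name = line[1:-1]
            continue
        # shlex keeps quoted arguments such as "Home vpn" together.
        name, *args = shlex.split(line)
        directives[name] = args
    return directives


def diff_profiles(a: Dict[str, List[str]], b: Dict[str, List[str]]) -> Dict[str, Tuple[Args, Args]]:
    """Return {directive: (args_in_a, args_in_b)} for every directive that is
    absent on one side (None) or has different arguments."""
    result: Dict[str, Tuple[Args, Args]] = {}
    for name in sorted(set(a) | set(b)):
        if a.get(name) != b.get(name):
            result[name] = (a.get(name), b.get(name))
    return result


def report(exported: str, working: str) -> List[str]:
    """Human-readable lines describing how `exported` differs from `working`."""
    lines = []
    for name, (left, right) in diff_profiles(parse_profile(exported), parse_profile(working)).items():
        if left is None:
            lines.append(f"{name}: only in working profile ({' '.join(right)})")
        elif right is None:
            lines.append(f"{name}: only in exported profile ({' '.join(left)})")
        else:
            lines.append(f"{name}: exported '{' '.join(left)}' vs working '{' '.join(right)}'")
    return lines


if __name__ == "__main__":
    for entry in report(EXPORTED_PROFILE, WORKING_PROFILE):
        print(entry)
```

Running it prints one line per differing directive (here: auth, cipher, compress, dev, ncp-ciphers, ncp-disable, remote and resolv-retry), so the cipher/auth and udp4-vs-udp differences discussed in the thread stand out without reading the two files side by side.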
-
This also works just fine with all kinds of "i" stuff:
dev tun
tun-ipv6
persist-tun
persist-key
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote work.work-domain.tld 1194 udp4
.....
-
Maybe there is a problem with
auth SHA512
and iOS?
-Rico
-
@Rico said in OVPN export to iOS fails:
Maybe there is a problem with auth SHA512 and iOS?
No, since I just set it and it worked just fine..
iPhone XR running 13.5.1 with OpenVPN Connect 3.1.2 (3096)
persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-128-GCM:AES-192-GCM:AES-256-GCM:AES-128-CBC:AES-192-CBC:AES-256-CBC
auth SHA512
tls-client
client
remote 64.53.x.x 1194 udp4
verify-x509-name "pfsenseopenvpn" name
remote-cert-tls server
-
udp4
VSudp
? :-)
-Rico
-
Well, not running it on IPv6.. So yeah, it's set to UDP v4 only...
-
Yeah NM, I see Gertjan is also using udp4 in the config like TO.
-Rico
-
Why would I set it for both if I only want it on v4 ;)
The export wizard does that automatically, since that is how the server instance is set.
The WAN interface doesn't have v6, so if I wanted to do VPN over IPv6 I would have to set up a different instance via the HE tunnel interface. No point in that; even though my phone only gets an IPv6 address, it can connect to the IPv4 address just fine.. Many a mobile carrier is going that route.. T-Mobile only hands out IPv6 for phones, at least here in Chicagoland.
The one real use of IPv6 currently - supplying IPs to the BILLIONS of mobile phones ;)
-
@Rico said in OVPN export to iOS fails:
Yeah NM, I see Gertjan is also using udp4 in the config like TO.
You bet it is!
I'm actually VPN-ing into work just to get my iPhone 'multistacked' ^^
All this over a UDP IPv4 link, of course.