Remote Access (SSL/TLS + User Auth) cellular (Verizon) connection issue



  • When connecting via Wi-Fi locally or remotely the iOS OpenVPN Connect app works. As soon as Wi-Fi is unavailable it will not connect. I can see it try and connect from pfsense and instead of the username under "Common Name" it says UNDEF. From my research this seems to mean the TLS is failing to authenticate but why would it work from Wi-Fi and not over LTE or 3G? I'm going to find an AT&T device and Android devices to try and I'll report back. This is with the latest update.



  • Just an offhand thought, but are you giving the OpenVPN tunnel time to "collapse" between trying under WiFi and then switching to cell?

    OpenVPN does a good job of maintaining connections under spotty inet conditions and I'm wondering if the previous good WiFi conx is conflicting with a new Cell conx using the same certificates?

    You might try:

    1. Power off the phone.
    2. Fully stop (disable check box in the setup page) the OpenVPN server and then restart.
    3. Power up the phone.
    4. Attempt to connect via Cell on phone.

    This is just to eliminate a possibility.
    Normally I have few issues (usually self-induced ones) with cell connections via OpenVPN.



  • @divsys:

    Just an offhand thought, but are you giving the OpenVPN tunnel time to "collapse" between trying under WiFi and then switching to cell?

    OpenVPN does a good job of maintaining connections under spotty inet conditions and I'm wondering if the previous good WiFi conx is conflicting with a new Cell conx using the same certificates?

    You might try:

    1. Power off the phone.
    2. Fully stop (disable check box in the setup page) the OpenVPN server and then restart.
    3. Power up the phone.
    4. Attempt to connect via Cell on phone.

    This is just to eliminate a possibility.
    Normally I have few issues (usually self-induced ones) with cell connections via OpenVPN.

    No such luck. I am pasting the log:

    2016-02-25 13:27:15 LZO-ASYM init swap=0 asym=1
    2016-02-25 13:27:15 Comp-stub init swap=0
    2016-02-25 13:27:15 EVENT: RESOLVE
    2016-02-25 13:27:15 Contacting xxxxxxxxxxxxxxx via UDP
    2016-02-25 13:27:15 EVENT: WAIT
    2016-02-25 13:27:15 SetTunnelSocket returned 1
    2016-02-25 13:27:15 Connecting to xxxxxxxxxxxxxxxxx (xxxxxxxxxxxxxx) via UDPv4
    2016-02-25 13:27:16 EVENT: CONNECTING
    2016-02-25 13:27:16 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
    2016-02-25 13:27:16 Creds: Username/Password
    2016-02-25 13:27:16 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
    IV_VER=3.0
    IV_PLAT=ios
    IV_NCP=1
    IV_SNAPPY=1
    IV_LZO=1
    IV_LZO_SWAP=1
    IV_LZ4=1
    IV_COMP_STUB=1

    2016-02-25 13:27:16 VERIFY OK: depth=1
    cert. version    : 3
    serial number    : 00
    issuer name      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    subject name      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    issued  on        : 2016-02-24 17:13:35
    expires on        : 2026-02-21 17:13:35
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=true
    key usage        : Key Cert Sign, CRL Sign

    2016-02-25 13:27:16 VERIFY OK: depth=0
    cert. version    : 3
    serial number    : 01
    issuer name      : xxxxxxxxxxxxxxxxxxxxxxxxxx
    subject name      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    issued  on        : 2016-02-24 17:13:35
    expires on        : 2026-02-21 17:13:35
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=false
    cert. type        : SSL Server
    key usage        : Digital Signature, Key Encipherment
    ext key usage    : TLS Web Server Authentication, ???

    2016-02-25 13:28:01 Session invalidated: KEEPALIVE_TIMEOUT
    2016-02-25 13:28:01 Client terminated, restarting in 2…
    2016-02-25 13:28:03 EVENT: RECONNECTING
    2016-02-25 13:28:03 LZO-ASYM init swap=0 asym=1
    2016-02-25 13:28:03 Comp-stub init swap=0
    2016-02-25 13:28:03 EVENT: RESOLVE
    2016-02-25 13:28:03 Contacting xxxxxxxxxxxxxxx via UDP
    2016-02-25 13:28:03 EVENT: WAIT
    2016-02-25 13:28:03 SetTunnelSocket returned 1
    2016-02-25 13:28:03 Connecting to xxxxxxxxxxxxxxxxxx (xxxxxxxxxxxxxxxxxxxxxx) via UDPv4
    2016-02-25 13:28:03 EVENT: CONNECTING
    2016-02-25 13:28:03 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
    2016-02-25 13:28:03 Creds: Username/Password
    2016-02-25 13:28:03 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
    IV_VER=3.0
    IV_PLAT=ios
    IV_NCP=1
    IV_SNAPPY=1
    IV_LZO=1
    IV_LZO_SWAP=1
    IV_LZ4=1
    IV_COMP_STUB=1

    2016-02-25 13:28:03 VERIFY OK: depth=1
    cert. version    : 3
    serial number    : 00
    issuer name      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    subject name      : xxxxxxxxxxxxxxxxxxxxxxxx
    issued  on        : 2016-02-24 17:13:35
    expires on        : 2026-02-21 17:13:35
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=true
    key usage        : Key Cert Sign, CRL Sign

    2016-02-25 13:28:03 VERIFY OK: depth=0
    cert. version    : 3
    serial number    : 01
    issuer name      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    subject name      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    issued  on        : 2016-02-24 17:13:35
    expires on        : 2026-02-21 17:13:35
    signed using      : RSA with SHA-256
    RSA key size      : 2048 bits
    basic constraints : CA=false
    cert. type        : SSL Server
    key usage        : Digital Signature, Key Encipherment
    ext key usage    : TLS Web Server Authentication, ???

    2016-02-25 13:28:15 EVENT: CONNECTION_TIMEOUT [ERR]
    2016-02-25 13:28:15 EVENT: DISCONNECTED
    2016-02-25 13:28:15 Raw stats on disconnect:
      BYTES_IN : 10588
      BYTES_OUT : 44488
      PACKETS_IN : 80
      PACKETS_OUT : 108
      KEEPALIVE_TIMEOUT : 1
      CONNECTION_TIMEOUT : 1
      N_RECONNECT : 1
    2016-02-25 13:28:15 Performance stats on disconnect:
      CPU usage (microseconds): 415746
      Network bytes per CPU second: 132475
      Tunnel bytes per CPU second: 0
    2016-02-25 13:28:15 EVENT: DISCONNECT_PENDING
    2016-02-25 13:28:15 ----- OpenVPN Stop -----
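As an added illustration (not code from this thread, OpenVPN or pfSense), here is a small Python triage script that reads a client log like the one above, splits it into connection attempts and reports how far each one got. The log sample is a trimmed copy of the posted log, and the reading of the stalled-handshake verdict in the comments is my interpretation, not something the thread confirms.

```python
import re

# Constructed sample: a trimmed copy of the OpenVPN Connect (iOS) log posted
# above (the poster had already redacted hostnames, so none appear here).
SAMPLE_LOG = """\
2016-02-25 13:27:15 EVENT: RESOLVE
2016-02-25 13:27:16 EVENT: CONNECTING
2016-02-25 13:27:16 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,tls-auth,tls-client
2016-02-25 13:27:16 VERIFY OK: depth=1
2016-02-25 13:27:16 VERIFY OK: depth=0
2016-02-25 13:28:01 Session invalidated: KEEPALIVE_TIMEOUT
2016-02-25 13:28:03 EVENT: RESOLVE
2016-02-25 13:28:03 EVENT: CONNECTING
2016-02-25 13:28:03 VERIFY OK: depth=0
2016-02-25 13:28:15 EVENT: CONNECTION_TIMEOUT [ERR]
  BYTES_IN : 10588
  BYTES_OUT : 44488
"""

# Milestones a client passes, in order, on the way to a working tunnel, and the
# log lines that mark them ("VERIFY OK: depth=0" = server leaf cert chained to our CA).
STAGES = ["RESOLVE", "CONNECTING", "SERVER_CERT_VERIFIED", "CONNECTED"]
MARKS = {"EVENT: CONNECTING": "CONNECTING",
         "VERIFY OK: depth=0": "SERVER_CERT_VERIFIED",
         "EVENT: CONNECTED": "CONNECTED"}

def diagnose(log_text):
    attempts, proto, stats = [], None, {}
    for line in log_text.splitlines():
        body = re.sub(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d ", "", line.strip())
        if body == "EVENT: RESOLVE":                     # each (re)connect starts here
            attempts.append({"stage": "RESOLVE", "ended_by": None})
        elif body in MARKS and attempts:
            attempts[-1]["stage"] = MARKS[body]
        elif body.startswith("Tunnel Options:") and (m := re.search(r"proto (\w+)", body)):
            proto = m.group(1)
        elif (m := re.search(r"(KEEPALIVE_TIMEOUT|CONNECTION_TIMEOUT)", body)) and attempts:
            attempts[-1]["ended_by"] = m.group(1)
        elif m := re.match(r"(BYTES_(?:IN|OUT)) : (\d+)$", body):
            stats[m.group(1)] = int(m.group(2))
    furthest = max((STAGES.index(a["stage"]) for a in attempts), default=-1)
    if furthest == 3:
        verdict = "connected"
    elif furthest == 2:
        # Server reply arrived and verified, so the port is reachable and the CA matches;
        # the session then died waiting. Points at the path (e.g. larger UDP packets lost
        # on the cellular link), not at a bad certificate.
        verdict = "handshake_stalled_after_server_cert"
    else:
        verdict = "no_server_response" if furthest >= 0 else "no_attempt"
    return {"attempts": attempts, "proto": proto, "stats": stats, "verdict": verdict}
```

Run `diagnose(SAMPLE_LOG)` to get two attempts that both reach SERVER_CERT_VERIFIED and end in timeouts; feed it a log from a working Wi-Fi session to see the "connected" verdict for comparison.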



  • Nothing obvious there...

    If that exact certificate connects properly via LAN WiFi, then I would say the certificate must be good.
    You're sure it can WiFi connect from a remote location?
    Certainly odd that a cell data conx would be different.

    Grasping at straws -
    What's the port on the pfSense Server, any chance the Cell provider is blocking it?
    Any chance the Cell net is blocking UDP traffic?
    What OpenVPN app are you using on the phone, can you update it?
    What about the time settings on the phone, any chance it's not getting correct time when on the cell net?

    Someone else chime in?



  • Just getting back to working on this problem. I am sure remotely this connects (have done it from my house via WiFi and even from a Verizon MiFi connected to a laptop).

    I have verified I can make it connect with a PIA (PrivateInternetAccess.com) account via cellular or WiFi.

    I am at a complete loss.



  • To me this is pointing to a Cell phone client/certificate issue.

    Perhaps wipe the OpenVPN client app and reinstall (or try a different one?)
    You might even want to go so far as to create a new certificate just for the phone to see if it can be made to connect at all via cell.

    Very perplexing...



  • @divsys:

    To me this is pointing to a Cell phone client/certificate issue.

    Perhaps wipe the OpenVPN client app and reinstall (or try a different one?)
    You might even want to go so far as to create a new certificate just for the phone to see if it can be made to connect at all via cell.

    Very perplexing...

    It's happening on more than one user.



  • It's happening on more than one user

    Do you mean it's happening with more than one certificate on the phone or on more than one phone?

    If more than one certificate, then definitely try dropping/changing (upgrading?) the phone app.
    Normally I like OpenVPN Connect as well, but perhaps it's being problematic here.

    If more than one phone, I'd be tempted to try another OpenVPN Server instance using a new port, CA, Cert to get a clean install.



  • @divsys:

    It's happening on more than one user

    Do you mean it's happening with more than one certificate on the phone or on more than one phone?

    If more than one certificate, then definitely try dropping/changing (upgrading?) the phone app.
    Normally I like OpenVPN Connect as well, but perhaps it's being problematic here.

    If more than one phone, I'd be tempted to try another OpenVPN Server instance using a new port, CA, Cert to get a clean install.

    More than one phone and more than one user.