Netgate Discussion Forum

    Remote Access (SSL/TLS +User Auth) cellular (Verizon) connection issue

      JFord

      When connecting via Wi-Fi locally or remotely the iOS OpenVPN Connect app works. As soon as Wi-Fi is unavailable it will not connect. I can see it try and connect from pfSense and instead of the username under "Common Name" it says UNDEF. From my research this seems to mean the TLS is failing to authenticate but why would it work from Wi-Fi and not over LTE or 3G? I'm going to find an AT&T device and Android devices to try and I'll report back. This is with the latest update.

        divsys

        Just an offhand thought, but are you giving the OpenVPN tunnel time to "collapse" between trying under WiFi and then switching to cell?

        OpenVPN does a good job of maintaining connections under spotty inet conditions and I'm wondering if the previous good WiFi conx is conflicting with a new Cell conx using the same certificates?

        You might try:

        1. Power off the phone.
        2. Fully stop (disable check box in the setup page) the OpenVPN server and then restart.
        3. Power up the phone.
        4. Attempt to connect via Cell on phone.

        This is just to eliminate a possibility.
        Normally I have few issues (usually self-induced ones) with cell connections via OpenVPN.

        -jfp

          JFord

          @divsys:

          Just an offhand thought, but are you giving the OpenVPN tunnel time to "collapse" between trying under WiFi and then switching to cell?

          OpenVPN does a good job of maintaining connections under spotty inet conditions and I'm wondering if the previous good WiFi conx is conflicting with a new Cell conx using the same certificates?

          You might try:

          1. Power off the phone.
          2. Fully stop (disable check box in the setup page) the OpenVPN server and then restart.
          3. Power up the phone.
          4. Attempt to connect via Cell on phone.

          This is just to eliminate a possibility.
          Normally I have few issues (usually self-induced ones) with cell connections via OpenVPN.

          No such luck. I am pasting the log:

          2016-02-25 13:27:15 LZO-ASYM init swap=0 asym=1
          2016-02-25 13:27:15 Comp-stub init swap=0
          2016-02-25 13:27:15 EVENT: RESOLVE
          2016-02-25 13:27:15 Contacting xxxxxxxxxxxxxxx via UDP
          2016-02-25 13:27:15 EVENT: WAIT
          2016-02-25 13:27:15 SetTunnelSocket returned 1
          2016-02-25 13:27:15 Connecting to xxxxxxxxxxxxxxxxx (xxxxxxxxxxxxxx) via UDPv4
          2016-02-25 13:27:16 EVENT: CONNECTING
          2016-02-25 13:27:16 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
          2016-02-25 13:27:16 Creds: Username/Password
          2016-02-25 13:27:16 Peer Info:
          IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
          IV_VER=3.0
          IV_PLAT=ios
          IV_NCP=1
          IV_SNAPPY=1
          IV_LZO=1
          IV_LZO_SWAP=1
          IV_LZ4=1
          IV_COMP_STUB=1

          2016-02-25 13:27:16 VERIFY OK: depth=1
          cert. version    : 3
          serial number    : 00
          issuer name      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          subject name      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          issued  on        : 2016-02-24 17:13:35
          expires on        : 2026-02-21 17:13:35
          signed using      : RSA with SHA-256
          RSA key size      : 2048 bits
          basic constraints : CA=true
          key usage        : Key Cert Sign, CRL Sign

          2016-02-25 13:27:16 VERIFY OK: depth=0
          cert. version    : 3
          serial number    : 01
          issuer name      : xxxxxxxxxxxxxxxxxxxxxxxxxx
          subject name      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          issued  on        : 2016-02-24 17:13:35
          expires on        : 2026-02-21 17:13:35
          signed using      : RSA with SHA-256
          RSA key size      : 2048 bits
          basic constraints : CA=false
          cert. type        : SSL Server
          key usage        : Digital Signature, Key Encipherment
          ext key usage    : TLS Web Server Authentication, ???

          2016-02-25 13:28:01 Session invalidated: KEEPALIVE_TIMEOUT
          2016-02-25 13:28:01 Client terminated, restarting in 2…
          2016-02-25 13:28:03 EVENT: RECONNECTING
          2016-02-25 13:28:03 LZO-ASYM init swap=0 asym=1
          2016-02-25 13:28:03 Comp-stub init swap=0
          2016-02-25 13:28:03 EVENT: RESOLVE
          2016-02-25 13:28:03 Contacting xxxxxxxxxxxxxxx via UDP
          2016-02-25 13:28:03 EVENT: WAIT
          2016-02-25 13:28:03 SetTunnelSocket returned 1
          2016-02-25 13:28:03 Connecting to xxxxxxxxxxxxxxxxxx (xxxxxxxxxxxxxxxxxxxxxx) via UDPv4
          2016-02-25 13:28:03 EVENT: CONNECTING
          2016-02-25 13:28:03 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
          2016-02-25 13:28:03 Creds: Username/Password
          2016-02-25 13:28:03 Peer Info:
          IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
          IV_VER=3.0
          IV_PLAT=ios
          IV_NCP=1
          IV_SNAPPY=1
          IV_LZO=1
          IV_LZO_SWAP=1
          IV_LZ4=1
          IV_COMP_STUB=1

          2016-02-25 13:28:03 VERIFY OK: depth=1
          cert. version    : 3
          serial number    : 00
          issuer name      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          subject name      : xxxxxxxxxxxxxxxxxxxxxxxx
          issued  on        : 2016-02-24 17:13:35
          expires on        : 2026-02-21 17:13:35
          signed using      : RSA with SHA-256
          RSA key size      : 2048 bits
          basic constraints : CA=true
          key usage        : Key Cert Sign, CRL Sign

          2016-02-25 13:28:03 VERIFY OK: depth=0
          cert. version    : 3
          serial number    : 01
          issuer name      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          subject name      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          issued  on        : 2016-02-24 17:13:35
          expires on        : 2026-02-21 17:13:35
          signed using      : RSA with SHA-256
          RSA key size      : 2048 bits
          basic constraints : CA=false
          cert. type        : SSL Server
          key usage        : Digital Signature, Key Encipherment
          ext key usage    : TLS Web Server Authentication, ???

          2016-02-25 13:28:15 EVENT: CONNECTION_TIMEOUT [ERR]
          2016-02-25 13:28:15 EVENT: DISCONNECTED
          2016-02-25 13:28:15 Raw stats on disconnect:
            BYTES_IN : 10588
            BYTES_OUT : 44488
            PACKETS_IN : 80
            PACKETS_OUT : 108
            KEEPALIVE_TIMEOUT : 1
            CONNECTION_TIMEOUT : 1
            N_RECONNECT : 1
          2016-02-25 13:28:15 Performance stats on disconnect:
            CPU usage (microseconds): 415746
            Network bytes per CPU second: 132475
            Tunnel bytes per CPU second: 0
          2016-02-25 13:28:15 EVENT: DISCONNECT_PENDING
          2016-02-25 13:28:15 ----- OpenVPN Stop -----

          1 Reply Last reply Reply Quote 0
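
As an added example (not part of the original posts): a small Python triage of a client log in the shape JFord pasted, splitting it into connection attempts and reporting whether the server certificate chain verified and which timeout ended each attempt. The sample lines are a constructed excerpt based on that log; the function name `summarize_attempts` and the failure-marker list are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: a shortened excerpt in the same shape as the log
# posted above (certificate detail lines mostly omitted).
SAMPLE_LOG = """\
2016-02-25 13:27:16 EVENT: CONNECTING
2016-02-25 13:27:16 VERIFY OK: depth=1
cert. version    : 3
2016-02-25 13:27:16 VERIFY OK: depth=0
2016-02-25 13:28:01 Session invalidated: KEEPALIVE_TIMEOUT
2016-02-25 13:28:03 EVENT: RECONNECTING
2016-02-25 13:28:03 EVENT: CONNECTING
2016-02-25 13:28:03 VERIFY OK: depth=1
2016-02-25 13:28:03 VERIFY OK: depth=0
2016-02-25 13:28:15 EVENT: CONNECTION_TIMEOUT [ERR]
2016-02-25 13:28:15 EVENT: DISCONNECTED
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
FAILURES = ("KEEPALIVE_TIMEOUT", "CONNECTION_TIMEOUT", "AUTH_FAILED")  # assumed marker list

def summarize_attempts(log_text):
    """Return one dict per connection attempt (each starts at EVENT: CONNECTING)."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # certificate detail, peer-info and stats lines have no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("EVENT: CONNECTING"):
            cur = {"start": ts, "verified_depths": [], "connected": False,
                   "failure": None, "seconds_to_failure": None}
            attempts.append(cur)
        elif cur is None:
            continue  # nothing to attribute the line to yet
        elif msg.startswith("VERIFY OK: depth="):
            cur["verified_depths"].append(int(msg.split("=", 1)[1]))
        elif msg.startswith("EVENT: CONNECTED"):
            cur["connected"] = True
        elif cur["failure"] is None:
            hit = next((f for f in FAILURES if f in msg), None)
            if hit:  # record only the first failure marker of the attempt
                cur["failure"] = hit
                cur["seconds_to_failure"] = int((ts - cur["start"]).total_seconds())
    return attempts
```

On the sample, both attempts show the client verifying the server chain at depth 1 and depth 0, never reaching a connected state, and ending in a timeout 45 and 12 seconds after `EVENT: CONNECTING`.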
            divsys

            Nothing obvious there…..

            If that exact certificate connects properly via LAN WiFi, then I would say the certificate must be good.
            You're sure it can WiFi connect from a remote location?
            Certainly odd that a cell data conx would be different.

            Grasping at straws -
            What's the port on the pfSense Server, any chance the Cell provider is blocking it?
            Any chance the Cell net is blocking UDP traffic?
            What OpenVPN app are you using on the phone, can you update it?
            What about the time settings on the phone, any chance it's not getting correct time when on the cell net?

            Someone else chime in?

            -jfp

              JFord

              Just getting back to working on this problem. I am sure remotely this connects (have done it from my house via WiFi and even from a Verizon MiFi connected to a laptop).

              I have verified I can make it connect with a PIA (PrivateInternetAccess.com) account via cellular or WiFi.

              I am at a complete loss.

                divsys

                To me this is pointing to a Cell phone client/certificate issue.

                Perhaps wipe the OpenVPN client app and reinstall (or try a different one?)
                You might even want to go so far as to create a new certificate just for the phone to see if it can be made to connect at all via cell.

                Very perplexing…....

                -jfp

                  JFord

                  @divsys:

                  To me this is pointing to a Cell phone client/certificate issue.

                  Perhaps wipe the OpenVPN client app and reinstall (or try a different one?)
                  You might even want to go so far as to create a new certificate just for the phone to see if it can be made to connect at all via cell.

                  Very perplexing…....

                  It's happening on more than one user.

                    divsys

                    It's happening on more than one user

                    Do you mean it's happening with more than one certificate on the phone or on more than one phone?

                    If more than one certificate, then definitely try dropping/changing (upgrading?) the phone app.
                    Normally I like OpenVPN Connect as well, but perhaps it's being problematic here.

                    If more than one phone, I'd be tempted to try another OpenVPN Server instance using a new port, CA, Cert to get a clean install.

                    -jfp

                      JFord

                      @divsys:

                      It's happening on more than one user

                      Do you mean it's happening with more than one certificate on the phone or on more than one phone?

                      If more than one certificate, then definitely try dropping/changing (upgrading?) the phone app.
                      Normally I like OpenVPN Connect as well, but perhaps it's being problematic here.

                      If more than one phone, I'd be tempted to try another OpenVPN Server instance using a new port, CA, Cert to get a clean install.

                      More than one phone and more than one user.
