Remote Access (SSL/TLS +User Auth) cellular (Verizon) connection issue
-
When connecting via Wi-Fi locally or remotely the iOS OpenVPN Connect app works. As soon as Wi-Fi in unavailable it will not connect. I can see it try and connect from pfsense and instead of the username under "Common Name" it says UNDEF. From my research this seems to mean the TLS is failing to authenticate but why would it work from Wi-Fi and not over LTE or 3G? I'm going to find an AT&T device and Android devices to try and I'll report back. This is with the latest update.
-
Just an offhand thought, but are you giving the OpenVPN tunnel time to "collapse" between trying under WiFi and then switching to cell?
OpenVPN does a good job of maintaining connections under spotty inet conditions and I'm wondering if the previous good WiFi conx is conflicting with a new Cell conx using the same certificates?
You might try:
- Power off the phone.
- Fully stop (disable check box in the setup page) the OpenVPN server and then restart.
- Power up the phone.
- Attempt to connect via Cell on phone.
This is just to eliminate a possibility.
Normally I have few issues (usually self-induced ones) with cell connections via OpenVPN.
-
Just an offhand thought, but are you giving the OpenVPN tunnel time to "collapse" between trying under WiFi and then switching to cell?
OpenVPN does a good job of maintaining connections under spotty inet conditions and I'm wondering if the previous good WiFi conx is conflicting with a new Cell conx using the same certificates?
You might try:
- Power off the phone.
- Fully stop (disable check box in the setup page) the OpenVPN server and then restart.
- Power up the phone.
- Attempt to connect via Cell on phone.
This is just to eliminate a possibility.
Normally I have few issues (usually self-induced ones) with cell connections via OpenVPN.No such luck. I am pasting the log:
2016-02-25 13:27:15 LZO-ASYM init swap=0 asym=1
2016-02-25 13:27:15 Comp-stub init swap=0
2016-02-25 13:27:15 EVENT: RESOLVE
2016-02-25 13:27:15 Contacting xxxxxxxxxxxxxxx via UDP
2016-02-25 13:27:15 EVENT: WAIT
2016-02-25 13:27:15 SetTunnelSocket returned 1
2016-02-25 13:27:15 Connecting to xxxxxxxxxxxxxxxxx (xxxxxxxxxxxxxx) via UDPv4
2016-02-25 13:27:16 EVENT: CONNECTING
2016-02-25 13:27:16 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2016-02-25 13:27:16 Creds: Username/Password
2016-02-25 13:27:16 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_SNAPPY=1
IV_LZO=1
IV_LZO_SWAP=1
IV_LZ4=1
IV_COMP_STUB=12016-02-25 13:27:16 VERIFY OK: depth=1
cert. version : 3
serial number : 00
issuer name : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
subject name : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issued on : 2016-02-24 17:13:35
expires on : 2026-02-21 17:13:35
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign2016-02-25 13:27:16 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : xxxxxxxxxxxxxxxxxxxxxxxxxx
subject name : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issued on : 2016-02-24 17:13:35
expires on : 2026-02-21 17:13:35
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication, ???2016-02-25 13:28:01 Session invalidated: KEEPALIVE_TIMEOUT
2016-02-25 13:28:01 Client terminated, restarting in 2…
2016-02-25 13:28:03 EVENT: RECONNECTING
2016-02-25 13:28:03 LZO-ASYM init swap=0 asym=1
2016-02-25 13:28:03 Comp-stub init swap=0
2016-02-25 13:28:03 EVENT: RESOLVE
2016-02-25 13:28:03 Contacting xxxxxxxxxxxxxxx via UDP
2016-02-25 13:28:03 EVENT: WAIT
2016-02-25 13:28:03 SetTunnelSocket returned 1
2016-02-25 13:28:03 Connecting to xxxxxxxxxxxxxxxxxx (xxxxxxxxxxxxxxxxxxxxxx) via UDPv4
2016-02-25 13:28:03 EVENT: CONNECTING
2016-02-25 13:28:03 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client
2016-02-25 13:28:03 Creds: Username/Password
2016-02-25 13:28:03 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_SNAPPY=1
IV_LZO=1
IV_LZO_SWAP=1
IV_LZ4=1
IV_COMP_STUB=12016-02-25 13:28:03 VERIFY OK: depth=1
cert. version : 3
serial number : 00
issuer name : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
subject name : xxxxxxxxxxxxxxxxxxxxxxxx
issued on : 2016-02-24 17:13:35
expires on : 2026-02-21 17:13:35
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign2016-02-25 13:28:03 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
subject name : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issued on : 2016-02-24 17:13:35
expires on : 2026-02-21 17:13:35
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication, ???2016-02-25 13:28:15 EVENT: CONNECTION_TIMEOUT [ERR]
2016-02-25 13:28:15 EVENT: DISCONNECTED
2016-02-25 13:28:15 Raw stats on disconnect:
BYTES_IN : 10588
BYTES_OUT : 44488
PACKETS_IN : 80
PACKETS_OUT : 108
KEEPALIVE_TIMEOUT : 1
CONNECTION_TIMEOUT : 1
N_RECONNECT : 1
2016-02-25 13:28:15 Performance stats on disconnect:
CPU usage (microseconds): 415746
Network bytes per CPU second: 132475
Tunnel bytes per CPU second: 0
2016-02-25 13:28:15 EVENT: DISCONNECT_PENDING
2016-02-25 13:28:15 –--- OpenVPN Stop -----
-
Nothing obvious there…..
If that exact certificate connects properly via LAN WiFi, then I would say the certificate must be good.
You're sure it can WiFi connect from a remote location?
Certainly odd that a cell data conx would be different.Grasping at straws -
What's the port on the pfSense Server, any chance the Cell provider is blocking it?
Any chance the Cell net is blocking UDP traffic?
What OpenVPN app are you using on the phone, can you update it?
What about the time settings on the phone, any chance it's not getting correct time when on the cell net?Someone else chime in?
-
Just getting back to working on this problem. I am sure remotely this connects (have done it from my house via WiFi and ever from a Verizon MiFi connected to a laptop).
I have verified I can make it connect with a PIA (PrivateInternetAccess.com) account via cellular or WiFi.
I am at a complete loss.
-
To me this is pointing to a Cell phone client/certificate issue.
Perhaps wipe the OpenVPN client app and reinstall (or try a different one?)
You might even want to go so far as to create a new certificate just for the phone to see if it can be made to connect at all via cell.Very perplexing…....
-
To me this is pointing to a Cell phone client/certificate issue.
Perhaps wipe the OpenVPN client app and reinstall (or try a different one?)
You might even want to go so far as to create a new certificate just for the phone to see if it can be made to connect at all via cell.Very perplexing…....
It's happening on more than one user.
-
It's happening on more than one user
Do you mean its happening with more than one certificate on the phone or on more than one phone?
If more than one certificate, then definitely try dropping/changing (upgrading?) the phone app.
Normally I like OpenVPN Connect as well, but perhaps it's being problematic here.If more than one phone, I'd be tempted to try another OpenVPN Server instance using a new port, CA, Cert to get a clean install.
-
It's happening on more than one user
Do you mean its happening with more than one certificate on the phone or on more than one phone?
If more than one certificate, then definitely try dropping/changing (upgrading?) the phone app.
Normally I like OpenVPN Connect as well, but perhaps it's being problematic here.If more than one phone, I'd be tempted to try another OpenVPN Server instance using a new port, CA, Cert to get a clean install.
More than one phone and more than one user.