TheKat
Resolved
0 votes
I am looking to set up the OpenVPN connect app to access my ClearOS box
following this

Can anyone point me to any more documentation to get this set up?

thx
tk
In VPN
Tuesday, January 20 2015, 10:25 PM
Responses (16)
  • Accepted Answer

    Saturday, July 14 2018, 04:35 PM - #Permalink
    Resolved
    0 votes
    Good find. Perhaps it is Data only as it works for you LAN side. I hope so because we are going on holiday soon and I need OpenVPN for the kids to stream from the BBC!
  • Accepted Answer

    Saturday, July 14 2018, 04:20 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    That suggests it is an OpenVPN Connect issue in iOS. I have not tried it for a year or so, so I would not have seen it, and my kids' devices are WiFi only. How do you see the connection is lost? Is that with WiFi disabled?

    On an unrelated issue, I notice you are using the 192.168.1.0/24 LAN subnet. If you're expecting to VPN in using WiFi from homes, your connection may not pass any traffic to your LAN. The subnets 192.168.1.0/24 and 192.168.0.0/24 are best avoided as they are used by too many domestic routers.

    Hi Nick,


    I've found the issue.
    bug_issue_with_openvpn_on_ios_12

    I've tested on another iPhone with iOS 11 and then it is working ;)
  • Accepted Answer

    Saturday, July 14 2018, 08:02 AM - #Permalink
    Resolved
    0 votes
    That suggests it is an OpenVPN Connect issue in iOS. I have not tried it for a year or so, so I would not have seen it, and my kids' devices are WiFi only. How do you see the connection is lost? Is that with WiFi disabled?

    On an unrelated issue, I notice you are using the 192.168.1.0/24 LAN subnet. If you're expecting to VPN in using WiFi from homes, your connection may not pass any traffic to your LAN. The subnets 192.168.1.0/24 and 192.168.0.0/24 are best avoided as they are used by too many domestic routers.
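
Added example, not part of the original post: a check of the subnet clash described above, run against the PUSH_REPLY string that the server logged in this thread. The client networks passed in are constructed, and the function names are hypothetical.

```python
import ipaddress

# PUSH_REPLY options exactly as logged by the server in this thread.
PUSH_REPLY = ("PUSH_REPLY,dhcp-option DNS 192.168.1.1,dhcp-option DOMAIN pdebrabander.nl,"
              "route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,"
              "ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM")

def pushed_routes(push_reply):
    """Extract 'route <net> [mask]' options; a route without a mask is a host route."""
    routes = []
    for opt in push_reply.split(","):
        parts = opt.split()
        if len(parts) >= 2 and parts[0] == "route":
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            routes.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return routes

def pushed_dns(push_reply):
    """Extract the addresses from 'dhcp-option DNS <ip>' options."""
    return [o.split()[2] for o in push_reply.split(",")
            if o.split()[:2] == ["dhcp-option", "DNS"]]

def conflicts(push_reply, client_lan):
    """Pushed routes that overlap the network the client is physically attached to."""
    local = ipaddress.ip_network(client_lan, strict=False)
    return [r for r in pushed_routes(push_reply) if r.overlaps(local)]

def shadowed_dns(push_reply, client_lan):
    """Pushed DNS servers whose address also exists on the client's own network."""
    local = ipaddress.ip_network(client_lan, strict=False)
    return [d for d in pushed_dns(push_reply) if ipaddress.ip_address(d) in local]

if __name__ == "__main__":
    # Constructed client-side networks: two common home-router defaults and one other.
    for lan in ("192.168.1.0/24", "192.168.0.0/24", "172.16.5.0/24"):
        clash = [str(r) for r in conflicts(PUSH_REPLY, lan)]
        print(f"client on {lan}: overlapping routes={clash} "
              f"ambiguous DNS={shadowed_dns(PUSH_REPLY, lan)}")
```

A client sitting on 192.168.1.0/24 overlaps the pushed LAN route and also sees the pushed DNS address 192.168.1.1 as a local host, which is the case the post advises avoiding by renumbering the server LAN.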
  • Accepted Answer

    Saturday, July 14 2018, 07:10 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    You have not used the keychain for your certificates so the message should be irrelevant. If the phone can connect to openVPN from your LAN and not your WAN then it is not a phone issue.

    Do you see any connection attempts in your messages log?


    It is very strange.
    I can connect with the OpenVPN app with 4G and it connects.
    When I go to the browser or another app, the VPN connection is lost.

    This is what I see in my log. (Same for 4G as for WiFi)


    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 TLS: Initial packet from [AF_INET]188.206.76.111:38546 (via [AF_INET]31.151.192.18%enp1s0f0), sid=ec534775 20fce12b
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 VERIFY OK: depth=1, C=NL, XXXXXXXXXXXXXXXXXXXXXXX
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 VERIFY OK: depth=0, C=NL, XXXXXXXXXXXXXXXXXXXXXXX
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.2.9-0
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 peer info: IV_VER=3.2
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 peer info: IV_PLAT=ios
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 peer info: IV_NCP=2
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 peer info: IV_TCPNL=1
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 peer info: IV_PROTO=2
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 peer info: IV_LZO=1
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 peer info: IV_BS64DL=1
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 TLS: Username/Password authentication succeeded for username 'patrick'
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 188.206.76.111:38546 [patrick] Peer Connection Initiated with [AF_INET]188.206.76.111:38546 (via [AF_INET]31.151.192.18%enp1s0f0)
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 patrick/188.206.76.111:38546 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 patrick/188.206.76.111:38546 MULTI: Learn: 10.8.0.6 -> patrick/188.206.76.111:38546
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 patrick/188.206.76.111:38546 MULTI: primary virtual IP for patrick/188.206.76.111:38546: 10.8.0.6
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 patrick/188.206.76.111:38546 PUSH: Received control message: 'PUSH_REQUEST'
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 patrick/188.206.76.111:38546 SENT CONTROL [patrick]: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,dhcp-option DOMAIN pdebrabander.nl,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 patrick/188.206.76.111:38546 Data Channel: using negotiated cipher 'AES-256-GCM'
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 patrick/188.206.76.111:38546 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Jul 14 09:06:12 pdebrabander openvpn: Sat Jul 14 09:06:12 2018 patrick/188.206.76.111:38546 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
  • Accepted Answer

    Friday, July 13 2018, 08:54 PM - #Permalink
    Resolved
    0 votes
    You have not used the keychain for your certificates so the message should be irrelevant. If the phone can connect to openVPN from your LAN and not your WAN then it is not a phone issue.

    Do you see any connection attempts in your messages log?
  • Accepted Answer

    Friday, July 13 2018, 08:19 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Can you check the "remote" line in the ovpn file points to an FQDN which resolves to your WAN IP when you are not connected to your LAN? You can use your own domain (iirc you have one) or your poweredbyclear.com subdomain.

    Also have you opened the firewall to the OpenVPN service or to udp:1194?


    Hi Nick,

    This is the content of the OVPN files

    client
    remote pdebrabander.nl 1194
    dev tun
    proto udp
    resolv-retry infinite
    nobind
    user nobody
    group nobody
    persist-key
    persist-tun
    ca ca-cert.pem
    cert client-patrick-cert.pem
    key client-patrick-key.pem
    ns-cert-type server
    comp-lzo
    verb 3
    auth-user-pass


    The firewall is open for port 1194.


    In the OpenVPN app on my iPhone I see the following text in the CERTS menu:

    No certificates are present in the Keychain
    Note PKCS#12 files need to end with '.OVPN12', instead of '.p12' or '.pfx' for proper importing (check FAQ)
  • Accepted Answer

    Friday, July 13 2018, 08:03 PM - #Permalink
    Resolved
    0 votes
    Can you check the "remote" line in the ovpn file points to an FQDN which resolves to your WAN IP when you are not connected to your LAN? You can use your own domain (iirc you have one) or your poweredbyclear.com subdomain.

    Also have you opened the firewall to the OpenVPN service or to udp:1194?
  • Accepted Answer

    Friday, July 13 2018, 06:51 PM - #Permalink
    Resolved
    0 votes
    Marcel van Leeuwen wrote:

    I've setup again openVPN on my iPhone successfully, and it was very easy again.

    One thing, where can I see who's connected to the ClearOS server via OpenVPN?

    Hi Marcel,

    Can you help with the setup?
    I've added the certificates to my iPhone with iTunes


    ca-cert.pem
    client-patrick-cert.pem
    client-patrick-key.pem
    pdebrabander.nl.ovpn


    I can connect when I'm at home with WiFi, but with 4G I cannot connect.
  • Accepted Answer

    Monday, June 25 2018, 05:52 PM - #Permalink
    Resolved
    0 votes
    OpenVPN Monitor interesting! Going to check your other options.
  • Accepted Answer

    Sunday, June 24 2018, 06:37 PM - #Permalink
    Resolved
    0 votes
    I use OpenVPN Monitor - or at least I have it running and can get the info from there. Otherwise have a look at /var/lib/openvpn/openvpn-status.log and cross-reference it to /var/lib/openvpn/ipp.txt. I think there is something else, but I can't remember what.
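
Added example, not part of the original post: one way to do the cross-reference suggested above, joining the live sessions in openvpn-status.log with the leases in ipp.txt. Both file contents are constructed samples; the code assumes status file format version 1 and the net30 topology seen in this thread's PUSH_REPLY, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of openvpn-status.log (status file format version 1).
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Sat Jul 14 09:06:42 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
patrick,188.206.76.111:38546,5120,7340,Sat Jul 14 09:06:12 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,patrick,188.206.76.111:38546,Sat Jul 14 09:06:40 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""
IPP_TXT = "patrick,10.8.0.4\nmarcel,10.8.0.8\n"  # constructed ipp.txt: "common name,pool address"

def parse_status(text):
    """Return {real_address: session} for every client connected right now."""
    sessions, section = {}, None
    for line in text.splitlines():
        f = line.split(",")
        if f[0] in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS"):
            section = f[0]
        elif section == "OpenVPN CLIENT LIST" and len(f) == 5 and f[0] != "Common Name":
            sessions[f[1]] = {"user": f[0], "real": f[1], "since": f[4], "virtual": None}
        elif section == "ROUTING TABLE" and len(f) == 4 and f[2] in sessions:
            sessions[f[2]]["virtual"] = f[0]  # header row never matches a real address
    return sessions

def parse_ipp(text):
    """Return {common_name: pool address} from the persisted lease file."""
    rows = (l.strip().split(",") for l in text.splitlines() if "," in l)
    return {r[0]: ipaddress.ip_address(r[1]) for r in rows}

def who_is_connected(status_text, ipp_text):
    """Join live sessions with leases; return (sessions, users with a lease but offline)."""
    leases, rows = parse_ipp(ipp_text), []
    for s in parse_status(status_text).values():
        lease = leases.get(s["user"])
        # Assumption: topology net30, so the client address is the lease base + 2.
        expected = str(lease + 2) if lease is not None else None
        rows.append({**s, "lease_matches": s["virtual"] == expected})
    return rows, sorted(set(leases) - {r["user"] for r in rows})

if __name__ == "__main__":
    sessions, offline = who_is_connected(STATUS_LOG, IPP_TXT)
    print(sessions, offline)
```

On the server, read the two files from /var/lib/openvpn/ and pass their contents in place of the samples; a session with `lease_matches` set to False, or a user with no lease at all, is worth a second look.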
  • Accepted Answer

    Sunday, June 24 2018, 06:29 PM - #Permalink
    Resolved
    0 votes
    I've setup again openVPN on my iPhone successfully, and it was very easy again.

    One thing, where can I see who's connected to the ClearOS server via OpenVPN?
  • Accepted Answer

    Sunday, January 21 2018, 08:09 PM - #Permalink
    Resolved
    0 votes
    That's nice Nick! I will check your links.

    I've tested openVPN today, and it's working very well. So easy to set up, and if we can mail the certificates to ourselves then it's easier than easy. :)
  • Accepted Answer

    Sunday, January 21 2018, 02:05 PM - #Permalink
    Resolved
    0 votes
    There is a feature/enhancement request which will make it even easier and you can do it manually. See issue #17381. The method is in the tracker and is the same as this forum post. I think I've seen a better document to it as well. There is also a reference here on the wiki.

    The advantage of this method for iOS is that you don't need iTunes. You can install the configuration file directly from an e-mail and it should work on all platforms.
  • Accepted Answer

    Sunday, January 21 2018, 10:43 AM - #Permalink
    Resolved
    0 votes
    I can confirm that it's very easy to set up openVPN on an iPhone. Some steps:

    Install openVPN on ClearOS --> Enable openVPN for user --> Generate user profiles --> Copy user certificates with iTunes to your iPhone --> Install certificates with OpenVPN client on your iPhone --> Done
  • Accepted Answer

    Bang
    Wednesday, January 28 2015, 04:05 PM - #Permalink
    Resolved
    0 votes
    Try to read this manual: https://boxpn.com/setup_o.nvpn_ios.aspx maybe u can find something helpful.
  • Accepted Answer

    Wednesday, January 21 2015, 07:27 AM - #Permalink
    Resolved
    0 votes
    You don't need much documentation. If you download the official OpenVPN app from the App Store, I believe it has instructions. Use iTunes to drop your profile and certificates onto the app. From memory you don't need the pkcs12 cert, just the basic ones. I am assuming the instructions are the same as for the iPad Mini.