OpenVPN does not work on the iPhone.

Good afternoon. I have the following problem: OpenVPN does not work on devices running iOS. Everything works on other operating systems, including macOS. This happens only if the certificates were generated on the MikroTik. If you import keys created on Linux into it, everything works fine. At first it gave this error.

2017-06-25 01:43:04 EVENT: CORE_ERROR PolarSSL: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]

As far as I could work out, this is because the MikroTik encrypts the private key in a format that iOS does not support.

[root@ip-172-31-14-92 centos]# openssl asn1parse -in 1_cert_export_test-client-ovpn-12.key
0:d=0 hl=4 l=1311 cons: SEQUENCE
4:d=1 hl=2 l= 73 cons: SEQUENCE
6:d=2 hl=2 l= 9 prim: OBJECT :PBES2
17:d=2 hl=2 l= 60 cons: SEQUENCE
19:d=3 hl=2 l= 27 cons: SEQUENCE
21:d=4 hl=2 l= 9 prim: OBJECT :PBKDF2
32:d=4 hl=2 l= 14 cons: SEQUENCE
34:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:249CA7FCEC409541
44:d=5 hl=2 l= 2 prim: INTEGER :0800
48:d=3 hl=2 l= 29 cons: SEQUENCE
50:d=4 hl=2 l= 9 prim: OBJECT :aes-256-cbc
61:d=4 hl=2 l= 16 prim: OCTET STRING [HEX DUMP]:0A3C812B3F915210ADB830EC58C43845

On Linux the output is this.

[root@ip-172-31-14-92 centos]# openssl asn1parse -in client_07.key
0:d=0 hl=4 l=1294 cons: SEQUENCE
4:d=1 hl=2 l= 64 cons: SEQUENCE
6:d=2 hl=2 l= 9 prim: OBJECT :PBES2
17:d=2 hl=2 l= 51 cons: SEQUENCE
19:d=3 hl=2 l= 27 cons: SEQUENCE
21:d=4 hl=2 l= 9 prim: OBJECT :PBKDF2
32:d=4 hl=2 l= 14 cons: SEQUENCE
34:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:12700371E88C41C2
44:d=5 hl=2 l= 2 prim: INTEGER :0800
48:d=3 hl=2 l= 20 cons: SEQUENCE
50:d=4 hl=2 l= 8 prim: OBJECT :des-ede3-cbc

After my manipulations, the algorithms matched. But then there was another error.
2017-06-25 23:01:56 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the Certificate handshake message failed

I ask for help in solving this problem.
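
The two `openssl asn1parse` dumps in the post above differ in the PBES2 cipher OID (aes-256-cbc for the MikroTik export, des-ede3-cbc for the Linux key). As an added example that is not part of the original posts, this pure-Python reader pulls the same fields out of an encrypted PKCS#8 key so an exported `.key` file can be checked before it is put into a profile. The function names are hypothetical, and the input is assumed to be a PEM `ENCRYPTED PRIVATE KEY` block.

```python
import base64

# DER-encoded OID bytes (hex) -> name, for the algorithms in this thread's dumps.
OIDS = {
    "2a864886f70d01050d": "PBES2",         # 1.2.840.113549.1.5.13
    "2a864886f70d01050c": "PBKDF2",        # 1.2.840.113549.1.5.12
    "2a864886f70d0307": "des-ede3-cbc",    # 1.2.840.113549.3.7
    "60864801650304012a": "aes-256-cbc",   # 2.16.840.1.101.3.4.1.42
}

def tlvs(buf):
    """Split buf into the bodies of the DER elements it contains."""
    out, pos = [], 0
    while pos < len(buf):
        length, pos = buf[pos + 1], pos + 2
        if length & 0x80:                  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        out.append(buf[pos:pos + length])
        pos += length
    return out

def oid_name(body):                        # unknown OIDs are reported as hex
    return OIDS.get(body.hex(), body.hex())

def pem_to_der(pem):                       # drop the BEGIN/END lines, decode the rest
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def key_encryption(der):
    """Describe how an 'ENCRYPTED PRIVATE KEY' (PKCS#8) blob is protected."""
    alg = tlvs(tlvs(der)[0])[0]            # encryptionAlgorithm
    scheme, params = tlvs(alg)[:2]
    info = {"scheme": oid_name(scheme)}
    if info["scheme"] != "PBES2":
        return info                        # other schemes use a different layout
    kdf, enc = tlvs(params)                # keyDerivationFunc, encryptionScheme
    kdf_oid, kdf_params = tlvs(kdf)
    info["kdf"] = oid_name(kdf_oid)
    info["iterations"] = int.from_bytes(tlvs(kdf_params)[1], "big")  # [0] is the salt
    info["cipher"] = oid_name(tlvs(enc)[0])
    return info

# Constructed sample: header rebuilt from the thread's first asn1parse dump, zero-byte body.
SAMPLE = bytes.fromhex(
    "305d3049" "06092a864886f70d01050d" "303c301b06092a864886f70d01050c"
    "300e0408249ca7fcec40954102020800" "301d060960864801650304012a"
    "04100a3c812b3f915210adb830ec58c43845" "0410" + "00" * 16)
```

For a real file, `key_encryption(pem_to_der(open(path).read()))` returns the same dictionary; a `cipher` of `aes-256-cbc` matches the key that failed on iOS in this thread, `des-ede3-cbc` the one that loaded.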

I was under the impression iOS only used L2TP&IPSEC ?

OpenVPN on iOS can work too, but only with certificates that were generated using the easyrsa utility. With MikroTik's built-in tools it does not work. But if you import third-party certificates, then certificate revocation does not work. Can anyone tell me which keys to use to generate a certificate on the router so that it is compatible with the iPhone?

Hi,

I tried to find a solution for the same problem, MikroTik OpenVPN with iPhone.

I can’t find out how to fix the problem - PKCS5 - Requested encryption or digest alg not available [ERR]

I found only one post on the MikroTik forum.
I’m trying to connect to the VPN from my iPhone, but I still can’t get a working solution for this.
At the same time I’m using the same OpenVPN from my macOS without any problems.

From the OpenVPN iPhone app I’m getting the following messages:

2018-04-04 22:04:33 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28
2018-04-04 22:04:33 Frame=512/2048/512 mssfix-ctrl=1250
2018-04-04 22:04:33 EVENT: CORE_ERROR mbed TLS: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
2018-04-04 22:04:33 Raw stats on disconnect:
2018-04-04 22:04:33 Performance stats on disconnect:
 CPU usage (microseconds): 24407
 Network bytes per CPU second: 0
 Tunnel bytes per CPU second: 0

Maybe somebody is using MikroTik OpenVPN with an iPhone successfully or can help me find a solution?

Hi,
I’m raising @Alexandr1047's post to @MikroTik_Team.
I hope that somebody from @MikroTik_Team is also using an iPhone and can explain or fix that for us ;)

Thanks in advance !

hi all
same problem
has anyone solved it?

thanks
f

I see the same on my Android device.
Connecting to my MikroTik hAP ac2 does not work any more (firmware 6.43.2) from my Samsung Galaxy S6 phone (Android 7.0, using the official ‘OpenVPN Connect - Fast & Safe SSL VPN Client’ from the Google Store). Connecting from a Windows 10 computer works fine.

No error messages, just a lot of ‘TCP connection established’ messages in the Mikrotik logfile.
It did work in the past (about a month ago, so before the update to 6.43.x)

Modification 2018-10-22:

I found another Android OpenVPN app, which gave me much more, and much more detailed, error logging (“OpenVPN Client Free”). Using this app I could pinpoint a certificate error. Now I can connect using both Windows 10 and Android 7.0.

So looking back it was not a MikroTik software problem, although the absence of detailed error logging on the MikroTik hAP ac2 made solving this problem rather complex.

Been trying to get this working most of the afternoon, have made some progress but getting a different error.

How I made progress:

Export the client certificate from the Mikrotik as a PKCS12 cert instead of PEM. In your .ovpn file, instead of the

cert cert_export_client1.crt
key cert_export_client1.key

directives, you replace them with:

pkcs12 cert_export_client1.p12

I have left the block in my ovpn with the cert in there.

The problem I’m having now is I have a connection on the Mikrotik from the iOS device, but in the OVPN client on the phone it states

TCP recv EOF
Transport Error: Transport error on ‘[my host]’ NETWORK_EOF_ERROR

If a fresh pair of eyes can help here it’d be great.

So a bit more food for thought, here’s an article re iOS. I’m currently seeing how I can get everything going in keychain for the certs.

https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/

And after a whole afternoon of battling it would appear that I accidentally disabled the secret on the Mikrotik which was the cause of my connection resets.

OpenVPN now working. Steps taken:

  1. Export client certificate as PKCS on Mikrotik, CA certificate as PEM.
  2. Create .ovpn file with CA cert embedded inline - example of mine below
dev tun
proto tcp-client
remote my.domain.com
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server

verb 4
mute 10
cipher AES-256-CBC
auth SHA1

ping 15
ping-restart 45
ping-timer-rem

auth-user-pass auth.cfg
auth-nocache

<ca>
-----BEGIN CERTIFICATE-----
[your CA cert here]
-----END CERTIFICATE-----
</ca>
pkcs12 cert_export_client1.ovpn12
  3. Import .p12 certificate via Mail app into iPhone Keychain (as per iOS article posted above - though I don’t feel this is necessary as even without this step the VPN works)
  4. Copy the .p12 to a .ovpn12 file as per the article again.
  5. Import certs (.ovpn12), auth.cfg and ovpn file in iTunes for OpenVPN
  6. Import certificate in OpenVPN app
  7. Import profile in OpenVPN app and assign certificate (ovpn12)
  8. Connect