OpenVPN works on Android, same config does not on iOS?

m00dawg · December 14, 2015, 11:58pm

I managed to setup OpenVPN on my CCR and was able to setup OpenVPN on Android. An almost identical configuration on iOS doesn’t seem to work. I get a rather cryptic message from the OpenVPN client on it:

2015-12-14 16:18:31 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - A fatal alert message was received from our peer
2015-12-14 16:18:31 Client terminated, restarting in 2...
2015-12-14 16:18:33 EVENT: RECONNECTING
2015-12-14 16:18:33 EVENT: RESOLVE
2015-12-14 16:18:33 Contacting <router-ip>:1194 via TCP
2015-12-14 16:18:33 EVENT: WAIT
2015-12-14 16:18:33 SetTunnelSocket returned 1
2015-12-14 16:18:33 Connecting to <router-ip>:1194 (<router-ip>) via TCPv4
2015-12-14 16:18:33 EVENT: CONNECTING
2015-12-14 16:18:33 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
2015-12-14 16:18:33 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1

I can’t seem to enable enough debugging on the CCR to know what’s going on:

16:52:06 ovpn,info TCP connection established from <client ip>
16:52:06 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=0ff3c66224a6742 pid=0 DATA len=0 
16:52:06 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=8d2c8f58d9b5fd2c pid=0 DATA len=0 
16:52:06 ovpn,debug,packet sent P_ACK kid=0 sid=0ff3c66224a6742 [0 sid=8d2c8f58d9b5fd2c] DATA len=0 
16:52:06 certificate,debug start CRL update 
16:52:06 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=8d2c8f58d9b5fd2c [0 sid=0ff3c66224a6742] pid=1 DATA len=0 
16:52:06 ovpn,debug,packet sent P_ACK kid=0 sid=0ff3c66224a6742 [1 sid=8d2c8f58d9b5fd2c] DATA len=0 
16:52:06 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=8d2c8f58d9b5fd2c pid=2 DATA len=74 
16:52:06 ovpn,debug,packet sent P_ACK kid=0 sid=0ff3c66224a6742 [2 sid=8d2c8f58d9b5fd2c] DATA len=0 
16:52:06 ovpn,debug,packet sent P_CONTROL kid=0 sid=0ff3c66224a6742 pid=1 DATA len=7 
16:52:06 ovpn,debug <<client ip>>: disconnected <TLS failed>

My OpenVPN client config is this:

dev tun
proto tcp-client

remote <public router IP> 1194 # Remote OpenVPN Servername or IP address

tls-client
port 1194 

#user nobody
#group nogroup

#comp-lzo # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9)

# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

# Silence  the output of replay warnings, which are a common false
# alarm on WiFi networks.  This option preserves the  security  of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.
mute-replay-warnings

# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
verb 9

cipher AES-256-CBC
auth SHA1
pull

route <internal network> 255.255.255.0
push "route <internal network> 255.255.255.0"
push "dhcp-option DNS <internal router IP>"
push "dhcp-option DOMAIN <internal domain>"

<ca>
...
</ca>

<cert>
...
</cert>

<key>
...
</key>

I tried both including the cert/keys in the config file as well as using iOS’s certificate store, but ended up with the same errors.

Is there any way to get even more logging from the CCR and/or anyone have suggestions on what may be going on here?

MTeeker · December 16, 2015, 11:54pm

change:
dev tun (for Android client) to dev tap (in the client script for Windows or iOS connection ).

also change:
Mode: ip (for Android) to Mode: ethernet (under /ppp OpenVPN sever setting)

cpliu903 · April 4, 2016, 3:00pm

I have faced same problem on iOS connection.

iOS OpenVPN client return error message:

PolarSSL: SSL read error: SSL- A fatal alert message was received from our peer

but my config can work on win7 with dev tun.

iOS does not support dev tun ? Which mode (Tun and Tap ) is better performance ?

MTeeker · May 3, 2016, 4:02am

Sorry, I was wrong. And did not expect an old thread to be revived.

As per OpenVPN site, TAP can not be used with Android or iOS devices.

I used a free and open source app called Tunnelblick on Mac to connect to OpenVN server. Since Tunnelblick has both TAP and TUN drivers, hence my confusion.

For Android devices, I used a paid app called OpenVPN client by Colucci to avoid switching b/w TAP and TUN for different client connections. In both cases, some sort of translation to dev TAP was embedded in the apps.

Lasyly, I let my OpenVPN server at TAP permanently and can’t tell you the difference. But the following is extracted from OpenVPN wiki:

**TAP benefits:

behaves like a real network adapter (except it is a virtual network adapter)
can transport any network protocols (IPv4, IPv6, Netalk, IPX, etc, etc)
Works in layer 2, meaning Ethernet frames are passed over the VPN tunnel
Can be used in bridges

TAP drawbacks

causes much more broadcast overhead on the VPN tunnel
adds the overhead of Ethernet headers on all packets transported over the VPN tunnel
scales poorly
can not be used with Android or iOS devices

TUN benefits:

A lower traffic overhead, transports only traffic which is destined for the VPN client
Transports only layer 3 IP packets

TUN drawbacks:

Broadcast traffic is not normally transported
Can only transport IPv4 (OpenVPN 2.3 adds IPv6)
Cannot be used in bridges**

Cheers

olkitu · May 3, 2016, 4:06am

You must disable iOS Settings “Force AES-CBC”. That is reason i think.