But on my iPhone (iOS 17.0.3) with OpenVPN (3.4.0 5457), I have recently started getting the following error when dialing in.

iOS OpenVPN:

[Oct 18, 2023, 21:07:08] START CONNECTION
[Oct 18, 2023, 21:07:08] ----- OpenVPN Start -----
OpenVPN core 3.8.2connect1 ios arm64 64-bit
[Oct 18, 2023, 21:07:08] OpenVPN core 3.8.2connect1 ios arm64 64-bit
[Oct 18, 2023, 21:07:08] Frame=512/2112/512 mssfix-ctrl=1250
[Oct 18, 2023, 21:07:08] NOTE: This configuration contains options that were not used:
[Oct 18, 2023, 21:07:08] Option allowed only to be pushed by the server
[Oct 18, 2023, 21:07:08] 14 [auth-token-user] [USER]
[Oct 18, 2023, 21:07:08] 15 [auth-token] [TOTP]
[Oct 18, 2023, 21:07:08] EVENT: CORE_THREAD_ERROR option_error: sorry, unsupported options present in configuration: Option allowed only to be pushed by the server [ERR]
[Oct 18, 2023, 21:07:08] EVENT: CORE_THREAD_DONE
[Oct 18, 2023, 21:07:08] EVENT: DISCONNECT_PENDING
[Oct 18, 2023, 21:07:08] Raw stats on disconnect:
Router - OpenVPN Log

I may not have tested this since the release of iOS 17 but maybe someone knows the problem.

Pablo78:
    EVENT: CORE_THREAD_ERROR option_error: sorry, unsupported options present in configuration: Option allowed only to be pushed by the server [ERR]
    [Oct 18, 2023, 21:07:08] EVENT: CORE_THREAD_DONE

The log message “TLS error, cannot locate HMAC in incoming packet” indicates that the OpenVPN server expected to find a HMAC (Hash-Based Message Authentication Code) signature in the incoming packet for additional verification, but didn’t find it. This could be due to a configuration mismatch between the client and server, particularly related to the TLS-AUTH setting. Both sides should be configured to use the same pre-shared key for HMAC verification.

Another potentially problematic setting concerns second-factor authentication. Last time I checked, OpenVPN Connect on iOS was not capable of establishing an OTP connection with the IPFire OpenVPN server.

I just got this myself.

The error message isn’t very helpful as it doesn’t list the offending options. But the log does, so commenting out auth-token-user and auth-token makes the connection work.

I’m not on iOS 17, btw, still on 16.

My ovpn file for the iPhone looks like this. Is it safe, in terms of security, to exclude the following options here?

  • auth-token-user USER
  • auth-token TOTP

I have the following in my settings, /var/ipfire/ovpn/server.conf:

    #OpenVPN Server conf
    daemon openvpnserver
    writepid /var/run/openvpn.pid
    #DAN prepare OpenVPN for listening on blue and orange
    ;local blabla.selfhost.de
    dev tun
    proto udp
    port 1194
    script-security 3
    ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
    client-config-dir /var/ipfire/ovpn/ccd
    tls-server
    ca /var/ipfire/ovpn/ca/cacert.pem
    cert /var/ipfire/ovpn/certs/servercert.pem
    key /var/ipfire/ovpn/certs/serverkey.pem
    dh /etc/ssl/ffdhe4096.pem
    server 10.10.5.0 255.255.255.0
    tun-mtu 1400
    mssfix 0
    keepalive 10 60
    status-version 1
    status /var/run/ovpnserver.log 30
    ncp-disable
    cipher AES-256-CBC
    auth SHA512
    tls-version-min 1.2
    tls-auth /var/ipfire/ovpn/certs/ta.key
    push "redirect-gateway def1"
    push "dhcp-option DOMAIN blabla.dom"
    push "dhcp-option DNS 10.10.5.1"
    max-clients 2
    tls-verify /usr/lib/openvpn/verify
    crl-verify /var/ipfire/ovpn/crls/cacrl.pem
    auth-user-pass-optional
    reneg-sec 86400
    user nobody
    group nobody
    persist-key
    persist-tun
    verb 3
    # Log clients connecting/disconnecting
    client-connect "/usr/sbin/openvpn-metrics client-connect"
    client-disconnect "/usr/sbin/openvpn-metrics client-disconnect"
    # Enable Management Socket
    management /var/run/openvpn.sock unix
    management-client-auth

These are for two-factor authentication. OpenVPN Connect lacks the capability to handle the second-factor exchange with an OpenVPN server on IPFire. Only the OpenVPN Windows community edition client is compatible with IPFire for this key exchange. Without it, you can establish a tunnel, but without the two-factor exchange. See my bug report for documentation.
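As an added example (not code from any poster in this thread, nor from IPFire or OpenVPN), a small Python helper that checks a client .ovpn profile for the two options the iOS log above reports as push-only and writes a copy with those lines commented out, which is what the fix in this thread does by hand. The sample profile and the push-only option set are constructed assumptions; inline certificate and key blocks are left untouched.

```python
# Options the iOS log in this thread reports as "allowed only to be pushed by
# the server". Assumption: this set is taken from that log; extend as needed.
PUSH_ONLY_OPTIONS = {"auth-token", "auth-token-user"}

# Constructed sample client profile (not from the thread); the inline <ca>
# block holds a placeholder, not a real certificate.
SAMPLE_PROFILE = """\
client
dev tun
remote vpn.example.invalid 1194
tls-auth ta.key 1
auth-token-user USER
auth-token TOTP
;auth-token already-commented-out
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""


def find_push_only(profile_text):
    """Return [(line_no, option)] for active lines setting a push-only option.
    Comment lines (# or ;) and the bodies of inline <tag>...</tag> blocks
    (ca, cert, key, tls-auth ...) are skipped so they are never touched."""
    hits, in_block = [], False
    for no, line in enumerate(profile_text.split("\n"), start=1):
        stripped = line.strip()
        if stripped.startswith("</"):      # end of an inline block
            in_block = False
        elif stripped.startswith("<"):     # start of an inline block
            in_block = True
        elif in_block or not stripped or stripped[0] in "#;":
            continue
        else:
            option = stripped.split(None, 1)[0]
            if option in PUSH_ONLY_OPTIONS:
                hits.append((no, option))
    return hits


def strip_push_only(profile_text):
    """Return the profile with push-only lines commented out, all else unchanged."""
    lines = profile_text.split("\n")       # same split as above, numbers match
    for no, option in find_push_only(profile_text):
        lines[no - 1] = "# removed (%s is push-only): %s" % (option, lines[no - 1])
    return "\n".join(lines)
```

Run `strip_push_only(open("client.ovpn").read())` on a real profile and save the result under a new name before importing it into OpenVPN Connect.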