Compatibility with IOS (OpenVPN Connect / PolarSSL)


jochenthomas

Occasional Visitor
Hi,
it's not about Asuswrt-Merlin, but I hope to get some valuable answers here ;-)

Currently OpenVPN is properly set up on the router, Win10 and Android, but not on iOS 11.2.
As you know, "OpenVPN Connect" has not been updated on the Apple store for roughly one year - for whatever reason, maybe forced to stop development or cooperation with some agencies, missing money, who knows...

My current OVPN configuration is something like this:

Code:
proto udp
dev tun
ca / cert / key / tls-auth / dh4096.pem
comp-lz4
auth SHA512
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Esp. the following aspects are in question, as a newer OpenVPN Connect/PolarSSL/TLS version is needed:
LZ4, AES-256-GCM or AES-256-CBC, SHA512 / tls-crypt

My question:
What is your proposal to be able to have a secure OpenVPN configuration working without having a newer/updated version on iOS 11.x?
 
For your info, the current stable version of OpenVPN Connect for iOS does not support tls-crypt. They have already come out with beta test version 1.2.5 that is updated with tls-crypt. You may contact the developer to join the beta test.

As for the firmware, all the ciphers you mentioned are supported. It is just that the iOS OpenVPN Connect is not supporting them. However, do note that most ASUS routers do not come with hardware acceleration for encryption, so setting the cipher too high may affect your overall performance.

You may also need to check the OpenVPN Connect iOS setting in Settings, OpenVPN, under Advanced settings, that you turn off “Force AES-CBC ciphersuites”, as it is for legacy OpenVPN compatibility. You may also set the minimum TLS version to 1.2 in the server settings.
 
Hi,
many thanks for the information about the beta version, which I wasn't aware of.
This should fix all problems (esp. tls-crypt, but also LZ4 and AES-256-GCM), as it was only the need itself to get an updated version ;-)
Hope they continuously work on newer versions in the future (and do not wait roughly a year)!
Thanks again, will try to join the beta program.
 
Looks like they just released the new version with tls-crypt support

https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8

Changes between 1.1.1 and 1.2.5:

* improved log verbosity
* added preference switch to disable MD5 in TLS
* converted VPN backend to new Apple Network Extensions framework
* implemented private keychain for storing certificates and passwords. PKCS#12 bundles imported via Safari or Mail must now end with '.ovpn12'
* implemented support for "tls-crypt" config option. If the OpenVPN server you are connecting to has enabled this option, it will provide a safer method to exchange certificates during the initial TLS handshake
* updated mbedTLS to 2.6.0 (MD5 support will be dropped on Apr, 31st 2018)
* updated ovpn3 backend
 
Hi, yes, thanks - checked already ;-)
But I did not get a step forward; I tried to import the above-mentioned ovpn config file in the new version 1.2.5 build 1. But as a result I get an import error: crypto_alg: RSA-SHA512: not found.
Thought maybe the strong one is not included, so changed to RSA-SHA256 or later to SHA1, but same message (RSA-SHAxxxx not found).
I am a little bit helpless, as I do not have an idea what causes this.
As far as I see there is as well no real documentation existing describing the error messages and their background.

Regarding the new version there are a lot of complaints about keychain, not working import, ...etc.
I don't believe this issue here is related to the new version, guess it's a general issue...

Then I deleted "auth RSA-SHA512", so I was at least able to import the ovpn file.
But then I get this:

OpenVPN core 3.1.2 ios arm64 64-bit built on Jan 5 2018 23:09:59
2018-01-13 00:00:18 Frame=512/2048/512 mssfix-ctrl=1250
2018-01-13 00:00:18 EVENT: CORE_ERROR mbed TLS: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]

Maybe you have any idea? Please let me know!!
 
Working fine here with: AES-128-CBC:AES-256-CBC

TLS control channel security is set to bi-directional auth as encrypt channel does not work on iOS. I have not tested the version that just came out 3 days ago though.
 

Just use
auth SHA512

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAJ
 
Hi, yes, RSA is not recognized in the correct way (the string is passed to the crypto library); switched to SHA512 now, but then the next error with PKCS5 - but (according to advice from the ovpn.org support forum) for iOS the key needs to be decrypted using openssl - so still not at the end of the way ;-)
But hopefully this will work, thanks for your help.
 
BTW: fully working now, created a complete new set of certs/keys and am using SHA512 and a decrypted key - so luckily this issue is solved!
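The two import problems this thread ran into (the OpenSSL-style `auth RSA-SHA512` digest name that mbed TLS rejects, and a passphrase-protected private key that fails with the PKCS5 error) plus the tls-crypt support requirement from the changelog above, checked by a small profile linter. This is an added example, not code from the thread, from OpenVPN or from OpenVPN Connect; the sample profile, the function names and the 1.2.5 version threshold (taken from the quoted changelog) are its assumptions.

```python
"""Linter for the OpenVPN Connect (iOS) import failures discussed in this thread.

Added example, not code from the thread or from OpenVPN/OpenVPN Connect.
It scans a client .ovpn profile for:
  * 'auth RSA-SHA512' (an OpenSSL digest name; mbed TLS reports
    "crypto_alg: RSA-SHA512: not found") and rewrites it as 'auth SHA512';
  * a passphrase-protected inline <key> (the cause of the PKCS5 "Requested
    encryption or digest alg not available" error), which the thread resolved
    by importing a decrypted key;
  * 'tls-crypt' when the client is older than 1.2.5, the first iOS release
    that supports it (assumption taken from the quoted changelog).
SAMPLE_PROFILE is constructed for the demonstration; its key body is a
placeholder, not a real key.
"""
import re
from typing import Optional, Tuple

# OpenSSL "RSA-SHA<n>" spelling on an 'auth' line; group 1 is the digest name.
RSA_DIGEST = re.compile(r"^auth\s+RSA-(SHA\d+|MD5)\s*$", re.IGNORECASE)
# Inline file blocks such as <key>...</key> and <tls-crypt>...</tls-crypt>.
INLINE_BLOCK = re.compile(r"<([\w-]+)>\n(.*?)\n</\1>", re.DOTALL)
# First OpenVPN Connect for iOS version with tls-crypt support (per the thread).
TLS_CRYPT_MIN_VERSION = (1, 2, 5)

DECRYPT_HINT = ("decrypt it first, e.g. 'openssl pkey -in client.key -out client-plain.key'"
                " (the plain key has no passphrase protection, so restrict its file permissions)")


def is_encrypted_private_key(pem: str) -> bool:
    """True when the PEM text is a passphrase-protected private key."""
    return ("BEGIN ENCRYPTED PRIVATE KEY" in pem       # PKCS#8 encrypted form
            or "Proc-Type: 4,ENCRYPTED" in pem)         # legacy PEM encryption header


def lint_profile(text: str, client_version: Optional[Tuple[int, ...]] = None) -> dict:
    """Return {'findings': [...], 'fixed': profile text with 'auth' lines rewritten}."""
    findings = []
    fixed_lines = []
    for line in text.splitlines():
        m = RSA_DIGEST.match(line.strip())
        if m:
            digest = m.group(1).upper()
            findings.append(f"'{line.strip()}' is an OpenSSL digest name; use 'auth {digest}'")
            fixed_lines.append(f"auth {digest}")
        else:
            fixed_lines.append(line)

    blocks = INLINE_BLOCK.findall(text)
    for name, body in blocks:
        if name == "key" and is_encrypted_private_key(body):
            findings.append(f"inline <key> is passphrase-protected; {DECRYPT_HINT}")

    # tls-crypt may appear as a directive with a file path or as an inline block.
    uses_tls_crypt = (any(l.strip().startswith("tls-crypt") for l in text.splitlines())
                      or any(name == "tls-crypt" for name, _ in blocks))
    if uses_tls_crypt and client_version is not None and client_version < TLS_CRYPT_MIN_VERSION:
        findings.append("tls-crypt needs OpenVPN Connect for iOS 1.2.5 or later; "
                        "older clients only support tls-auth")

    return {"findings": findings, "fixed": "\n".join(fixed_lines) + "\n"}


# Constructed sample profile reproducing the thread's configuration mistakes.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
auth RSA-SHA512
cipher AES-256-CBC
comp-lz4
tls-crypt tc.key
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""

if __name__ == "__main__":
    report = lint_profile(SAMPLE_PROFILE, client_version=(1, 1, 1))
    for finding in report["findings"]:
        print("-", finding)
    print(report["fixed"])
```

Run against a profile exported from the router, the linter only rewrites the `auth` line; the key still has to be decrypted by hand, because the passphrase is not in the profile.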
 