Select Page

This news article is no longer relevant - the issues mentioned here have been resolved. See here:

With software development, it is inevitable that some problems can occur. So it is with our OpenVPN Connect for iOS app. We regret this, and we offer you our sincerest apologies. We do feel we have done sufficient development and (beta) testing before release, as it took us many months of testing and beta testing. But there will always be combinations of factors that our customers use that may have fallen outside of what we expected. The issues encountered are of such a nature that they can, in most cases, be reasonably easily remedied, or if not, a solution provided by us with future updates of the app. We are collecting information from you, our users, to fix the problems as soon as possible. We aim to provide information here that will help users experiencing problems to reach a solution on their own, or to at least know what the current problems are and how we intend to resolve them.

As people may have noticed it's been a long time since we made a new release. Mostly because what we had worked well. Over the past months however we have been working on creating a new app, and this is not just an 'update'. This is pretty much a complete rebuild of the underlying code. And we did that because the old VPN API in the iOS operating system is going to disappear soon. We originally were crucial into making it possible for VPN solutions to be added on the iOS platform. In the past, there simply was no support for any other VPN solution but the ones already built into iOS. That meant OpenVPN simply wasn't possible in the past. We made it possible, together with Apple. While this platform has functioned well enough, recent developments aim for a more universal VPN API in iOS and a more secure model for apps to store and access sensitive data like private keys and certificates. In other words, the old model was getting outdated and didn't meet current security standards. We have to move on to new developments.

The latest version of OpenVPN Connect for iOS, version 1.2.5, works with the new API in iOS called Network Extensions. It's a completely different way of communicating between OpenVPN Connect app and iOS, and managing VPN connections. We now also use the new privilege model for handling certificates and keys - to stick to only the portion of the keychain that OpenVPN Connect needs access to. In fact we have no choice in this, this is how it must be to meet current security standard set by Apple. This has however lead to an interesting problem when mobileconfig is used in combination with PKCS#12 bundled profiles that we are working hard with Apple to try and resolve where iOS takes ownership in a way, and denies access to the OpenVPN Connect for iOS app. this will require the app to have access to areas of the keychain it now does not have access to. We hope to have this resolved shortly by getting access to this from Apple.

In other cases PKCS#12 keys that were imported to the keychain on the old app, may need to simply be reimported in the OpenVPN Connect for iOS app and then reselected in the app. Make sure to name the file .ovpn12 so it is picked up correctly by the app. This way the contents will now be saved in the correct section of the keychain in iOS that the OpenVPN Connect for iOS app is now restricted to.

If you experience connectivity problems we highly recommend looking at the log file information as this will contain vital clues about what the issue may be. We refer you to this page that will help in troubleshooting client connectivity problems;

If you are a user of our OpenVPN Access Server commercial VPN server product, we recommend you send any problems you experience to our support ticket system.

If you are using the open source version of OpenVPN or OpenVPN on a third-party device (also open source then), we recommend you post any problems you experience on the community forums.

Our apologies for any problems experienced. We are working on the issues as fast and as diligently as possible. Please note that it is not possible for us for technical reasons to revert back to the old codebase. It will not be accepted for release anyways because it would be using the old VPN API which we may not use anymore. We must move forward and we are working to fix the issues as soon as is humanly possible.

Some known issues and solutions

certificates no longer found or recognized
People have mentioned that their certificate bundles are not being recognized anymore by OpenVPN Connect for iOS. If that is so then that is likely because there is now a new privilege separation in effect that we must adhere to that makes it so that the app can only access its own portion of the keychain. If you import the keys using the OpenVPN Connect for iOS app directly, they will become visible, and you can then select them and use them. The most important step is that the PKCS#12 certificate bundle file needs to be named .ovpn12 for it to be picked up.

mobileconfig not working anymore
There are 2 main reasons for this problem. One is that certificates loaded outside of the OpenVPN Connect for iOS app are not accessible anymore by the app. This is something that we're trying to get Apple to give us permission to again so we can fix this. This is a consequence of having to use the new privilege separation model and the new Network Extensions protocol. The other reason is that the application has changed identifier name and the mobileconfig needs to be updated for it to work on the new app. You can find this in the OpenVPN Connect for iOS FAQ page.

This community forum post and the posts directly below it also explain in more detail a workaround to get mobileconfig working again:

TLS Error: incoming packet authentication failed from [....]
Authenticate/Decrypt packet error: packet HMAC authentication failed
An issue was reported with tls-auth not working. If you see the above two lines together like that in the server logs after you have upgraded your client to 1.2.5 of OpenVPN Connect for iOS you may be affected by this problem. We do not see this problem for users of the Access Server because we specifically mention the key-direction parameter but for open source users this issue can show up when the key direction directive is missing. This is a problem that we will resolve in our next releases to make some sort of sane assumption about what the key direction should be. For now you can work around it by adding the key direction manually. For example if you have an embedded tls-auth key, you can add a line in your config files on both the server and the clients that states simply:

key-direction 1

Or in the case you use key-direction 0, use a 0. See documentation here to find out more information: OpenVPN 2.4 manpage

If you do not use an inline key but reference an external file, then simply add the number after the tls-auth directive:

tls-auth file.key 1

Be sure that the number you put is inverted. By that we mean to say that if on the server you put 0, you must put 1 on the client. Don't put the same value on both server and clients.

Impossible to resolve hostnames using the DNS set in the VPN configuration
Another reported issue is about the DNS set set in the VPN profile (or pushed by the server) not being used. A common symptoms of this problem is that local hostnames, those normally resolved by your own DNS, won't be resolved.
This problem is caused by a longstanding bug in the Apple API which will be addressed in our next release (v1.2.6). For the time being, there is a known workaround which consists in routing all the traffic through the VPN. It is possible to achieve that by adding the following statement to the client configuration:

gateway-redirect def1

or, alternatively, the following statement to the server configuration:

push "redirect-gateway def1"