On macOS, connecting through Tunnelblick succeeds.
On iOS, through OpenVPN Connect (1.0.5 build 177), it does not connect.
Please share your experience.
Server settings for UDP and TCP (the only difference is the proto value):
port 1194
server 192.168.50.0 255.255.255.0
proto udp
dev tun
key /etc/openvpn/pki/private/server.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
dh /etc/openvpn/pki/dh.pem
tls-server
tls-auth /etc/openvpn/pki/ta.key 0
cipher AES-128-CBC
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.8.4"
push "route 192.168.50.0 255.255.255.0"
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
verb 4
status server1194-status.log
Client settings:
client
nobind
tls-client
dev tun
remote vpn.server.com 1194 udp
remote vpn.server.com 943 tcp
remote vpn.server.com 1194 udp
remote vpn.server.com 1194 udp
remote vpn.server.com 1194 udp
resolv-retry infinite
redirect-gateway
pull
cipher AES-128-CBC
persist-tun
persist-key
comp-lzo
verb 3
#link-mtu 1560
# remote-cert-tls server
# ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
iptables:
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 943 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Only UDP was started; below are the connection logs from the iPhone and macOS.
Log of the failed connection from the iPhone:
Sat Mar 5 08:43:26 2016 us=694901 MULTI: multi_create_instance called
Sat Mar 5 08:43:26 2016 us=695054 94.137.32.144:62760 Re-using SSL/TLS context
Sat Mar 5 08:43:26 2016 us=695161 94.137.32.144:62760 LZO compression initialized
Sat Mar 5 08:43:26 2016 us=695441 94.137.32.144:62760 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:3 ]
Sat Mar 5 08:43:26 2016 us=695483 94.137.32.144:62760 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Sat Mar 5 08:43:26 2016 us=695626 94.137.32.144:62760 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sat Mar 5 08:43:26 2016 us=695657 94.137.32.144:62760 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sat Mar 5 08:43:26 2016 us=695713 94.137.32.144:62760 Local Options hash (VER=V4): 'a2e63101'
Sat Mar 5 08:43:26 2016 us=695737 94.137.32.144:62760 Expected Remote Options hash (VER=V4): '272f1b58'
Sat Mar 5 08:43:26 2016 us=695814 94.137.32.144:62760 TLS: Initial packet from [AF_INET]94.137.32.144:62760, sid=56adea7c 889b872f
Sat Mar 5 08:44:13 2016 us=22480 MULTI: multi_create_instance called
Sat Mar 5 08:44:13 2016 us=22711 94.137.32.144:54499 Re-using SSL/TLS context
Sat Mar 5 08:44:13 2016 us=22788 94.137.32.144:54499 LZO compression initialized
Sat Mar 5 08:44:13 2016 us=22968 94.137.32.144:54499 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:3 ]
Sat Mar 5 08:44:13 2016 us=23002 94.137.32.144:54499 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Sat Mar 5 08:44:13 2016 us=23096 94.137.32.144:54499 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sat Mar 5 08:44:13 2016 us=23111 94.137.32.144:54499 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sat Mar 5 08:44:13 2016 us=23151 94.137.32.144:54499 Local Options hash (VER=V4): 'a2e63101'
Sat Mar 5 08:44:13 2016 us=23170 94.137.32.144:54499 Expected Remote Options hash (VER=V4): '272f1b58'
Sat Mar 5 08:44:13 2016 us=23216 94.137.32.144:54499 TLS: Initial packet from [AF_INET]94.137.32.144:54499, sid=b4177981 41c9c98d
Sat Mar 5 08:44:26 2016 us=601875 94.137.32.144:62760 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Mar 5 08:44:26 2016 us=601931 94.137.32.144:62760 TLS Error: TLS handshake failed
Sat Mar 5 08:44:26 2016 us=602214 94.137.32.144:62760 SIGUSR1[soft,tls-error] received, client-instance restarting
Sat Mar 5 08:45:13 2016 us=315001 94.137.32.144:54499 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Mar 5 08:45:13 2016 us=315134 94.137.32.144:54499 TLS Error: TLS handshake failed
Sat Mar 5 08:45:13 2016 us=315333 94.137.32.144:54499 SIGUSR1[soft,tls-error] received, client-instance restarting
Log of the successful macOS connection:
Sat Mar 5 08:45:22 2016 us=413762 MULTI: multi_create_instance called
Sat Mar 5 08:45:22 2016 us=413985 94.137.32.144:63338 Re-using SSL/TLS context
Sat Mar 5 08:45:22 2016 us=414084 94.137.32.144:63338 LZO compression initialized
Sat Mar 5 08:45:22 2016 us=414249 94.137.32.144:63338 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:3 ]
Sat Mar 5 08:45:22 2016 us=414274 94.137.32.144:63338 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:143 ET:0 EL:3 AF:3/1 ]
Sat Mar 5 08:45:22 2016 us=414453 94.137.32.144:63338 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sat Mar 5 08:45:22 2016 us=414477 94.137.32.144:63338 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sat Mar 5 08:45:22 2016 us=414542 94.137.32.144:63338 Local Options hash (VER=V4): 'a2e63101'
Sat Mar 5 08:45:22 2016 us=414566 94.137.32.144:63338 Expected Remote Options hash (VER=V4): '272f1b58'
Sat Mar 5 08:45:22 2016 us=414629 94.137.32.144:63338 TLS: Initial packet from [AF_INET]94.137.32.144:63338, sid=138c0839 82fec55c
Sat Mar 5 08:45:23 2016 us=450942 94.137.32.144:63338 VERIFY OK: depth=1, CN=vpn.server.com
Sat Mar 5 08:45:23 2016 us=451309 94.137.32.144:63338 VERIFY OK: depth=0, CN=egor-imac
Sat Mar 5 08:45:23 2016 us=619095 94.137.32.144:63338 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Mar 5 08:45:23 2016 us=619146 94.137.32.144:63338 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 5 08:45:23 2016 us=619163 94.137.32.144:63338 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Mar 5 08:45:23 2016 us=619184 94.137.32.144:63338 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 5 08:45:23 2016 us=703709 94.137.32.144:63338 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Mar 5 08:45:23 2016 us=703772 94.137.32.144:63338 [egor-imac] Peer Connection Initiated with [AF_INET]94.137.32.144:63338
Sat Mar 5 08:45:23 2016 us=703827 egor-imac/94.137.32.144:63338 MULTI_sva: pool returned IPv4=192.168.50.6, IPv6=(Not enabled)
Sat Mar 5 08:45:23 2016 us=703905 egor-imac/94.137.32.144:63338 MULTI: Learn: 192.168.50.6 -> egor-imac/94.137.32.144:63338
Sat Mar 5 08:45:23 2016 us=703937 egor-imac/94.137.32.144:63338 MULTI: primary virtual IP for egor-imac/94.137.32.144:63338: 192.168.50.6
Sat Mar 5 08:45:26 2016 us=89636 egor-imac/94.137.32.144:63338 PUSH: Received control message: 'PUSH_REQUEST'
Sat Mar 5 08:45:26 2016 us=89676 egor-imac/94.137.32.144:63338 send_push_reply(): safe_cap=940
Sat Mar 5 08:45:26 2016 us=89725 egor-imac/94.137.32.144:63338 SENT CONTROL [egor-imac]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.8.4,route 192.168.50.0 255.255.255.0,route 192.168.50.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.50.6 192.168.50.5' (status=1)
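In the quoted server log the two iPhone sessions (ports 62760 and 54499) show only the client's initial TLS packet and then, exactly 60 seconds later, "TLS key negotiation failed to occur within 60 seconds", while the macOS session (port 63338) goes on to VERIFY OK for both certificates and "Peer Connection Initiated". The local and expected remote options strings and hashes are identical in all three sessions, so the server expected the same thing from every client. The following helpers are an added example for triaging exactly this kind of log and profile; they are not part of the original post and not part of OpenVPN. They assume the verb 4 server-log layout shown above ("Day Mon D HH:MM:SS YYYY us=N [cn/]ip:port message"); the sample inputs are constructed from the post's own lines with the PEM bodies removed, and the function names and finding codes are my own. The first helper groups log lines per peer and classifies each handshake; the second checks the client profile and flags two things visible in the posted one: the commented-out `remote-cert-tls server` (without it, or the deprecated `ns-cert-type server`, the client accepts any certificate issued by the CA as the server's, which is the reason the directive exists) and the repeated `remote` lines.

```python
# Triage helpers for the OpenVPN server log and client profile quoted above.
# Added example, not code from the original post or from OpenVPN.
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a trimmed copy of the server-log lines quoted in the post.
SAMPLE_LOG = """\
Sat Mar 5 08:43:26 2016 us=694901 MULTI: multi_create_instance called
Sat Mar 5 08:43:26 2016 us=695814 94.137.32.144:62760 TLS: Initial packet from [AF_INET]94.137.32.144:62760, sid=56adea7c 889b872f
Sat Mar 5 08:44:13 2016 us=23216 94.137.32.144:54499 TLS: Initial packet from [AF_INET]94.137.32.144:54499, sid=b4177981 41c9c98d
Sat Mar 5 08:44:26 2016 us=601875 94.137.32.144:62760 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Mar 5 08:45:13 2016 us=315001 94.137.32.144:54499 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Mar 5 08:45:22 2016 us=414629 94.137.32.144:63338 TLS: Initial packet from [AF_INET]94.137.32.144:63338, sid=138c0839 82fec55c
Sat Mar 5 08:45:23 2016 us=450942 94.137.32.144:63338 VERIFY OK: depth=1, CN=vpn.server.com
Sat Mar 5 08:45:23 2016 us=451309 94.137.32.144:63338 VERIFY OK: depth=0, CN=egor-imac
Sat Mar 5 08:45:23 2016 us=703772 94.137.32.144:63338 [egor-imac] Peer Connection Initiated with [AF_INET]94.137.32.144:63338
"""

# Constructed sample: the client profile from the post, minus the PEM bodies.
SAMPLE_CLIENT_CONF = """\
client
remote vpn.server.com 1194 udp
remote vpn.server.com 943 tcp
remote vpn.server.com 1194 udp
cipher AES-128-CBC
# remote-cert-tls server
# ns-cert-type server
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

# Timestamp, optional "cn/" prefix (present once the peer is authenticated), ip:port, message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) us=\d+ "
                     r"(?:[\w.-]+/)?(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$")
VERIFY_RE = re.compile(r"VERIFY OK: depth=\d+, CN=(?P<cn>\S+)")


def analyze_sessions(log_text):
    """Group log lines by peer ip:port and classify each TLS handshake as
    'initial_only', 'established' or 'handshake_timeout'."""
    sessions = defaultdict(lambda: {"state": "initial_only", "initial_at": None,
                                    "verified_cns": [], "seconds_to_failure": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # MULTI:/bookkeeping lines carry no peer prefix
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        s, msg = sessions[m["peer"]], m["msg"]
        verify = VERIFY_RE.match(msg)
        if msg.startswith("TLS: Initial packet"):
            s["initial_at"] = ts
        elif verify:
            s["verified_cns"].append(verify["cn"])
        elif "Peer Connection Initiated" in msg:
            s["state"] = "established"
        elif "TLS key negotiation failed" in msg:
            s["state"] = "handshake_timeout"
            if s["initial_at"] is not None:
                s["seconds_to_failure"] = int((ts - s["initial_at"]).total_seconds())
    return dict(sessions)


def summarize(sessions):
    """Count sessions per handshake state, e.g. {'handshake_timeout': 2, 'established': 1}."""
    return dict(Counter(s["state"] for s in sessions.values()))


def parse_ovpn(text):
    """Split a profile into active and commented-out directives (token lists);
    an inline <tag>...</tag> block is recorded as a single 'inline:tag' entry."""
    active, commented, in_block = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_block:
            in_block = not line.startswith("</")
        elif line.startswith("<"):
            in_block = True
            active.append(["inline:" + line.strip("<>")])
        elif line[0] in "#;":
            commented.append(line[1:].split())
        else:
            active.append(line.split())
    return active, commented


def audit_client_config(text):
    """Return (code, detail) findings for client-side settings worth a second look."""
    active, commented = parse_ovpn(text)
    names = {d[0] for d in active}
    findings = []
    if not names & {"remote-cert-tls", "ns-cert-type"}:
        hint = " (present but commented out)" if any(
            d and d[0] in ("remote-cert-tls", "ns-cert-type") for d in commented) else ""
        findings.append(("NO_SERVER_CERT_CHECK", "server certificate is not required to be "
                         "a server cert; any cert issued by the same CA is accepted" + hint))
    for entry, n in Counter(" ".join(d) for d in active if d[0] == "remote").items():
        if n > 1:
            findings.append(("DUPLICATE_REMOTE", f"{entry} listed {n} times"))
    has_dir = "key-direction" in names or any(d[0] == "tls-auth" and len(d) > 2 for d in active)
    if names & {"tls-auth", "inline:tls-auth"} and not has_dir:
        findings.append(("KEY_DIRECTION_MISSING", "tls-auth configured without a key direction"))
    return findings
```

Run against the constructed samples, `summarize(analyze_sessions(SAMPLE_LOG))` reports two handshake timeouts (both 60 seconds after the initial packet) and one established session with CNs vpn.server.com and egor-imac, and `audit_client_config(SAMPLE_CLIENT_CONF)` returns NO_SERVER_CERT_CHECK and DUPLICATE_REMOTE but no KEY_DIRECTION_MISSING, since the profile carries `key-direction 1` beside the inline tls-auth block. Uncommenting `remote-cert-tls server` and removing the repeated `remote` line clears both findings.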