
Why no how-to guide for using AirVPN with OpenVPN on iOS?

IOSiphone authentication errors


#1 Sharrow

Sharrow

    Newbie

  • Members
  • 5 posts

Posted 09 May 2016 - 03:33 PM

I really could have used such a how-to guide for iOS as with the default UDP443 I was getting constant authentication errors and the AirVPN service was frustratingly unreliable. Only with a bit of digging did I find this thread on the forums which suggested using TCP443 instead of UDP443. This very simple change together with some suggested settings for OpenVPN on iOS has resulted in a VERY stable connection, exactly what I wanted and expected in the first place.

 

Please note that I am based in the UK and am connecting primarily to the Netherlands servers. Users in other locations may well experience less/more issues than I did.

 

For more very helpful information about using AirVPN please see this excellent thread by LZ1.

 

-------

 

So, to get AirVPN up and running reliably on iOS:

 

1. Install the free OpenVPN app from the App Store.

 

2. Use TCP, port 443 when generating config file(s) for iOS from your AirVPN client area (and not UDP, port 443 which is the default).

 

3. I used the via iTunes method for getting the .ovpn config files from my desktop onto my iPhone where OpenVPN picks them up automatically. There are various other options available.

 

4. Adjust the OpenVPN settings below as suggested by users SlyFox & Keksjdjdke:

 

(Note that these settings are only available via the main iOS Settings app as the OpenVPN app has no settings of its own)

 

- Seamless tunnel (ON) - for those on iOS8 or newer.

- Connect via: any network

- Reconnect on wakeup (ON)

- Protocol: Adaptive

- Compression: Full (the default I think?)

- Connection timeout: None

- Network state detection: Active

- Force AES-CBC ciphersuites: OFF (OFF = better encryption method - AES-256-CBC with HMAC-SHA1 (when ON) vs AES-256-GCM with HMAC-SHA384 (when OFF)).

- Google DNS fallback: ON (the default I think but up to the individual user of course)

- Layer 2 reachability: ON

 

5. Launch the OpenVPN app and connect.

 

 

EDIT 03July: updated guide with some extra details.



#2 Br0wnb3ar15

Br0wnb3ar15

    Newbie

  • Members
  • 5 posts

Posted 09 May 2016 - 08:32 PM

UDP443, TCP or UDP 53 or 80 work just fine too, latter are ports used by DNS. If you're having issues with UDP443, chances are it's your ISP blocking the port or you have packet loss causing performance issues.

#3 zhang888

zhang888

    Donald Trump of IT/Security

  • Moderators
  • 2219 posts

Posted 09 May 2016 - 08:40 PM

There is a guide located here:

https://airvpn.org/ios/


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


#4 mehāniskākaravīrs935

mehāniskākaravīrs935

    Advanced Member

  • Members
  • 146 posts
  • Location: Uranus

Posted 10 May 2016 - 02:32 PM

> There is a guide located here:
> https://airvpn.org/ios/

I think the point he is trying to make is that settings for the app are not specified. I had to do trial and error to figure out what worked best. Even then I cannot use anything other than North American servers because if I use anything else it will timeout upon waking the device (something I have never had a problem with any other provider). Which is strange because on the android devices I have used in the past there has never been a problem. AirVPN on iOS is quite problematic and we pretty much have to deal with it which is even more annoying because an AirVPN app on iOS could probably fix these issues.

#5 zhang888

zhang888

    Donald Trump of IT/Security

  • Moderators
  • 2219 posts

Posted 10 May 2016 - 02:46 PM

A native VPN app is not possible on iOS due to platform restrictions.

OpenVPN is supported only via the native app, to which Apple explicitly allowed to use the system wide VPN route. Other apps just seem to be delivering config files for the official app.

But the guide is for iOS 6.x, the screenshots might need a small refresh to match iOS 9.x.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


#6 mehāniskākaravīrs935

mehāniskākaravīrs935

    Advanced Member

  • Members
  • 146 posts
  • Location: Uranus

Posted 10 May 2016 - 03:32 PM

> A native VPN app is not possible on iOS due to platform restrictions.
> OpenVPN is supported only via the native app, to which Apple explicitly allowed to use the
> system wide VPN route. Other apps just seem to be delivering config files for the official app.
> But the guide is for iOS 6.x, the screenshots might need a small refresh to match iOS 9.x.

Although that explains why there isn't an app for AirVPN, that still does not describe why I have problems reconnecting from wake up with them but no other provider. My point is AirVPN's config files have compatibility issues with iOS. Surely I can't be the only one experiencing issues.

#7 Sharrow

Sharrow

    Newbie

  • Members
  • 5 posts

Posted 10 May 2016 - 04:25 PM

55+ hours now connected to GB servers on my iphone without a single issue. Nice. Previously I would go maybe 20min tops before encountering an authentication error and a disconnect. I only use GB or Dutch servers.

 

 

> UDP443, TCP or UDP 53 or 80 work just fine too, latter are ports used by DNS. If you're having issues with UDP443, chances are its your ISP blocking the port or you have packet loss causing performance issues.

 

I use UDP443 on the desktop without a single issue so doubtful my serious problems with UDP443 on the iphone on the same network could be ISP related. Or could they?

 

 

> There is a guide located here:
>
> https://airvpn.org/ios/

 

Why no link to it then from the How-To section? Because it's so outdated?

 

 

> > There is a guide located here:
> > https://airvpn.org/ios/
>
> I think the point he is trying to make is that settings for the app are not specified. I had to do trial and error to figure out what worked best. Even then I cannot use anything other than North American servers because if I use anything else it will timeout upon waking the device ( something I have never had a problem with any other provider). Which is strange because on the android devices I have used in the past there has never been a problem. AirVPN on iOS is quite problematic and we pretty much have to deal with it which is even more annoying because an AirVPN app on iOS could probably fix these issues.

 

Did you try TCP443 instead of UDP443 and the rest of the suggested OpenVPN settings?

 

 

> A native VPN app is not possible on iOS due to platform restrictions.
>
> OpenVPN is supported only via the native app, to which Apple explicitly allowed to use the system wide VPN route. Other apps just seem to be delivering config files for the official app.
>
> But the guide is for iOS 6.x, the screenshots might need a small refresh to match iOS 9.x.

 

No doubt that it needs not only an update but an expansion to include both a note about using TCP/UDP on iOS and suggested OpenVPN settings. And a link to it from the How-To section...



#8 Br0wnb3ar15

Br0wnb3ar15

    Newbie

  • Members
  • 5 posts

Posted 10 May 2016 - 04:30 PM

> Although that explains why there isn't a app for AirVPN that still does not describe why I have problems reconnecting from wake up with them but no other provider. My point is AirVPN's config files have compatibility issues with iOS. Surely I can't be the only one experiencing issues

Never had issues with config files. It would be great if the next rev of OpenVPN Connect included VPN over SSH SSL or ability to use pluggable transport like obfs or Meek. I typically buy latest iOS devices when they come out and the A9 core could handle the overhead.

@Staff isn't there a way to disable logging within the openVPN app (iOS, OSX, Win, etc) via config file setup? That would be my request for something that could be done on Air's side.

#9 zhang888

zhang888

    Donald Trump of IT/Security

  • Moderators
  • 2219 posts

Posted 10 May 2016 - 04:33 PM

SSL and SSH will not be possible on stock iOS due to platform restrictions.

You can set a custom "verb 0" directive. But this is not related to iOS or Air, this is simply the OpenVPN basic manual.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


#10 mehāniskākaravīrs935

mehāniskākaravīrs935

    Advanced Member

  • Members
  • 146 posts
  • Location: Uranus

Posted 10 May 2016 - 06:53 PM

> 55+ hours now connected to GB servers on my iphone without a single issue. Nice. Previously I would go maybe 20min tops before encountering an authentication error and a disconnect. I only use GB or Dutch servers.
>
> > UDP443, TCP or UDP 53 or 80 work just fine too, latter are ports used by DNS. If you're having issues with UDP443, chances are its your ISP blocking the port or you have packet loss causing performance issues.
>
> I use UDP443 on the desktop without a single issue so doubtful my serious problems with UDP443 on the iphone on the same network could be ISP related. Or could they?
>
> > There is a guide located here:
> >
> > https://airvpn.org/ios/
>
> Why no link to it then from the How-To section? Because it's so outdated?
>
> > > There is a guide located here:
> > > https://airvpn.org/ios/
> >
> > I think the point he is trying to make is that settings for the app are not specified. I had to do trial and error to figure out what worked best. Even then I cannot use anything other than North American servers because if I use anything else it will timeout upon waking the device ( something I have never had a problem with any other provider). Which is strange because on the android devices I have used in the past there has never been a problem. AirVPN on iOS is quite problematic and we pretty much have to deal with it which is even more annoying because an AirVPN app on iOS could probably fix these issues.
>
> Did you try TCP443 instead of UDP443 and the rest of the suggested OpenVPN settings?
>
> > A native VPN app is not possible on iOS due to platform restrictions.
> >
> > OpenVPN is supported only via the native app, to which Apple explicitly allowed to use the system wide VPN route. Other apps just seem to be delivering config files for the official app.
> >
> > But the guide is for iOS 6.x, the screenshots might need a small refresh to match iOS 9.x.
>
> No doubt that it needs not only an update but an expansion to include both a note about using TCP/UDP on iOS and suggested OpenVPN settings. And a link to it from the How-To section...

 

 

My issue mainly occurs on servers outside North America. I can connect to American and Canadian servers without the endless reconnect on wakeup (which is why I use them so often) it's when I use any other server in any other part of the world that this causes a problem. Even GB servers time out when I wake up my phone. I am not sure where you physically are, but if you want to replicate my issue try using a server farthest away from you for most of the day and you should see what I am talking about.



#11 Keksjdjdke

Keksjdjdke

    Advanced Member

  • Members
  • 207 posts

Posted 11 May 2016 - 03:16 PM

Disable "force AES-CBC ciphersuites", disabling this option will 'enable AES-256-GCM with HMAC-SHA384'. When the option "force AES-CBC cipher suites" is enabled the VPN client will use AES-256-CBC with HMAC-SHA1.

#12 mehāniskākaravīrs935

mehāniskākaravīrs935

    Advanced Member

  • Members
  • 146 posts
  • Location: Uranus

Posted 11 May 2016 - 04:59 PM

> Disable "force AES-CBC ciphersuites", disabling this option will 'enable AES-256-GCM with HMAC-SHA384'. When the option "force AES-CBC cipher suites" is enabled the Vpn client will use AES-256-CBC with HMAC-SHA1.

Just curious, what difference does that make? Does the client have an easier time reconnecting or is it just a better encryption method?

#13 Keksjdjdke

Keksjdjdke

    Advanced Member

  • Members
  • 207 posts

Posted 11 May 2016 - 05:31 PM

> > Disable "force AES-CBC ciphersuites", disabling this option will 'enable AES-256-GCM with HMAC-SHA384'. When the option "force AES-CBC cipher suites" is enabled the Vpn client will use AES-256-CBC with HMAC-SHA1.
>
> Just curious, what difference does that make ? Does the client have an easier time reconnecting or is it just a better encryption method?

Better encryption method.
AES-256-CBC with HMAC-SHA1 VS AES-256-GCM with HMAC-SHA384.
With AES-256-GCM with HMAC-SHA384 being the stronger cipher.
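The settings in this thread that live in the .ovpn profile itself (transport and port from the first post, `verb 0` from post #9, and the cipher/HMAC pair named in the posts above) can be checked before the file is copied to the phone. This is an added example, not part of any poster's message and not AirVPN or OpenVPN code; the sample profile, host name and note labels are constructed, and the iOS app toggles are not covered because they are set in the Settings app rather than in the profile.

```python
# Added example: audit an OpenVPN client profile; SAMPLE_PROFILE is constructed, values are placeholders.
SAMPLE_PROFILE = """\
client
proto udp
remote vpn.example.net 443
cipher AES-256-CBC
auth SHA1
verb 3
<ca>
(constructed placeholder, certificate body omitted)
</ca>
"""

def parse_profile(text):
    """Map each top-level directive to a list of argument lists; inline <blocks> are skipped."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if block:                                  # inside <ca>, <cert>, <key>, ...
            block = None if line == f"</{block}>" else block
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
        elif line and not line.startswith(";"):    # ';' also starts a comment
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def audit(text):
    d = parse_profile(text)
    def last(name, default):                       # last occurrence of a directive wins
        return d[name][-1][0] if d.get(name) and d[name][-1] else default
    proto, port = last("proto", "udp"), last("port", "1194")   # OpenVPN defaults
    report = {
        "remotes": [(a[0], a[1] if len(a) > 1 else port, a[2] if len(a) > 2 else proto)
                    for a in d.get("remote", []) if a],
        "verb": int(last("verb", "1")),            # OpenVPN default verbosity is 1
        "cipher": last("cipher", None),
        "auth": last("auth", None),
        "notes": [],
    }
    if any(p.startswith("udp") for _, _, p in report["remotes"]):
        report["notes"].append("udp-transport: first post found TCP 443 more stable on iOS")
    if report["verb"] > 0:
        report["notes"].append("logging-on: 'verb 0' leaves only fatal errors in the log")
    if report["cipher"] and report["cipher"].upper().endswith("-CBC"):
        report["notes"].append("cbc-cipher: integrity relies on the separate 'auth' HMAC")
    return report

print(audit(SAMPLE_PROFILE)["notes"])
```

A profile regenerated with `proto tcp`, `verb 0` and a GCM cipher produces an empty `notes` list.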



#14 Sharrow

Sharrow

    Newbie

  • Members
  • 5 posts

Posted 12 May 2016 - 03:54 PM

 

> > > Disable "force AES-CBC ciphersuites", disabling this option will 'enable AES-256-GCM with HMAC-SHA384'. When the option "force AES-CBC cipher suites" is enabled the Vpn client will use AES-256-CBC with HMAC-SHA1.
> >
> > Just curious, what difference does that make ? Does the client have an easier time reconnecting or is it just a better encryption method?
>
> Better encryption method.
> AES-256-CBC with HMAC-SHA1 VS AES-256-GCM with HMAC-SHA384.
> With AES-256-GCM with HMAC-SHA384 being the stronger cipher.

Thanks for this info!



#15 Keksjdjdke

Keksjdjdke

    Advanced Member

  • Members
  • 207 posts

Posted 12 May 2016 - 07:13 PM




 



> > > > Disable "force AES-CBC ciphersuites", disabling this option will 'enable AES-256-GCM with HMAC-SHA384'. When the option "force AES-CBC cipher suites" is enabled the Vpn client will use AES-256-CBC with HMAC-SHA1.
> > >
> > > Just curious, what difference does that make ? Does the client have an easier time reconnecting or is it just a better encryption method?
> >
> > Better encryption method.
> > AES-256-CBC with HMAC-SHA1 VS AES-256-GCM with HMAC-SHA384.
> > With AES-256-GCM with HMAC-SHA384 being the stronger cipher.
>
> Thanks for this info!

No problem.

#16 Sharrow

Sharrow

    Newbie

  • Members
  • 5 posts

Posted 23 May 2016 - 10:33 AM

To follow up: I was still getting authentication errors once every two days or so on iOS so I have adjusted the following OpenVPN setting:

 

Layer 2 reachability: ON

 

This seems to have reduced the authentication errors still further. I still get them but it's much less frequent.



#17 Keksjdjdke

Keksjdjdke

    Advanced Member

  • Members
  • 207 posts

Posted 23 May 2016 - 02:47 PM

> To follow up: I was still getting authentication errors once every two days or so on iOS so I have adjusted the following OpenVPN setting:
>
> Layer 2 reachability: ON
>
> This seems to have reduced the authentication errors still further. I still get them but it's much less frequent.

Can you post your logs from openvpn connect? Just go into the app then tap on word status after that copy all the text and post it here. Use the spoiler tags when you post the log.

#18 macinmac

macinmac

    Newbie

  • Members
  • 6 posts

Posted 17 March 2017 - 06:20 PM

Bringing this thread back on with a little question:

 

On desktops we have the Network Lock option to avoid network leak; now, is this possible to have it on iOS, since logging into Twitter for example, I see my original IP from time to time, even though I have the VPN Status Bar Icon on, 99% of the time, but, it seems that for a tiny moment till the iPhone wakes up, and it gets connected to AirVPN it leaks something there.

 

It's not something that bothers me, but I would like to have a fix to it, IF would be possible.

 

Thank You.



#19 giganerd

giganerd

    I shall have no title

  • Members2
  • 2687 posts
  • Location: Germany

Posted 20 March 2017 - 10:00 PM

> It's not something that bothers me, but I would like to have a fix to it, IF would be possible.

 

There are a few threads in the past talking about this, including this. It's due to how iOS is designed, there's nothing AirVPN or even OpenVPN can do.

And Network Lock is an Eddie feature. There's not even a client on Android, and that's the easier OS to implement a VPN on. :)


Always remember:
There's a guide to AirVPN,

Amazon IPs are not dangerous here,
running TOR exits is discouraged,

using spoilers for your logs helps us read your thread.

~ Furthermore, I propose that your paranoia is to be destroyed. ~

Instead of writing me a personal mail, consider contacting me via XMPP at gigan3rd@xmpp.airvpn.org or join the lounge@conference.xmpp.airvpn.org. I might read the mail too late whereas I'm always available on XMPP ;)





