OpenVPN3.0 (very old client) is not able to connect with OpenVPN Server 2.6.12

[ChauhanPriyanka]

Hi team,

I'm new to OpenVPN, I have recently upgraded my openvpn server from 2.5.6. to 2.6.12
Post openvpn server upgrade, Android clients version 2.4 version (old), is able to connect to openvpn server 2.6.12.
However the IOS client (3.0) version is not able to connect to open vpn server anymore.
Sharing the client and server config config files and failure logs.
If i revert the openvpn server, the openvpn connection will start working.
I understand that openvpn client is very old, but it can still connect. I did not find any documentation that points to compatibility issue.
Please help, I'm stuck in this state from last one week.

server.conf

dev tun
dev-node VPNT
topology subnet
port 8114
proto udp
persist-key 
persist-tun 
server  10.1.0.224 255.255.255.224
keepalive 60 300
plugin "C:\\tls-plugin.dll"
log-append "C:\\ProgramData\\VPN\\log4c.conf"
status "C:\\ProgramData\\VPN\\vpn-status.log" 47
ca "C:\\ProgramData\\VPN\\ca.crt"
cert "C:\\ProgramData\\VPN\\server.crt"
key "C:\\ProgramData\\VPN\\server.key"
tls-auth "C:\\ProgramData\\VPN\\TA.key"
auth SHA256
dh "C:\\ProgramData\\VPN\\dh2048.pem"
push "redirect-gateway def1 bypass-dhcp "
push "dhcp-option DNS 8.8.8.8"
comp-lzo 
management 127.0.0.1 56834
tls-timeout 3
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256


#BEGIN_CUSTOM_SETTINGS

verb 7

#END_CUSTOM_SETTINGS

client.conf

client
server-poll-timeout 4
nobind
remote vpn.testserver.com 8114 udp
dev tun
comp-lzo yes
inactive 300 600
verb 9
persist-key
persist-tun
cipher AES-256-CBC
tls-version-min 1.2
auth SHA256
<tls-auth>
-----BEGIN Static key V1-----
-----END Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>

server failure logs
INFO      -  us=126813 Connection Attempt MULTI: multi_create_instance called
INFO      -  us=143839 20.163.82.254:44443 Re-using SSL/TLS context
INFO      -  us=159135 20.163.82.254:44443 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
INFO      -  us=169353 20.163.82.254:44443 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
INFO      -  us=178972 20.163.82.254:44443 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
INFO      -  us=188714 20.163.82.254:44443 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
INFO      -  us=197991 20.163.82.254:44443 UDPv6 READ [414] from [AF_INET6]::ffff:20.163.82.254:44443: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=2 DATA len=360
ERROR     -  us=207319 20.163.82.254:44443 TLS Error: Unroutable control packet received from [AF_INET6]::ffff:20.163.82.254:44443 (si=3 op=P_CONTROL_V1)
INFO      -  us=216408 20.163.82.254:44443 LINK packet from [248.127.0.0/234] destined for [UNKNOWN]
INFO      -  us=225025 20.163.82.254:44443 UDPv6 READ [62] from [AF_INET6]::ffff:20.163.82.254:44443: P_ACK_V1 kid=0 pid=[ #4 ] [ 0 ] DATA len=0
ERROR     -  us=234432 20.163.82.254:44443 TLS Error: Unroutable control packet received from [AF_INET6]::ffff:20.163.82.254:44443 (si=3 op=P_ACK_V1)
INFO      -  us=243417 20.163.82.254:44443 LINK packet from [248.127.0.0/234] destined for [UNKNOWN]
INFO      -  us=107467 20.163.82.254:44443 UDPv6 READ [66] from [AF_INET6]::ffff:20.163.82.254:44443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ 0 ] pid=1 DATA len=0
INFO      -  us=125086 20.163.82.254:44443 TLS: Initial packet from [AF_INET6]::ffff:20.163.82.254:44443, sid=2575aee9 aa84ea47
ERROR     -  us=136820 20.163.82.254:44443 TLS Error: reading acknowledgement record from packet
INFO      -  us=146739 20.163.82.254:44443 LINK packet from [248.127.0.0/234] destined for [UNKNOWN]
INFO      -  us=156332 20.163.82.254:44443 UDPv6 WRITE [54] to [AF_INET6]::ffff:20.163.82.254:44443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
INFO      -  us=165324 20.163.82.254:44443 UDPv6 READ [414] from [AF_INET6]::ffff:20.163.82.254:44443: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=2 DATA len=360
INFO      -  us=174284 20.163.82.254:44443 LINK packet from [248.127.0.0/234] destined for [UNKNOWN]
INFO      -  us=182455 20.163.82.254:44443 UDPv6 WRITE [62] to [AF_INET6]::ffff:20.163.82.254:44443: P_ACK_V1 kid=0 pid=[ #2 ] [ 2 ] DATA len=0
INFO      - us=111245 20.163.82.254:44443 UDPv6 READ [66] from [AF_INET6]::ffff:20.163.82.254:44443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ 0 ] pid=1 DATA len=0
INFO      - us=126077 20.163.82.254:44443 PID_ERR replay-window backtrack occurred [1] [TLS_WRAP-0] [22_] 1729584337:3 1729584337:2 t=1729584342[0] r=[-2,64,15,1,1] sl=[61,3,64,528]
INFO      - us=140830 20.163.82.254:44443 PID_ERR replay [1] [TLS_WRAP-0] [22_] 1729584337:3 1729584337:2 t=1729584342[0] r=[-2,64,15,1,1] sl=[61,3,64,528]
ERROR     - us=151114 20.163.82.254:44443 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1729584337) 03:05:37 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
ERROR     - us=161576 20.163.82.254:44443 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:20.163.82.254:44443
INFO      - us=170483 20.163.82.254:44443 LINK packet from [248.127.0.0/234] destined for [UNKNOWN]
INFO      - us=179701 20.163.82.254:44443 UDPv6 READ [414] from [AF_INET6]::ffff:20.163.82.254:44443: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=2 DATA len=360
INFO      - us=189622 20.163.82.254:44443 PID_ERR replay [0] [TLS_WRAP-0] [22_] 1729584337:3 1729584337:3 t=1729584342[0] r=[-2,64,15,1,1] sl=[61,3,64,528]
ERROR     -  us=302573 20.163.82.254:44443 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:20.163.82.254:44443
INFO      -  us=319106 20.163.82.254:44443 LINK packet from [248.127.0.0/234] destined for [UNKNOWN]
ERROR     -  us=757727 20.163.82.254:44443 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ERROR     -  us=778504 20.163.82.254:44443 TLS Error: TLS handshake failed
INFO      - us=796896 20.163.82.254:44443 SIGUSR1[soft,tls-error] received, client-instance restarting

client failure logs
[MVPNProviderManagerModel init][30654]|57<Info>: Register notification when app will enter foreground 
|[MVPNProviderManagerModel loadManagers][30654]|106<Info>: Start load all provider managers
[MVPNProviderManagerModel loadManagers]_block_invoke[30654]|112<Info>: Load 1 provider managers successfully
[MVPNProviderManagerModel selectedManager][30654]|391<Info>: Get enabled provider manager index(0), total profiles count(1)
[MVPNProviderManagerModel start:][30654]|473<Info>: Start vpn: VPN ios 
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[30654]|631<Info>: No response from extention
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[30654]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x1007093f0>
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[30654]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[30654]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[30654]|631<Info>: No response from extention
|-[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[30654]|631<Info>: No response from extention
|-[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[30654]|631<Info>: No response from extention
[MVPNProviderManagerModel appDidEnterBackground:][30654]|94<Info>: App did enter background
[MVPNProviderManagerModel appWillEnterForeground:][30654]|85<Info>: App will enter foreground
[MVPNProviderManagerModel loadManagers][30654]|106<Info>: Start load all provider managers
[MVPNProviderManagerModel loadManagers]_block_invoke[30654]|112<Info>: Load 1 provider managers successfully
[MVPNProviderManagerModel appDidEnterBackground:][30654]|94<Info>: App did enter background
[MVPNProviderManagerModel init][34289]|57<Info>: Register notification when app will enter foreground 
[MVPNProviderManagerModel loadManagers][34289]|106<Info>: Start load all provider managers
[MVPNProviderManagerModel loadManagers]_block_invoke[34289]|112<Info>: Load 1 provider managers successfully
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel loadManagers][34289]|106<Info>: Start load all provider managers
[MVPNProviderManagerModel loadManagers]_block_invoke[34289]|112<Info>: Load 1 provider managers successfully
[MVPNProviderManagerModel stopVPN][34289]|497<Info>: Stop vpn: VPN ios 
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|548<Info>: VPN updated status: Disconnecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|548<Info>: VPN updated status: Disconnecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel start:][34289]|473<Info>: Start vpn: VPN ios 
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel start:][34289]|473<Info>: Start vpn: VPN ios 
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|548<Info>: VPN updated status: Disconnecting, UI delegate = <MVPNConInfoViewController: 0x100a48f20>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|548<Info>: VPN updated status: Disconnecting, UI delegate = <MVPNConInfoViewController: 0x100a48f20>
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNConInfoViewController: 0x100a48f20>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNConInfoViewController: 0x100a48f20>
[MVPNProviderManagerModel appDidEnterBackground:][34289]|94<Info>: App did enter background
[MVPNProviderManagerModel appWillEnterForeground:][34289]|85<Info>: App will enter foreground
[MVPNProviderManagerModel loadManagers][34289]|106<Info>: Start load all provider managers
[MVPNProviderManagerModel loadManagers]_block_invoke[34289]|112<Info>: Load 1 provider managers successfully
[MVPNProviderManagerModel selectedManager][34289]|391<Info>: Get enabled provider manager index(0), total profiles count(1)
[MVPNProviderManagerModel loadManagers][34289]|106<Info>: Start load all provider managers
[MVPNProviderManagerModel loadManagers]_block_invoke[34289]|112<Info>: Load 1 provider managers successfully
[MVPNProviderManagerModel start:][34289]|473<Info>: Start vpn: VPN ios 
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel start:][34289]|473<Info>: Start vpn: VPN ios 
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x100b0ad80>
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|548<Info>: VPN updated status: Disconnecting, UI delegate = <MVPNConInfoViewController: 0x100b27be0>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|548<Info>: VPN updated status: Disconnecting, UI delegate = <MVPNConInfoViewController: 0x100b27be0>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|548<Info>: VPN updated status: Disconnecting, UI delegate = <MVPNConInfoViewController: 0x100b27be0>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|548<Info>: VPN updated status: Disconnecting, UI delegate = <MVPNConInfoViewController: 0x100b27be0>
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[34289]|631<Info>: No response from extention
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNConInfoViewController: 0x100b27be0>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNConInfoViewController: 0x100b27be0>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNConInfoViewController: 0x100b27be0>
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[34289]|553<Info>: VPN updated status: Disconnected, UI delegate = <MVPNConInfoViewController: 0x100b27be0>
[MVPNProviderManagerModel loadManagers][34289]|106<Info>: Start load all provider managers
[MVPNProviderManagerModel loadManagers]_block_invoke[34289]|112<Info>: Load 1 provider managers successfully
[MVPNProviderManagerModel appDidEnterBackground:][34289]|94<Info>: App did enter background
4]|438<Info>: *** socket_protect 11
|static void CVPNMan::outputLog(const char *)[37894]|433<Info>: Connecting to vpn.testserver.com:8114 (169.38.140.131) via UDPv4
|static void CVPNMan::outputLog(const char *)[37894]|434<Verbose>: Connecting to vpn.testserver.com:8114 (169.38.140.131) via UDPv4
|static void CVPNMan::outputLog(const char *)[37894]|433<Info>: CONNECTING
|static void CVPNMan::outputLog(const char *)[37894]|434<Verbose>: CONNECTING
|static void CVPNMan::outputLog(const char *)[37894]|438<Info>: Tunnel Options:V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
10/21/2024 21:58:30|static void CVPNMan::outputLog(const char *)[37894]|438<Info>: Peer Info:
IV_GUI_VER=VPN Client 1.0
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO_STUB=1
IV_COMP_STUB=1

|static void CVPNMan::outputLog(const char *)[37894]|438<Info>: ERROR: PKTID_UDP_REPLAY
|static void CVPNMan::outputLog(const char *)[37894]|438<Info>: ERROR: REPLAY_ERROR
|static void CVPNMan::outputLog(const char *)[37894]|438<Info>: ERROR: CC_ERROR
|static void CVPNMan::outputLog(const char *)[37894]|438<Info>: ERROR: CC_ERROR
5|static void CVPNMan::outputLog(const char *)[37894]|438<Info>: ERROR: CC_ERROR
|static void CVPNMan::outputLog(const char *)[37894]|438<Info>: ERROR: CC_ERROR
|static void CVPNMan::outputLog(const char *)[37894]|438<Info>: ERROR: CC_ERROR
|static void CVPNMan::outputLog(const char *)[37894]|438<Info>: ERROR: CC_ERROR
|-[PacketTunnelProvider stopTunnelWithReason:completionHandler:][37893]|68<Info>: vpn stopped by provider

[dsommers]

Try starting with making the configs simpler. Like removing the tls-cipher and tls-timeout options, possibly also the tls-min-version. Those are considered advanced expert options which should not be needed on newer OpenVPN version (2.5 and newer), as it will negotiate the best settings between client and server - given that both sides supports the same sets of cipher algorithms. You also don't need more than verb 4 in the server config to debug these issues.

Also, the comp-lzo should be modified to compress migrate

You must also ensure the tls-auth key is identical on server and client side.

[ChauhanPriyanka]

Thank you for the response, i will try these options

[schwabe]

IV_GUI_VER=VPN Client 1.0
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO_STUB=1
IV_COMP_STUB=1

This must be an ancient client or something that is not OpenVPN Connect. Do you have a screenshot or exact name of that client?

This is so old that from the IV_NCP, it does not even seem to support AES-GCM, ie it is even older than the 2.4 client you tested.

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Hardcoding tls-cipher to one is probably a bad idea.

[ChauhanPriyanka]

Thank you for the input, I will come back with the details.

[ChauhanPriyanka]

As suggested, I removed tls-cipher, tls-min-version, tls-timeout, and updated the comp-lzo option to compress migrate. Also verified tls-auth keys are same on server and ios client. I'm still not able to connect ios client to vpn server.

The version of IOS client is openvpn 3.0, it too old :(
This was the last commit picked in June 2014 - 708c19d

I'm not clear, exactly which step is failing in TLS handshake.
In case of success logs, the ios client validates the certificate of server, but in failure such logs are not printed, meaning it is failing before that.

Also I tried to change cipher AES-256-CBC option to data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC, however it failed.
The logs look similar in all the scenarios.

Any pointers will be really helpful here, my knowledge is very limited. The communication is encrypted it cant be analyzed using wireshark. Is there any way, to set any option to understand where it is failing. Can I turn off encryption or additional logging on client side.

Please see the logs below

server logs

INFO      -  us=166748 Reset packet from client, sending HMAC based reset challenge
INFO      -  us=185152 GET INST BY REAL: 20.163.82.254:1435 [failed]
INFO      -  us=189392 Connection Attempt UDPv6 WRITE [66] to [AF_INET6]::ffff:20.163.82.254:1435:  DATA len=66
INFO      -  us=210306 Connection Attempt Reset packet from client, sending HMAC based reset challenge
INFO      -  us=215602 Connection Attempt GET INST BY REAL: 20.163.82.254:1435 [failed]
INFO      -  us=225978 Connection Attempt UDPv6 WRITE [66] to [AF_INET6]::ffff:20.163.82.254:1435:  DATA len=66
INFO      -  us=235338 Connection Attempt Valid packet (P_CONTROL_V1) with HMAC challenge from peer ([AF_INET6]::ffff:20.163.82.254:1435), accepting new connection.
INFO      -  us=243427 Connection Attempt MULTI: multi_create_instance called
INFO      -  us=253743 20.163.82.254:1435 Re-using SSL/TLS context
INFO      -  us=265306 20.163.82.254:1435 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
INFO      -  us=277040 20.163.82.254:1435 Outgoing Control Channel Authentication: HMAC KEY: 4475640 6a64453d 37745458 2a3a674c 56355a63 4e727070 7746435a 726f4f25
INFO      -  us=290253 20.163.82.254:1435 Outgoing Control Channel Authentication: HMAC size=32 block_size=32
INFO      -  us=304253 20.163.82.254:1435 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
INFO      -  us=315670 20.163.82.254:1435 Incoming Control Channel Authentication: HMAC KEY: 4475640 6a64453d 37745458 2a3a674c 56355a63 4e727070 7746435a 726f4f25
INFO      -  us=322623 20.163.82.254:1435 Incoming Control Channel Authentication: HMAC size=32 block_size=32
INFO      -  us=333098 20.163.82.254:1435 MTU: adding 426 buffer tailroom for compression for 1768 bytes of payload
INFO      -  us=343617 20.163.82.254:1435 PID packet_id_init seq_backtrack=64 time_backtrack=15
INFO      -  us=353523 20.163.82.254:1435 PID packet_id_init seq_backtrack=64 time_backtrack=15
INFO      -  us=366424 20.163.82.254:1435 PID packet_id_init seq_backtrack=64 time_backtrack=15
INFO      -  us=377143 20.163.82.254:1435 PID packet_id_init seq_backtrack=64 time_backtrack=15
INFO      -  us=387263 20.163.82.254:1435 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
INFO      -  us=397082 20.163.82.254:1435 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
INFO      -  us=410097 20.163.82.254:1435 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
INFO      -  us=427752 20.163.82.254:1435 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
INFO      -  us=440699 20.163.82.254:1435 SENT PING
INFO      -  us=454269 20.163.82.254:1435 GET INST BY REAL: 20.163.82.254:1435 [ok]
INFO      -  us=466660 20.163.82.254:1435 UDPv6 READ [414] from [AF_INET6]::ffff:20.163.82.254:1435: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=2 DATA len=360
ERROR     -  us=477765 20.163.82.254:1435 TLS Error: Unroutable control packet received from [AF_INET6]::ffff:20.163.82.254:1435 (si=3 op=P_CONTROL_V1)
INFO      -  us=488385 20.163.82.254:1435 LINK packet from [f67f:0:585b:349:f67f:0:100:0] destined for [UNKNOWN]
INFO      -  us=499563 GET INST BY REAL: 20.163.82.254:1435 [ok]
INFO      -  us=508809 20.163.82.254:1435 UDPv6 READ [62] from [AF_INET6]::ffff:20.163.82.254:1435: P_ACK_V1 kid=0 pid=[ #4 ] [ 0 ] DATA len=0
ERROR     -  us=517574 20.163.82.254:1435 TLS Error: Unroutable control packet received from [AF_INET6]::ffff:20.163.82.254:1435 (si=3 op=P_ACK_V1)
INFO      -  us=526124 20.163.82.254:1435 LINK packet from [f67f:0:585b:349:f67f:0:100:0] destined for [UNKNOWN]
INFO      -  us=488520 MULTI: REAP range 16 -> 32
INFO      -  us=212488 MULTI: REAP range 32 -> 48
INFO      -  us=222607 GET INST BY REAL: 20.163.82.254:1435 [ok]
INFO      -  us=231077 20.163.82.254:1435 UDPv6 READ [66] from [AF_INET6]::ffff:20.163.82.254:1435: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ 0 ] pid=1 DATA len=0
INFO      -  us=239139 20.163.82.254:1435 PID_TEST [0] [TLS_WRAP-0] [] 0:0 1730187828:2 t=1730187832[0] r=[0,64,15,0,1] sl=[0,0,64,528]
INFO      -  us=248592 20.163.82.254:1435 TLS: Initial packet from [AF_INET6]::ffff:20.163.82.254:1435, sid=16f3e93b c6fd2eef
INFO      -  us=258067 20.163.82.254:1435 ACK read BAD SESSION-ID FROM REMOTE, local=4d212132 42602c17, remote=08e76350 41577df0
ERROR     -  us=265851 20.163.82.254:1435 TLS Error: reading acknowledgement record from packet
INFO      -  us=273490 20.163.82.254:1435 LINK packet from [f67f:0:585b:349:f67f:0:100:0] destined for [UNKNOWN]
INFO      -  us=281385 20.163.82.254:1435 UDPv6 WRITE [54] to [AF_INET6]::ffff:20.163.82.254:1435: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
INFO      -  us=289761 GET INST BY REAL: 20.163.82.254:1435 [ok]
INFO      -  us=297209 20.163.82.254:1435 UDPv6 READ [414] from [AF_INET6]::ffff:20.163.82.254:1435: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=2 DATA len=360
INFO      -  us=306528 20.163.82.254:1435 PID_TEST [0] [TLS_WRAP-0] [0_] 1730187828:2 1730187828:3 t=1730187832[0] r=[0,64,15,0,1] sl=[62,2,64,528]
INFO      -  us=316211 20.163.82.254:1435 LINK packet from [f67f:0:585b:349:f67f:0:100:0] destined for [UNKNOWN]
INFO      -  us=329911 20.163.82.254:1435 UDPv6 WRITE [62] to [AF_INET6]::ffff:20.163.82.254:1435: P_ACK_V1 kid=0 pid=[ #2 ] [ 2 ] DATA len=0
INFO      -  us=504218 TUN packet from [fe80::c1b6:55bf:11c1:9f8] destined for [ff02::1:2]
INFO      -  us=516859 20.163.82.254:1435 MULTI: C2C/MCAST/BCAST
INFO      -  us=566615 MULTI: REAP range 48 -> 64
INFO      -  us=210898 MULTI: REAP range 64 -> 80
INFO      -  us=228993 GET INST BY REAL: 20.163.82.254:1435 [ok]
INFO      -  us=243737 20.163.82.254:1435 UDPv6 READ [66] from [AF_INET6]::ffff:20.163.82.254:1435: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ 0 ] pid=1 DATA len=0
INFO      -  us=252393 20.163.82.254:1435 PID_TEST [0] [TLS_WRAP-0] [22_] 1730187828:3 1730187828:2 t=1730187834[0] r=[-2,64,15,0,1] sl=[61,3,64,528]
INFO      -  us=264515 20.163.82.254:1435 PID_ERR replay-window backtrack occurred [1] [TLS_WRAP-0] [22_] 1730187828:3 1730187828:2 t=1730187834[0] r=[-2,64,15,1,1] sl=[61,3,64,528]
INFO      -  us=273957 20.163.82.254:1435 PID_ERR replay [1] [TLS_WRAP-0] [22_] 1730187828:3 1730187828:2 t=1730187834[0] r=[-2,64,15,1,1] sl=[61,3,64,528]
ERROR     -  us=283035 20.163.82.254:1435 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #2 / time = (1730187828) 2024-10-29 02:43:48 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
ERROR     -  us=291511 20.163.82.254:1435 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:20.163.82.254:1435
INFO      -  us=298972 20.163.82.254:1435 LINK packet from [f67f:0:585b:349:f67f:0:100:0] destined for [UNKNOWN]
INFO      -  us=310842 20.163.82.254:1435 UDPv6 WRITE [66] to [AF_INET6]::ffff:20.163.82.254:1435: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #3 ] [ 2 ] pid=0 DATA len=0
INFO      -  us=325108 GET INST BY REAL: 20.163.82.254:1435 [ok]
INFO      -  us=337520 20.163.82.254:1435 UDPv6 READ [414] from [AF_INET6]::ffff:20.163.82.254:1435: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=2 DATA len=360
INFO      -  us=354800 20.163.82.254:1435 PID_TEST [0] [TLS_WRAP-0] [22_] 1730187828:3 1730187828:3 t=1730187834[0] r=[-2,64,15,1,1] sl=[61,3,64,528]
INFO      -  us=369770 20.163.82.254:1435 PID_ERR replay [0] [TLS_WRAP-0] [22_] 1730187828:3 1730187828:3 t=1730187834[0] r=[-2,64,15,1,1] sl=[61,3,64,528]
ERROR     -  us=382469 20.163.82.254:1435 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1730187828) 2024-10-29 02:43:48 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
ERROR     -  us=394443 20.163.82.254:1435 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:20.163.82.254:1435
ERROR     -  us=313755 20.163.82.254:1435 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ERROR     -  us=328304 20.163.82.254:1435 TLS Error: TLS handshake failed
INFO      -  us=339775 20.163.82.254:1435 PID packet_id_free
INFO      -  us=352949 20.163.82.254:1435 PID packet_id_free
INFO      -  us=366010 20.163.82.254:1435 PID packet_id_free
INFO      -  us=377440 20.163.82.254:1435 PID packet_id_init seq_backtrack=64 time_backtrack=15
INFO      -  us=388493 20.163.82.254:1435 PID packet_id_init seq_backtrack=64 time_backtrack=15
INFO      -  us=398818 20.163.82.254:1435 SIGUSR1[soft,tls-error] received, client-instance restarting

client logs

[MVPNProviderManagerModel init][479912]|57<Info>: Register notification when app will enter foreground 
[MVPNProviderManagerModel loadManagers][479912]|106<Info>: Start load all provider managers
[MVPNProviderManagerModel loadManagers]_block_invoke[479912]|112<Info>: Load 1 provider managers successfully
[MVPNProviderManagerModel selectedManager][479912]|391<Info>: Get enabled provider manager index(0), total profiles count(1)
[MVPNProviderManagerModel start:][479912]|473<Info>: Start vpn: VPN ios 
[MVPNProviderManagerModel observerVPNStatus]_block_invoke_2[479912]|543<Info>: VPN updated status: Connecting, UI delegate = <MVPNMainViewController: 0x1035a9140>
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[479912]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[479912]|631<Info>: No response from extention
[MVPNProviderManagerModel sendProviderMsg:data:]_block_invoke[479912]|618<Info>: resonse cmd: 4, response body: 
bind
remote vpn.testserver.com 8114 udp
dev tun
inactive 300 600
verb 9
persist-key
persist-tun
auth SHA256
<tls-auth>
-----BEGIN Static key V1-----
-----END Static key V1-----
</tls-auth>
bool VPNMan::StartVPN(void *)_block_invoke[480765]|75<Info>: FormProfile data, client
server-poll-timeout 4
nobind
remote vpn.testserver.com 8114 udp
dev tun
inactive 300 600
verb 9
persist-key
persist-tun
auth SHA256
<tls-auth>
-----BEGIN Static key V1-----
-----END Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
static void VPNMan::outputLog(const char *)[480788]|443<Info>: 1111 >>>>> Thread starting
static void VPNMan::outputLog(const char *)[480788]|443<Info>: Thread starting...
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  2 >>>>>>UNUSED OPTIONS
2 [nobind] 
7 [verb] [9] 
8 [persist-key] 
9 [persist-tun] 
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  6 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  7 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|438<Info>: RESOLVE
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: RESOLVE
static void VPNMan::outputLog(const char *)[480788]|443<Info>: 12 >>>>> start_connect_
static void VPNMan::outputLog(const char *)[480788]|438<Info>: Contacting 169.38.140.131:8114 via UDP
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: Contacting 169.38.140.131:8114 via UDP
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  6 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  7 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|438<Info>: WAIT
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: WAIT
static void VPNMan::outputLog(const char *)[480788]|443<Info>: *** socket_protect 9
static void VPNMan::outputLog(const char *)[480788]|438<Info>: Connecting to vpn.testserver.com:8114 (169.38.140.131) via UDPv4
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: Connecting to vpn.testserver.com:8114 (169.38.140.131) via UDPv4
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  9 >>>>> [CONN_HIS_INFO]Connecting to 
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  6 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  7 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|438<Info>: CONNECTING
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: CONNECTING
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  >>>>> C_WAIT_RESET_ACK
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  >>>>> C_WAIT_RESET_ACK
static void VPNMan::outputLog(const char *)[480788]|443<Info>: >>>> Tunnel Options:V4,dev-type tun,link-mtu 1554,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client
static void VPNMan::outputLog(const char *)[480788]|443<Info>: >>>> Tunnel Options:V4,dev-type tun,link-mtu 1554,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client
static void VPNMan::outputLog(const char *)[480788]|443<Info>: Peer Info:
IV_GUI_VER=VPN Client 1.0
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO_STUB=1
IV_COMP_STUB=1

static void VPNMan::outputLog(const char *)[480788]|443<Info>: 9 >>>>> Peer Info:
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: PKTID_UDP_REPLAY
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: REPLAY_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CC_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CC_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CC_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CC_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CC_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CC_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: HANDSHAKE_TIMEOUT
static void VPNMan::outputLog(const char *)[480788]|438<Info>: Session invalidated: KEV_NEGOTIATE_ERROR
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: Session invalidated: KEV_NEGOTIATE_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: Client terminated, restarting in 2...
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  6 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  7 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|438<Info>: RECONNECTING
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: RECONNECTING
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: N_RECONNECT
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  3 >>>>>> construct_compressor
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  4 >>>>>> OPENVPN_LOG_COMPRESS
static void VPNMan::outputLog(const char *)[480788]|443<Info>: LZO-ASYM init swap=0 asym=1
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  5 >>>>>> CompressStub
static void VPNMan::outputLog(const char *)[480788]|443<Info>: Comp-stub init swap=0
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  6 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  7 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|438<Info>: RESOLVE
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: RESOLVE
static void VPNMan::outputLog(const char *)[480788]|443<Info>: 12 >>>>> start_connect_
static void VPNMan::outputLog(const char *)[480788]|438<Info>: Contacting 169.38.140.131:8114 via UDP
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: Contacting 169.38.140.131:8114 via UDP
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  6 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  7 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|438<Info>: WAIT
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: WAIT
static void VPNMan::outputLog(const char *)[480788]|443<Info>: *** socket_protect 9
static void VPNMan::outputLog(const char *)[480788]|438<Info>: Connecting to vpn.testserver.com:8114 (169.38.140.131) via UDPv4
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: Connecting to vpn.testserver.com:8114 (169.38.140.131) via UDPv4
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  9 >>>>> [CONN_HIS_INFO]Connecting to 
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  6 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  7 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|438<Info>: CONNECTING
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: CONNECTING
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  >>>>> C_WAIT_RESET_ACK
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  >>>>> C_WAIT_RESET_ACK
|static void VPNMan::outputLog(const char *)[480788]|443<Info>: >>>> Tunnel Options:V4,dev-type tun,link-mtu 1554,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client
|static void VPNMan::outputLog(const char *)[480788]|443<Info>: >>>> Tunnel Options:V4,dev-type tun,link-mtu 1554,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client
|static void VPNMan::outputLog(const char *)[480788]|443<Info>: Peer Info:
IV_GUI_VER=VPN Client 1.0
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO_STUB=1
IV_COMP_STUB=1
static void VPNMan::outputLog(const char *)[480788]|443<Info>: 9 >>>>> Peer Info:
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: PKTID_UDP_REPLAY
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: REPLAY_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CC_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CC_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CC_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CC_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CC_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CC_ERROR
static void VPNMan::outputLog(const char *)[480788]|443<Info>: ERROR: CONNECTION_TIMEOUT
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  6 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  7 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|438<Info>: CONNECTION_TIMEOUT
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: CONNECTION_TIMEOUT
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  6 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|443<Info>:  7 >>>>>> Event
static void VPNMan::outputLog(const char *)[480788]|438<Info>: DISCONNECTED
static void VPNMan::outputLog(const char *)[480788]|439<Verbose>: DISCONNECTED
static void VPNMan::outputLog(const char *)[480788]|443<Info>: Thread finished
static void VPNMan::outputLog(const char *)[480765]|438<Info>: STATS:
 BYTES_IN : 1024
 BYTES_OUT : 28552
 PACKETS_IN : 16
 PACKETS_OUT : 122
 REPLAY_ERROR : 2
 CC_ERROR : 12
 HANDSHAKE_TIMEOUT : 1
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 1
 PKTID_UDP_REPLAY : 2
static void VPNMan::outputLog(const char *)[480765]|439<Verbose>: STATS:
 BYTES_IN : 1024
 BYTES_OUT : 28552
 PACKETS_IN : 16
 PACKETS_OUT : 122
 REPLAY_ERROR : 2
 CC_ERROR : 12
 HANDSHAKE_TIMEOUT : 1
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 1
 PKTID_UDP_REPLAY : 2
void VPNMan::OpenVPNLibStopped()[480765]|127<Info>: Stopped from openvpn

[schwabe]

To be honest, it is very probably that you an OpenSSL update at the same time as the OpenVPN update and the newer OpenSSL version doesn't like your client. OpenSSL has gotten a lot strict in TLS standards than it used to be. You can also try compat-mode 2.3.0 in your server config and see if that helps.

[dsommers]

Are there any reasons you can't upgrade your Connect client to a newer version? https://apps.apple.com/us/app/openvpn-connect-openvpn-app/id590379981

[ChauhanPriyanka]

hi @schwabe , @dsommers,
I was out last week, apologies for the delay in response.
As suggested we tried - compat-mode 2.3.0, unfortunately it did not help & IOS client v3.0 could not connect to openvpn server 2.6.12.
Regarding the openssl version, its v3.0.14 common for both openvpn server 2.5.6 & 2.6.12
We are also working on upgrading the client, however it will take time as the existing wrapper seems outdated with the latest client.
Is there any other way to troubleshoot further.
Thank you for the help.

[schwabe]

You could do a git bisect to figure out what change broke the old client. That is probably your best way forward to identify what exactly cause the client to be no longer supported.

[ChauhanPriyanka]

Hi @schwabe , @dsommers ,

Sharing further update, I'm able to connect to IOS client 3.0, VPN server 2.6.12 via TCP protocol. The server logs gave me clear information that no common cipher between client and server, so I modified the setting and it is connecting via tcp
Added option in server logs ncp-ciphers AES-256-GCM:AES-256-CBC. As IOS client was expecting AES-256-CBC.

I'm still not able to connect via UDP, even after doing the changes in shared cipher.
Please help if some option I can modify to make the older client work with latest server.

[schwabe]

tls-cert-profile insecure
compat-mode 2.3.6

and NOT setting tls-cipher
will basically allow everything that the tls library can still do. If that also doesn't help you would need to deep dive why the 10 year old mbed TLS/PolarSSL library doesn't talk to a modern OpenSSL one.

[ChauhanPriyanka]

Hi @schwabe , @dsommers, thank you for help so far, sharing further update,
I was able to connect old IOS client using tcp, I updated following option on server.cnf file
ncp-ciphers AES-256-GCM:AES-256-CBC.
With udp, I'm still getting the same error (authentication failed, as mentioned in above shared logs), but since I have modified the ciphers , it is now started giving error on IOC client
NEVirtualInterfaceAdjustReadBufferSize: interface_get_mtu failed (6), defaulting to max mtu
Any input on this error will be really helpful.
I tried to configure mtu as 1500 on both client and server, unfortunately it is still not connecting and error is same.