Tag Archives: OpenVPN

OpenVPN is free software for building a virtual private network (VPN) over an encrypted TLS connection. OpenVPN is available for Windows, macOS, Linux, iOS and Android.

OpenVPN Connection fails on iOS and Android

Here is my experience with OpenVPN connections from iOS and Android mobile devices using the OpenVPN Connect app.

When you start a connection with OpenVPN Connect on an iOS or Android device, the VPN connection is established but no network resources can be reached. You may also find the following error message in the OpenVPN server log:

Bad compression stub (swap) decompression header

Error openvpn_server1 user1/ Bad compression stub (swap) decompression header byte: 250

The fix is to add the following two options to the OpenVPN server configuration; with them in place the connection works perfectly. In this report I use a Synology NAS and an OPNsense firewall as the VPN server.

allow-compression no
push "compress migrate"

This completely deactivates full and asymmetric compression: allow-compression no makes the server refuse compression on the data channel, and push "compress migrate" tells the server to push the matching compression-off setting to clients whose profiles still carry comp-lzo or compress, so they keep connecting without compressing. Besides restoring functionality for the OpenVPN mobile clients, this is also the secure setting: compressing data inside a VPN tunnel exposes it to compression-oracle attacks such as VORACLE, which is why the OpenVPN documentation itself advises against compression. These findings can give valuable hints to make your users happy.

Note: because the change is made on the server and the compression setting is pushed to the clients, existing clients can continue to make VPN connections and their profiles do not have to be changed manually.

How do I know that no compression is in use?

You will find the statistics of the OpenVPN connection in the log file, and from there you can also see the state of compression, as in the screenshots below.
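To make the fix above and the log check repeatable, here is an added shell example that is not part of the original post or of the OpenVPN project. It audits a server config for compression directives, applies the two lines from above, and extracts the client names that hit the "Bad compression stub" error from the server log. The server.conf contents, log lines, timestamps and temporary paths are constructed for the demo; the only OpenVPN-specific facts used are the directive names and the error text shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post or OpenVPN): audit a server config for
# data-channel compression, apply the two-line fix, and find affected clients in the
# log. Config, log lines and temp paths are constructed for the demo.

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CONF="$DEMO_DIR/server.conf"
DEMO_LOG="$DEMO_DIR/openvpn.log"

# Constructed server.conf that still uses and pushes legacy LZO compression.
cat > "$DEMO_CONF" <<'EOF'
port 1194
proto udp
dev tun
comp-lzo
push "comp-lzo"
cipher AES-256-GCM
EOF

# Constructed log excerpt: "<timestamp> <user>/<ip:port> <message>" lines, two of
# them carrying the error quoted above.
cat > "$DEMO_LOG" <<'EOF'
Mon Mar  4 10:00:01 2024 user1/203.0.113.10:51234 Bad compression stub (swap) decompression header byte: 250
Mon Mar  4 10:00:02 2024 user2/203.0.113.11:51240 TLS: tls_multi_process: initial untrusted session promoted to trusted
Mon Mar  4 10:00:05 2024 user3/203.0.113.12:51250 Bad compression stub (swap) decompression header byte: 250
Mon Mar  4 10:00:09 2024 user1/203.0.113.10:51234 Bad compression stub (swap) decompression header byte: 250
EOF

# compression_state <conf>: "migrate" when the fix is in place, "on" when any
# compression directive (comp-lzo, compress, or a pushed comp option) is active,
# "off" otherwise.
compression_state() {
    if grep -qE '^[[:space:]]*allow-compression[[:space:]]+no' "$1" &&
       grep -qE '^[[:space:]]*push[[:space:]]+"compress migrate"' "$1"; then
        echo migrate
    elif grep -qE '^[[:space:]]*(comp-lzo|compress|push[[:space:]]+"comp)' "$1"; then
        echo on
    else
        echo off
    fi
}

# disable_compression <conf>: comment out compression directives and append the two
# recommended lines. Idempotent: a config that is already migrated is left alone.
disable_compression() {
    [ "$(compression_state "$1")" = migrate ] && return 0
    tmp="$1.tmp"
    sed -e 's/^[[:space:]]*comp-lzo/# &/' \
        -e 's/^[[:space:]]*compress/# &/' \
        -e 's/^[[:space:]]*push[[:space:]]*"comp/# &/' "$1" > "$tmp" &&
    printf '%s\n' 'allow-compression no' 'push "compress migrate"' >> "$tmp" &&
    mv "$tmp" "$1"
}

# bad_stub_clients <log>: unique client names from lines with the decompression
# error; the client name is the part before "/" in the first field containing one.
bad_stub_clients() {
    awk '/Bad compression stub/ {
            for (i = 1; i <= NF; i++)
                if (index($i, "/")) { split($i, a, "/"); print a[1]; break }
         }' "$1" | sort -u
}

BEFORE_STATE=$(compression_state "$DEMO_CONF")
echo "before: $BEFORE_STATE"                       # on
echo "clients with bad stub: $(bad_stub_clients "$DEMO_LOG" | tr '\n' ' ')"   # user1 user3
disable_compression "$DEMO_CONF"
echo "after:  $(compression_state "$DEMO_CONF")"  # migrate
```

On a real server, point compression_state and disable_compression at the live config (for Synology, /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf) and bad_stub_clients at the OpenVPN log, then restart the server; the client list tells you which user profiles still carry a compression option.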

OpenVPN Connection to Synology NAS

I have an OpenVPN server package installed on my Synology NAS, and the OpenVPN client on my iPhone 15 (iOS 17.3.1) is able to connect to it over a cellular connection. FileBrowserGO is then able to connect to the Synology using the OpenVPN Server’s LAN IP address.

We have tried this with both a UDP- and a TCP-based OpenVPN connection (forwarding port 1194) to the Synology NAS. I would recommend entering an IP address in FileBrowserGO's "Name or URL" field, to avoid the DNS lookup stage of the connection.

To disable compression on the OpenVPN server of a Synology NAS, open VPN Server in DSM, go to OpenVPN and untick the option "Use compression on the VPN connection". If you enable SSH, you can also log in with an SSH terminal and edit the configuration file directly:

$ sudo vi /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf

OpenVPN Connect from iOS, Android to OPNsense

I went through the same procedure in another environment, a virtual OPNsense deployment acting as the OpenVPN server. Go to VPN -> OpenVPN -> Servers, open the corresponding server, set Compression to "No Preference", add the two lines above in the box under Advanced configuration, then save the changes.

OPNsense GUI: VPN – OpenVPN – Servers

Restart the OpenVPN server and launch a VPN connection from your iOS or Android mobile device.

OpenVPN Client renegotiation after 60 min

Using OpenVPN + 2FA with Google Authenticator

By default OpenVPN renegotiates the data channel key every 60 minutes (reneg-sec 3600). With username/password authentication the client re-sends its credentials at each renegotiation, so a 2FA user is prompted for a new Google Authenticator code to continue, or the connection drops because the stored one-time code is no longer valid.

Renegotiate time

Renegotiate data channel key after n seconds (default=3600). When using a one-time password (OTP), be advised that your connection will automatically drop because your password is no longer valid. Set to 0 to disable; remember to change it on the server and the client as well.

Keep in mind that renegotiation is triggered by whichever side reaches its reneg-sec limit first, so setting it on only one side has no effect, and that reneg-sec 0 also stops the data-channel key from being rotated for the lifetime of the session. An alternative that keeps key rotation is the server option auth-gen-token (OpenVPN 2.4 and later), which hands the client a temporary token to present at renegotiation instead of the spent OTP. If you want an uninterrupted connection, update the /etc/openvpn/client-template.txt file and add the reneg-sec 0 parameter; the file can then look like this:

dev tun
data-ciphers-fallback AES-256-CBC
auth SHA512
resolv-retry infinite
reneg-sec 0
remote 1194 udp
lport 0
verify-x509-name "C=IT, ST=IT, L=example, O=Azienda, emailAddress=hostmaster@example.tld, CN=OPN.example.tld" subject
remote-cert-tls server
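The advice that reneg-sec must be changed on both the server and the client is easy to get wrong, so here is an added shell example, not part of the original post or of OpenVPN, that computes the effective renegotiation interval from a server config and a client profile. It reads the first number of the last reneg-sec line (OpenVPN's default of 3600 when absent), takes the smaller non-zero value because each side renegotiates on its own timer, and reports whether an OTP user will be re-prompted. The sample configs and temporary paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or OpenVPN): effective data-channel
# renegotiation interval for a server/client pair, plus an OTP verdict. Each side
# renegotiates when its own reneg-sec timer expires, so the smaller non-zero value
# wins and 0 on one side only silences that side. Configs are constructed.

RENEG_DIR=$(mktemp -d)
trap 'rm -rf "$RENEG_DIR"' EXIT

# Constructed client profile following the template above (reneg-sec 0).
cat > "$RENEG_DIR/client.ovpn" <<'EOF'
client
dev tun
auth-user-pass
reneg-sec 0
EOF

# Constructed servers: untouched default, renegotiation disabled, and auth tokens.
printf 'port 1194\nproto udp\ndev tun\n' > "$RENEG_DIR/server-default.conf"
printf 'port 1194\nproto udp\ndev tun\nreneg-sec 0\n' > "$RENEG_DIR/server-off.conf"
printf 'port 1194\nproto udp\ndev tun\nauth-gen-token 43200\n' > "$RENEG_DIR/server-token.conf"

# reneg_sec_of <config>: first number of the last reneg-sec line, else default 3600.
reneg_sec_of() {
    v=$(sed -n 's/^[[:space:]]*reneg-sec[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${v:-3600}"
}

# effective_reneg_sec <server> <client>: seconds until the next renegotiation,
# 0 only when both sides have disabled it.
effective_reneg_sec() {
    s=$(reneg_sec_of "$1")
    c=$(reneg_sec_of "$2")
    if   [ "$s" -eq 0 ]; then printf '%s\n' "$c"
    elif [ "$c" -eq 0 ]; then printf '%s\n' "$s"
    elif [ "$s" -lt "$c" ]; then printf '%s\n' "$s"
    else printf '%s\n' "$c"
    fi
}

# otp_verdict <server> <client>: "ok" when a renegotiation cannot invalidate an OTP
# user's session, i.e. it is off on both sides or the server issues an auth token
# (auth-gen-token) that replaces the password at renegotiation; else "reprompt".
otp_verdict() {
    if grep -qE '^[[:space:]]*auth-gen-token' "$1"; then
        echo ok
    elif [ "$(effective_reneg_sec "$1" "$2")" -eq 0 ]; then
        echo ok
    else
        echo reprompt
    fi
}

for srv in server-default server-off server-token; do
    conf="$RENEG_DIR/$srv.conf"
    echo "$srv: next renegotiation in $(effective_reneg_sec "$conf" "$RENEG_DIR/client.ovpn")s, OTP user: $(otp_verdict "$conf" "$RENEG_DIR/client.ovpn")"
done
# server-default: 3600s, reprompt   server-off: 0s, ok   server-token: 3600s, ok
```

The server-default case is the common mistake: the client template already has reneg-sec 0, yet the server still renegotiates after an hour and the OTP session breaks. The server-token case is the variant worth preferring where the client supports it, because the key still rotates every hour while the user is not asked for a code again.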

Community Edition

The OpenVPN Community Edition (CE) is an open source Virtual Private Network (VPN) project. It creates secure connections over the Internet using its own protocol built on SSL/TLS. This community-supported open source software (OSS) project is released under the GPL license and is maintained by its developers and contributors as well as the extended community. CE is free to deploy, but it does require a strong understanding of Linux and the command line interface.

OpenVPN Tunneling Protocol

The OpenVPN tunneling protocol uses TLS (the successor of SSL) for its control channel and, by default, AES-256 (AES-256-GCM in current releases) to keep the data shared via the Internet private. Because the code is open, anyone can audit it and find and fix vulnerabilities. It is widely regarded as one of the most secure VPN tunneling protocols, it delivers good throughput, and because it can run over TCP port 443 it passes most firewalls.