Question OpenVPN can't connect my iPhone (iOS 13.4) to RT2600ac

Router
  1. RT2600ac
Operating system
  1. Windows
Mobile operating system
  1. Android
  2. iOS
Hi,
I was trying to connect my iPhone to the home router using the OpenVPN protocol and it doesn't connect.
I am using the OpenVPN Connect app on my iPhone.
These are my router settings:

1585750886410.png

I followed the instructions in the exported configuration's readme.txt file to modify the VPNConfig.ovpn file.
I am not sure if something is missing in my settings.
Please help me with your expert suggestions.
Thanks!
 
Are you trying to connect from inside your LAN, or from outside?
In the VPNPlus Server settings, did you remember to activate Permission for the user account whose credentials you're using to log in?
Does your iPhone OpenVPN app generate a log that has any helpful info in it?
 
My iPhone is connected to the router's WiFi and I tried connecting within the same network.
I tried again from the cellular network without the WiFi, and in both cases it doesn't connect, with the message "There was an error attempting to connect to the selected server".

My knowledge of networking is very limited and any help is really appreciated.
  • Is it possible to connect to OpenVPN within the same network?
  • Is it possible to connect from cellular to OpenVPN?
  • Do I need a different port for OpenVPN in my router (now 1198)?
  • Do I add a user in my router other than admin for VPN setup?
I couldn't find much detail in my iPhone log.
It shows connecting to [xxx.xxx.x.xxx]1198 via UDPv4
Connection timeout [ERR]

Are there any particular settings needed in my iPhone's OpenVPN app?
 
The SRM firewall must have a rule that permits the UDP 1198 from wherever you are connecting from.

Provided [xxx.xxx.x.xxx] is the same in the .ovpn configuration file that you installed on the iPhone and [xxx.xxx.x.xxx] ends up at the router then you should be able to connect to the OpenVPN server.

Also as previously mentioned, you have to permit your user to use VPN services ... but I think the connection timeout is saying that the iPhone isn't even getting to the OpenVPN server.

I would use a different user account for VPN services, and any other non-administrative service, than the SRM admin account. You really shouldn't be using the admin account for anything other than SRM admin tasks and I'd also add I wouldn't use it from outside your LAN.
 
1198 UDP port is enabled in port forwarding and allowed in firewall (security settings)
Don't port forward UDP 1198 because this connection has to land on the SRM's VPN service not a VPN service on an internal device/IP.

You create the firewall rule yourself, not as the result of a port forward rule.
 
I'm assuming that you exported, from VPNPlus Server, the .ovpn file which you then imported into the OpenVPN app on your iPhone. In my experience, some of the iPhone OpenVPN apps are not able to utilize some of the encryption options offered by VPNPlus Server. You might want to try setting encryption to BF-CBC, and authentication to SHA-1 in VPNPlus Server, re-export the .ovpn file, edit it once again to include the right IP address, and then re-import it into the iPhone App and try again.

As fredbert points out, you don't want to forward the port anywhere in the router. And when you enabled OpenVPN in VPNPlus, it should have automatically enabled a hole in the firewall from outside to SRM.
 
@fredbert ,
Just to confirm, are you able to connect from the same network (WiFi) and from cellular network?
Yes and yes, and also yes for Internet from WiFi hotspots.

You might want to check that the SRM auto-block hasn't added your IPs while you've been trying to log in.

My OpenVPN server setup doesn't have compression enabled, does have a manual DNS (my router's LAN IP), and uses UDP 1194. Otherwise it's the same as your screenshot. Likewise, I have an SRM firewall rule for allowing access to 'SRM' and UDP 1194. And I don't have any associated port forward rule.

iOS OpenVPN client settings:
  • Battery saver: no
  • Seamless tunnel: no
  • VPN protocol: adaptive
  • IPv6: no preference
  • Connection timeout: 30s
  • Allow compression: no
  • AES-CBC Cipher algorithm: no
  • Min TLS version: profile default
  • DNS fallback: no
  • Connect via: any network
  • Layer 2 reachability: yes
  • Theme ... ha! if this is the problem then we're in trouble.

Missed the other question (I'm failing at multi-tasking): You add users to SRM using Control Panel's User tab. Then you have to assign the user the privilege of using the VPN services, and other things your router provides.


If you're the only one using VPN services you can try to use the included licence to Synology's SSL-VPN service. There's an iOS/Android app for this too and I've found it to be reliable. Come 6th April and Synology say that extra licences will be free until September.
 
@fredbert ,
I modified my iOS settings as mentioned
Auto-block is not enabled on my SRM
Here is the latest situation:
I cannot connect the iPhone VPN while I am on the cellular network (WiFi disabled) or while connected to the router's WiFi (both no, no).
If I am connected to a different WiFi hotspot, then I get connected... finally one step closer. :)
 
Did you edit the openvpn file with your WAN IP? This is a common step people forget to do.

This video here is a great step by step guide.
 
I am able to connect one way or other (depends on the IP address on the 3rd line of the VPN config file).
I cannot connect from LAN, external WiFi and cellular all the time (something is not right).

I am really confused about the working IP address.
Can someone please tell me how to find the correct IP address to replace the XXX in my config file below?

dev tun
tls-client
# replace xxx with your IP_ADDRESS
remote xxx.xxx.x.xx 1198
redirect-gateway def1
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
script-security 2
reneg-sec 0
auth SHA512
cipher AES-256-CBC
auth-user-pass
key-direction 1
explicit-exit-notify
<ca>
-----BEGIN CERTIFICATE-----

[certificate key here]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[certificate key here]
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key

-----BEGIN OpenVPN Static key V1-----
[open vpn key]
-----END OpenVPN Static key V1-----
</tls-auth>
setenv CLIENT_CERT 0
 
remote xxx.xxx.x.xx 1198

This needs to have the address or IP address that you are going to connect to. So that could be:
  • SRM's Internet/WAN IP address ... look in Network Center to find the current IP. But this will change if you don't have a static IP from your ISP.
  • A fully qualified domain name that resolves to your router, such as myopenvpn.mydomain.com or even mydomain.com
  • A Synology DDNS that you've registered, e.g. myrouter.synology.me
  • Another DDNS service domain name that points to the router, e.g. myrouter.dyndns.org
You can uncomment the #float config command to float which should enable packets from any address, not just the location specified by the remote command.

This shouldn't be so hard: you may find it easier to use Synology's SSL-VPN service as there is no config file but does need the SRM firewall to have a similar rule to OpenVPN (just select the VPN Plus (OpenVPN) application when creating the rule).
 
If you have a static IP address from your ISP, it would be that address. If not, then the numeric address changes from time to time. You can find out what it is AT THIS MOMENT by going to What Is My IP Address? IP Address Tools and More

If you don't have a static ip address, you might want to consider using a free DDNS service (Synology offers one), and replacing xxx with the domain name you get from the DDNS service.
 
I created a DDNS (xxxxx.synology.me) and tried that in my VPN config file, with no luck at all.
This DDNS shows the same IP address as "What is my IP Address" from the web page.
I tried all possible options and I have almost given up :cry:
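
Added example, not part of the thread and not Synology's or OpenVPN's code: a small Python check of the `remote` line discussed above, reporting whether the address is still the placeholder, a LAN-only address, a public IP or a hostname, and which port the SRM firewall rule has to allow. It also flags the BF-CBC cipher suggested earlier in the thread, since that is a 64-bit block cipher. The sample profile and the address 192.168.1.1 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the profile posted in the thread;
# 192.168.1.1 is an assumed LAN address, not a value from the page.
SAMPLE_PROFILE = """\
dev tun
tls-client
# replace xxx with your IP_ADDRESS
remote 192.168.1.1 1198
proto udp
auth SHA512
cipher AES-256-CBC
<ca>
[certificate here]
</ca>
"""

def classify_remote(host):
    """Say from where a profile with this 'remote' host can work."""
    if re.fullmatch(r"[xX.]+", host):
        return "placeholder"       # exported template was never edited
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"          # e.g. a DDNS name; follows WAN IP changes
    if addr.is_private:
        return "lan-only"          # unreachable from cellular or other WiFi
    return "public-ip"             # stops working if the ISP changes it

def lint_profile(text):
    """Return findings for the remote, proto and cipher directives."""
    directives, in_block = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("<"):      # inline <ca>/<tls-auth> blocks hold no directives
            in_block = not s.startswith("</")
            continue
        if in_block or not s or s[0] in "#;":
            continue
        key, *args = s.split()
        directives.setdefault(key, args)
    remote = directives.get("remote")
    if not remote:
        return ["no remote directive"]
    port = remote[1] if len(remote) > 1 else "1194"   # OpenVPN default port
    proto = directives.get("proto", ["udp"])[0].upper()
    findings = [f"remote {remote[0]} is {classify_remote(remote[0])}; "
                f"firewall must allow {proto} {port}"]
    if directives.get("cipher", [""])[0].upper() == "BF-CBC":
        findings.append("cipher BF-CBC has a 64-bit block; prefer an AES cipher")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE_PROFILE)))
```

A `lan-only` result explains a profile that works on the router's WiFi but times out elsewhere; a hostname or public IP is what a profile needs to be reachable from outside.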
 
