Configure iPad and iPhone for OpenVPN

Note!
This method is not secure (no password) and is not recommended for business use.

Problem

  • Apple iOS devices have issues with PKCS#12 (.p12) files; the .pem files described below are required instead.
  • TLS-Remote is not supported in app version 1.0.0.
  • With app version 1.0.5, TLS authentication works.

Solution

The .p12 certificate downloaded from IPFire must be split and converted into three .pem files. OpenVPN and OpenSSL (the latter is already installed on most distributions) must be present for the conversion.

Preparations:

  • Install the OpenVPN Connect app.
  • Create one or more OpenVPN users for iOS devices on IPFire.
    • Optional, for the alternative setup: download and unzip the ZIP file.

Generating the OVPN certificate and user profile

filename = iosconverter.sh

#!/bin/bash
################################################
# iOS OVPN-Settings and send by email
# 5p9 07.04.2015
# first creating by fpausp
# http://forum.ipfire.org/viewtopic.php?f=16&t=10197&p=66197&hilit=openssl+fpausp#p66197
################################################
# Create your own vpnfolder & ovpnbackup folder first!
# You must add one User-Ovpn-Profil (roadwarrior) first, then run this script!
# Only one run per newest user profile, newer than 1 minute!!!
################################################

set -e            # stop at the first failing command, so no half-built profile gets mailed
shopt -s nullglob

# your own vpnfolder (must contain an ovpnbackup subfolder) - change this first!
VPNDIR=/your/own/vpnfolder
cd "$VPNDIR"

# copy the newest ovpn profile (files newer than 1 minute) into the vpnfolder
find /var/ipfire/ovpn/certs/ -name '*.pem' -mmin -1 -exec cp {} "$VPNDIR" \;
find /var/ipfire/ovpn/certs/ -name '*.p12' -mmin -1 -exec cp {} "$VPNDIR" \;

p12files=(*.p12)
if [ ${#p12files[@]} -eq 0 ]; then
      echo "no new .p12 profile found in $VPNDIR" >&2
      exit 1
fi

# Set external IP, Port and TLS Remote name - replace the "<text>" placeholders!
IP="<external-FQDN or external IP>"
PORT="<1234>"
TLS="<ipfirename.local>"

# convert every p12 to <user>-ca.pem and build the matching <user>.ovpn
for i in "${p12files[@]}"
do
      base="${i%.p12}"
      # -nokeys: the CA file must hold certificates only, never the user's private key
      openssl pkcs12 -in "$i" -cacerts -nokeys -nodes -out "${base}-ca.pem"
      #openssl pkcs12 -in "$i" -clcerts -nokeys -nodes -out "${base}-user.pem"
      #openssl pkcs12 -in "$i" -nocerts -nodes -out "${base}-keys.pem"

      # keep only the certificate body for the inline <ca> block (this drops the
      # "Bag Attributes", subject and issuer lines that openssl prints in front of it)
      cacert=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "${base}-ca.pem")

cat <<EOF >"${base}.ovpn"
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote $IP $PORT
cipher AES-256-CBC
auth SHA512
verb 3
# ns-cert-type was removed in OpenVPN 2.5; newer clients use "remote-cert-tls server"
ns-cert-type server
verify-x509-name $TLS name
#mssfix ##optional!
<ca>
$cacert
</ca>
# paste your IPFire TLS authentication key (ta.key, see "CAs and Keys" on the
# OpenVPN page) here, replacing the dummy 4444... lines
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

done

# zip files to tmp-folder
#/usr/local/bin/7z a /tmp/p12.7z "$VPNDIR"/*.p12
#/usr/local/bin/7z a /tmp/ovpn.7z "$VPNDIR"/*.ovpn

# sendEmail OVPN Profil - change the -f & -t names and -xu & -xp!
# (the SMTP password given with -xp is visible to every local user in the process list)
/usr/local/bin/sendEmail -f "<User1.Name1@smtp.mail.com>" -t "<User2.Name2@smtp.mail.com>" \
  -m "Your OpenVPN Clientconfig  $i." \
  -u "IPFire OVPN Profil" \
  -s "<smtp.mail.com:587>" \
  -xu "<User1.Name1@smtp.mail.com>" -xp "<YourSecretPassword>" \
  -a "$VPNDIR"/*.ovpn

# sendEmail CertCA - change the -f & -t names and -xu & -xp!
/usr/local/bin/sendEmail -f "<User1.Name1@smtp.mail.com>" -t "<User2.Name2@smtp.mail.com>" \
  -m "Your OpenVPN-Certificate from  $i." \
  -u "IPFire OVPN Cert" \
  -s "<smtp.mail.com:587>" \
  -xu "<User1.Name1@smtp.mail.com>" -xp "<YourSecretPassword>" \
  -a "$VPNDIR"/*.p12

# cleanup tmp folder and move the generated files to your backup folder
#rm -rf /tmp/*.7z
mv *.pem *.ovpn *.p12 "$VPNDIR/ovpnbackup"

exit 0

Copy this script into your own folder on the IPFire server.

After saving or creating the script, it still has to be made executable:

chmod +x iosconverter.sh
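
As an added check that is not part of the wiki page or of iosconverter.sh, the following script lints a generated .ovpn profile before it is mailed: it flags what the script produces when run unedited (placeholders left in the remote and verify-x509-name lines, the dummy 4444... tls-auth key, which also applies to a key pasted by hand as in the TLS authentication section below) and a private key dumped into the inline <ca> block. The sample profiles, PEM bodies and key lines are constructed and hold no real material.

```shell
#!/bin/sh
# Added example (not from the IPFire wiki or iosconverter.sh): lint a generated
# .ovpn profile before mailing it. Pure POSIX sh, no openssl needed.
# check_ovpn_profile <file.ovpn>: prints every problem found, returns 1 if any
check_ovpn_profile() {
    f=$1; rc=0
    # 1. unreplaced "<...>" placeholders in the remote / verify-x509-name lines
    if grep -qE '^(remote|verify-x509-name) .*<' "$f"; then
        echo "$f: placeholder left in remote/verify-x509-name line"; rc=1
    fi
    # 2. the inline CA block must hold certificates and nothing else
    ca=$(sed -n '/^<ca>$/,/^<\/ca>$/p' "$f")
    if ! printf '%s\n' "$ca" | grep -q 'BEGIN CERTIFICATE'; then
        echo "$f: <ca> block missing or empty"; rc=1
    fi
    if printf '%s\n' "$ca" | grep -q 'PRIVATE KEY'; then
        echo "$f: private key inside <ca> block"; rc=1
    fi
    # 3. an OpenVPN static key V1 body is 16 lines of 32 hex chars, and it must
    #    not be the all-4s dummy left in the template
    key=$(sed -n '/^<tls-auth>$/,/^<\/tls-auth>$/p' "$f" | grep -E '^[0-9a-fA-F]{32}$' || true)
    if [ "$(printf '%s\n' "$key" | grep -c .)" -ne 16 ]; then
        echo "$f: tls-auth key body is not 16 x 32 hex chars"; rc=1
    elif ! printf '%s\n' "$key" | grep -qvE '^4{32}$'; then
        echo "$f: tls-auth key is still the template dummy"; rc=1
    fi
    return $rc
}
# write_profile <file> <remote line> <ca body> <key body>: a minimal profile in
# the layout iosconverter.sh generates (constructed test input, made-up bodies)
write_profile() {
    printf 'client\ndev tun\nproto udp\n%s\n<ca>\n%s\n</ca>\n<tls-auth>\n' "$2" "$3" > "$1"
    printf '%s\n%s\n%s\n</tls-auth>\n' '-----BEGIN OpenVPN Static key V1-----' "$4" \
        '-----END OpenVPN Static key V1-----' >> "$1"
}
repeat16() { n=0; while [ $n -lt 16 ]; do echo "$1"; n=$((n+1)); done; }
FAKE_CERT=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' MIIBfakecert '-----END CERTIFICATE-----')
FAKE_KEY=$(printf '%s\n' '-----BEGIN PRIVATE KEY-----' MIIEfakekey '-----END PRIVATE KEY-----')
REAL_TA=$(repeat16 0123456789abcdef0123456789abcdef)   # made-up, well-formed key lines
DUMMY_TA=$(repeat16 44444444444444444444444444444444)   # the template's placeholder
d=$(mktemp -d)
write_profile "$d/good.ovpn" 'remote vpn.example.org 1194' "$FAKE_CERT" "$REAL_TA"
write_profile "$d/bad.ovpn" 'remote <external-FQDN or external IP> <1234>' \
    "$(printf '%s\n%s' "$FAKE_CERT" "$FAKE_KEY")" "$DUMMY_TA"
for p in "$d/good.ovpn" "$d/bad.ovpn"; do
    if check_ovpn_profile "$p"; then echo "$p: OK"; fi
done
```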

Import the OVPN configuration files

  • After the script has sent the OVPN configuration files, you find these messages in your mail client.
  • Open the first message, the one with the certificate.
  • Go to Install.
  • You need your phone PIN to import the certificate into your system keychain (see the OpenVPN Connect iOS FAQ).
  • Go to Install.
  • Install.
  • The OpenVPN user profile password is needed.
  • Finish.
  • Open the mail with your OpenVPN user profile (*.ovpn).
  • Open it with OpenVPN Connect.
  • Push the green button.
  • Select the certificate for this VPN connection.
  • Use the certificate named after the user profile.
  • To activate the certificate you must see this flag.
  • Now it is done. You can use your own iOS VPN.

Alternative Setup

Now edit the .ovpn file as follows (DEINE_IP stands for your external IP or FQDN; the cipher must match the setting of your IPFire OpenVPN server):

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote DEINE_IP 1194
ca ca.pem
cert user.pem
key keys.pem
cipher BF-CBC
verb 3
ns-cert-type server
#tls-remote DEINE_IP

Split the .p12 certificate into its parts using OpenSSL (-nokeys keeps the private key out of user.pem and ca.pem; only keys.pem may contain it):

openssl pkcs12 -in ZERTIFIKAT.p12 -clcerts -nokeys -nodes -out user.pem
openssl pkcs12 -in ZERTIFIKAT.p12 -nocerts -nodes -out keys.pem
openssl pkcs12 -in ZERTIFIKAT.p12 -cacerts -nokeys -nodes -out ca.pem

Finally, copy the .ovpn file and the three generated certificate files into the app directory of OpenVPN Connect using iTunes.

TLS authentication

To use tls-auth with iOS app version 1.0.5 you must add the TLS key to your .ovpn file:

  • Log in to your IPFire and go to the OpenVPN tab.
  • Under "CAs and Keys", click the blue info button next to "TLS authentication key".
  • Copy everything from "-----BEGIN OpenVPN Static key V1-----" to "-----END OpenVPN Static key V1-----" and put it into your .ovpn file like this:
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
....
-----END OpenVPN Static key V1-----
</tls-auth>


Older Revisions • September 6 at 6:39 pm • Jon