Differences in Revisions: iOS Keychain Method

added more info to article
#Separate file for iOS keychain
# iOS Keychain Method
 
**[Back to OpenVPN main page](/configuration/services/openvpn)**
 
[Back to Configure iPhone main page](/configuration/services/openvpn/ios)
 
**Work in Progress... Work in Progress... Work in Progress... Work in Progress... Work in Progress...**
 
The first file, or `.ovpn12` file, includes:
 
1st file includes:
* ovpn info (tls-client, client, nobind, dev tun, proto udp, tun-mtu, etc.)
* Root Certificate (cacert) or <ca>
* TLS Authentification Key or <tls-auth>
 
The second file, or `.ovpn` file, includes:
* ovpn info?
* CA directive
 
* Client Certificate or <cert>
* Private Key or <key>
2nd file includes:
 
* Cert directive
* Key directive
* tls-auth?
 
**Work in Progress... Work in Progress... Work in Progress... Work in Progress... Work in Progress...**
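Review bot: the file descriptions look swapped against the script further down. The line that calls the first file the `.ovpn12` file is followed by the ovpn info, `<ca>` and `<tls-auth>` items, and the `.ovpn` line is followed by `<cert>` and `<key>`, but the script appends `<ca>` and `<tls-auth>` to `$ovpnFile` and exports the client certificate and private key into `$ovpn12File`. Suggest describing the `.ovpn12` as the PKCS12 bundle holding the client certificate and private key (installed first, as the `Install_first.` prefix indicates) and the `.ovpn` as the profile carrying the connection settings, `<ca>` and `<tls-auth>`. The "ovpn info?" and "tls-auth?" items should be resolved rather than left as questions, and the old "1st file includes:" / "2nd file includes:" headings dropped so only one list per file remains.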
 
Includes the five sections in the [Manual Method](/configuration/services/openvpn/ios/ios_manual) all in an easy to run script.
 
 
## Installation on IPFire
There is **no web interface** for this script. To run the script open the client console or terminal and access the IPFire box via [SSH](/configuration/system/ssh).
 
Once connected via SSH, create a directory for creating .ovpn files with this script. Example:
 
```
mkdir /root/ios
cd /root/ios
```
 
Locate the the `<ovpn_file>.ovpn` file obtained from the [**Download Client Package (zip)**](/configuration/services/openvpn/ios#download-client-package) and copy the file to the `/root/ios` directory on the IPFire box.
 
Copy the code below to a file named `create_ovpn12.sh` into the same directory:
Copy the code below to a file named `create_ovpn.sh` into the same directory:
 
```bash
#!/bin/bash
set -e
 
# OpenVPN keychain script
# started from openvpncmd_v28.sh (version = v28)
#
# Launch via:
# create_ovpn12 ovpn_file password(PKCS12 File Password)
#
# $1 param = YourNewOpenVPNfile.ovpn
# $2 param = PKCS12 File Password
#
# create_ovpn12 version 5a
# create_ovpn version 5a
#
 
if (( $# < 2 )); then
echo "Usage: create_ovpn12 <ovpn_file> <PKCS12 File Password>"
exit 1
fi
 
if grep -q "BEGIN CERTIFICATE" "$1"; then
echo "Error: wrong .ovpn file"
echo "Usage: create_ovpn12 <ovpn_file> <PKCS12 File Password>"
exit 1
fi
 
 
cp "$1" tmp.ovpn
PKCS12_PW="$2" # PKCS12 File Password
 
# Convert windows file to linux file (drop Carriage Returns)
sed -i 's/\r$//g' tmp.ovpn
 
# get key & value from input ovpn file <ovpn_file>
while IFS=" " read -r key value remainder
do
#echo "key=$key" ; echo "value=$value" ; echo "remainder=$remainder" ; echo
case "$key" in
verify-x509-name )
RedIPaddr="$value"
;;
*pkcs12 )
pkcs12File="$value"
;;
esac
done < tmp.ovpn
 
# Comment out the "tls-auth ta.key" line and the "pkcs12 *.p12" line
sed -i -E -e 's/^tls-auth /#tls-auth /' -e 's/^pkcs12 /#pkcs12 /' tmp.ovpn
 
p12File=/var/ipfire/ovpn/certs/"$pkcs12File"
 
ovpnBasename=${pkcs12File%%.*} # remove extension
ovpnFile="$ovpnBasename.ovpn" # add new extension
ovpn12File="Install_first.$ovpnBasename.ovpn12"
 
printf "\nUsing $1 to create $ovpnFile and ${ovpnBasename}.ovpn12\n\n"
 
cp tmp.ovpn "$ovpnFile"
echo "key-direction bidirectional" >> $ovpnFile
 
# get Root Certificate (cacert) <ca>
echo "<ca>" >> $ovpnFile
cat /var/ipfire/ovpn/ca/cacert.pem | sed '/^-----BEGIN CERTIFICATE-----/,$!d' >> $ovpnFile
echo "</ca>" >> $ovpnFile
printf "created Root Certificate\n"
 
 
# get TLS-Authentification-Key <tls-auth>
echo "<tls-auth>" >> $ovpnFile
cat /var/ipfire/ovpn/certs/ta.key | sed '/^-----BEGIN OpenVPN Static key V1-----/,$!d' >> $ovpnFile
echo "</tls-auth>" >> $ovpnFile
printf "created TLS Authentification Key\n"
printf "created $ovpnFile\n\n"
 
 
# Output only client certificates to pem key file format (base64 / ASCII)
openssl pkcs12 -in $p12File -passin pass:$PKCS12_PW -clcerts -nokeys -out tmp.pem
printf "created Client Certificate\n"
 
# Output without certificates to pem key file format (base64 / ASCII)
openssl pkcs12 -nocerts -in $p12File -passin pass:$PKCS12_PW -passout pass:$PKCS12_PW -out key.pem
 
# Output ovpn12 file (binary / gibberish)
openssl pkcs12 -export -in tmp.pem -passin pass:$PKCS12_PW -passout pass:$PKCS12_PW -inkey key.pem -certfile /var/ipfire/ovpn/ca/cacert.pem -name $ovpnBasename -out $ovpn12File
printf "created ${ovpnBasename}.ovpn12\n\n"
 
 
# cleanup
rm tmp.ovpn
rm tmp.pem
rm key.pem
printf "clean-up files\n\n"
 
#echo "ovpn file = "
#cat $ovpnFile; echo
exit
```
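Review bot: the private-key handling in the script needs tightening before this is presented as the recommended method. The PKCS12 password arrives as `$2` and is handed to openssl as `-passin pass:$PKCS12_PW`, so it ends up in shell history and is visible in the process list while openssl runs; prompting with `read -s` and using openssl's `env:` or `file:` pass phrase sources avoids both. `key.pem` and `tmp.pem` are written to the working directory under the default umask, and because of `set -e` any failing openssl call exits before the `rm` lines, leaving the key material behind; set `umask 077` near the top and move the cleanup into a `trap` on EXIT. The expansions `$p12File`, `$PKCS12_PW`, `$ovpnBasename`, `$ovpnFile` and `$ovpn12File` are unquoted, so a password or file name containing spaces or glob characters breaks the commands.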
 
Once copied and saved, enter:
 
```
chmod +x create_ovpn12.sh
```
 
and to run the command enter:
 
```
./create_ovpn12.sh <ovpn_file>.ovpn <PKCS12 File Password>
```
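Review bot: the script name is inconsistent after this revision. One line tells the reader to save the code as `create_ovpn12.sh` and the next as `create_ovpn.sh`, and the header comment carries both `create_ovpn12 version 5a` and `create_ovpn version 5a`, while the usage messages, `chmod +x create_ovpn12.sh` and the run command all use `create_ovpn12`. Pick one name and apply it to the save instruction, the script's comments and usage text, and both commands here; a reader who saves the file under the other name fails at the chmod step.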
 
Copy the newly created `ovpn12` and `.ovpn` files from the IPFire to the client computer. And now install the those files on the iDevice via [iTunes](/configuration/services/openvpn/ios/ios_itunes) or via the [Files](/configuration/services/openvpn/ios/ios_ovpn_alt) app
 
 
## Links
* [OpenVPN - How do I use a client certificate and private key from the iOS Keychain?](https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/)
* [OpenVPN - FAQ regarding OpenVPN Connect iOS](https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/)
 
| | |
|---|---:|
| [Back to Configure iPhone main page](/configuration/services/openvpn/ios) | Next to [](/configuration/services/openvpn/ios/ios_itunes) |
| | |
| **[Back to OpenVPN main page](/configuration/services/openvpn)** | Next to [](/configuration/services/openvpn/ios/ios_ovpn_alt) |