Differences in Revisions: Configure iPhone and iPad for OpenVPN - v2

Older Revision
August 8 at 12:05 am
fix code block
# Configure iPad and iPhone for OpenVPN
 
| Note! |
|---|
This method is not secure (no password). Not recommended for business use.</WRAP>
| This method is not secure (no password) and is not recommended for business use |
 
### Problem
* Apple iOS devices have issues with [pkcs12](https://en.wikipedia.org/wiki/PKCS_12) files; [.pem](https://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions) files are required instead.
* TLS-Remote is not supported in the app version (1.0.0).
* With app version 1.0.5 TLS works.
 
### Solution
The .p12 certificate downloaded from IPFire must be split (converted) into three .pem files. OpenVPN and OpenSSL must be available for the conversion; OpenSSL is already installed on most distributions.
 
**Preparations:**
 
- Install the App [OpenVPN Connect](https://itunes.apple.com/us/app/openvpn-connect/id590379981).
- On IPFire, create one or more OpenVPN users for the iOS devices.
- **Optional, for the alternative setup:** download the ZIP file and unzip it.
 
 
## Generating the OpenVPN certificate and user profile
 
filename = iosconverter.sh
```text
#!/bin/bash
################################################
# iOS OVPN-Settings and send by email
# 5p9 07.04.2015
# first creating by fpausp
# http://forum.ipfire.org/viewtopic.php?f=16&t=10197&p=66197&hilit=openssl+fpausp#p66197
################################################
# Create your own vpnfolder & ovpnbackup folder first!
# You must added first one User-Ovpn-Profil (roadwarrior) then run this Script!
# Only one run for one newest Userprofil, newer than 1 minutes!!!
################################################
 
# copy newest ovpn-profil newer than 1 minutes - change your own vpnfolder first!
find /var/ipfire/ovpn/certs/ -name *.pem -mmin -1 -exec cp {} /your/own/vpnfolder \;
find /var/ipfire/ovpn/certs/ -name *.p12 -mmin -1 -exec cp {} /your/own/vpnfolder \;
 
 
# Set external IP, Port and TLS Remote IP - remove "<text>" and change the settings!
IP=<external-FQDN or external IP>
PORT=<1234>
TLS=<ipfirename.local>
 
 
# convert p12 to ca.pem
for i in $(ls *.p12)
` do`
do
` openssl pkcs12 -in $i -cacerts -nodes -out $(echo $i | awk -F. '{print$1}')-ca.pem`
openssl pkcs12 -in $i -cacerts -nodes -out $(echo $i | awk -F. '{print$1}')-ca.pem
` #openssl pkcs12 -in $i -clcerts -nokeys -nodes -out $(echo $i | awk -F. '{print$1}')-user.pem`
#openssl pkcs12 -in $i -clcerts -nokeys -nodes -out $(echo $i | awk -F. '{print$1}')-user.pem
` #openssl pkcs12 -in $i -nocerts -nodes -out $(echo $i | awk -F. '{print$1}')-keys.pem`
#openssl pkcs12 -in $i -nocerts -nodes -out $(echo $i | awk -F. '{print$1}')-keys.pem
 
# cat only ca-Key - change the targed destination to your own vpnfolder!
key=`cat /your/own/vpnfolder/*-ca.pem | sed '1,4d'`
 
 
cat <<EOF >$(echo $i | awk -F. '{print$1}').ovpn
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote $IP $PORT
cipher AES-256-CBC
auth SHA512
verb 3
ns-cert-type server
verify-x509-name $TLS name
#mssfix ##optional!
<ca>
$key
</ca>
# download first by using HMAC tls-auth your ovpn-ipfire clientprofile the ta.key
# copy and replace the inlinetext on this postion!
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
 
done
 
# zip files to tmp-folder
#/usr/local/bin/7z a /tmp/p12.7z /your/own/vpnfolder/*.p12
#/usr/local/bin/7z a /tmp/ovpn.7z /your/own/vpnfolder/*.ovpn
 
 
# sendEmail OVPN Profil - change -f & -t Names! - change xu & xp! - change -a to your own vpnfolder!
/usr/local/bin/sendEmail -f <User1.Name1@smtp.mail.com> -t <User2.Name2@smtp.mail.com> \
` -m "Your OpenVPN Clientconfig $i." \`
-m "Your OpenVPN Clientconfig $i." \
` -u "IPFire OVPN Profil" \`
-u "IPFire OVPN Profil" \
` -s <smtp.mail.com:587> \`
-s <smtp.mail.com:587> \
` -xu <User1.Name1@smtp.mail.com> -xp <YourSecretPassword> \`
-xu <User1.Name1@smtp.mail.com> -xp <YourSecretPassword> \
-a /your/own/vpnfolder/*.ovpn;
 
 
# sendEmail CertCA - change -f & -t Names! - change xu & xp! - change -a to your own vpnfolder!
/usr/local/bin/sendEmail -f <User1.Name1@smtp.mail.com> -t <User2.Name2@smtp.mail.com> \
` -m "Your OpenVPN-Certificate from $i." \`
-m "Your OpenVPN-Certificate from $i." \
` -u "IPFire OVPN Cert" \`
-u "IPFire OVPN Cert" \
` -s <smtp.mail.com:587> \`
-s <smtp.mail.com:587> \
` -xu <User1.Name1@smtp.mail.com> -xp <YourSecretPassword> \`
-xu <User1.Name1@smtp.mail.com> -xp <YourSecretPassword> \
-a /your/own/vpnfolder/*.p12;
 
 
 
# cleanup tmp folder and move ovpn to your new backupfolder
#rm -rf /tmp/*.7z
mv *.pem *.ovpn *.p12 /your/own/vpnfolder/ovpnbackup
 
exit 0
```
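
Review bot: in the `openssl pkcs12` loop, `$i` and the derived output name are unquoted, and `awk -F. '{print$1}'` keeps only the text before the first dot, so a profile name containing a space or a dot produces a wrong or colliding file name. Compute the base name once, for example `base=${i%.p12}`, quote both (`-in "$i" -out "$base-ca.pem"`), and iterate with `for i in *.p12` instead of `$(ls *.p12)`. The `sed '1,4d'` step that follows assumes the header is always four lines, and its `*-ca.pem` glob concatenates every CA file in the folder; selecting the lines between the BEGIN and END markers of the one file just written would be sturdier.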
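
Review bot: both `sendEmail` calls pass the SMTP password as `-xp <YourSecretPassword>`, so it is stored in the script and visible in the process list while the mail is sent. Read it from a file only root can read and restrict the script itself (`chmod 700` rather than `chmod +x`). The `-a /your/own/vpnfolder/*.ovpn` and `*.p12` globs also attach every profile in the folder, not just the one for `$i`, and the calls sit after `done`, where `$i` holds only the last file name.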
 
Copy this script into a folder of your own on the IPFire server.
 
After saving the script, make it executable:
 
```text
chmod +x iosconverter.sh
```
 
## Import the OpenVPN configuration files
 
| ToDo | Screenshot |
| --- | --- |
| After the OpenVPN configuration files have been sent, you will find these messages in your mail app. | ![](/configuration/services/openvpn/ios12.jpg) |
| First open the message with the certificate. | ![](/configuration/services/openvpn/ios13.jpg) |
| Go to Install. | ![](/configuration/services/openvpn/ios14.jpg) |
| You need your phone PIN to import the certificate into the system keychain - [OpenVPN Connect iOS FAQ](https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/)| ![](/configuration/services/openvpn/ios15.jpg) |
| Go to Install. | ![](/configuration/services/openvpn/ios16.jpg) |
| Install | ![](/configuration/services/openvpn/ios17.jpg) |
| The user profile's OpenVPN password is needed. | ![](/configuration/services/openvpn/ios18.jpg) |
| Finish. | ![](/configuration/services/openvpn/ios19.jpg) |
| Open the mail with your OpenVPN user profile *.ovpn. | ![](/configuration/services/openvpn/ios20.jpg) |
| Open it with OpenVPN Connect. | ![](/configuration/services/openvpn/ios21.jpg) |
| Push the green button. | ![](/configuration/services/openvpn/ios22.jpg) |
| Select the certificate for this VPN connection. | ![](/configuration/services/openvpn/ios23.jpg) |
| Use the certificate named after the user profile. | ![](/configuration/services/openvpn/ios24.jpg) |
| For the certificate to be active, you must see this flag. | ![](/configuration/services/openvpn/ios25.jpg) |
| Now it is done. You can use your own iOS VPN. | ![](/configuration/services/openvpn/ios26.jpg) |
 
 
## Alternative Setup
 
Now edit the .ovpn file as follows:
 
```text
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote DEINE_IP 1194
ca ca.pem
cert user.pem
key keys.pem
cipher BF-CBC
verb 3
ns-cert-type server
#tls-remote DEINE_IP
```
 
Split the .p12 certificate using OpenSSL:
 
```text
openssl pkcs12 -in ZERTIFIKAT.p12 -clcerts -nokeys -nodes -out user.pem
openssl pkcs12 -in ZERTIFIKAT.p12 -nocerts -nodes -out keys.pem
openssl pkcs12 -in ZERTIFIKAT.p12 -cacerts -nodes -out ca.pem
```
 
Finally, use iTunes to copy the .ovpn file and the three generated certificate files into the app directory of OpenVPN Connect.
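
The three files written by `openssl pkcs12` begin with "Bag Attributes" text before each PEM block, and OpenVPN also accepts the same material inline in the profile. As an added example (not part of the wiki page or of IPFire; the function names and the sample data are assumptions), this goes beyond the three-file setup above: it keeps only the PEM blocks and folds them into one profile with `<ca>`, `<cert>` and `<key>` sections.

```shell
#!/bin/sh
# Added example; function names and sample data are assumptions, not IPFire code.

# Print only the PEM blocks from stdin, dropping the "Bag Attributes",
# subject= and issuer= text that `openssl pkcs12` writes before each block.
pem_blocks() {
    awk '/^-----BEGIN [A-Z0-9 ]+-----$/ { inside = 1 }
         inside                         { print }
         /^-----END [A-Z0-9 ]+-----$/   { inside = 0 }'
}

# Number of PEM blocks on stdin (prints 0 for a file without any).
pem_count() {
    pem_blocks | grep -c '^-----BEGIN ' || true
}

# Base config on stdin, the three PEM files as arguments, profile on stdout.
# The result holds the unencrypted private key, so write it under umask 077:
#   ( umask 077; inline_profile ca.pem user.pem keys.pem < base.ovpn > client.ovpn )
inline_profile() {
    for f in "$1" "$2" "$3"; do
        [ "$(pem_count < "$f")" -ge 1 ] || { echo "no PEM block in $f" >&2; return 1; }
    done
    # The inline sections replace the ca/cert/key file references.
    grep -Ev '^(ca|cert|key)[[:space:]]' || true
    set -- "ca:$1" "cert:$2" "key:$3"
    for pair; do
        printf '<%s>\n' "${pair%%:*}"
        pem_blocks < "${pair#*:}"
        printf '</%s>\n' "${pair%%:*}"
    done
}

# Constructed sample in the layout `openssl pkcs12` emits, with dummy base64.
sample_pem() {  # $1 = PEM label, e.g. CERTIFICATE
    printf '%s\n' 'Bag Attributes' '    friendlyName: demo' 'subject=/CN=demo' \
        "-----BEGIN $1-----" 'Q09OU1RSVUNURUQ=' "-----END $1-----"
}
```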
 
 
## TLS authentication
 
To use tls-auth with iOS App 1.0.5 you must add the TLS key in you ovpn file.
To use tls-auth with iOS App 1.0.5 you must add the TLS key in you ovpn file:
 
* Log in to your IPFire and go to the OpenVPN tab.
* Under "CAs and Keys", click the blue Info button next to "TLS authentication key".
* Copy everything from "-----BEGIN OpenVPN Static key V1-----" to "-----END OpenVPN Static key V1-----" and put it into your .ovpn file like this:
 
 
```text
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
....
-----END OpenVPN Static key V1-----
</tls-auth>
```
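
Review bot: the revised TLS authentication sentence still reads "in you ovpn file"; it should be "in your .ovpn file". The only change to that sentence is the trailing colon, so the typo is worth fixing in the same edit.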
 
 
## Additional information
 
* [OpenSSL for Windows](https://www.openssl.org)
* [OpenSSL User Guide](https://www.openssl.org/docs/fips/UserGuide-2.0.pdf)
* OpenVPN Connect iOS [FAQ](https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/)
 
**[Back to OpenVPN mainpage](/configuration/services/openvpn)**