Differences in Revisions: Configure iPad and iPhone for OpenVPN

Older Revision
August 8 at 12:05 am
»
fix code block
# Configure iPad and iPhone for OpenVPN
 
| Note! |
|---|
| This method is not secure (no password) and is not recommended for business use. |
 
### Problem
* Apple iOS devices have issues with [pkcs12](https://en.wikipedia.org/wiki/PKCS_12) files. [.pem](https://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions) files are required instead.
* TLS-Remote is not supported in the app version (1.0.0).
* With app version 1.0.5 TLS works.
 
### Solution
The .p12 certificate downloaded from IPFire must be split (converted) into three .pem files. OpenVPN and OpenSSL must be available for this conversion (OpenSSL is already installed on most distributions).
 
**Preparations:**
 
- Install the App [OpenVPN Connect](https://itunes.apple.com/us/app/openvpn-connect/id590379981).
- On IPFire, create one or more OpenVPN users for the iOS devices.
- **optional for alternative setup:** Download the ZIP file and unzip it.
 
 
## Generating the OVPN certificate and user profile
 
filename = iosconverter.sh
```text
#!/bin/bash
################################################
# iOS OVPN-Settings and send by email
# 5p9 07.04.2015
# first creating by fpausp
# http://forum.ipfire.org/viewtopic.php?f=16&t=10197&p=66197&hilit=openssl+fpausp#p66197
################################################
# Create your own vpnfolder & ovpnbackup folder first!
# You must first add one user OVPN profile (roadwarrior), then run this script!
# Run it only once per new user profile, while the profile is less than 1 minute old!
################################################

# copy the newest OVPN profile (newer than 1 minute) - change to your own vpnfolder first!
find /var/ipfire/ovpn/certs/ -name '*.pem' -mmin -1 -exec cp {} /your/own/vpnfolder \;
find /var/ipfire/ovpn/certs/ -name '*.p12' -mmin -1 -exec cp {} /your/own/vpnfolder \;

# work inside the vpnfolder so the generated files land next to the copied ones
cd /your/own/vpnfolder || exit 1

# Set external IP, port and TLS remote name - replace the "<text>" placeholders with your settings!
IP="<external-FQDN or external IP>"
PORT="<1234>"
TLS="<ipfirename.local>"

# convert p12 to ca.pem
for i in *.p12
do
    [ -e "$i" ] || continue
    base=${i%%.*}    # file name up to the first dot
    openssl pkcs12 -in "$i" -cacerts -nodes -out "$base-ca.pem"
    #openssl pkcs12 -in "$i" -clcerts -nokeys -nodes -out "$base-user.pem"
    #openssl pkcs12 -in "$i" -nocerts -nodes -out "$base-keys.pem"

    # keep only the CA certificate: drop the first four lines of the openssl output
    key=$(sed '1,4d' "$base-ca.pem")

    cat <<EOF >"$base.ovpn"
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote $IP $PORT
cipher AES-256-CBC
auth SHA512
verb 3
ns-cert-type server
verify-x509-name $TLS name
#mssfix ##optional!
<ca>
$key
</ca>
# first download the ta.key (HMAC tls-auth) from your IPFire OpenVPN client profile,
# then copy it over the inline text at this position!
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
44444444444444444444444444444444
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

done

# zip files to tmp-folder
#/usr/local/bin/7z a /tmp/p12.7z /your/own/vpnfolder/*.p12
#/usr/local/bin/7z a /tmp/ovpn.7z /your/own/vpnfolder/*.ovpn

# sendEmail OVPN profile - change the -f & -t names! - change -xu & -xp! - change -a to your own vpnfolder!
# note: -xp puts the SMTP password on the command line, where it is visible in the process list
/usr/local/bin/sendEmail -f "<User1.Name1@smtp.mail.com>" -t "<User2.Name2@smtp.mail.com>" \
    -m "Your OpenVPN Clientconfig $i." \
    -u "IPFire OVPN Profil" \
    -s "<smtp.mail.com:587>" \
    -xu "<User1.Name1@smtp.mail.com>" -xp "<YourSecretPassword>" \
    -a /your/own/vpnfolder/*.ovpn

# sendEmail CertCA - change the -f & -t names! - change -xu & -xp! - change -a to your own vpnfolder!
/usr/local/bin/sendEmail -f "<User1.Name1@smtp.mail.com>" -t "<User2.Name2@smtp.mail.com>" \
    -m "Your OpenVPN-Certificate from $i." \
    -u "IPFire OVPN Cert" \
    -s "<smtp.mail.com:587>" \
    -xu "<User1.Name1@smtp.mail.com>" -xp "<YourSecretPassword>" \
    -a /your/own/vpnfolder/*.p12

# cleanup tmp folder and move the files to your new backup folder
#rm -rf /tmp/*.7z
mv *.pem *.ovpn *.p12 /your/own/vpnfolder/ovpnbackup

exit 0
```
 
Copy this script into a folder on your own IPFire server.

After saving the script, make it executable:
 
```text
chmod +x iosconverter.sh
```
 
## Importing the OVPN configuration files
 
| ToDo | Screenshot |
| --- | --- |
| After the OVPN configuration files have been sent, you will find these messages in your mail client. | ![](/configuration/services/openvpn/ios12.jpg) |
| First open the message with the certificate. | ![](/configuration/services/openvpn/ios13.jpg) |
| Go to Install. | ![](/configuration/services/openvpn/ios14.jpg) |
| You need your phone PIN to import the certificate into your system keychain - [OpenVPN Connect iOS FAQ](https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/)| ![](/configuration/services/openvpn/ios15.jpg) |
| Go to Install. | ![](/configuration/services/openvpn/ios16.jpg) |
| Install. | ![](/configuration/services/openvpn/ios17.jpg) |
| The OpenVPN user profile password is needed. | ![](/configuration/services/openvpn/ios18.jpg) |
| Finish. | ![](/configuration/services/openvpn/ios19.jpg) |
| Open the mail with your OpenVPN user profile *.ovpn. | ![](/configuration/services/openvpn/ios20.jpg) |
| Open it with OpenVPN Connect. | ![](/configuration/services/openvpn/ios21.jpg) |
| Push the green button. | ![](/configuration/services/openvpn/ios22.jpg) |
| Select the certificate for this VPN connection. | ![](/configuration/services/openvpn/ios23.jpg) |
| Use the certificate with the user profile name. | ![](/configuration/services/openvpn/ios24.jpg) |
| For the certificate to be active, you must see this flag. | ![](/configuration/services/openvpn/ios25.jpg) |
| Now it is done. You can use your own iOS VPN. | ![](/configuration/services/openvpn/ios26.jpg) |
 
 
## Alternative Setup
 
Now edit the .ovpn file as follows:
 
```text
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote DEINE_IP 1194
ca ca.pem
cert user.pem
key keys.pem
cipher BF-CBC
verb 3
ns-cert-type server
#tls-remote DEINE_IP
```
 
Split the .p12 certificate using OpenSSL:
 
```text
openssl pkcs12 -in ZERTIFIKAT.p12 -clcerts -nokeys -nodes -out user.pem
openssl pkcs12 -in ZERTIFIKAT.p12 -nocerts -nodes -out keys.pem
openssl pkcs12 -in ZERTIFIKAT.p12 -cacerts -nodes -out ca.pem
```
 
Finally, use iTunes to copy the .ovpn file and the three generated certificate files into the app directory of OpenVPN Connect.
 
 
## TLS authentication
 
To use tls-auth with iOS app 1.0.5, you must add the TLS key to your .ovpn file:

* Log in to your IPFire and go to the OpenVPN tab.
* Under "CAs and Keys", click the blue Info button next to "TLS authentication key".
* Copy everything from "-----BEGIN OpenVPN Static key V1-----" to "-----END OpenVPN Static key V1-----" and put it into your .ovpn file like this:
 
 
```text
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
....
-----END OpenVPN Static key V1-----
</tls-auth>
```
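
A generated or hand-edited profile can be checked before it is mailed to a device. The following linter is an added example, not part of the original wiki page or of IPFire; `lint_ovpn`, its finding labels and the sample profile are constructed for illustration. It reports inline blocks with a missing opening or closing tag, a `<tls-auth>` block that still holds the placeholder key from `iosconverter.sh`, PEM lines pasted outside any block, and the BF-CBC cipher.

```shell
#!/bin/bash
# Added example, not part of the wiki's script. lint_ovpn and its finding
# labels are hypothetical names chosen for this illustration.

# Print one finding per line for the .ovpn file given as $1; no output = clean.
lint_ovpn() {
    awk '
    # true when every character of s equals its first character
    function uniform(s) { gsub(substr(s, 1, 1), "", s); return s == "" }
    /^<\/[a-z-]+>$/ {                      # closing tag of an inline block
        tag = substr($0, 3, length($0) - 3)
        if (tag != cur) print "unbalanced:" tag
        else if (body == 0) print "empty:" tag
        else if (tag == "tls-auth" && hex > 0 && hex == same)
            print "placeholder-key:tls-auth"
        cur = ""; next
    }
    /^<[a-z-]+>$/ {                        # opening tag of an inline block
        if (cur != "") print "unclosed:" cur
        cur = substr($0, 2, length($0) - 2)
        body = hex = same = 0; next
    }
    cur != "" {                            # line inside an inline block
        body++
        if ($0 ~ /^[0-9a-fA-F]+$/) { hex++; if (uniform($0)) same++ }
        next
    }
    /^-----(BEGIN|END) / { print "stray-pem-line" }   # PEM marker outside a block
    # BF-CBC is a 64-bit block cipher (SWEET32); the script above uses AES-256-CBC
    $1 == "cipher" && $2 == "BF-CBC" { print "weak-cipher:BF-CBC" }
    END { if (cur != "") print "unclosed:" cur }
    ' "$1"
}

# Constructed sample: a profile whose tls-auth key was never replaced.
sample_profile() {
    printf '%s\n' 'client' 'cipher AES-256-CBC' '<tls-auth>' \
        '-----BEGIN OpenVPN Static key V1-----' \
        '44444444444444444444444444444444' \
        '44444444444444444444444444444444' \
        '-----END OpenVPN Static key V1-----' '</tls-auth>'
}
```

Run it as `lint_ovpn profile.ovpn` after sourcing the file; an empty result means none of these findings apply.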
 
 
## Additional information

* [OpenSSL for Windows](https://www.openssl.org)
* [OpenSSL User Guide](https://www.openssl.org/docs/fips/UserGuide-2.0.pdf)
* OpenVPN Connect iOS [FAQ](https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/)
 