Differences in Revisions: Configure iPad and iPhone for OpenVPN v2

added image and more info
# Configure iPad and iPhone for OpenVPN v2
Work-in-progress...
 
 
## Preparations
* Install the iOS app [OpenVPN Connect](https://apps.apple.com/app/openvpn-connect/id590379981)
* [Configure](https://wiki.ipfire.org/configuration/services/openvpn/config) and create an OpenVPN client for your iPhone or iPad device.
* Make sure you document the **PKCS12 File Password**. It will be needed in the next few steps.
 
There are a few different ways to create a unified file for use on an iOS device (iPhone or iPad). It can be done manually by cutting and pasting information from various files, or it can be done with one of the bash scripts below.
 
To get started, go to the menu **Service** > **OpenVPN**, scroll to the **Connection Status and Control** section and click on the **Download Client Package (zip)** icon.
 
![](./connection_status_control_v2.png "Download Client Package (zip)")
 
 
## Single unified file (manual method)
Manual method... for another time and probably a separate web page.
 
There are 5 main sections to a unified ovpn file:
 
1. The OpenVPN client conf file is obtained from the **Download Client Package (zip)** above. Open the `.p12` file
2.
3.
4.
5.
```
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote your_dynamic_dns_hostname 1194
#pkcs12 iPhone.p12
cipher AES-256-GCM
auth SHA512
#tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name your_dynamic_dns_hostname name
key-direction bidirectional
 
<ca>
-----BEGIN CERTIFICATE-----
VfHJtIrVVfqhuJrW3QsEoXNt+yBhBtbNPmGcWIDA02GU2Z2SnpAwfGzPHWUWbA7y
. . .
oLj7ZdKsYbts/Acsu3XcJ7DhJ4QVNNo9kfiwqMSBSWoWMA==
-----END CERTIFICATE-----
</ca>
 
<cert>
-----BEGIN CERTIFICATE-----
vvS76sKnu4/W3sQYn2pmnVcElZUKzZDkLnJEYcN98dFehRKlGdH0gVCkDskjJ6Pt
. . .
Yc+7jomu8rAp6gYRQjAhXPToCfg2A3e3cc+JdGlFBN9jPw==
-----END CERTIFICATE-----
</cert>
 
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
e5b94R6cobNhrWEXbeWfid9lPZirltz6XfCzGEl/MpxGP3DHcxcXFKOVykxZaQKc
. . .
EiRJY4xkkOR09hRW+jqPkYseCgW/YK3SZw/RhX+IEBsItQ==
-----END ENCRYPTED PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
W6pHnCDaA/vXCSEaylsG9dFJFYdstTRw
. . .
tbsV1d0PpJPv6gV88HaOmASe+JjEvHrE
Yq6iObr8/qyOf/XWhyOB5ktyd1eMvDxE
-----END OpenVPN Static key V1-----
</tls-auth>
```

![](./iphone_example.ovpn.png "Example iphone.ovpn")
 
## Single unified file (scripted method)
Includes:
 
* ovpn info?
* CA directive
* Cert directive
* Key directive
* tls-auth?
 
### IPFire side code
Installed on IPFire box
 
Copy the following to a directory on the IPFire box.
 
filename = `openvpncmd.sh`
 
```bash
#!/bin/bash
set -e
#set -x
# OpenVPN script for IPCop/iOS, www.magnuswedberg.com
#
# Launch via:
# openvpncmd ovpn_file password(PKCS12 File Password)
#
# $1 param = YourNewOpenVPNfile.ovpn
# $2 param = PKCS12 Password
#

if (( $# < 2 )); then
    echo "Usage: openvpncmd ovpn_file password(PKCS12 File Password)"
    exit 1
fi

cp "$1" tmp.ovpn
# Exported so openssl can read it with env: instead of from its own
# command line, where other local users could see it in the process list
export PKCS12_PW="$2" # PKCS12 File Password

# Convert windows file to linux file (drop Carriage Returns)
sed -i 's/\r$//g' tmp.ovpn

# get key & value from input ovpn file
while IFS=" " read -r key value remainder
do
    #echo "key=$key" ; echo "value=$value" ; echo "remainder=$remainder" ; echo
    case "$key" in
        verify-x509-name )
            RedIPaddr="$value"
            ;;
        *pkcs12 )
            pkcs12File="$value"
            ;;
    esac
done < tmp.ovpn

# Comment out the "tls-auth ta.key" line and the "pkcs12 *.p12" line
sed -i -E -e 's/^tls-auth /#tls-auth /' -e 's/^pkcs12 /#pkcs12 /' tmp.ovpn

p12File=/var/ipfire/ovpn/certs/"$pkcs12File"
FILE="$p12File"

fn=$(basename "$FILE")

#bn="${fn%%.*}"
ovpnFile="${fn%%.*}".ovpn

cp tmp.ovpn "$ovpnFile"
rm tmp.ovpn
echo "key-direction bidirectional" >> "$ovpnFile"

# CA certificate, from the BEGIN line onwards
echo "<ca>" >> "$ovpnFile"
sed '/^-----BEGIN CERTIFICATE-----/,$!d' /var/ipfire/ovpn/ca/cacert.pem >> "$ovpnFile"
echo "</ca>" >> "$ovpnFile"

# Client certificate extracted from the PKCS12 file
echo "<cert>" >> "$ovpnFile"
openssl pkcs12 -in "$p12File" -clcerts -nokeys -passin env:PKCS12_PW | sed '/^-----BEGIN CERTIFICATE-----/,$!d' >> "$ovpnFile"
echo "</cert>" >> "$ovpnFile"

# Private key, re-encrypted with the same password
echo "<key>" >> "$ovpnFile"
openssl pkcs12 -nocerts -in "$p12File" -passin env:PKCS12_PW -passout env:PKCS12_PW | sed '/^-----BEGIN ENCRYPTED PRIVATE KEY-----/,$!d' >> "$ovpnFile"
echo "</key>" >> "$ovpnFile"

# Static tls-auth key
echo "<tls-auth>" >> "$ovpnFile"
sed '/^-----BEGIN OpenVPN Static key V1-----/,$!d' /var/ipfire/ovpn/certs/ta.key >> "$ovpnFile"
echo "</tls-auth>" >> "$ovpnFile"

#echo "ovpn file = "
#cat "$ovpnFile"; echo
exit
```
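
A check to run on the generated file before it leaves the IPFire box, added here as an example and not part of the wiki's or the original script's code: it confirms that the four inline blocks carry the expected PEM headers, that the private key is still in its encrypted form, and that no `pkcs12` or `tls-auth` file directive is left active. The function names and the placeholder sample profile are assumptions made for the example.

```bash
#!/bin/bash
# Added example (not IPFire code): sanity-check a unified .ovpn profile.

# Print the lines between <tag> and </tag>, tolerating Windows line endings.
inline_block() {  # $1 = tag, $2 = file
    awk -v start="<$1>" -v stop="</$1>" '
        { sub(/\r$/, "") }
        $0 == stop  { inside = 0 }
        inside      { print }
        $0 == start { inside = 1 }' "$2"
}

# Print one line per finding; return 0 only when nothing was found.
check_unified_ovpn() {  # $1 = profile path
    local file="$1" findings=0 tag header
    for tag in ca cert key tls-auth; do
        case "$tag" in
            ca|cert)  header='-----BEGIN CERTIFICATE-----' ;;
            key)      header='-----BEGIN ENCRYPTED PRIVATE KEY-----' ;;
            tls-auth) header='-----BEGIN OpenVPN Static key V1-----' ;;
        esac
        if ! inline_block "$tag" "$file" | grep -qxF -- "$header"; then
            echo "FAIL: <$tag> block missing or without $header"
            findings=$((findings + 1))
        fi
    done
    # File-based directives must be commented out once the data is inline.
    if grep -Eq '^[[:space:]]*(pkcs12|tls-auth)[[:space:]]' "$file"; then
        echo "FAIL: active pkcs12/tls-auth directive still points at a file"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample profile; the PEM bodies are placeholders, not real keys.
write_sample_profile() {  # $1 = output path
    {
        printf '%s\n' client '#pkcs12 iPhone.p12' '#tls-auth ta.key' \
            'key-direction bidirectional'
        printf '<%s>\n-----BEGIN %s-----\nPLACEHOLDER\n-----END %s-----\n</%s>\n' \
            ca CERTIFICATE CERTIFICATE ca cert CERTIFICATE CERTIFICATE cert \
            key 'ENCRYPTED PRIVATE KEY' 'ENCRYPTED PRIVATE KEY' key \
            tls-auth 'OpenVPN Static key V1' 'OpenVPN Static key V1' tls-auth
    } > "$1"
}

profile=$(mktemp); write_sample_profile "$profile"
check_unified_ovpn "$profile" && echo "OK: $profile"; rm -f "$profile"
```

A `<key>` block that starts with an unencrypted `PRIVATE KEY` header is reported as a finding, since the script above always writes the key out under the PKCS12 password.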
 
 
 
 
### Client side code
Installed on your desktop or laptop
 
 
 
## Separate file for iOS keychain
[OpenVPN - How do I use a client certificate and private key from the iOS Keychain?](https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/)
 
1st file includes:
 
* ovpn info?
* CA directive
 
2nd file includes:
 
* Cert directive
* Key directive
* tls-auth?
 
 
## Links
* [OpenVPN - What Is A VPN?](https://openvpn.net/what-is-a-vpn/)
* [OpenVPN - FAQ regarding OpenVPN Connect iOS](https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/)
* [Forensic Analysis of OpenVPN on iOS](https://www.farleyforensics.com/2019/06/07/forensic-analysis-of-openvpn-on-ios/)