
Differences in Revisions: Configure iPad and iPhone for OpenVPN v2

added more info...
# Configure iPad and iPhone for OpenVPN v2
Work-in-progress...

The OpenVPN app on iOS (iPhone and iPad) requires a single unified `.ovpn` file to import. The article below describes how to create that file.
 
## Preparations
* Install the iOS app [OpenVPN Connect](https://apps.apple.com/app/openvpn-connect/id590379981)
* [Configure](https://wiki.ipfire.org/configuration/services/openvpn/config) and create an OpenVPN client for your iPhone or iPad device.
* Make sure you write down the **PKCS12 File Password**. It will be needed in the next few steps.
 
There are a few different ways to create a unified file for use on an iOS device (iPhone or iPad). It can be done manually by cutting and pasting information from various files, or it can be done with one of the bash scripts below.
 
### Download Client Package
To get started go to the menu **Service** > **OpenVPN**, scroll to the **Connection Status and Control** section and click on the **Download Client Package (zip)** icon.
 
![](./connection_status_control_v2.png "Download Client Package (zip)")
 
 
## Single unified file (manual method)
Manual method: maybe for a separate web page.
 
There are 5 sections to a unified ovpn file:

1. The OpenVPN client conf section
   * The file is obtained from the [**Download Client Package (zip)**](/configuration/services/openvpn/ios_v2#download-client-package) above.
   * Download and copy the `.ovpn` file to a new file. Let's call it `myPhone.ovpn`.
   * Scroll to the end of the `myPhone.ovpn` file and add the two lines below:

   ```
   key-direction bidirectional
   <ca>
   ```

2. The Root Certificate (ca directive)
   * Open the OpenVPN webpage (**Service** > **OpenVPN**) and scroll down to **Certificate Authorities and -Keys**.
   * Download the **Root Certificate** by clicking on the floppy disk. Locate the `cacert.pem` file in the Downloads folder.
   * Copy the contents of `cacert.pem` to the end of `myPhone.ovpn`.
   * Scroll to the end of the `myPhone.ovpn` file and add the two lines below:

   ```
   </ca>
   <cert>
   ```

3. The Host Certificate (cert directive)
   * Open the OpenVPN webpage (**Service** > **OpenVPN**) and scroll down to **Certificate Authorities and -Keys**.
   * Locate the **Host Certificate** and click on the *Show host certificate* icon (the blue circle i).
   * Scroll to the bottom of the **OpenVPN - Host Certificate** webpage.
   * Copy all of the lines from `-----BEGIN CERTIFICATE-----` to the end.
   * Paste those lines at the end of the `myPhone.ovpn` file.
   * Scroll to the end of the `myPhone.ovpn` file and add the two lines below:

   ```
   </cert>
   <key>
   ```

4. The Encrypted Private Key (key directive)
   * The `myPhone.p12` file is obtained from the [**Download Client Package (zip)**](/configuration/services/openvpn/ios_v2#download-client-package) above.
   * In the terminal, go to the directory where the `myPhone.p12` file is located and enter:

   ```
   PKCS12_PW='<PKCS12 File Password>' # mentioned above in Preparations.
   openssl pkcs12 -nocerts -in myPhone.p12 -passin pass:"$PKCS12_PW" -passout pass:"$PKCS12_PW"
   ```

   * The `-passout` option keeps the exported key encrypted with the same password. Copy all of the lines from `-----BEGIN ENCRYPTED PRIVATE KEY-----` to the end.
   * Paste those lines at the end of the `myPhone.ovpn` file.
   * Scroll to the end of the `myPhone.ovpn` file and add the two lines below:

   ```
   </key>
   <tls-auth>
   ```

5. The TA key (tls-auth directive)
   * The `ta.key` file is obtained from the [**Download Client Package (zip)**](/configuration/services/openvpn/ios_v2#download-client-package) above.
   * Copy the contents of `ta.key` to the end of `myPhone.ovpn`.
   * Scroll to the end of the `myPhone.ovpn` file and add the line below:

   ```
   </tls-auth>
   ```
 
Done creating the unified ovpn file! The `myPhone.ovpn` file should look similar to the file below.
 
![](./iphone_example.ovpn_v3.png "Example iphone.ovpn")
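The five manual steps above, carried out by a script on the desktop or laptop where the client package was unzipped. This is an added example, not the wiki's or IPFire's own code: it assumes the inputs are named `myPhone.ovpn`, `myPhone.p12` and `ta.key` (from the zip) and `cacert.pem` (the downloaded Root Certificate), and it reads the PKCS12 File Password from the `PKCS12_PW` environment variable so the password is never a command-line argument. It takes the client certificate out of the `.p12` with `openssl pkcs12 -clcerts` (as the IPFire-side script in the next section does), so the `<cert>` block is guaranteed to match the `<key>` block, and it leaves the exported key encrypted.

```shell
#!/bin/sh
# Client-side assembly of the unified .ovpn (added example; not the wiki's
# script and not part of IPFire). Assumed inputs in the current directory:
#   myPhone.ovpn   client config from the "Download Client Package (zip)"
#   myPhone.p12    client certificate + private key from the same zip
#   ta.key         tls-auth key from the same zip
#   cacert.pem     Root Certificate saved from Certificate Authorities and -Keys
# The PKCS12 File Password is taken from the PKCS12_PW environment variable
# (openssl reads it via env:), so it never appears in the process list.
set -eu
# abort on a failing openssl call inside a pipeline (e.g. wrong password)
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi

# Emit only the PEM object from stdin: everything before the BEGIN line
# (Bag Attributes, openssl chatter, the comment lines in ta.key) is dropped.
pem_block() {   # $1 = PEM label, e.g. CERTIFICATE
    sed "/^-----BEGIN $1-----/,\$!d"
}

# Normalise the client config: drop CR line endings and comment out the
# pkcs12 / tls-auth file references, since both objects are inlined below.
rewrite_conf() {   # $1 = client .ovpn
    sed -e 's/\r$//' -e 's/^tls-auth /#tls-auth /' -e 's/^pkcs12 /#pkcs12 /' "$1"
}

# Build the unified file. Certificate and key both come out of the .p12,
# so the <cert> block is the one that matches the <key> block.
assemble_unified() {   # $1 client .ovpn, $2 .p12, $3 ta.key, $4 cacert.pem, $5 output
    : "${PKCS12_PW:?export PKCS12_PW=<PKCS12 File Password> first}"
    export PKCS12_PW
    {
        rewrite_conf "$1"
        echo "key-direction bidirectional"
        echo "<ca>";  pem_block CERTIFICATE < "$4";  echo "</ca>"
        echo "<cert>"
        openssl pkcs12 -in "$2" -clcerts -nokeys -passin env:PKCS12_PW | pem_block CERTIFICATE
        echo "</cert>"
        echo "<key>"
        # -passout keeps the exported key encrypted under the same password
        openssl pkcs12 -in "$2" -nocerts -passin env:PKCS12_PW -passout env:PKCS12_PW \
            | pem_block "ENCRYPTED PRIVATE KEY"
        echo "</key>"
        echo "<tls-auth>";  pem_block "OpenVPN Static key V1" < "$3";  echo "</tls-auth>"
    } > "$5"
    chmod 600 "$5"   # the file now carries the (encrypted) private key
}

# Usage: export PKCS12_PW='<PKCS12 File Password>'
#        sh make_unified.sh myPhone.ovpn myPhone.p12 ta.key cacert.pem unified.ovpn
if [ $# -eq 5 ]; then
    assemble_unified "$@"
fi
```

The output file is created with mode 600 because it carries the private key; transfer it to the device over a channel you trust and delete it from the desktop afterwards.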
 
## Single unified file (scripted method)
Includes the 5 sections above in an easy-to-run script.
 
 
### Installation on IPFire
There is **no web interface** for this script. To run the script open the client console or terminal and access the IPFire box via [SSH](/configuration/system/ssh).
 
Once connected via SSH, create a directory for creating .ovpn files with this script. Example:
```
mkdir /root/ios
cd /root/ios
```
The `<ovpn_file>.ovpn` file is obtained from the [**Download Client Package (zip)**](/configuration/services/openvpn/ios_v2#download-client-package) above. Copy it, from the **Download Client Package (zip)**, to the `/root/ios` directory on the IPFire box.

Copy the code below to a file named `openvpncmd.sh` in the same directory.
 
```bash
#!/bin/bash
set -e
set -o pipefail   # a failing openssl call inside a pipeline (e.g. wrong password) must abort, not write an empty block
#set -x
# OpenVPN script for IPCop/iOS, www.magnuswedberg.com
#
# Launch via:
# openvpncmd ovpn_file password(PKCS12 File Password)
#
# $1 param = YourNewOpenVPNfile.ovpn
# $2 param = PKCS12 Password
#

if (( $# < 2 )); then
    echo "Usage: openvpncmd ovpn_file password(PKCS12 File Password)"
    exit 1
fi

cp "$1" tmp.ovpn
PKCS12_PW="$2" # PKCS12 File Password

# Convert windows file to linux file (drop Carriage Returns)
sed -i 's/\r$//g' tmp.ovpn

# get key & value from input ovpn file
pkcs12File=""
while IFS=" " read -r key value remainder
do
    #echo "key=$key" ; echo "value=$value" ; echo "remainder=$remainder" ; echo
    case "$key" in
        verify-x509-name )
            RedIPaddr="$value"   # RED address of the IPFire box (not used further)
            ;;
        *pkcs12 )
            pkcs12File="$value"  # name of the client .p12 referenced by the pkcs12 directive
            ;;
    esac
done < tmp.ovpn

if [[ -z "$pkcs12File" ]]; then
    echo "No pkcs12 directive found in $1" >&2
    rm tmp.ovpn
    exit 1
fi

# Comment out the "tls-auth ta.key" line and the "pkcs12 *.p12" line:
# both objects are inlined below, so the file references must go
sed -i -E -e 's/^tls-auth /#tls-auth /' -e 's/^pkcs12 /#pkcs12 /' tmp.ovpn

p12File=/var/ipfire/ovpn/certs/"$pkcs12File"
FILE="$p12File"

fn=$(basename "$FILE")

#bn="${fn%%.*}"
ovpnFile="${fn%%.*}".ovpn   # e.g. myPhone.p12 -> myPhone.ovpn

cp tmp.ovpn "$ovpnFile"
rm tmp.ovpn
echo "key-direction bidirectional" >> "$ovpnFile"

# Root certificate; the sed drops everything before the PEM header
echo "<ca>" >> "$ovpnFile"
sed '/^-----BEGIN CERTIFICATE-----/,$!d' /var/ipfire/ovpn/ca/cacert.pem >> "$ovpnFile"
echo "</ca>" >> "$ovpnFile"

# Client certificate, taken from the .p12 so it matches the key below
echo "<cert>" >> "$ovpnFile"
openssl pkcs12 -in "$p12File" -clcerts -nokeys -password pass:"$PKCS12_PW" | sed '/^-----BEGIN CERTIFICATE-----/,$!d' >> "$ovpnFile"
echo "</cert>" >> "$ovpnFile"

# Private key, re-exported still encrypted under the same password (-passout)
echo "<key>" >> "$ovpnFile"
openssl pkcs12 -nocerts -in "$p12File" -passin pass:"$PKCS12_PW" -passout pass:"$PKCS12_PW" | sed '/^-----BEGIN ENCRYPTED PRIVATE KEY-----/,$!d' >> "$ovpnFile"
echo "</key>" >> "$ovpnFile"

echo "<tls-auth>" >> "$ovpnFile"
sed '/^-----BEGIN OpenVPN Static key V1-----/,$!d' /var/ipfire/ovpn/certs/ta.key >> "$ovpnFile"
echo "</tls-auth>" >> "$ovpnFile"

#echo "ovpn file = "
#cat $ovpnFile; echo
exit
```
 
Once copied and saved, enter:
```
chmod +x openvpncmd.sh
```
 
To run the script, enter:
```
./openvpncmd.sh <ovpn_file>.ovpn '<PKCS12 File Password>'
```
The unified file is written to the current directory and named after the `.p12` file referenced by the `pkcs12` line in `<ovpn_file>.ovpn` (for example `myPhone.ovpn`).
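Whichever method produced the unified file, a quick structural check before copying it to the device catches the usual assembly mistakes: a missing, duplicated or unclosed block, a `pkcs12` or `tls-auth` line left active so the app looks for a file that is not there, leftover CRLF endings, or a private key that was exported without `-passout` and now sits in the file in plaintext. This is an added example, not part of the wiki page or IPFire; it needs only `awk` and assumes the block layout produced by the manual and scripted methods above.

```shell
#!/bin/sh
# Sanity check for a unified .ovpn before it goes onto the phone.
# (Added example, not part of the wiki page or IPFire.)
# Prints one line per problem and returns 1; returns 0 when the file has
# exactly one <ca>, <cert>, <key> and <tls-auth> block, each holding the
# expected PEM object, the private key is still encrypted, the pkcs12 and
# tls-auth file references are commented out, and no CRLF endings remain.
check_unified_ovpn() {   # $1 = path to the unified .ovpn
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    problems=$(awk '
        /\r$/ { crlf = 1 }
        # opening tag: remember which inline block we are in
        /^<(ca|cert|key|tls-auth)>$/ {
            tag = substr($0, 2, length($0) - 2); opened[tag]++; intag = tag; next
        }
        # closing tag: must match the block that is currently open
        /^<\/(ca|cert|key|tls-auth)>$/ {
            tag = substr($0, 3, length($0) - 3)
            if (intag != tag) nesting = 1
            closed[tag]++; intag = ""; next
        }
        intag != "" {
            # the first PEM header inside a block tells us what it holds
            if ($0 ~ /^-----BEGIN / && !(intag in header)) header[intag] = $0
            if (intag == "key" && $0 ~ /^Proc-Type: 4,ENCRYPTED/) legacy = 1
            next
        }
        /^remote /        { remote = 1 }
        /^key-direction / { keydir = 1 }
        /^pkcs12 /        { p12ref = 1 }
        /^tls-auth /      { taref = 1 }
        END {
            n = split("ca cert key tls-auth", tags, " ")
            for (i = 1; i <= n; i++)
                if (opened[tags[i]] != 1 || closed[tags[i]] != 1)
                    print "block <" tags[i] "> missing or duplicated"
            if (nesting || intag != "") print "inline blocks are not properly nested or closed"
            if (header["ca"] != "-----BEGIN CERTIFICATE-----") print "<ca> does not hold a PEM certificate"
            if (header["cert"] != "-----BEGIN CERTIFICATE-----") print "<cert> does not hold a PEM certificate"
            if (header["key"] ~ /PRIVATE KEY/) {
                if (header["key"] != "-----BEGIN ENCRYPTED PRIVATE KEY-----" && !legacy)
                    print "<key> holds an UNENCRYPTED private key; re-export it with -passout"
            } else print "<key> does not hold a private key"
            if (header["tls-auth"] != "-----BEGIN OpenVPN Static key V1-----") print "<tls-auth> does not hold an OpenVPN static key"
            if (!keydir) print "key-direction directive missing"
            if (!remote) print "remote directive missing"
            if (p12ref) print "pkcs12 file reference is still active; comment it out"
            if (taref) print "tls-auth file reference is still active; comment it out"
            if (crlf) print "CRLF line endings present; convert to LF"
        }' "$1")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "OK: $1 has all five sections and an encrypted private key"
}

# Usage: sh check_unified.sh myPhone.ovpn
if [ $# -eq 1 ]; then
    check_unified_ovpn "$1"
fi
```

Run it as `check_unified_ovpn myPhone.ovpn`; it prints one line per problem and exits non-zero, so it can gate the copy-to-device step in a larger script.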
 
 
 
### Client side code
installed on your desktop or laptop
 
 
 
## Separate file for iOS keychain
maybe for a separate web page...
 
[OpenVPN - How do I use a client certificate and private key from the iOS Keychain?](https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/)
 
1st file includes:
 
* ovpn info?
* CA directive
 
2nd file includes:
 
* Cert directive
* Key directive
* tls-auth?
 
 
## Links
* [OpenVPN - What Is A VPN?](https://openvpn.net/what-is-a-vpn/)
* [OpenVPN - FAQ regarding OpenVPN Connect iOS](https://openvpn.net/vpn-server-resources/faq-regarding-openvpn-connect-ios/)
* [Forensic Analysis of OpenVPN on iOS](https://www.farleyforensics.com/2019/06/07/forensic-analysis-of-openvpn-on-ios/)
* Inspiration from [Magnus Wedberg - How to use iDevices and OpenVPN with your IPCop](http://www.magnuswedberg.com/index.php?doc=IpCop_OpenVPN_and_iOS)