Configure OpenVPN on iOS

The release of the OpenVPN client for iOS went by quietly and almost unnoticed. For many, including me, it may remove the last reason to keep a jailbreak. If you want to learn more about what the client can currently do, and about the pitfalls of setting it up, read on.

You can download the OpenVPN Connect client from iTunes. At the moment, according to the developer forum, it is available in the App Store in all countries except France. The delay is due to the need to obtain an Encryption Import License and is temporary.

Limitations of the application:
  • The configuration file cannot exceed 256KB. This should nevertheless be enough, even when everything is stored in a single file in the unified ovpn format, which is discussed later.
  • Only tun connections are supported, because of iOS VPN API restrictions.
  • A number of directives are not supported in the configuration file: dev tap, tls-remote, fragment, mssfix.
  • Clients without certificates are not supported. This feature will appear in a future release.
  • Only AES or Blowfish encryption can be used. These algorithms are better suited to the ARM architecture, which gives better energy efficiency.
  • An HTTP proxy is configured in the application settings, not in the configuration file.
  • PKCS#12 containers can only be used if they are imported into the iOS keychain. The developers strongly recommend this, because unlike storing the private key directly in the ovpn file, it provides a higher level of protection for secret data, especially on a jailbroken device.

Let's move on to setting up OpenVPN itself. First the server side (the example is given for Linux). We use easy-rsa to generate the certificate and private key of the certificate authority (CA), of the server (server.crt and server.key) and of the client (ios.crt and ios.key), and also the Diffie-Hellman parameters. Note that vars must be sourced into the current shell, not executed:
. ./vars
./build-ca
./build-key-server server
./build-key ios
./build-dh

For greater security, we will also generate a TLS authentication key.
openvpn --genkey --secret ta.key

A general view of the server configuration (standard OpenVPN server.conf syntax) is presented below. The 0 after ta.key is the key direction; the client must use the opposite value, 1:
proto udp
dev tun0
topology subnet
server 10.19.2.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "route 10.19.1.0 255.255.255.0"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0

Now let's move on to the client configuration. The most important point is that the client's private key must be in traditional RSA PEM format (the format openssl rsa writes), not PKCS#8. If you generated the keys following the instructions on the OpenVPN website, or already had keys ready, convert them first with openssl:
openssl rsa -in ios.key -out ios_rsa.key

Now we collect all the necessary keys and certificates in one PKCS#12 container:
openssl pkcs12 -export -in ios.crt -inkey ios_rsa.key -certfile ca.crt -name ios -out ios.p12

Be sure to specify a password for export. Installing a container without an export password into the iOS keychain will fail. The resulting container is transferred to the device via e-mail or Safari.
For the client configuration file we use the unified ovpn format, in which the CA certificate and the TLS authentication key are embedded inline between <ca></ca> and <tls-auth></tls-auth> tags. A general view of the configuration is presented below (replace the placeholder after remote with your server's hostname or IP address).
client
tls-client
dev tun
proto udp
remote SERVER_ADDRESS
resolv-retry infinite
key-direction 1
cipher AES-128-CBC
persist-tun
persist-key
comp-lzo
verb 3
redirect-gateway

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
# contents of ta.key
-----END OpenVPN Static key V1-----
</tls-auth>

<ca>
-----BEGIN CERTIFICATE-----
# contents of ca.crt
-----END CERTIFICATE-----
</ca>

The resulting file can be imported to your iOS device via iTunes (recommended) or via email.
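As an added example (not part of the original article), the following shell functions assemble the unified client profile described above from ca.crt and ta.key, and then check the result against the client limitations listed at the top of the article. The function and variable names are my own; the size check assumes the 256KB limit means 262144 bytes.

```shell
#!/bin/sh
# build_ios_ovpn SERVER_ADDRESS ca.crt ta.key out.ovpn
# Writes a unified-format profile with the CA certificate and TLS-auth key inline.
build_ios_ovpn() {
    server="$1"; ca="$2"; ta="$3"; out="$4"
    {
        cat <<EOF
client
tls-client
dev tun
proto udp
remote $server
resolv-retry infinite
key-direction 1
cipher AES-128-CBC
persist-tun
persist-key
comp-lzo
verb 3
redirect-gateway
EOF
        # Inline blocks replace the 'ca' and 'tls-auth' file directives.
        echo "<tls-auth>"; cat "$ta"; echo "</tls-auth>"
        echo "<ca>"; cat "$ca"; echo "</ca>"
    } > "$out"
}

# check_ios_ovpn profile.ovpn
# Returns 0 if the profile respects the OpenVPN Connect limitations, 1 otherwise.
check_ios_ovpn() {
    f="$1"
    size=$(($(wc -c < "$f")))
    [ "$size" -le 262144 ] || { echo "profile too large: $size bytes"; return 1; }
    grep -Eq '^dev[[:space:]]+tun' "$f" || { echo "only dev tun is supported"; return 1; }
    if grep -Eq '^(dev[[:space:]]+tap|tls-remote|fragment|mssfix)([[:space:]]|$)' "$f"; then
        echo "unsupported directive present (dev tap, tls-remote, fragment or mssfix)"
        return 1
    fi
    grep -Eq '^cipher[[:space:]]+(AES-|BF-)' "$f" || { echo "cipher must be AES or Blowfish"; return 1; }
    grep -q '^<ca>' "$f" && grep -q '^<tls-auth>' "$f" || { echo "missing inline <ca> or <tls-auth>"; return 1; }
    return 0
}
```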

Useful links

OpenVPN HOWTO
OpenVPN Connect
OpenVPN Connect (iOS) forum
