Applies to Platform: iOS 9.0 and up
Background
This lesson illustrates how to configure iOS OpenVPN client to use certificate authentication.
Prerequisites
- Device with iOS 9.0 and up
- Internet connectivity and Apple ID to access App Store and download OpenVPN application.
Warning
On iOS is possible to create TUN tunnels only, as TAP tunnels are not supported by the operating system itself. For more information, please refer to OpenVPN iOS client FAQs. The OpenVPN server instance has to be configured to use TUN device.
Client Installation
Download OpenVPN application from App Store, at link https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8 and install it by clicking on Install button.
Creation of .ovpn configuration file
Before starting with the steps to configure iOS OpenVPN client, we need to create a .ovpn file where to put all our configuration parameters, as OpenVPN app for iOS allows only to import .ovpn files in order to create a VPN profile.
In order to create an .ovpn file, just open an empty file, and paste the followings:
client dev tun proto udp #only if you use udp protocol remote REDIP 1194 #1194 only if your vpn server's port is the default port resolv-retry infinite nobind persist-key persist-tun
verb 3 comp-lzo ns-cert-type server
<ca>
#paste content of Endian CA certificate here
</ca>
where you will have to replace REDIP above with the public RED IP of the Endian Appliance, and between <ca> and </ca> you need to put the content of the CA certificate of the Endian UTM Appliance. In order to retrieve it, click on Menubar > VPN > Certicates > Certificate Authority, then click on button.
Scroll down the page until you see the following:
The content to be pasted into .ovpn file is the one similar to the following:
-----BEGIN CERTIFICATE-----
MIIEEjCCAvqgAwIBAgIQabYWy0MLMLVk74ZBpiTSNzANBgkqhkiG9w0BAQsFADAs
MQswCQYDVQQGEwJJVDEM[...]iqc6eG+zGY39UjD40lQahFm
Gng0GqYDIVemRo2XqSBQCYJbCZSjQj+YOQ+8HAHJRVvoSXwsm6Q=
-----END CERTIFICATE-----
For more information, please refer to OpenVPN iOS client FAQs.
Replace <REDIP> above with the public RED IP of the Endian Appliance and save the file with .ovpn extension.
Also remember to download the PCKS12 client certificate (you can manage all the CA and certificates of your Endian UTM Appliance directly from the GUI, under Menubar > VPN > Certificates.) from Endian UTM Appliance, which will be used later to create OpenVPN profile into iOS client. Before proceeding, change the file extension of the PCKS12 from .p12 to .ovpn12 in order for the file to be picked up by the OpenVPN Connect App (and not by iOS).
iOS OpenVPN client configuration
To successfully configure OpenVPN profile, follows these steps:
1. Import .ovpn and .ovpn12 files into your iOS device. In order to import them you have two methods, whose explanation is shown when you open OpenVPN app with no VPN profiles set, and they are the followings:
In this guide, e-mail method will be shown.
2. Send both .ovpn12 and .ovpn files to an e-mail which is accessible from the iOS device in use, then open the e-mail from the same device. Look for the attachments and tap on Tap to Download to download both files.
3. Tap on .ovpn12 file.
4. Tap on Copy to OpenVPN.
5. Tap on ADD under .ovpn12 file name.
6. Type the .ovpn12 certificate password, as configured on Endian UTM Appliance during client certificate creation, then tap on OK.
7. Go back to the e-mail with the VPN files into the attachments and select the .ovpn file.
8. Tap on Copy to OpenVPN.
9. Tap on ADD under .ovpn proposed profile name. Such name can be changed into the next step.
10. Type the profile name you prefer, then tap on None to expand the certificate list. From here, select your previously added .ovpn12 certificate and tap on ADD.
11. The following dialog window will appear, so tap on Allow.
12. Confirm VPN Configuration apply by using Touch ID or another security method set on your iOS device.
13. The OpenVPN profile now has been successfully imported. Tap on the gray slider to start the connection.
14. If the connection has been established, the state will change to Connected, the slider will become green, therefore the OpenVPN profile configuration is completed.
Comments