How to set up a roadwarrior config in OpenVPN, using "OpenVPN connect" for Android and iOS

VPNs OpenVPN
9

Roadwarrior configuration for mobile machines using OpenVPN connect client

Introduction

Premise: you have either an Android or an iPhone mobile device and you have installed from the app store OpenVPN connect. You also have a functioning IPFire OpenVPN installation and your goal is to create a roadwarrior tunnel between the server and the mobile device.

OpenVPN connect needs 5 pieces of information:

  1. the .ovpn configuration file;
  2. the client certificate;
  3. the private key;
  4. the Certificate Authority (CA);
  5. the TA certificate, HMAC authentication key (tls-auth).

First, you need to create the files, collectively containing all this data. Second, you need to deliver those files to OpenVPN client. The first step is common between Android and iOS, the delivery step instead diverges.

Common preliminary steps

  1. from the Web User Interface, /Services/OpenVPN select add;

1
12328×1394 310 KB

  1. Select Host-to-Net Virtual Private Network (RoadWarrior) and Add;

2
22176×1042 243 KB

  1. Fill up the form, in particular the Fields with an asterisk and the Organization Name: and save;

3
32100×1804 317 KB

  1. Here there is a fork in the road. If you fill up the PKCS12 File Password fields:

4
42230×1796 329 KB

  1. after saving you will see that the WUI creates a zip file called Client package

5
52194×1648 406 KB

The zip archive contain the following files:

test.p12 <--- CA, private and client certificates
ta.key <--- TA certificate
test-TO-IPFire.ovpn <--- configuration file

This is the best way to communicate the 5 pieces of information to OpenVPN connect, because the sensitive parts (the private and client certificates) are encrypted and password protected. Instead:

  1. If PKCS12 File Password fields is left empty in step 4, after saving there will be a second zip archive called insecure client package

7
72090×1714 427 KB

which will contain the following files:

cacert.pem <--- Certificate Autority (CA)
test2.pem <--- Client certificate
test2-TO-IPFire.ovpn <--- configuration file
ta.key <--- TA certificate
test2.key <--- Private Key

All 5 piece of information here are unencrypted and in the open. Thus, OpenVPN connect will have everything it needs just by importing the .ovpn configuration file, as all the certificates are embedded inside the file. Therefore, you could have a functional installation for Android or iOS by just delivering this insecure version of the .ovpn file. This should be avoided and therefore this tutorial will show only how to accomplish the goal of a successful roadwarrior connection in a secure way (with the certificates encrypted and protected by the OS).

Now that you have created all the configuration files, you need to deliver them to OpenVPN client. We shall see in the next sections how to do this for both Android and iOS devices.

Android How-to

The following steps are tested in a stock android but they should work for any Android variant.

  1. First, Install from Google Store OpenVPN connect

Screenshot_20220808-171427
Screenshot_20220808-1714271080×2220 276 KB

  1. Deliver the content of the client package from step 5 of the “Common preliminary steps” section to any folder you like in the android machine. Here I sent to myself an email with those 3 files in attachment and downloaded them in the Download folder (shown here with the stock Files app).

Screenshot_20220808-171624
Screenshot_20220808-1716241080×2220 81.5 KB

  1. Open OpenVPN connect client app and go to Import Profile/File

Screenshot_20220808-171648
Screenshot_20220808-1716481080×2220 69.4 KB

  1. Find the Download folder and select test.p12 file (the main certificates, encrypted)

Screenshot_20220808-171753
Screenshot_20220808-1717531080×2220 83.9 KB

  1. Choose VPN & app user certificate

Screenshot_20220808-171911
Screenshot_20220808-1719111080×2220 78.9 KB

  1. Enter the password you have previously chosen

    Screenshot_20220808-171804
    Screenshot_20220808-1718041080×2220 68.8 KB

  2. Choose a name for the certificates bundle

Screenshot_20220808-171919
Screenshot_20220808-1719191080×2220 68.4 KB

  1. Now import the .ovpn configuration file and the ta.key certificate, select both at the same time, otherwise the ta.key will not be found

Screenshot_20220808-171942
Screenshot_20220808-1719421080×2220 84.5 KB

  1. Select OK

Screenshot_20220808-171950
Screenshot_20220808-1719501080×2220 73.9 KB

  1. The profile now has been imported, just choose Add

1
11080×2220 62.6 KB

  1. you will see the profile ready to be activated

2
21080×2220 52.8 KB

  1. Activate and choose SELECT CERTIFICATE

3
31080×2220 96 KB

  1. Now OpenVPN connect will ask you which certificate you want to associate to this profile. You will see the one you have previously imported.

4
41080×2220 104 KB

  1. Select, and success!!!

5
51080×2220 99.4 KB

If you decide to delete the profile, the certificate will not be removed as it is protected by the Operating System. To remove it you need to go to Options\Security\Encryption & Credentials\User Credentials, there you can remove the certificate:

Screenshot_20220808-172211
Screenshot_20220808-1722111080×2220 78.2 KB

There is no mechanism for OpenVPN connect to communicate to any other App the use of a proxy server. For this you need to input the information in the WiFi or APN configuration file. You can find many tutorials online to accomplish this task. This is not true for iOS, which can be easily configured to relay this information to other apps, as we shall see in the next section.

The two factor authentication scheme is not supported at the moment for mobile devices.

iOS How-to

This tutorial has been tested with iOS 10.3.3 (ancient history), however it should work well also in modern versions. For iOS the setting is complicated by the fact that the OS does not make available the certificate authority (CA) from the .p12 bundle, therefore we need to extract the CA certificate and modify the .ovpn file to add a pointer to it.

  1. First, Install from Apple Store OpenVPN connect on your iOS machine;

  2. Deliver the content of the client package from step 5 of the “Common preliminary steps” section to any folder of your desktop or laptop where you also have installed openssl; after unzipping the package and changing directory to the unzipped folder, issue the following openssl command from the console:

openssl pkcs12 -in ios.p12 -cacerts -nokeys -out cacert.pem

It does not matter how you call the certificate, as long as you correctly point to it in the next step.

  1. edit with a text editor the .ovpn file. You need to introduce a link to the cacert file (here I put it below the tls-auth directive, but it should not matter where you place it):
tls-auth ta.key # <--- already present
ca cacert.pem # <--- add this, pointing to the cacert as you called it in the opnessl command
  1. Connect the iOS machine with a USB cable to your desktop/laptop and start iTunes. Using the file sharing section of iTunes, deliver into the OpenVPN connect folder the client package content, including the CA certificate and the modified .ovpn configuration file from previous steps:

0
02196×1352 232 KB

  1. From the iOS machine, start OpenVPN connect

1
11536×2048 81.2 KB

  1. Automatically the app will offer the possibility to import the configuration file and the .p12 certificates bundle:

2
21536×2048 93.7 KB

  1. First, import the certificates:

3
31536×2048 190 KB

The app will ask for the password protecting the certificates you have entered in step 4 of the “Common preliminary steps” section; after you will be asked to save the certificate in the secure enclave of iOS:

9
91536×2048 94.2 KB

You will be asked the pin protecting the iOS machine;

  1. Now the certificate has been imported and you will notice how the .p12 file has disappeared from iTunes window:

5
52202×1370 226 KB

  1. Click ADD to import the .ovpn file

    4
    41536×2048 55.4 KB

  2. Now you have to link to the profile the certificate previously imported:

6
61536×2048 65.2 KB

You will find it listed in the Certificate section (select the symbol >) and click ADD:

7
71536×2048 67.1 KB

  1. Ready to connect:

8
81536×2048 58.8 KB

  1. Success!

10
101536×2048 114 KB

To have an automatic configuration for a proxy server in the OpenVPN tunnels, add the following directives to the .ovpn file before importing it:

dhcp-option PROXY_HTTP proxy_ip 800
dhcp-option PROXY_HTTPS proxy_ip 800

where proxy_ip is the IPFire local IP where squid is running.

In alternative, you can push this directive to any client adding the following directive to /var/ipfire/ovpn/scripts/server.conf.local, assuming you have selected Additional configuration from the Web User Interface Services/OpenVPN/Advanced server options

push "dhcp-option PROXY_HTTP proxy_ip 800"
push "dhcp-option PROXY_HTTPS proxy_ip 800"

Contrary to android, you can delete the certificates (if you so desire) from inside OpenVPN connect app, in the certificates section of the app.

Links

3 Likes
FW-Rules for openVPN neccessary?
No DNS via OpenVPN
Are there some kind of firewall rules neccessary after a vpn connection is set up?
OpenVPN error "wrong password" for iPhone iOS
Iphone ovpn with ipfire
OpenVPN LAN access
OpenVPN and ios - working instructions wanted
OpenVPN error "wrong password" for iPhone iOS
OVPN not working outside from mobile
Cannot find .p12 file in Windows 11?
VPN clients won't connect
OpenVPN with Proxy
OpenVPN host certificate
OpenVPN host certificate
Help me chat, I can´t connect to my vpn server
How to setup a newCore 191: OPNVPN Connection for a android handy
Cannot connect to ipfire via openvpn