How to set up a roadwarrior config in OpenVPN, using "OpenVPN Connect" for Android and iOS

Roadwarrior configuration for mobile devices using the OpenVPN Connect client

Premise: you have an Android or iPhone mobile device with OpenVPN Connect installed from its app store. You also have a working IPFire OpenVPN installation, and your goal is to create a roadwarrior tunnel between the server and the mobile device.

OpenVPN Connect needs 5 pieces of information:

  1. the .ovpn configuration file;
  2. the client certificate;
  3. the private key;
  4. the Certificate Authority (CA);
  5. the TA key (ta.key), the HMAC authentication key used by tls-auth.

First, you need to create the files that collectively contain all this data. Second, you need to deliver those files to the OpenVPN Connect client. The first step is the same for Android and iOS; the delivery step differs.

Common preliminary steps

  1. From the Web User Interface, Services/OpenVPN, select Add;

  2. Select Host-to-Net Virtual Private Network (RoadWarrior) and Add;

  3. Fill in the form, in particular the fields marked with an asterisk and the Organization Name, and save;

  4. Here the road forks. If you fill in the PKCS12 File Password fields:

  5. after saving, the WUI creates a zip file called Client package.

The zip archive contains the following files:

test.p12 <--- CA, private key and client certificate (encrypted)
ta.key <--- TA key (tls-auth)
test-TO-IPFire.ovpn <--- configuration file

This is the best way to communicate the 5 pieces of information to OpenVPN Connect, because the sensitive parts (the private key and the client certificate) are encrypted and password protected inside the .p12 bundle. Alternatively:

  5. (alternative) If the PKCS12 File Password fields are left empty in step 4, after saving there will be a second zip archive called insecure client package,

which will contain the following files:

cacert.pem <--- Certificate Authority (CA)
test2.pem <--- Client certificate
test2-TO-IPFire.ovpn <--- configuration file
ta.key <--- TA key (tls-auth)
test2.key <--- Private key

All 5 pieces of information are unencrypted here, in the open. OpenVPN Connect therefore has everything it needs just by importing the .ovpn configuration file, as all the certificates and the key are embedded inside it, so you could get a working Android or iOS setup just by delivering this insecure version of the .ovpn file. Anyone who obtains a copy of that file also holds the client's private key, though, and can connect as that client. This should be avoided, so this tutorial only shows how to establish a roadwarrior connection the secure way (with the certificates encrypted and protected by the OS).

Now that you have created all the configuration files, you need to deliver them to the OpenVPN Connect client. The next sections show how to do this for Android and for iOS.

Android How-to

The following steps were tested on stock Android, but they should work on any Android variant.

  1. First, install OpenVPN Connect from the Google Store;

  2. Deliver the contents of the client package from step 5 of the “Common preliminary steps” section to any folder you like on the Android device. Here I sent myself an email with those 3 files as attachments and downloaded them to the Download folder (shown here with the stock Files app).

  3. Open the OpenVPN Connect app and go to Import Profile/File;

  4. Find the Download folder and select the test.p12 file (the encrypted bundle with the certificates and the private key);

  5. Choose VPN & app user certificate;

  6. Enter the password you chose previously;

  7. Choose a name for the certificate bundle;

  8. Now import the .ovpn configuration file and the ta.key file; select both at the same time, otherwise ta.key will not be found;

  9. Select OK;

  10. The profile has now been imported; just choose Add;

  11. You will see the profile ready to be activated;

  12. Activate it and choose SELECT CERTIFICATE;

  13. OpenVPN Connect will now ask which certificate you want to associate with this profile. You will see the one you imported previously;

  14. Select it, and success!

If you decide to delete the profile, the certificate will not be removed, as it is protected by the operating system. To remove it you need to go to Options\Security\Encryption & Credentials\User Credentials, where you can remove the certificate:

On Android there is no mechanism for OpenVPN Connect to tell other apps to use a proxy server. For this you need to enter the proxy information in the WiFi or APN configuration; many tutorials online cover this task. This is not the case for iOS, which can easily be configured to relay this information to other apps, as we shall see in the next section.

Two-factor authentication is not supported at the moment for mobile devices.

iOS How-to

This tutorial was tested with iOS 10.3.3 (ancient history), but it should also work on modern versions. On iOS the setup is complicated by the fact that the OS does not expose the certificate authority (CA) contained in the .p12 bundle, so we need to extract the CA certificate ourselves and modify the .ovpn file to point to it.

  1. First, install OpenVPN Connect from the Apple App Store on your iOS device;

  2. Deliver the contents of the client package from step 5 of the “Common preliminary steps” section to any folder on a desktop or laptop where openssl is installed; after unzipping the package and changing directory to the unzipped folder, issue the following openssl command from the console:

openssl pkcs12 -in ios.p12 -cacerts -nokeys -out cacert.pem

It does not matter what you name the output certificate file, as long as you point to it correctly in the next step. openssl will prompt for the PKCS12 password you chose in step 4 of the common steps; the .p12 file carries the connection name you entered (ios here, test in the earlier example).

  3. Edit the .ovpn file with a text editor. You need to add a reference to the cacert file (here I put it below the tls-auth directive, but it should not matter where you place it):
tls-auth ta.key # <--- already present
ca cacert.pem # <--- add this, pointing to the cacert as you named it in the openssl command
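An added helper script (not part of IPFire, OpenVPN Connect or this page's original text) that automates steps 2 and 3 above: it extracts the CA from the .p12 with the same openssl command, checks that this CA really issued the client certificate in the bundle (so the .ovpn ends up pointing at the right CA), and inserts the ca directive after tls-auth only when the .ovpn does not already have one. It assumes openssl on PATH, the unzipped client package in the current directory, and the bundle name and PKCS12 password passed as arguments.

```shell
#!/bin/sh
# Constructed helper (not from IPFire or OpenVPN Connect): automates the
# "extract the CA, then point the .ovpn at it" steps for iOS.
# Assumes openssl on PATH and the unzipped client package in the current dir.
set -eu

# Extract the CA certificate from the PKCS#12 bundle (same command as the
# page, with the step-4 password passed non-interactively).
# Usage: extract_ca BUNDLE.p12 PASSWORD OUTFILE
extract_ca() {
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$2" -out "$3" 2>/dev/null
    # A wrong password or a bundle without a CA yields no certificate: fail here.
    grep -q 'BEGIN CERTIFICATE' "$3"
}

# Check that the extracted CA really issued the client certificate in the
# bundle.  Usage: check_chain BUNDLE.p12 PASSWORD CAFILE  (exit 0 = chain OK)
check_chain() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
        | openssl verify -CAfile "$3" >/dev/null 2>&1
}

# Add "ca CAFILE" to the .ovpn right after the tls-auth line (or at the end
# if there is none); leaves the file alone if a ca directive already exists.
# Usage: add_ca_directive FILE.ovpn CAFILE
add_ca_directive() {
    if grep -q '^ca ' "$1"; then
        return 0
    fi
    if grep -q '^tls-auth ' "$1"; then
        awk -v ca="$2" '{ print } /^tls-auth /{ print "ca " ca }' "$1" > "$1.tmp"
    else
        { cat "$1"; echo "ca $2"; } > "$1.tmp"
    fi
    mv "$1.tmp" "$1"
}

# Example run with the page's file names (ios.p12, cacert.pem, ios-TO-IPFire.ovpn):
#   extract_ca ios.p12 "$PKCS12_PASSWORD" cacert.pem
#   check_chain ios.p12 "$PKCS12_PASSWORD" cacert.pem
#   add_ca_directive ios-TO-IPFire.ovpn cacert.pem
```

Passing the password via -passin exposes it to other local users through the process list; for interactive use drop -passin and let openssl prompt for it instead.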
  4. Connect the iOS device to your desktop/laptop with a USB cable and start iTunes. Using the File Sharing section of iTunes, copy the client package contents, including the CA certificate and the modified .ovpn configuration file from the previous steps, into the OpenVPN Connect folder:

  5. On the iOS device, start OpenVPN Connect;

  6. The app will automatically offer to import the configuration file and the .p12 certificate bundle:

  7. First, import the certificates:

The app will ask for the password protecting the certificates that you entered in step 4 of the “Common preliminary steps” section; afterwards you will be asked to save the certificate in the secure enclave of iOS:

You will be asked for the PIN protecting the iOS device;

  8. The certificate has now been imported, and you will notice that the .p12 file has disappeared from the iTunes window:

  9. Click ADD to import the .ovpn file;

  10. Now you have to link the previously imported certificate to the profile:

You will find it listed in the Certificate section (select the > symbol); then click ADD:

  11. Ready to connect:

  12. Success!

To configure a proxy server automatically inside the OpenVPN tunnel, add the following directives to the .ovpn file before importing it:

dhcp-option PROXY_HTTP proxy_ip 800
dhcp-option PROXY_HTTPS proxy_ip 800

where proxy_ip is the IPFire local IP address on which squid is running and 800 is the web proxy port.

Alternatively, you can push these directives to every client by adding the following lines to /var/ipfire/ovpn/scripts/server.conf.local, assuming you have enabled Additional configuration under Services/OpenVPN/Advanced server options in the Web User Interface:

push "dhcp-option PROXY_HTTP proxy_ip 800"
push "dhcp-option PROXY_HTTPS proxy_ip 800"

Unlike on Android, you can delete the certificates (if you so desire) from inside the OpenVPN Connect app, in its certificates section.