iPhone ovpn with IPFire

Hello everybody,
I'm new in this community and a beginner in IPFire!

About 2 weeks ago I installed IPFire for myself at home. I configured an OpenVPN file to connect with my Windows 10 computer for when I'm away from home, and it works well.

I tried to do the same for my iPhone using the site below, but I have problems connecting it:

The error is: SSL_CTX_use_privatekey failed: error 05800074:x509 certificate routines:: key values mismatch.

Could someone please help me?

wiki.ipfire.org - Automatic Method to create a unified .ovpn file

Hi @walid

Welcome to the IPFire community.

Try the tutorial mentioned in the following thread
https://community.ipfire.org/t/openvpn-error-wrong-password-for-iphone-ios/10492/6


Hi Adolf,
thanks for the fast reply.
I’ve tried the tutorial and have some issues!

It says in the tutorial I have 2 choices to make the .ovpn file and I chose the encrypted way.
After downloading the .zip folder I have just 2 files, but the ta.key file is not there within the zip folder.

Anyway, I shared the 2 files (.ovpn and .p12) to my iPhone, but when I want to add the .p12 file to the iPhone and enter the right password, it says it's the wrong password, but I'm sure that the password is correct!

The next step would be to add the profile, but I'm sure it makes no sense to add the profile without the .p12 file!

Thanks a lot!

The tutorial was created by @cfusco and he will need to respond to your question.

I only have an Android phone and so have no experience or knowledge regarding setting up an iPhone.
I suggested the tutorial as in the past it seems to have worked well for other people that have had problems with the existing iphone method in the wiki.

It should be there. It is there when I try. I would start from scratch by rebuilding the keys in IPFire, and follow the tutorial to the letter.


If you are ending up without the ta.key file in the zip file from IPFire then you have not selected the TLS Channel Protection checkbox as shown checked in the first picture in the tutorial. The WUI page is headed Global Settings.

If it is not selected then you need to stop the OpenVPN Server and then check the checkbox and then press Save and then start the OpenVPN Server again. The zip file will then include the ta.key which is created by the TLS Channel Protection.


Hello @bonnietwin @cfusco ,

Thanks for the fast reactions!

Yes, you are right, the option TLS Channel Protection was unchecked, so I changed it and now I have 3 files, including the ta.key!
I have configured two new OpenVPN connections for my PC and iPhone. The one with the PC functions well, but the connection with the iPhone comes with the above error again: INVALID PASSWORD! And I'm sure I enter the password correctly!

Thanks for helping!

Regards

This problem might be the same type of issue as found with older versions of Android OS. I don’t know this for certain but the symptoms are very similar as I describe below.

In Android versions 11 or older the Android certificate store does not understand the Openssl-3.x certificates as they use a stronger hash version than Openssl-2.x.

In my Samsung phone with Android 11 I get the same symptoms as you. By searching I found that the password is correct and the certificate store then tries to read the certificate but it gets an error message due to newer certificate version not being recognised. This error is what occurs but the password was being checked in the app so the message gets fed back that the password is incorrect.

Forum users using Android 12 or newer don’t experience this problem as the certificate store on those versions can recognise the Openssl-3.x certificates.

Unfortunately Samsung has decided to leave my phone on Android 11 and do no further updates.

It might be that the certificate store used on your version of iOS also does not work with Openssl-3.x certificate versions. Maybe you can get a newer version of iOS on your iPhone.
You could do an internet search for the issue you are having to see if other people have had the same problem separate from IPFire.
If you can’t get a newer iOS version and it is this problem with not recognising the Openssl-3.x certificate then it may not be solvable.

The only option in my Android phone was to not store the certificate in the certificate store but to store it encrypted on the drive and to open it when the vpn connection is made. That password request works to open it but the password is stored unencrypted in memory and could be accessed if you ended up with malware on the phone.
The password entry box shows just asterisks but behind the scenes the password is in memory in clear text.

Maybe a similar approach could be used with iOS but of course the security is not so good on the phone itself and you have to make your own decision on what is suitable for your situation.

Hello @bonnietwin,
thanks a lot,
Definitely my iPhone has iOS 16.7.2, but I don't want to update for some reasons!
And to be honest I don't think that it's a problem of the iOS because it's not too old, but it could be anyway!

I will try to search more about the problem, and if I solve it I will let you know!

Thanks a lot and happy Christmas

Regards
WO

Maybe there is another forum user who has iOS 16.7.2 or similar

If they have been successful in getting the OpenVPN roadwarrior connection going they could help with how they did that.

If they have not been successful with a similar fault to you that would indicate a more generic issue with iOS 16.x

Hello Everybody,

How to set up a roadwarrior config in OpenVPN, using “OpenVPN connect” for Android and iOS - Virtual Private Networks / OpenVPN - IPFire Community

I have used the above link to configure an OpenVPN file for my iPhone X, but I am stuck at this point and I don't really know where I can carry out these instructions before I transfer the data folder to my iPhone.

iOS How-to

This tutorial has been tested with iOS 10.3.3 (ancient history), however it should work well also in modern versions. For iOS the setting is complicated by the fact that the OS does not make available the certificate authority (CA) from the .p12 bundle, therefore we need to extract the CA certificate and modify the .ovpn file to add a pointer to it.

  1. First, install OpenVPN connect from the Apple Store on your iOS machine;
  2. Deliver the content of the client package from step 5 of the “Common preliminary steps” section to any folder of your desktop or laptop where you also have installed openssl; after unzipping the package and changing directory to the unzipped folder, issue the following openssl command from the console:

     openssl pkcs12 -in ios.p12 -cacerts -nokeys -out cacert.pem

     It does not matter how you call the certificate, as long as you correctly point to it in the next step.

  3. Edit the .ovpn file with a text editor. You need to introduce a link to the cacert file (here I put it below the tls-auth directive, but it should not matter where you place it):

     tls-auth ta.key # <--- already present
     ca cacert.pem # <--- add this, pointing to the cacert as you called it in the openssl

I have a laptop and I can edit the OpenVPN file on my laptop, but I don't know how to install openssl on my laptop.

I'm a beginner, so please don't mind!!

Does anyone have an iPhone and use OpenVPN to connect from outside to IPFire??

I would be glad about every comment!!!

best regards
Walid
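
Steps 2 and 3 of the quoted iOS how-to, scripted as an added example (not part of the tutorial or of IPFire). Only the openssl command and the `ca` directive come from the page; the function names are hypothetical, and the script is meant to be run from the unzipped folder on a machine with a POSIX shell and openssl.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the tutorial.

# Step 2: write only the CA certificate(s) from the bundle, no private key.
# openssl prompts for the .p12 import password.
extract_ca() {  # extract_ca ios.p12 cacert.pem
    openssl pkcs12 -in "$1" -cacerts -nokeys -out "$2"
}

# A bundle without CA certificates yields a file with no PEM block.
ca_file_ok() {  # ca_file_ok cacert.pem
    [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Step 3: add "ca <file>" right after the tls-auth line (or at the end if
# there is none). Does nothing when a ca directive or <ca> block exists.
add_ca_directive() {  # add_ca_directive client.ovpn cacert.pem
    ovpn=$1
    ca=$2
    if grep -Eq '^[[:space:]]*(ca[[:space:]]|<ca>)' "$ovpn"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v ca="$ca" '
        { print }
        !added && /^[ \t]*tls-auth[ \t]/ { print "ca " ca; added = 1 }
        END { if (!added) print "ca " ca }
    ' "$ovpn" > "$tmp" && cat "$tmp" > "$ovpn"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

prepare_ios_profile() {  # prepare_ios_profile ios.p12 client.ovpn cacert.pem
    extract_ca "$1" "$3" || return 1
    if ! ca_file_ok "$3"; then
        echo "no CA certificate found in $1" >&2
        return 1
    fi
    add_ca_directive "$2" "$3"
}

if [ "$#" -eq 3 ]; then
    prepare_ios_profile "$@"
fi
```

Because the extraction uses `-nokeys`, cacert.pem holds no private key, but the .p12 and ta.key that travel to the phone with it are still secrets.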

Which operating system are you running on your laptop?

Sorry for the incomplete answer… my laptop has a Windows 10 OS.
I found a copy of the openssl app and downloaded it, but there is no .exe file to install it.

Thanks for your help in advance!

Regards
Walid

I hope some member of the community will help you out. Unfortunately I do not use Windows. There are many tutorials around (like this one) but I can’t verify them.