The release of the OpenVPN client for iOS passed quietly and without fanfare. For many, myself included, this may be the last remaining reason to give up jailbreaking. For those who want to learn more about what the client can currently do, as well as the pitfalls of configuring it, read on.
The OpenVPN Connect client can be downloaded from iTunes. At the moment, according to the developers' forum, it is available in the stores of all countries except France. The delay is related to the need to obtain an Encryption Import License and is temporary.
Restrictions present in the application:
- The size of the settings file cannot exceed 256KB. However, this should be enough even to store the configuration in the unified ovpn format, which is discussed later.
- Only tun connections are supported due to iOS VPN API restrictions.
- A number of directives in the configuration file are not supported: dev tap, tls-remote, fragment, mssfix.
- Clients without certificates are not supported. This feature will appear in a future release.
- Only AES or Blowfish encryption can be used. This is because these algorithms are better suited to the ARM architecture, which gives greater energy efficiency.
- An HTTP proxy is configured in the application settings, not in the configuration file.
- PKCS#12 containers can only be used if they are imported into the iOS keychain. The developers strongly recommend this, because unlike storing the private key directly in the ovpn file, it gives the secret material a higher level of protection, especially on a jailbroken device.
Let's move on to setting up OpenVPN. First, the server side (the example is for Linux). We use easy-rsa to generate the certificates and private keys of the certification authority (CA), the server (server.crt and server.key) and the client (ios.crt and ios.key), and also generate the Diffie-Hellman parameters. Note that vars must be sourced rather than executed, otherwise its variables are not visible to the following scripts:
. ./vars
./build-ca
./build-key-server server
./build-key ios
./build-dh
For additional security, we also generate a TLS authentication key:
openvpn --genkey --secret ta.key
The server configuration looks like this (one directive per line):
proto udp
dev tun0
topology subnet
server 10.19.2.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "route 10.19.1.0 255.255.255.0"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
Now the client configuration. The most important point is that the client's private key must be in the traditional RSA PEM format. If you followed the instructions on the OpenVPN website, or already had keys, they must be converted first. openssl can be used for this:
openssl rsa -in ios.key -out ios_rsa.key
Now we collect all the necessary keys and certificates into one PKCS#12 container:
openssl pkcs12 -export -in ios.crt -inkey ios_rsa.key -certfile ca.crt -name ios -out ios.p12
Be sure to set an export password: a container exported without a password cannot be installed into the iOS keychain. The resulting container is transferred to the device via e-mail or Safari.
For the client configuration file we use the unified ovpn format, in which the TLS authentication key is embedded inline in a <tls-auth> block containing the full contents of ta.key. A general view of the configuration is presented below.
client
tls-client
dev tun
proto udp
remote _
resolv-retry infinite
key-direction 1
cipher AES-128-CBC
persist-tun
persist-key
comp-lzo
verb 3
redirect-gateway
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
The resulting file can be imported to the iOS device via iTunes (the recommended option) or via e-mail.
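Before importing, it is worth checking a finished .ovpn profile against the restrictions listed at the top of the article (256KB size limit, tun only, the unsupported directives, AES or Blowfish ciphers). The following linter is an added example, not code from the article or from OpenVPN; the sample profiles, vpn.example.com and the empty key body are constructed placeholders.

```python
import re
# Limits of OpenVPN Connect for iOS as listed in the article.
MAX_PROFILE_BYTES = 256 * 1024
UNSUPPORTED = {"tls-remote", "fragment", "mssfix"}
CIPHER_PREFIXES = ("AES-", "BF-")  # AES or Blowfish only

def parse_directives(text):
    """Yield (name, args) per directive; an inline <tag> block yields its tag once."""
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                      # skip the body of <tls-auth> etc.
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inline = m.group(1)
            yield f"<{inline}>", []
            continue
        name, *args = line.split()
        yield name, args

def check_ovpn_for_ios(text):
    """Return the problems that make a profile unusable on the iOS client ([] = passes)."""
    problems = []
    if len(text.encode("utf-8")) > MAX_PROFILE_BYTES:
        problems.append("profile exceeds the 256KB limit")
    for name, args in parse_directives(text):
        if name == "dev" and args and args[0].startswith("tap"):
            problems.append("dev tap is not supported, only tun")
        elif name in UNSUPPORTED:
            problems.append(f"{name} is not supported")
        elif name == "cipher" and args and not args[0].upper().startswith(CIPHER_PREFIXES):
            problems.append(f"cipher {args[0]} is not AES or Blowfish")
    return problems

# Constructed sample profiles; vpn.example.com and the empty key body are placeholders.
GOOD = """client
dev tun
remote vpn.example.com 1194
cipher AES-128-CBC
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
"""
BAD = GOOD.replace("dev tun", "dev tap0").replace("AES-128-CBC", "DES-CBC") + "mssfix 1400\n"
```

Run `check_ovpn_for_ios(open("ios.ovpn").read())` on the real profile; an empty list means none of the listed restrictions is violated.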
Useful links
- OpenVPN HOWTO
- OpenVPN Connect
- OpenVPN Connect (iOS) forum