OpenVPN Client/Server config for iOS devices

OpenVPN Client/Server config for iOS devices

This should get you started configuring a Linux OpenVPN server, creating your own certificate authority and generating certificates and profiles for use with Apple iOS devices like the iPad and iPhone.

The following script will generate a .ovpn profile that can be imported straight into the OpenVPN iOS app.

You will need to perform the steps as the root user or execute the commands using sudo.

Create certificate authority and client certs

For this we'll use easy_rsa that should be installed as part of your distributions OpenVPN install.

These instructions were written with the server being an Ubuntu installation, paths may need to be adjusted to suit your distribution.

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

Next, edit /etc/openvpn/easy-rsa/vars adjusting the following to your environment:

export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="[email protected]"
export KEY_CN=MyVPN
export KEY_NAME=MyVPN
export KEY_OU=MyVPN

Enter the following to generate the master Certificate Authority (CA) certificate and key:

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca
Server Certificates

Next, we will generate a certificate and private key for the server:

./build-key-server myservername

As in the previous step, most parameters can be defaulted. Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Diffie Hellman parameters must be generated for the OpenVPN server:

./build-dh

All certificates and keys have been generated in the subdirectory keys/. Common practice is to copy them to /etc/openvpn/:

cd keys/
cp myservername.crt myservername.key ca.crt dh2048.pem /etc/openvpn/
Client Certificates

The VPN client will also need a certificate to authenticate itself to the server. Usually you create a different certificate for each client. To create the certificate, enter the following in a terminal while being user root:

cd /etc/openvpn/easy-rsa/
source vars
./build-key client1

Now that you have generated server and client certificates its time to configure the server

/etc/openvpn/server.conf

port 1194
proto udp
dev tun
# Server CA and certificate
ca ca.crt
cert myservername.crt
dh dh2048.pem
# Hand out IPs 192.168.1.67-79
server 192.168.1.64 255.255.255.224
# make sure clients know to use this route
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist pp.txt
# Allow clients to see each other
client-to-client
keepalive 30 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

You should now be able to start the OpenVPN server.

Before you can connect your iOS device you need to generate a .ovpn file that contains the certificates for your client and some additional configuration options.

Create the following script and then use it to generate a .ovpn file.

create-ovpn-profile

#!/bin/bash
NAME=$1
KEYSTORE=/etc/openvpn/easy-rsa/keys
CA=$(< ${KEYSTORE}/ca.crt)
CERT=$(< ${KEYSTORE}/${NAME}.crt)
KEY=$(< ${KEYSTORE}/${NAME}.key)
OUTPUT=./${NAME}.ovpn

cat > ${OUTPUT} << __EOF__
client
dev tun
proto udp
remote vpn.host.com 1194
comp-lzo
redirect-gateway
<ca>
${CA}
</ca>
<cert>
${CERT}
</cert>
<key>
${KEY}
</key>
# other options (mostly defaults)
nobind
persist-key
persist-tun
user nobody
group nogroup
resolv-retry infinite
__EOF__

Usage ./create-ovpn-profile client1

The generated .ovpn file can then be copied to the device and imported into the OpenVPN app.

For more information see the OpenVPN iOS FAQ

Related Article