How to use Openvpn Connect?

Official client software for OpenVPN Access Server and OpenVPN Cloud.
frriction
OpenVpn Newbie
Posts: 12
Joined: Wed Jan 23, 2013 10:08 am

How to use Openvpn Connect?

Post by frriction » Wed Jan 23, 2013 10:22 am

Code: Select all

# TsunamiVPN Client Config

tls-client
client
dev tun
proto udp
remote 173.245.95.76 53
#ca tsunami.crt
route-method exe
route-delay 2
resolv-retry infinite
nobind
float
persist-key
persist-tun
comp-lzo
reneg-sec 0
verb 3
mute 3
#win-sys env
script-security 2
explicit-exit-notify 2
auth-user-pass #account.txt

<snip>

I have an ovpn file with the above content.

I fired up iTunes and, in the app section, added the ovpn file to the "OpenVPN Connect" app.

Now I can see this screen:


Image

I added my user and password, but there is no option to connect.

frriction
OpenVpn Newbie
Posts: 12
Joined: Wed Jan 23, 2013 10:08 am

Re: How to use Openvpn Connect?

Post by frriction » Wed Jan 23, 2013 11:24 am


Some more info.

When I press "Select a certificate (required)"


I see this:

Image

Which certificate is it asking for, and how do I get one?
The certificate is already in my ovpn file, isn't it?

The above config works perfectly well in the Cydia app GuizmoVPN, which is a lot easier to set up.

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: How to use Openvpn Connect?

Post by jamesyonan » Thu Jan 24, 2013 1:37 am

The problem is that 1.0.0 doesn't support client profiles that don't have a client certificate. This has already been fixed in the upcoming 1.0.1 release where you can add this to your profile to disable client certificate usage:

Code: Select all

setenv CLIENT_CERT 0

This is necessary to resolve an ambiguity when the profile contains no client certificate or key, because otherwise the client app can't know whether an external certificate/key pair should be obtained from the Keychain, or whether the server actually doesn't require a client certificate/key. The option is given as a "setenv" to avoid breaking other OpenVPN clients that might not recognize it.

As a workaround before 1.0.1 is available, you can simply include a randomly generated certificate/key pair. The client will send it to the server, but the server will ignore it if it doesn't require a client certificate.

James
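
The ambiguity described in the post above can be checked before a profile is handed to a client. This is an added example, not OpenVPN Connect's code and not part of the original post: the function names, the five mode labels and the sample profile (with a documentation-range address) are assumptions made for illustration.

```python
import re

OPEN_TAG = re.compile(r"^<([A-Za-z0-9-]+)>$")   # opening line of an inline block

def parse_profile(text):
    """Return (directives, inline block names) for an OpenVPN profile."""
    directives, blocks, inside = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:                       # skip the body of <tag> ... </tag>
            if line == f"</{inside}>":
                inside = None
            continue
        m = OPEN_TAG.match(line)
        if m:
            inside = m.group(1)
            blocks.add(inside)
            continue
        # Drop '#' and ';' comments (quoted arguments are not handled here).
        words = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if words:
            directives.append(words)
    return directives, blocks

def client_cert_mode(text):
    """Classify how a profile answers 'is there a client certificate?'.
    The five labels are hypothetical names chosen for this example."""
    directives, blocks = parse_profile(text)
    names = {d[0] for d in directives}
    has = lambda opt: opt in blocks or opt in names
    disabled = ["setenv", "CLIENT_CERT", "0"] in directives
    supplied = has("pkcs12") or (has("cert") and has("key"))
    partial = not has("pkcs12") and has("cert") != has("key")
    if disabled:
        return "conflict" if supplied or partial else "disabled"
    if supplied:
        return "embedded"
    return "incomplete" if partial else "ambiguous"

# Constructed sample: CA only, username/password auth, no client cert or key.
NO_CERT = """client
remote 192.0.2.10 1194
#ca example.crt
auth-user-pass #account.txt
<ca>
(constructed placeholder)
</ca>
"""
DUMMY_PAIR = "<cert>\n(placeholder)\n</cert>\n<key>\n(placeholder)\n</key>\n"

if __name__ == "__main__":
    print(client_cert_mode(NO_CERT))                             # ambiguous
    print(client_cert_mode(NO_CERT + "setenv CLIENT_CERT 0\n"))  # disabled
    print(client_cert_mode(NO_CERT + DUMMY_PAIR))                # embedded
```

A result of "ambiguous" is the case the post describes, where the app cannot tell a Keychain-held identity from a server that needs no client certificate.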

frriction
OpenVpn Newbie
Posts: 12
Joined: Wed Jan 23, 2013 10:08 am

Re: How to use Openvpn Connect?

Post by frriction » Thu Jan 24, 2013 5:01 pm

By adding some random key and certificate, the config was added successfully.
But I am not able to connect using the config; it gives a connection timeout.

I have tested the same config on Android and got the same error, but this evening the Play Store pushed an update and the same config worked without changes.

I think iOS requires an update too, so that the same config works under iOS as well.

frriction
OpenVpn Newbie
Posts: 12
Joined: Wed Jan 23, 2013 10:08 am

Re: How to use Openvpn Connect?

Post by frriction » Fri Jan 25, 2013 12:10 pm

Code: Select all

2013-01-25 17:36:10 ----- OpenVPN Start -----
2013-01-25 17:36:10 LZO-ASYM init swap=0 asym=0
2013-01-25 17:36:10 EVENT: RESOLVE
2013-01-25 17:36:10 EVENT: WAIT
2013-01-25 17:36:10 Connecting to 173.245.95.76:9201 (173.245.95.76) via UDPv4
2013-01-25 17:36:11 EVENT: CONNECTING
2013-01-25 17:36:11 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2013-01-25 17:36:11 Peer Info:
IV_VER=1.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1

2013-01-25 17:36:13 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name   : C=PH, ST=Manila, L=Manila, O=TsunamiVPN, CN=TsunamiVPN, emailAddress=contact@tsunamivpn.com
subject name  : C=PH, ST=Manila, L=Manila, O=TsunamiVPN, CN=tsunami, emailAddress=contact@tsunamivpn.com
issued  on    : 2011-03-17 14:06:22
expires on    : 2021-03-14 14:06:22
signed using  : RSA+SHA1
RSA key size  : 1024 bits

2013-01-25 17:36:13 VERIFY OK: depth=1
cert. version : 3
serial number : CB:15:27:CA:FF:EC:B8:7E
issuer name   : C=PH, ST=Manila, L=Manila, O=TsunamiVPN, CN=TsunamiVPN, emailAddress=contact@tsunamivpn.com
subject name  : C=PH, ST=Manila, L=Manila, O=TsunamiVPN, CN=TsunamiVPN, emailAddress=contact@tsunamivpn.com
issued  on    : 2011-03-17 14:06:01
expires on    : 2021-03-14 14:06:01
signed using  : RSA+SHA1
RSA key size  : 1024 bits

2013-01-25 17:36:40 EVENT: CONNECTION_TIMEOUT [ERR]
2013-01-25 17:36:40 EVENT: DISCONNECTED
2013-01-25 17:36:40 Raw stats on disconnect:
  BYTES_IN : 2805
  BYTES_OUT : 5607
  PACKETS_IN : 27
  PACKETS_OUT : 40
  CONNECTION_TIMEOUT : 1
2013-01-25 17:36:40 Performance stats on disconnect:
  CPU usage (microseconds): 196688
  Network bytes per CPU second: 42768
  Tunnel bytes per CPU second: 0
2013-01-25 17:36:40 ----- OpenVPN Stop -----
2013-01-25 17:36:40 EVENT: DISCONNECT_PENDING

This is my log. I am getting a connection timeout; the same config works on Android.

Please suggest some tweak so this config works on iOS too.

tonign
OpenVpn Newbie
Posts: 1
Joined: Fri Mar 08, 2013 12:46 pm

Re: How to use Openvpn Connect?

Post by tonign » Fri Mar 08, 2013 12:53 pm

I'm having a similar problem:

In my config, using certificates, when I import the profile in the iPad OpenVPN Connect client (with inline certificate), the client doesn't import it, and the same message is displayed: "No certificates are present in the Keychain"

I read that version 1.0.1 can correct this, but it's not publicly released, is it?

My profile file is (I also tried adding "setenv CLIENT_CERT 0" with no success):

Code: Select all

persist-tun
persist-key
cipher AES-128-CBC
tls-client
client
remote XXXXXXXXXXXXXX 443 tcp
auth-user-pass

# don't terminate service process on wrong password, ask again
auth-retry interact
# open management channel
management 127.0.0.1 166
# wait for management to explicitly start connection
management-hold
# query management channel for user/pass
management-query-passwords
# disconnect VPN when management program connection is closed
management-signal
# forget password when management disconnects
management-forget-disconnect


<ca>
-----BEGIN CERTIFICATE-----
...snipped...
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...snipped...
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

frriction
OpenVpn Newbie
Posts: 12
Joined: Wed Jan 23, 2013 10:08 am

Re: How to use Openvpn Connect?

Post by frriction » Sat Mar 09, 2013 6:47 pm

You need to add some random key and cert; I have posted both somewhere in the forum.

TryWait
OpenVpn Newbie
Posts: 1
Joined: Mon Mar 25, 2013 4:58 pm

Re: How to use Openvpn Connect?

Post by TryWait » Mon Mar 25, 2013 7:17 pm

frriction wrote:
You need to add some random key and cert; I have posted both somewhere in the forum.

Overall, installing and trying to use OpenVPN on my iPad has wasted a lot of my time. I cannot find anywhere in the forums how to create and install random keys and certificates.

frriction
OpenVpn Newbie
Posts: 12
Joined: Wed Jan 23, 2013 10:08 am

Re: How to use Openvpn Connect?

Post by frriction » Tue Mar 26, 2013 6:17 am

No need to create one, just paste the one I posted in your config.

tamadite
OpenVpn Newbie
Posts: 2
Joined: Sun Apr 28, 2013 8:32 pm

Re: How to use Openvpn Connect?

Post by tamadite » Sun Apr 28, 2013 8:48 pm

I got OpenVPN to work on my iPhone by just sending the ovpn file via email after replacing the line "ca ca.crt" with the content of the ca.crt. Here is a copy of my openvpn.ovpn file, which I slightly modified based on inputs I found in this forum:

Code: Select all

client
dev tun
script-security 3
proto udp
remote  [your_wan_ip]  1194
resolv-retry infinite
nobind

<ca>
-----BEGIN CERTIFICATE-----
MIIDszCCAxygA....
....n1KLGtBBtPH9e
-----END CERTIFICATE-----
</ca>

auth-user-pass
cipher AES-128-CBC
comp-lzo

pkcs12 client_iphone.p12
reneg-sec 3600
pull

<cert>
-----BEGIN CERTIFICATE-----
MIIDszCCAxygA....
....n1KLGtBBtPH9e
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

Sections "ca" and "cert" contain the content of the ca.crt file. The section "key" is just junk data.

It is important to note that on the line "remote [your_wan_ip] 1194" it is necessary to replace [your_wan_ip] with the current WAN IP of the OpenVPN server.

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: How to use Openvpn Connect?

Post by Douglas » Mon Apr 29, 2013 4:48 am

Original post snipped.

tamadite
OpenVpn Newbie
Posts: 2
Joined: Sun Apr 28, 2013 8:32 pm

Re: How to use Openvpn Connect?

Post by tamadite » Fri Apr 21, 2017 9:24 pm

Unfortunately I cannot edit my previous post to give an update. Please follow these new instructions:

On the iPhone, go to Settings and scroll down until you see OpenVPN, go there and activate the setting "Force AES-CBC ciphersuites".

Then edit your openvpn.ovpn file and change it as follows:

Code: Select all

client
dev tun
script-security 3
proto udp
remote  [your_wan_ip] 1194
resolv-retry infinite
nobind

<ca>
-----BEGIN CERTIFICATE-----
MIIDszCCAxygA....
....n1KLGtBBtPH9e
-----END CERTIFICATE-----
</ca>

auth-user-pass
cipher AES-256-CBC
tls-cipher TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
comp-lzo
pull

where the section "ca" contains the content of the ca.crt file.

It is important to note that on the line "remote [your_wan_ip] 1194" it is necessary to replace [your_wan_ip] with the current WAN IP of the OpenVPN server.
