OpenVPN and support for mobileconfig files

This is where we can discuss what we would like to see added or changed in OpenVPN.
jelockwood
OpenVpn Newbie
Posts: 1
Joined: Mon Jan 29, 2018 4:07 pm

OpenVPN and support for mobileconfig files

Post by jelockwood » Tue Jun 05, 2018 2:52 pm

The official OpenVPN client for iOS supports using a mobileconfig file to provide all the settings needed for the VPN connection. Apart from the fact that, contrary to the release notes, the OpenVPN client for iOS still seems to reject embedded .P12 certificate files, there is nothing else one needs to worry about for iOS.

However, as should be obvious, mobileconfig files, including for VPN configurations, are also possible for Macs; indeed, most other 'enterprise' VPN solutions do support this for Macs. Examples include Cisco, Juniper and so on.

So, why does OpenVPN seem not to support this for Macs? This approach would enable the following.

1. Install the OpenVPN client either at time of imaging or via a software distribution solution, e.g. Munki or JAMF, all of which could be done without the user requiring Admin privileges.
2. 'Push' the mobileconfig to the device from an MDM solution; the Mac would install this automatically, again no user Admin privileges required.
3. As required, push new updated settings, again no user Admin privileges required.

Currently, installing a VPN configuration requires Admin privileges, which, if as is common the entire company is using laptops on the road, means everyone needs admin privileges - a high security concern.

TinCanTech
OpenVPN Protagonist
Posts: 4636
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN and support for mobileconfig files

Post by TinCanTech » Wed Jun 06, 2018 10:33 am

There are two issues with this:
  • Developer resources
    It is very likely that none of the developers have time to do this.
  • Security policy
    It is possible that this is considered a security decision which has been rejected.

looka
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 07, 2018 5:41 am

Re: OpenVPN and support for mobileconfig files

Post by looka » Thu Jun 07, 2018 4:37 pm

We are also trying to make the client for iOS connect using an MDM-pushed profile and user certificate.
Using SCEP to obtain the user certificate and a server connection to RADIUS with MS-CHAPv2 to authenticate.
No luck so far. With Access Server at least.

The cert is sent and received, and before auth is sent to RADIUS, an exception is thrown that the username is empty (even though logs show CN=username).

Maybe using just OpenVPN with the RADIUS plugin would work better.
