OpenVPN and support for mobileconfig files

This is where we can discuss what we would like to see added or changed in OpenVPN.

jelockwood
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 29, 2018 4:07 pm

OpenVPN and support for mobileconfig files

Post by jelockwood » Tue Jun 05, 2018 2:52 pm

The official OpenVPN client for iOS supports using a mobileconfig file to provide all the settings needed for the VPN connection. Apart from the fact that, contrary to the release notes, the OpenVPN client for iOS still seems to reject embedded .P12 certificate files, there is nothing else one needs to worry about for iOS.

However, as should be obvious, mobileconfig files, including for VPN configurations, are also possible for Macs; indeed, most other 'enterprise' VPN solutions do support this for Macs. Examples include Cisco, Juniper and so on.

So, why does OpenVPN not seem to support this for Macs? This approach would enable the following.

1. Install the OpenVPN client either at time of imaging or via a software distribution solution, e.g. Munki or JAMF, all of which could be done without the user requiring Admin privileges.
2. 'Push' the mobileconfig to the device from an MDM solution; the Mac would install this automatically, again with no user Admin privileges required.
3. As required, push new updated settings, again with no user Admin privileges required.

Currently, installing a VPN configuration requires Admin privileges, which, if as is common the entire company is using laptops on the road, means everyone needs admin privileges - a high security concern.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN and support for mobileconfig files

Post by TinCanTech » Wed Jun 06, 2018 10:33 am

There are two issues with this:
  • Developer resources
    It is very likely that none of the developers have time to do this.
  • Security policy
    It is possible that this is considered a security decision which has been rejected.

looka
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 07, 2018 5:41 am

Re: OpenVPN and support for mobileconfig files

Post by looka » Thu Jun 07, 2018 4:37 pm

We are also trying to make the client for iOS connect using an MDM-pushed profile and user certificate.
Using SCEP to obtain the user certificate, and a server connection to RADIUS with MS CHAPv2 to authenticate.
No luck so far. With Access Server at least.

The cert is sent and received, and before auth is sent to RADIUS, an exception is thrown that the username is empty (even though logs show CN=username).

Maybe using just OpenVPN with the RADIUS plugin would work better.

jelockwood
OpenVpn Newbie
Posts: 5
Joined: Mon Jan 29, 2018 4:07 pm

Re: OpenVPN and support for mobileconfig files

Post by jelockwood » Tue Jun 04, 2019 8:46 am

@looka
I have successfully used JAMF to push a VPN profile to iOS devices and in that profile is a cert and settings to connect to the VPN server. The user can then open the OpenVPN client on iOS and tell it to connect and enter the user name and password. This works.

The problem is that the Mac version does not seem to support the use of MobileConfig files, i.e. MDM profiles. Other commercial VPN clients like Cisco's AnyConnect and Juniper etc. do. It can be argued that OpenVPN Access Server is a commercial solution, so it should be aiming to be equally capable.

To summarise, an iOS mobile config would have three payloads:

1. General (basically name etc.)
2. VPN: this is of type Custom SSL, with various keys defined corresponding to the entries normally in the .ovpn file, e.g. server address, plus the base64 encoded VPN server CA cert. One of the most important entries is 'Identifier', which for OpenVPN is net.openvpn.connect.app; this defines the identifier the mobileconfig is 'sent' to.
3. A cert payload: this contains the client cert and private key.
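
The three-part iOS profile summarised above, as an added example that is not part of the original post or OpenVPN's own code: it builds such a profile with Python's `plistlib` and lints it for the links between the parts. The payload keys (`com.apple.vpn.managed`, `VPNSubType`, `VendorConfig`, `com.apple.security.pkcs12`) follow Apple's configuration profile format; mapping the post's 'Identifier' to `VPNSubType`, the server name, port 1194 and every sample value are assumptions.

```python
import plistlib
import uuid

OPENVPN_ID = "net.openvpn.connect.app"  # identifier quoted in the post

def _payload(ptype, uid, **extra):
    # Keys carried by every payload dictionary in a configuration profile.
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": uid,
            "PayloadIdentifier": f"com.example.vpn.{uid}", **extra}

def build_profile(server, ca_pem, p12_bytes):
    """Serialize a profile with the general, VPN and certificate parts."""
    cert_uid = str(uuid.uuid4())
    cert = _payload("com.apple.security.pkcs12", cert_uid, PayloadContent=p12_bytes)
    vpn = _payload(
        "com.apple.vpn.managed", str(uuid.uuid4()),
        UserDefinedName="Example VPN", VPNType="VPN", VPNSubType=OPENVPN_ID,
        VPN={"RemoteAddress": server, "AuthenticationMethod": "Certificate",
             "PayloadCertificateUUID": cert_uid},  # ties the VPN to the cert payload
        # .ovpn-style entries; multi-line PEM flattened with literal "\n" (assumption)
        VendorConfig={"remote": f"{server} 1194", "ca": ca_pem.replace("\n", "\\n")})
    top = _payload("Configuration", str(uuid.uuid4()),
                   PayloadDisplayName="Example VPN", PayloadContent=[vpn, cert])
    return plistlib.dumps(top)

def lint_profile(data):
    """Return a list of problems found in a serialized profile."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    vpns = [p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed"]
    certs = {p.get("PayloadUUID"): p for p in payloads
             if p.get("PayloadType") == "com.apple.security.pkcs12"}
    problems = [] if vpns else ["no VPN payload"]
    for v in vpns:
        if v.get("VPNSubType") != OPENVPN_ID:
            problems.append("VPNSubType does not target the OpenVPN app")
        if v.get("VPN", {}).get("PayloadCertificateUUID") not in certs:
            problems.append("VPN payload references a missing certificate payload")
        if "ca" not in v.get("VendorConfig", {}):
            problems.append("VendorConfig has no server CA certificate")
    for c in certs.values():
        if "Password" in c:
            problems.append("PKCS#12 password is stored in the profile in cleartext")
    return problems

# Constructed sample values, not real key material.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----"
SAMPLE = build_profile("vpn.example.com", SAMPLE_CA, b"constructed-p12-bytes")

if __name__ == "__main__":
    print(lint_profile(SAMPLE) or "profile OK")
```

Because a mobileconfig is readable by anyone who obtains the file, the cleartext-password check matters when the certificate payload carries the client's private key.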
