How to get a standard profile to OpenVPN using SCEP process?

Post Reply
hansooloo
OpenVpn Newbie
Posts: 7
Joined: Wed Jun 05, 2013 5:36 pm

How to get a standard profile to OpenVPN using SCEP process?

Post by hansooloo » Fri Aug 15, 2014 1:28 am

Using an SCEP server that I built, trying to send a configuration profile to my iPhone that has 2 things in it:
(1) an SCEP request to obtain a key/cert pair signed by the SCEP server
(2) an OVPN profile that uses the cert that was signed/sent in step-1 above

I want this VPN to be used/initiated by the user when s/he wants it, instead of being tied to a connection rule, i.e., not based on domain names, but based on user swiping the connect button from 0 to 1.

So far, I am able to get the configuration profile accepted by the phone, and show the VPN profile under VPN settings, as well as showing it in the OpenVPN connection list.

However, this profile ends up being recognized as an "VPN-On-Demand profile". Net effect being twofold:
(1) iOS VPN settings screen tells me to use the OpenVPN app to start the connection
(2) OpenVPN does not allow me to start the connection; Connection button is greyed out / in OFF position.

Image Image

QUESTIONS / REQUIREMENTS:
How can I allow my users:
(1) to start OpenVPN connection when they want,
(2) using a cert that was created part of the SCEP process,
(3) where the cert is used in OpenVPN authentication process (no username/password)

Final configuration profile that gets sent to the iPhone (in EncryptedPayloadContent format):

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
	<dict>
		<key>PayloadContent</key>
		<dict>
			<key>Challenge</key>
			<string>foo</string>
			<key>Key Type</key>
			<string>RSA</string>
			<key>Key Usage</key>
			<integer>5</integer>
			<key>Keysize</key>
			<integer>1024</integer>
			<key>Name</key>
			<string>VPNCertificate</string>
			<key>Subject</key>
			<array>
				<array>
					<array>
						<string>O</string>
						<string>bin919.tk</string>
					</array>
				</array>
				<array>
					<array>
						<string>CN</string>
						<string>VPNCertificate (ebbda99c-3b52-4602-9f44-1a0531dde2f7)</string>
					</array>
				</array>
			</array>
			<key>URL</key>
			<string>https://x-wing-air13.local:5000/scep</string>
		</dict>
		<key>PayloadDescription</key>
		<string>Provides device encryption identity</string>
		<key>PayloadDisplayName</key>
		<string>VPNCertificate</string>
		<key>PayloadIdentifier</key>
		<string>tk.bin919.encryption-cert-request</string>
		<key>PayloadOrganization</key>
		<string>bin919.tk</string>
		<key>PayloadType</key>
		<string>com.apple.security.scep</string>
		<key>PayloadUUID</key>
		<string>321387af-7a23-409f-8efa-1cafa2473dcc</string>
		<key>PayloadVersion</key>
		<integer>1</integer>
	</dict>
	<dict>
		<key>PayloadDescription</key>
		<string>Install this profile to access the VPN service</string>
		<key>PayloadDisplayName</key>
		<string>bin919.tk VPN Service Configuration</string>
		<key>PayloadIdentifier</key>
		<string>tk.bin919.vpn.VPNService</string>
		<key>PayloadOrganization</key>
		<string>bin919.tk</string>
		<key>PayloadType</key>
		<string>com.apple.vpn.managed</string>
		<key>PayloadUUID</key>
		<string>a3ca392b-2b8d-4b9d-8f97-bc0557c6316b</string>
		<key>PayloadVersion</key>
		<integer>1</integer>
		<key>VPN</key>
		<dict>
			<key>AuthenticationMethod</key>
			<string>Certificate</string>
			<key>PayloadCertificateUUID</key>
			<string>321387af-7a23-409f-8efa-1cafa2473dcc</string>
			<key>RemoteAddress</key>
			<string>vpn.bin919.tk</string>
		</dict>
		<key>VPNSubType</key>
		<string>net.openvpn.OpenVPN-Connect.vpnplugin</string>
		<key>VPNType</key>
		<string>VPN</string>
		<key>VendorConfig</key>
		<dict>
			<key>client</key>
			<string>NOARGS</string>
			<key>comp-lzo</key>
			<string>NOARGS</string>
			<key>dev</key>
			<string>tun</string>
			<key>nobind</key>
			<string>NOARGS</string>
			<key>redirect-gateway</key>
			<string>NOARGS</string>
			<key>remote</key>
			<string>vpn.bin919.tk</string>
		</dict>
	</dict>
</array>
</plist>

hansooloo
OpenVpn Newbie
Posts: 7
Joined: Wed Jun 05, 2013 5:36 pm

Re: How to get a non-VOD profile to OpenVPN using SCEP proce

Post by hansooloo » Fri Aug 29, 2014 9:11 pm

I was able to get this working by adding the following configuration under VendorConfig section:

Code: Select all

			<key>vpn-on-demand</key>
			<string>0</string>
This makes OpenVPN to change the profile from being a VPN-On-Demand profile to one that uses what it calls an "External Certificate"

Image

hansooloo
OpenVpn Newbie
Posts: 7
Joined: Wed Jun 05, 2013 5:36 pm

Re: How to get a standard profile to OpenVPN using SCEP proc

Post by hansooloo » Fri Aug 29, 2014 9:30 pm

NEXT CHALLENGE:
I would like my provisioning payload to make OpenVPN client automatically select the user/device certificate that was provisioned on the device before the OVPN profile was provisioned.

However, the OpenVPN client DOES NOT want to auto-select the certificate that was provisioned on the device earlier. I always have to manually go in and instruct it to use the certificate I just provisioned.

QUESTION:
How can I make the OpenVPN client pick the certificate based on the provisioning payload UUID of the SCEP cert request?


In VPN-On-Demand scenario, I can place a PayloadCertificateUUID field and point that to the UUID of the SCEP payload that asks the device to sign up for a CA-issued certificate. Not so much for an "External Certificate" profile; seems like it's being ignored.

Code: Select all

			<key>PayloadCertificateUUID</key>
			<string>58941184-52eb-446e-8e71-1676056930d4</string>
The above UUID would actually be the UUID of the profile that gets the device a certificate:

Code: Select all

	<dict>
		<key>PayloadContent</key>
		<dict>
			<key>Challenge</key>
			<string>foo</string>
			<key>Key Type</key>
			<string>RSA</string>
			<key>Key Usage</key>
			<integer>5</integer>
			<key>Keysize</key>
			<integer>1024</integer>
			<key>Name</key>
			<string>  bin919.tk VPN Certificate</string>
			<key>Subject</key>
			<array>
				<array>
					<array>
						<string>O</string>
						<string>bin919.tk</string>
					</array>
				</array>
				<array>
					<array>
						<string>CN</string>
						<string>  bin919.tk VPN Certificate</string>
					</array>
				</array>
			</array>
			<key>URL</key>
			<string>https://bin919.tk/scep</string>
		</dict>
		<key>PayloadDescription</key>
		<string>Provides device encryption identity</string>
		<key>PayloadDisplayName</key>
		<string>  bin919.tk VPN Certificate</string>
		<key>PayloadIdentifier</key>
		<string>tk.bin919.encryption-cert-request</string>
		<key>PayloadOrganization</key>
		<string>bin919.tk</string>
		<key>PayloadType</key>
		<string>com.apple.security.scep</string>
		<key>PayloadUUID</key>
		<string>58941184-52eb-446e-8e71-1676056930d4</string>
		<key>PayloadVersion</key>
		<integer>1</integer>
	</dict>

hansooloo
OpenVpn Newbie
Posts: 7
Joined: Wed Jun 05, 2013 5:36 pm

Re: How to get a standard profile to OpenVPN using SCEP proc

Post by hansooloo » Mon Sep 08, 2014 6:45 am

Hoping to hear from the iOS developers if there is a way to get the client to auto-select a certificate.

looka
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 07, 2018 5:41 am

Re: How to get a standard profile to OpenVPN using SCEP process?

Post by looka » Fri Jun 08, 2018 7:16 pm

Are you saying you got SCEP on iOS working?
I'm at my wits end here, I keep getting "VPN Auth Failed: u'exception in AuthDelegateProplist: credential username must not be empty".
I am using Radius to authenticate the certificate (from MS AD CS) but it fails miserably.
I presume your SCEP server is not Microsoft?

hansooloo
OpenVpn Newbie
Posts: 7
Joined: Wed Jun 05, 2013 5:36 pm

Re: How to get a standard profile to OpenVPN using SCEP process?

Post by hansooloo » Sun Jun 10, 2018 1:12 am

Wrote my own in Python and deployed on Heroku!


Sent from my iPad using Tapatalk

looka
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 07, 2018 5:41 am

Re: How to get a standard profile to OpenVPN using SCEP process?

Post by looka » Sun Jun 10, 2018 11:40 am

Which works with OpenVPNs own PKI or some external?
My SCEP and iOS works fine actully, cert is generated, delivered to phone and submitted on vpn connection.
I just can't get OpenVPN to authenticate certificate with my external MS PKI.

Post Reply