VPN On Demand - 1.2.6

Official client software for OpenVPN Access Server and OpenVPN Cloud.
CHRISLINDSAY
OpenVpn Newbie
Posts: 9
Joined: Thu Jan 18, 2018 1:25 pm

Re: VPN On Demand - 1.2.6

Post by CHRISLINDSAY » Thu Jan 18, 2018 5:27 pm

The profile installs but the connection just doesn't happen

Everything just stays at connecting ....

Any help on this would be much appreciated, under a lot of pressure to find a solution. Nothing working at present with all the changes I've made.

iphoting
OpenVpn Newbie
Posts: 18
Joined: Thu Apr 04, 2013 8:24 am

Re: VPN On Demand - 1.2.6

Post by iphoting » Thu Jan 18, 2018 9:53 pm

This doesn’t look right from the logs:

Code:

Failed to find VPN plugin bundle container with ID net.openvpn.OpenVPN-Connect.vpnplugin
Are you sure the previous profile has been removed from the device?

iPhrankie
OpenVPN User
Posts: 20
Joined: Mon Jun 30, 2014 11:04 pm

Re: VPN On Demand - 1.2.6

Post by iPhrankie » Thu Jan 18, 2018 10:12 pm

Is this thread related to this question I posted? Can I tweak the .mobileconfig to make it work?

viewtopic.php?f=36&t=25657
https://community.openvpn.net/openvpn/ticket/988

iphoting
OpenVpn Newbie
Posts: 18
Joined: Thu Apr 04, 2013 8:24 am

Re: VPN On Demand - 1.2.6

Post by iphoting » Fri Jan 19, 2018 1:32 am

iPhrankie wrote:Is this thread related to this question I posted? Can I tweak the .mobileconfig to make it work?

viewtopic.php?f=36&t=25657
https://community.openvpn.net/openvpn/ticket/988
Looks like it. You might want to inline your cert and key, in addition to the .p12 payload and see if it works for you?

CHRISLINDSAY
OpenVpn Newbie
Posts: 9
Joined: Thu Jan 18, 2018 1:25 pm

Re: VPN On Demand - 1.2.6

Post by CHRISLINDSAY » Fri Jan 19, 2018 9:36 am

iphoting wrote:
Thu Jan 18, 2018 9:53 pm
This doesn’t look right from the logs:

Code:

Failed to find VPN plugin bundle container with ID net.openvpn.OpenVPN-Connect.vpnplugin
Are you sure the previous profile has been removed from the device?
Definitely mate, that log entry confused me also as I'm using the new one now.

CHRISLINDSAY
OpenVpn Newbie
Posts: 9
Joined: Thu Jan 18, 2018 1:25 pm

Re: VPN On Demand - 1.2.6

Post by CHRISLINDSAY » Fri Jan 19, 2018 10:55 am

Managed to get back up and running using a custom ovpn file, not ideal but should keep everyone up and running until this fix gets done by OpenVPN.

Thanks for all your help on this guys!

iPhrankie
OpenVPN User
Posts: 20
Joined: Mon Jun 30, 2014 11:04 pm

Re: VPN On Demand - 1.2.6

Post by iPhrankie » Mon Jan 22, 2018 9:39 pm

What are the security implications of putting everything inline?

With the P12 method the key and cert were protected by a password. There is a password prompt at the time of importing the profile into the iPhone.

With this new method if the .mobileconfig escapes in transit then everything is compromised by having everything inline.
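
The concern above can be checked before a profile is sent out. This is an added example, not code from the thread or from OpenVPN: it scans a .mobileconfig for private keys stored inline without encryption and reports whether a PKCS#12 payload carries its own password. The profile text is constructed sample data.

```ruby
# Added example: flag key material in a .mobileconfig that needs no password.
PEM_KEY = /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/
# Innermost <dict> that mentions the PKCS#12 payload type.
P12_DICT = %r{<dict>((?:(?!</?dict>).)*com\.apple\.security\.pkcs12(?:(?!</?dict>).)*)</dict>}m

def audit_mobileconfig(xml)
  plaintext = []
  xml.scan(%r{<key>([^<]+)</key>\s*<string>([^<]*)</string>}m) do |name, value|
    next unless value =~ PEM_KEY
    # PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy PEM with a Proc-Type header.
    encrypted = value.include?('BEGIN ENCRYPTED') ||
                value.include?('Proc-Type: 4,ENCRYPTED')
    plaintext << name unless encrypted
  end
  p12 = xml.match(P12_DICT)
  { plaintext_key_entries: plaintext,
    pkcs12_payload: !p12.nil?,
    # A Password key inside the payload means the password travels with the file.
    pkcs12_password_embedded: !p12.nil? && p12[1].include?('<key>Password</key>') }
end

# Constructed sample profile (placeholder key and certificate bodies).
SAMPLE_PROFILE = <<~'XML'
  <plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VendorConfig</key>
      <dict>
        <key>key</key>
        <string>-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----</string>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadContent</key><data>Q09OU1RSVUNURUQ=</data>
    </dict>
  </array>
  </dict></plist>
XML

puts audit_mobileconfig(SAMPLE_PROFILE).inspect if $PROGRAM_NAME == __FILE__
```

A non-empty `plaintext_key_entries` list means anyone who obtains the file obtains a usable private key, so such a profile needs a protected delivery channel.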

trifster
OpenVpn Newbie
Posts: 5
Joined: Tue Jan 23, 2018 6:57 pm

Re: VPN On Demand - 1.2.6

Post by trifster » Tue Jan 23, 2018 7:51 pm

Hi all... so I stumbled onto this thread trying to make a .mobileconfig file for my home OpenVPN server that is built into my Netgear 7000P router. I'm having similar issues with the iOS client and no log information. When the ca.crt, client.crt, client3.key and *.ovpn file are copied over to an iOS device and the OpenVPN Connect app, the VPN works just fine. I'm also an amateur at .mobileconfig. I've been building it in Apple Configurator 2. I have the two .crt files being imported as certificates, the key file as a key/value pair, as well as the information in the .ovpn as key/value pairs. Without any log data I can't tell what is and isn't working.

My purpose is to create an always-on VPN connection anytime my son's iPhone is not on our home Wi-Fi. So I've figured out the conditional parts of the .mobileconfig to handle that, but I feel I need to do something more to the .mobileconfig file that the AC2 program doesn't provide for.

Since I'm brand new, did I read in other parts of this thread that I will have to include the ca and client as key/value pairs, using \n to keep it all on one line (ugh, was trying to avoid that)? So my main question for this thread: am I running into a client-side bug in the iOS app?

Thanks, trifster
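
The key/value conversion mentioned in the post above, as an added example that is not from the thread and is not ovpnmcgen.rb's code: it turns .ovpn text into VendorConfig pairs, joining multi-line blocks with a literal `\n`. Numbering repeated directives and using `NOARGS` for argument-less ones are conventions assumed here, and the sample profile is constructed.

```ruby
# Added example. Assumptions: literal backslash-n joins multi-line values;
# repeated directives get .1/.2 suffixes; argument-less ones get NOARGS.
def ovpn_to_vendor_config(ovpn_text)
  pairs, block, body = [], nil, []
  ovpn_text.each_line do |raw|
    line = raw.strip
    if block
      if line == "</#{block}>"
        pairs << [block, body.join('\n')] # '\n' is two characters here
        block, body = nil, []
      elsif !line.empty?
        body << line
      end
    elsif (m = line.match(/\A<([a-z0-9-]+)>\z/i))
      block = m[1]
    elsif !line.empty? && !line.start_with?('#', ';')
      name, value = line.split(/\s+/, 2)
      pairs << [name, value || 'NOARGS']
    end
  end
  raise ArgumentError, "unterminated <#{block}> block" if block
  totals = pairs.map(&:first).tally
  seen = Hash.new(0)
  pairs.each_with_object({}) do |(name, value), out|
    key = totals[name] > 1 ? "#{name}.#{seen[name] += 1}" : name
    out[key] = value
  end
end

# Render the pairs as the plist fragment for the VPN payload.
def vendor_config_xml(config)
  esc = ->(s) { s.gsub(/[&<>]/, '&' => '&amp;', '<' => '&lt;', '>' => '&gt;') }
  rows = config.map { |k, v| "  <key>#{esc.(k)}</key>\n  <string>#{esc.(v)}</string>" }
  "<key>VendorConfig</key>\n<dict>\n#{rows.join("\n")}\n</dict>"
end

# Constructed sample, not a real profile.
SAMPLE_OVPN = <<~OVPN
  client
  remote vpn1.example.net 1194
  remote vpn2.example.net 1194
  <ca>
  -----BEGIN CERTIFICATE-----
  Q09OU1RSVUNURUQ=
  -----END CERTIFICATE-----
  </ca>
OVPN

puts vendor_config_xml(ovpn_to_vendor_config(SAMPLE_OVPN)) if $PROGRAM_NAME == __FILE__
```

A `<key>` block in the .ovpn ends up as a plaintext `key` string in the profile, so the generated file is as sensitive as the private key itself.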

jason.salameh
OpenVpn Newbie
Posts: 7
Joined: Thu Jan 11, 2018 7:44 pm

Re: VPN On Demand - 1.2.6

Post by jason.salameh » Tue Jan 23, 2018 10:24 pm

trifster wrote:
Tue Jan 23, 2018 7:51 pm
Hi all... so I stumbled onto this thread trying to make a .mobileconfig file for my home OpenVPN server that is built into my Netgear 7000P router. I'm having similar issues with the iOS client and no log information. When the ca.crt, client.crt, client3.key and *.ovpn file are copied over to an iOS device and the OpenVPN Connect app, the VPN works just fine. I'm also an amateur at .mobileconfig. I've been building it in Apple Configurator 2. I have the two .crt files being imported as certificates, the key file as a key/value pair, as well as the information in the .ovpn as key/value pairs. Without any log data I can't tell what is and isn't working.

My purpose is to create an always-on VPN connection anytime my son's iPhone is not on our home Wi-Fi. So I've figured out the conditional parts of the .mobileconfig to handle that, but I feel I need to do something more to the .mobileconfig file that the AC2 program doesn't provide for.

Since I'm brand new, did I read in other parts of this thread that I will have to include the ca and client as key/value pairs, using \n to keep it all on one line (ugh, was trying to avoid that)? So my main question for this thread: am I running into a client-side bug in the iOS app?

Thanks, trifster
Be careful, I believe Netgear uses MD5 to sign as opposed to SHA. They're trying to update this now...

trifster
OpenVpn Newbie
Posts: 5
Joined: Tue Jan 23, 2018 6:57 pm

Re: VPN On Demand - 1.2.6

Post by trifster » Tue Jan 23, 2018 11:49 pm

jason.salameh wrote:
Tue Jan 23, 2018 10:24 pm
trifster wrote:
Tue Jan 23, 2018 7:51 pm
Hi all... so I stumbled onto this thread trying to make a .mobileconfig file for my home OpenVPN server that is built into my Netgear 7000P router. I'm having similar issues with the iOS client and no log information. When the ca.crt, client.crt, client3.key and *.ovpn file are copied over to an iOS device and the OpenVPN Connect app, the VPN works just fine. I'm also an amateur at .mobileconfig. I've been building it in Apple Configurator 2. I have the two .crt files being imported as certificates, the key file as a key/value pair, as well as the information in the .ovpn as key/value pairs. Without any log data I can't tell what is and isn't working.

My purpose is to create an always-on VPN connection anytime my son's iPhone is not on our home Wi-Fi. So I've figured out the conditional parts of the .mobileconfig to handle that, but I feel I need to do something more to the .mobileconfig file that the AC2 program doesn't provide for.

Since I'm brand new, did I read in other parts of this thread that I will have to include the ca and client as key/value pairs, using \n to keep it all on one line (ugh, was trying to avoid that)? So my main question for this thread: am I running into a client-side bug in the iOS app?

Thanks, trifster
Be careful, I believe Netgear uses MD5 to sign as opposed to SHA. They're trying to update this now...
Thanks. I'm less worried about privacy and more looking to keep kids' cellular through my parental-controls-enabled home network. With respect to MD5 vs SHA (I'm fully aware MD5 is compromised), does it change anything I have to specify in my .mobileconfig file?

Micky42
OpenVpn Newbie
Posts: 9
Joined: Thu Sep 17, 2015 8:14 am

Re: VPN On Demand - 1.2.6

Post by Micky42 » Wed Jan 24, 2018 2:48 pm

CHRISLINDSAY wrote:
Fri Jan 19, 2018 10:55 am
Managed to get back up and running using a custom ovpn file, not ideal but should keep everyone up and running until this fix gets done by OpenVPN.
Is there a time schedule for fixing this issue? I have the same problem here with my mobileconfig.

iPhrankie
OpenVPN User
Posts: 20
Joined: Mon Jun 30, 2014 11:04 pm

Re: VPN On Demand - 1.2.6

Post by iPhrankie » Fri Jan 26, 2018 2:02 am

Yes, any ETA would be welcome. Our organization is offline. We are approaching 3 weeks of being offline.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: VPN On Demand - 1.2.6

Post by ordex » Fri Jan 26, 2018 2:05 am

iPhrankie wrote:
Fri Jan 26, 2018 2:02 am
Yes, any ETA would be welcome. Our organization is offline. We are approaching 3 weeks of being offline.
The next release should be out soon (Apple has been quite slow on this round). Re-enabling .p12 payloads should go in the release right after.

However, in the meantime, doesn't embedding key/cert in the .mobileconfig work for you? Or if you need to use a .p12, why not upload a separate profile (non mobileconfig) and ovpn12 file?

Micky42
OpenVpn Newbie
Posts: 9
Joined: Thu Sep 17, 2015 8:14 am

Re: VPN On Demand - 1.2.6

Post by Micky42 » Fri Jan 26, 2018 12:00 pm

ordex wrote:
Fri Jan 26, 2018 2:05 am
However, in the meantime, doesn't embedding key/cert in the .mobileconfig work for you? Or if you need to use a .p12, why not upload a separate profile (non mobileconfig) and ovpn12 file?
No, my mobileconfigs do not work any more - we have approx 600 devices running with 140 OpenVPN servers.
Our procedure in the past was:
1. sending a cert file and
2. using an integrated complete mobileconfig

I must admit, I was not responsible for the VPN stuff in the past, but unfortunately now I am.
As far as I know, this mobileconfig was somehow generated with a Mac/iTunes and only the relevant parts are changed during the config process. This has been working until version 1.2.5.

I made an experiment with changing

Code:

<key>VPNSubType</key>
<string>net.openvpn.OpenVPN-Connect.vpnplugin</string>
to

Code:

<key>VPNSubType</key>
<string>net.openvpn.connect.app</string>
as I read somewhere here, but this did not make any difference.

I also did a separate upload of a p12 file, an ovpn12 file and a cert file, but this did not connect properly, either. At least I saw there that the client tried to connect to the servers, whereas in the other case (mobileconfig), nothing can be seen in the log (as other users reported before).
I hope there is a chance to avoid updating the 140 servers (which provide the configs via webserver) and the 600 clients.

trifster
OpenVpn Newbie
Posts: 5
Joined: Tue Jan 23, 2018 6:57 pm

Re: VPN On Demand - 1.2.6

Post by trifster » Fri Jan 26, 2018 12:28 pm

Micky42 wrote:
Fri Jan 26, 2018 12:00 pm
ordex wrote:
Fri Jan 26, 2018 2:05 am
However, in the meantime, doesn't embedding key/cert in the .mobileconfig work for you? Or if you need to use a .p12, why not upload a separate profile (non mobileconfig) and ovpn12 file?
No, my mobileconfigs do not work any more - we have approx 600 devices running with 140 OpenVPN servers.
Our procedure in the past was:
1. sending a cert file and
2. using an integrated complete mobileconfig

I must admit, I was not responsible for the VPN stuff in the past, but unfortunately now I am.
As far as I know, this mobileconfig was somehow generated with a Mac/iTunes and only the relevant parts are changed during the config process. This has been working until version 1.2.5.

I made an experiment with changing

Code:

<key>VPNSubType</key>
<string>net.openvpn.OpenVPN-Connect.vpnplugin</string>
to

Code:

<key>VPNSubType</key>
<string>net.openvpn.connect.app</string>
as I read somewhere here, but this did not make any difference.

I also did a separate upload of a p12 file, an ovpn12 file and a cert file, but this did not connect properly, either. At least I saw there that the client tried to connect to the servers, whereas in the other case (mobileconfig), nothing can be seen in the log (as other users reported before).
I hope there is a chance to avoid updating the 140 servers (which provide the configs via webserver) and the 600 clients.
Micky, spend the time to get ovpnmcgen.rb working and use it to generate the .mobileconfig. Its handling of sucking in the certs/keys got me working. Be sure to install with the --pre option (gem install ovpnmcgen.rb --pre). https://github.com/iphoting/ovpnmcgen.rb

Trifster

Micky42
OpenVpn Newbie
Posts: 9
Joined: Thu Sep 17, 2015 8:14 am

Re: VPN On Demand - 1.2.6

Post by Micky42 » Mon Jan 29, 2018 5:16 pm

Hi Trifster,
thanks for the hint. I tried - just for a test - to install this (it did) but I have no idea how to start this Ruby script after installing on my Linux machine. I have no Ruby experience at all...

trifster
OpenVpn Newbie
Posts: 5
Joined: Tue Jan 23, 2018 6:57 pm

Re: VPN On Demand - 1.2.6

Post by trifster » Mon Jan 29, 2018 5:33 pm

Micky42 wrote:
Mon Jan 29, 2018 5:16 pm
Hi Trifster,
thanks for the hint. I tried - just for a test - to install this (it did) but I have no idea how to start this Ruby script after installing on my Linux machine. I have no Ruby experience at all...
Same here, never used Ruby before ever. I just typed ovpnmcgen.rb followed by the arguments and it worked. This is on macOS High Sierra. Here's the command I used:

ovpnmcgen.rb generate --v12compat --host dynamic_hostename.ddns.net --port 12973 --proto udp --cafile ca.crt --cert client.crt --key client.key --vod --trusted-ssids TrifNet5,TrifNet2.4 --security-level medium --url-probe https://www.apple.com/ --ovpnconfigfile client3.ovpn --output TrifHome2.mobileconfig trifster iphone

One note: I ran this from a folder where all the files were located together so I didn't have to specify paths above.

Micky42
OpenVpn Newbie
Posts: 9
Joined: Thu Sep 17, 2015 8:14 am

Re: VPN On Demand - 1.2.6

Post by Micky42 » Mon Jan 29, 2018 7:10 pm

Ok. I will try to install it on a windows machine.

Micky42
OpenVpn Newbie
Posts: 9
Joined: Thu Sep 17, 2015 8:14 am

Re: VPN On Demand - 1.2.6

Post by Micky42 » Tue Jan 30, 2018 11:31 am

Under Windows I could install and execute the Ruby file. The config file seems (at first sight) to be the same as my old one, but the p12 was integrated in the config there. I did not test the new one, but is the p12 certificate in the config the problem?

trifster
OpenVpn Newbie
Posts: 5
Joined: Tue Jan 23, 2018 6:57 pm

Re: VPN On Demand - 1.2.6

Post by trifster » Tue Jan 30, 2018 12:08 pm

Micky42 wrote:
Tue Jan 30, 2018 11:31 am
Under Windows I could install and execute the Ruby file. The config file seems (at first sight) to be the same as my old one, but the p12 was integrated in the config there. I did not test the new one, but is the p12 certificate in the config the problem?
From what I've been reading in this thread, the fix for 1.2.x client issues is that it needs to be in the .mobileconfig file. I don't have a p12 file in my usage so you may need to see if there is a different way to handle that.