OpenVPN Connect + iOS + MDM

thisisreal
OpenVpn Newbie
Posts: 1
Joined: Thu Mar 28, 2019 3:16 pm

OpenVPN Connect + iOS + MDM

Post by thisisreal » Thu Mar 28, 2019 3:38 pm

Currently: The .ovpn can be imported into the app one of 3 ways: Airdropped, emailed, downloaded from web server. User enters creds > connects.

We would like to be able to push out the config so the user doesn't have to install it manually. Is this possible via AppConfig (app is already distributed via MDM) or a Configuration Profile using an MDM server?

Have tried so far the Config Profile route with just VPN payload:
VPN Type: VPN
Connection Type: Custom SSL
Provider Type: Packet-tunnel
Identifier: net.openvpn.connect.app
Server: ###.###.###.###
Account: username
User Authentication: Password
Password: **************

mdibella
OpenVPN User
Posts: 27
Joined: Thu Dec 13, 2018 11:15 pm

Re: OpenVPN Connect + iOS + MDM

Post by mdibella » Thu Mar 28, 2019 6:48 pm

I got this to work by first building a working .mobileconfig using Configurator and then carefully transferring the configuration into the MDM's VPN profile settings. A few notes:

* The user must be configured to allow auto-login in OpenVPN unless you want to require both password and client certificate. I was proving a per-app VPN use case, so I wanted to create a payload that performed an autoconnect using certificate authentication only. My key-value pairs below reflect this use case.

* I used the Custom SSL VPN sub-type.

* The client certificate must be attached to the configuration as a certificate & key payload. I simply ran the .ovpn file unaltered through openssl pkcs12 -export -out openvpn.pfx -inkey openvpn.ovpn -in openvpn.ovpn to create the .pfx and attached the .pfx to the .mobileconfig in Configurator during the test phase. In the production phase, each user must download their own connection profile, run the command to convert it, and upload the certificate through the MDM user portal to the MDM's user-certificate escrow for insertion in the MDM-created payload.

* The CA certificate in the .ovpn must be attached to the configuration as a trust-anchor payload. I manually copied it from the .ovpn file into a text file and attached the .cer to the .mobileconfig in Configurator during the test phase. In the production phase, the certificate is sent to the device using the MDM's standard certificate payload to create a new trusted root authority on the device.

* Set the server hostname to DEFAULT. It will be set using the remote key-value pair.

* Additional key-value pairs must be set to match your server configuration. For my case, I had to set quite a few pairs: client=NOARGS, comp-lzo=no, dev=tun, dev-type=tun, nobind=NOARGS, ns-cert-type=server, port=5443, proto=tcp, rcvbuf=0, remote=server-name, reneg-sec=604800, server-poll-timeout=4, setenv=opt tls-version-min 1.0 or-highest, sndbuf=0, verb=3.

* I found the tls-auth PSK could be passed statically in the Configurator .mobileconfig, but was too long to pass in the MDM-generated key-value pairs, so I had to disable tls-auth on the server.
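An added example that mechanizes the steps in the post above; it is not the poster's code and not anything shipped by OpenVPN or Apple. It parses an .ovpn file into the directive=value pairs the post shows (bare directives become NOARGS), pulls the inline <ca> block out as DER for a trusted-root payload, and assembles a .mobileconfig with a Custom SSL / packet-tunnel VPN payload whose RemoteAddress is DEFAULT and whose host comes from the remote key-value pair. Assumptions: the Apple payload keys follow the Configuration Profile Reference (com.apple.vpn.managed, com.apple.security.root, com.apple.security.pkcs12), the bundle identifier is net.openvpn.connect.app as in the thread, and the PKCS#12 bytes are produced separately with the openssl pkcs12 -export command from the post; the sample profile and its PEM body are constructed and are not real certificates.

```python
"""Build an iOS .mobileconfig skeleton from an OpenVPN .ovpn profile (added example)."""
import base64
import plistlib
import re
import uuid

# Constructed sample .ovpn; the <ca> body is NOT a real certificate.
FAKE_CA_DER = b"constructed: not a real DER certificate"
FAKE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(FAKE_CA_DER).decode()
               + "\n-----END CERTIFICATE-----")
SAMPLE_OVPN = f"""
# constructed client profile, mirroring the directives in the post
client
dev tun
dev-type tun
proto tcp
remote vpn.example.net
port 5443
nobind
comp-lzo no
ns-cert-type server
reneg-sec 604800
setenv opt tls-version-min 1.0 or-highest
verb 3
<ca>
{FAKE_CA_PEM}
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Inline blocks that are key material, not VendorConfig directives.
BLOB_TAGS = {"ca", "cert", "key", "tls-auth", "tls-crypt"}


def parse_ovpn(text):
    """Return (directives, blobs). Bare directives map to 'NOARGS', the
    convention the post uses for OpenVPN Connect key-value pairs. A directive
    given twice (e.g. several 'remote' lines) keeps only its last value."""
    directives, blobs, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                       # inside <tag> ... </tag>
            if line == f"</{current}>":
                current = None
            else:
                blobs[current].append(line)
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            current = m.group(1)
            blobs[current] = []
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else "NOARGS"
    return directives, {k: "\n".join(v) for k, v in blobs.items()}


def pem_to_der(pem):
    """Strip the PEM armor; the body is base64 DER, which the root payload wants raw."""
    body = [l for l in pem.splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))


def vendor_config(directives):
    """The VendorConfig dictionary: every directive except key material, as strings.
    tls-auth is deliberately left out, matching the post's MDM limitation."""
    return {k: v for k, v in directives.items() if k not in BLOB_TAGS}


def build_profile(directives, blobs, pkcs12_bytes, pkcs12_password,
                  bundle_id="net.openvpn.connect.app"):
    """Assemble the three payloads the post describes: VPN, trusted root CA,
    and the PKCS#12 client identity the VPN payload references by UUID."""
    root_uuid, p12_uuid = str(uuid.uuid4()), str(uuid.uuid4())
    vpn = {
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
        "PayloadUUID": str(uuid.uuid4()), "PayloadIdentifier": f"{bundle_id}.vpn",
        "PayloadDisplayName": "OpenVPN (managed)", "UserDefinedName": "OpenVPN",
        "VPNType": "VPN",                       # Custom SSL
        "VPNSubType": bundle_id, "ProviderBundleIdentifier": bundle_id,
        "ProviderType": "packet-tunnel",
        "VPN": {"RemoteAddress": "DEFAULT",     # real host is VendorConfig 'remote'
                "AuthenticationMethod": "Certificate",
                "PayloadCertificateUUID": p12_uuid},
        "VendorConfig": vendor_config(directives),
    }
    root = {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
            "PayloadUUID": root_uuid, "PayloadIdentifier": f"{bundle_id}.ca",
            "PayloadDisplayName": "OpenVPN CA", "PayloadContent": pem_to_der(blobs["ca"])}
    p12 = {"PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
           "PayloadUUID": p12_uuid, "PayloadIdentifier": f"{bundle_id}.identity",
           "PayloadDisplayName": "OpenVPN client identity",
           "PayloadContent": pkcs12_bytes, "Password": pkcs12_password}
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadUUID": str(uuid.uuid4()), "PayloadIdentifier": f"{bundle_id}.profile",
            "PayloadDisplayName": "OpenVPN Connect managed profile",
            "PayloadContent": [vpn, root, p12]}


def to_mobileconfig(profile):
    """Serialize to the XML plist that Configurator or an MDM accepts."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    d, b = parse_ovpn(SAMPLE_OVPN)
    # Placeholder: the real bytes come from
    #   openssl pkcs12 -export -out openvpn.pfx -inkey openvpn.ovpn -in openvpn.ovpn
    profile = build_profile(d, b, b"<pkcs12 bytes from openssl>", "export-password")
    print(to_mobileconfig(profile).decode())
```

The client identity and the profile export password are sensitive: in the production flow the post describes, the .pfx goes into the MDM's certificate escrow rather than into a file on a shared host, and the PKCS#12 password here is only the transport password for that one upload.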
