mobileconfig import using ca/tls-auth with no client cert gives error on connect.

Official client software for OpenVPN Access Server and OpenVPN Cloud.
DaMac
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 05, 2020 7:59 pm

mobileconfig import using ca/tls-auth with no client cert gives error on connect.

Post by DaMac » Wed Feb 05, 2020 8:46 pm

Using the FAQ for importing an ovpn config to a mobileconfig file I am able to get the configuration to show in OpenVPN although it will not successfully connect. Using the ovpn file that the values were derived from, connection is a success after authentication. The error I get on the OpenVPN client is a popup stating Connection Error - Missing external certificate with the options to Continue or Select. The error shown in the log is Missing External PKI alias.

FAQ: https://openvpn.net/faq/can-i-import-an ... nfig-file/

ovpn config:

persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-128-GCM
auth SHA256
tls-client
client
remote REDACTED 1194 udp
auth-user-pass
remote-cert-tls server

<ca>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
REDACTED
-----END OpenVPN Static key V1-----
</tls-auth>

mobileconfig:

<key>VPN</key>
<dict>
<key>AuthName</key>
<string>REDACTED</string>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>RemoteAddress</key>
<string>DEFAULT</string>
</dict>
<key>VPNSubType</key>
<string>net.openvpn.connect.app</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig</key>
<dict>
<key>auth</key>
<string>SHA256</string>
<key>auth-user-pass</key>
<string>NOARGS</string>
<key>ca</key>
<string>-----BEGIN CERTIFICATE-----\nREDACTED\n-----END CERTIFICATE-----\n</string>
<key>cipher</key>
<string>AES-128-CBC</string>
<key>client</key>
<string>NOARGS</string>
<key>key-direction</key>
<string>1</string>
<key>ncp-ciphers</key>
<string>AES-128-GCM</string>
<key>persist-key</key>
<string>NOARGS</string>
<key>persist-tun</key>
<string>NOARGS</string>
<key>remote</key>
<string>"REDACTED 1194 udp"</string>
<key>remote-cert-tls</key>
<string>server</string>
<key>setenv</key>
<string>"CLIENT_CERT 0"</string>
<key>tls-auth</key>
<string>-----BEGIN OpenVPN Static key V1-----\nREDACTED\n-----END OpenVPN Static key V1-----\n</string>
<key>tls-client</key>
<string>NOARGS</string>
<key>vpn-on-demand</key>
<string>0</string>
</dict>

Thanks for any help regarding this.

mdibella
OpenVPN Power User
Posts: 51
Joined: Thu Dec 13, 2018 11:15 pm

Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.

Post by mdibella » Wed Feb 05, 2020 11:51 pm

To get this to work for me both the CA certificate as Base64 PEM and the client certificate as PKCS#12 had to be added to the profile. There is no linkage on the VPN payload for the CA cert...it just gets added to the trust store. The client credential is selected on the Custom VPN payload.

Other notes here: viewtopic.php?f=36&t=28134#p84662

DaMac
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 05, 2020 7:59 pm

Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.

Post by DaMac » Sun Feb 09, 2020 7:42 pm

I don't use client certs, only the CA cert and a PSK key using tls-auth username/password. I was able to apply the CA cert to the Certificates section and remove it from the parameters for the VPN config, but I should have also specified I use a MacOS Server as a MDM for OTA profile management. The other notes section you included specifies that tls auth won't work with a MDM because it can't pass the tls-auth PSK.

Any suggestions other than changing authentication methods?

It seems bizarre that MacOS Server profile management and mobileconfig options should be able to be configured the same and work in the same manner, but I guess not. I can even download a mobileconfig version of the OTA profile to apply via Configurator if the need arises.

Thanks for your response as well, kept me from driving myself more nuts.

mdibella
OpenVPN Power User
Posts: 51
Joined: Thu Dec 13, 2018 11:15 pm

Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.

Post by mdibella » Sun Feb 09, 2020 8:05 pm

I haven't tried using Profile Manager to distribute the Custom VPN profile. MobileIron has a string-length limit on a custom-key's value, and that is where I encountered the tls-auth issue. I was proving the per-app-vpn use case, where cert-auth is a prerequisite, so the mutual auth provided by the combination of server and client certs was sufficient security for me to accept disabling static key auth.

I suggest you start with a working .ovpn and carefully use trial-and-error to build the .mobileconfig in Configurator. Don't try to go directly to building the profile using the Profile Manager UI. Once you have converted a working .ovpn into a working .mobileconfig, then transfer the settings into Profile Manager's UI.

I also seem to remember there was a critical interaction between the VPN-on-demand options defined in key-value pairs and in the profile UI, so take care to ensure agreement in those sections. You can't have any on-demand behavior enabled simultaneously with password use.

Here are the pairs defined in my working config:

<key>VendorConfig</key>
<dict>
<key>client</key>
<string>NOARGS</string>
<key>comp-lzo</key>
<string>no</string>
<key>dev</key>
<string>tun</string>
<key>dev-type</key>
<string>tun</string>
<key>key-direction</key>
<string>1</string>
<key>nobind</key>
<string>NOARGS</string>
<key>ns-cert-type</key>
<string>server</string>
<key>port</key>
<string>port-number</string>
<key>proto</key>
<string>udp</string>
<key>rcvbuf</key>
<string>0</string>
<key>remote</key>
<string>vpn-host-name</string>
<key>reneg-sec</key>
<string>604800</string>
<key>server-poll-timeout</key>
<string>4</string>
<key>setenv</key>
<string>opt tls-version-min 1.0 or-highest</string>
<key>sndbuf</key>
<string>0</string>
<key>verb</key>
<string>3</string>
</dict>
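A converter for the .ovpn-to-VendorConfig mapping used in the opening post, added here as an example; it is not code from this thread, from the OpenVPN FAQ or from OpenVPN Connect. It shows the rules visible in the first post (directives without arguments become NOARGS, inline <ca> and <tls-auth> blocks become one string with a literal \n after each PEM line, the static key's '#' comment lines are dropped) and wraps the result in the VPN-payload keys from that post before emitting plist XML. It also refuses a directive that appears twice, since VendorConfig is a dict and a second remote line would otherwise be lost silently, and it flags the password-plus-on-demand combination mdibella warns about above. The sample .ovpn, the host vpn.example.invalid, the AuthName value and the quote_multiword option are constructed assumptions: the first post wraps multi-argument values in double quotes while the working config just above leaves them unquoted, and the thread does not settle which OpenVPN Connect expects, so the option defaults to unquoted.

```python
import plistlib
import re

# Constructed sample .ovpn in the shape of the one in the opening post;
# host name and PEM bodies are placeholders, not real material.
SAMPLE_OVPN = """\
client
tls-client
auth SHA256
remote vpn.example.invalid 1194 udp
auth-user-pass
remote-cert-tls server

<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-KEY-BODY
-----END OpenVPN Static key V1-----
</tls-auth>
"""

INLINE_OPEN = re.compile(r"^<([a-z-]+)>$")


def parse_ovpn(text):
    """Return (directive, value) pairs; NOARGS for bare directives, and inline
    <ca>/<tls-auth> blocks as one string with a literal \\n after each line."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue
        m = INLINE_OPEN.match(line)
        if m:
            tag, body = m.group(1), []
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                body.append(lines[i].rstrip())
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated inline block <{tag}>")
            i += 1  # skip the closing tag
            # static-key files carry '#' comment lines; keep only the PEM lines
            pem = [l for l in body if l and not l.startswith("#")]
            entries.append((tag, "".join(l + "\\n" for l in pem)))
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else "NOARGS"))
    return entries


def build_vendor_config(entries, quote_multiword=False):
    """Map directives onto the VendorConfig dict. A directive given twice cannot
    be represented in a dict, so refuse instead of silently dropping one.
    quote_multiword=True wraps space-separated values in double quotes as the
    opening post did (an assumption); inline PEM values are never quoted."""
    vendor = {}
    for directive, value in entries:
        if directive in vendor:
            raise ValueError(f"directive '{directive}' appears more than once")
        if quote_multiword and " " in value and "\\n" not in value:
            value = f'"{value}"'
        vendor[directive] = value
    return vendor


def check_vendor_config(vendor):
    """Warn about combinations the thread reports as not working together."""
    warnings = []
    if "auth-user-pass" in vendor and vendor.get("vpn-on-demand", "0") != "0":
        warnings.append("auth-user-pass together with vpn-on-demand enabled")
    if "ca" not in vendor:
        warnings.append("no inline ca; the CA must then come from a Certificates payload")
    return warnings


def build_vpn_payload(vendor, auth_name):
    """Wrap VendorConfig in the VPN-payload keys shown in the opening post."""
    return {
        "VPN": {"AuthName": auth_name, "AuthenticationMethod": "Password",
                "RemoteAddress": "DEFAULT"},
        "VPNSubType": "net.openvpn.connect.app",
        "VPNType": "VPN",
        "VendorConfig": {"vpn-on-demand": "0", **vendor},
    }


def to_plist_xml(payload):
    # plistlib sorts keys, which gives the alphabetical order seen in the post
    return plistlib.dumps(payload, sort_keys=True).decode()


if __name__ == "__main__":
    vendor = build_vendor_config(parse_ovpn(SAMPLE_OVPN))
    for w in check_vendor_config(vendor):
        print("warning:", w)
    print(to_plist_xml(build_vpn_payload(vendor, "vpnuser")))
```

Run it against a real .ovpn by replacing SAMPLE_OVPN with the file's contents and diff the printed XML against the VendorConfig you already have; a ValueError on a duplicate directive is the signal that the .ovpn has something (several remote lines, for instance) that a flat VendorConfig dict cannot carry.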

DaMac
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 05, 2020 7:59 pm

Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.

Post by DaMac » Sun Feb 09, 2020 8:21 pm

Thanks for your help, I'll try that way and see if I can come up with a working config.

*UPDATE*

I have a working .mobileconfig using ca/tls-auth PSK, both in the custom data section of the VPN payload without importing the CA into the Certificates section. This .mobileconfig now works just like the inline .ovpn file. Now to see if it'll work over MDM config, I'll update once I get it back on the MDM.

DaMac
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 05, 2020 7:59 pm

Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.

Post by DaMac » Sun Feb 09, 2020 11:16 pm

I've got tls-auth username/password working on both .mobileconfig profile as well as MacOS Server MDM Profile Manager using the same settings and including the ca values as well as the key values in the custom data fields on the VPN payload. I didn't have to use the Certificates payload at all.

It seems the last bullet on your other notes section could be out-dated considering I have that scenario working now.

Is it possible there is a total overall max value for the custom values in the VPN payload and not just a single value? I wonder that because I can get the CA and PSK to be accepted in the custom data section on my config and they work.

DaMac
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 05, 2020 7:59 pm

Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.

Post by DaMac » Sun Feb 09, 2020 11:30 pm

This is the mobileconfig/MDM config that works.

[image: screenshot of the working mobileconfig/MDM config]
Last edited by DaMac on Sun Feb 09, 2020 11:51 pm, edited 1 time in total.

DaMac
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 05, 2020 7:59 pm

Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.

Post by DaMac » Sun Feb 09, 2020 11:50 pm

OpenVPN server config.

[image: screenshot of the OpenVPN server config]

mdibella
OpenVPN Power User
Posts: 51
Joined: Thu Dec 13, 2018 11:15 pm

Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.

Post by mdibella » Mon Feb 10, 2020 12:33 am

DaMac wrote:
Sun Feb 09, 2020 11:16 pm
I've got tls-auth username/password working on both .mobileconfig profile as well as MacOS Server MDM Profile Manager using the same settings and including the ca values as well as the key values in the custom data fields on the VPN payload. I didn't have to use the Certificates payload at all.

It seems the last bullet on your other notes section could be out-dated considering I have that scenario working now.

Is it possible there is a total overall max value for the custom values in the VPN payload and not just a single value? I wonder that because I can get the CA and PSK to be accepted in the custom data section on my config and they work.
I needed to have the client certificate outside the Custom VPN payload so that the UEM could assign a user-specific cert to each device. This was done by uploading each user's certificate from the unified .ovpn into the UEM's certificate escrow for that user. Then, when the device enrolls, the matching client cert is dynamically merged with the rest of the VPN payload and sent to the device attached to the manifest for the app that has been configured for per-app-vpn.

Then, when that app is brought to the foreground on iOS, the VPN autoconnects.

DaMac
OpenVpn Newbie
Posts: 7
Joined: Wed Feb 05, 2020 7:59 pm

Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.

Post by DaMac » Mon Feb 10, 2020 12:53 am

mdibella wrote:
Mon Feb 10, 2020 12:33 am
DaMac wrote:
Sun Feb 09, 2020 11:16 pm
I've got tls-auth username/password working on both .mobileconfig profile as well as MacOS Server MDM Profile Manager using the same settings and including the ca values as well as the key values in the custom data fields on the VPN payload. I didn't have to use the Certificates payload at all.

It seems the last bullet on your other notes section could be out-dated considering I have that scenario working now.

Is it possible there is a total overall max value for the custom values in the VPN payload and not just a single value? I wonder that because I can get the CA and PSK to be accepted in the custom data section on my config and they work.
I needed to have the client certificate outside the Custom VPN payload so that the UEM could assign a user-specific cert to each device. This was done by uploading each user's certificate from the unified .ovpn into the UEM's certificate escrow for that user. Then, when the device enrolls, the matching client cert is dynamically merged with the rest of the VPN payload and sent to the device attached to the manifest for the app that has been configured for per-app-vpn.

Then, when that app is brought to the foreground on iOS, the VPN autoconnects.
Understood, I took that line to mean the PSK was too long for MDM, not specific to that scenario. My mistake.

I really do appreciate your assistance and direction with regard to your parameters for your setup. I used some of yours and kept some of mine to make a working setup as seen in my initial post compared to the end result for the successful pushing of the config. Now I can move on to deployment.

mdibella
OpenVPN Power User
Posts: 51
Joined: Thu Dec 13, 2018 11:15 pm

Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.

Post by mdibella » Mon Feb 10, 2020 1:53 am

In any case, glad you got it working.
