Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Official client software for OpenVPN Access Server and OpenVPN Cloud.
alimakki
OpenVpn Newbie
Posts: 2
Joined: Mon May 01, 2017 1:17 pm

Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by alimakki » Tue Jan 09, 2018 1:44 am

I recently noticed the latest updates to iOS OpenVPN connect.

Seeing as it now implements the Network Extensions framework (and thanks for tls-crypt support), I have a question:

Can ovpn connect be configured/provisioned via mobileconfig files (if yes are there any docs)?

The changelog states 'implemented private keychain for storing certificates and passwords. PKCS#12 bundles imported via Safari or Mail must now end with .ovpn12' -> Does this imply that unified configuration files must be renamed as such, and does the same convention apply for the Android version?

Thank you.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by novaflash » Tue Jan 09, 2018 5:23 pm

Some of these things are a bit new, so forgive me if I don't know everything just yet. I have talked with the developers of the app and found out a couple of relevant things:

The naming convention for PKCS#12 key/cert bundles is currently only applied on iOS, but we could roll it out to other platforms too if that makes sense. It kinda does, I suppose. We just needed a way for the import to be possible easily by recognizing it separately. On Android, for example, it doesn't use this file extension.

Regarding .mobileconfig check this page;
https://docs.openvpn.net/faqs/faq-regar ... onfig_file
If you find any problems with any of this information let me know as I can update the documentation accordingly.

Currently there is one specific problem that we are waiting on Apple to try and fix;
The combination of using PKCS#12 in mobileconfig fails.

If you use PKCS#12 with your own .ovpn config that works fine.
If you use mobileconfig with bundled certificates (not PKCS#12 bundle but 'normal' style certificates) that works fine too.

The combination of PKCS#12 in mobileconfig fails.

I don't really know the technical details, but I do know it's some sort of a permissions problem that is outside of our reach to resolve and we need Apple to step in and give us the means to make it possible for this to function.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

dmq
OpenVpn Newbie
Posts: 7
Joined: Wed Jan 10, 2018 1:40 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by dmq » Wed Jan 10, 2018 2:37 pm

Unfortunately I have issues, too. VPN on demand on iOS in Version 1.2.5 is not working. In 1.1.1 everything was fine.

This is the current log. Mutual X.509 authentication c<->s with pkcs#12 imported on iPhone and conf (with tls-auth and not tls-auto) imported through iTunes.

My manual setup is working. But unfortunately the VPN-on-Demand is very important for me :(

--

Code: Select all

Jan 10 14:43:03 anon assertiond[74] <Notice>: Now tracking extension process <BKProcess: 0x10780bde0; NIP; net.openvpn.connect.app.NIP; pid: 426; agency: Extension; visibility: none; task: running> with host (null)
Jan 10 14:43:03 anon symptomsd(SymptomEvaluator)[174] <Notice>: 426 net.openvpn.connect.app.NIP: ForegroundRunning (most elevated: ForegroundRunning)
Jan 10 14:43:03 anon SpringBoard(WiFiPicker)[59] <Notice>: WIFI PICKER [net.openvpn.connect.app.NIP]: isProcessLaunch: 1,    isForegroundActivation: 1,     isForegroundDeactivation: 0
Jan 10 14:43:03 anon mediaserverd(CoreMedia)[409] <Notice>: -CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Client net.openvpn.connect.app.NIP with pid '426' is now Foreground Running. Background entitlement: NO
Jan 10 14:43:03 anon symptomsd(SymptomEvaluator)[174] <Notice>: Entry, display name net.openvpn.connect.app.NIP uuid B73A2F13-19E3-3436-8641-A0DDEF41673C pid 426 isFront 1
Jan 10 14:43:03 anon symptomsd(SymptomEvaluator)[174] <Notice>: Continue with bundle name net.openvpn.connect.app, is front 1
Jan 10 14:43:03 anon symptomsd(SymptomEvaluator)[174] <Notice>: net.openvpn.connect.app: Foreground: true
Jan 10 14:43:03 anon NIP[426] <Notice>: NIP: Logfile: /private/var/mobile/Containers/Data/PluginKitPlugin/5F78B170-A252-4600-9453-4B6D7C6B3CA2/tmp/openvpn-current.ovpnlog
Jan 10 14:43:03 anon NIP[426] <Notice>: LOG: ----- OpenVPN Start -----OpenVPN core 3.1.2 ios arm64 64-bit built on Jan  5 2018 23:09:59
Jan 10 14:43:03 anon SpringBoard(WiFiPicker)[59] <Notice>: WIFI PICKER [net.openvpn.connect.app.NIP]: isProcessLaunch: 0,    isForegroundActivation: 0,     isForegroundDeactivation: 1
Jan 10 14:43:03 anon symptomsd(SymptomEvaluator)[174] <Notice>: 426 net.openvpn.connect.app.NIP: BackgroundTaskSuspended (most elevated: BackgroundTaskSuspended)
Jan 10 14:43:03 anon mediaserverd(CoreMedia)[409] <Notice>: -CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Client net.openvpn.connect.app.NIP with pid '426' is now Background Suspended. Background entitlement: NO
Jan 10 14:43:03 anon assertiond[74] <Notice>: Process exited: <BKProcess: 0x10780bde0; NIP; net.openvpn.connect.app.NIP; pid: 426; agency: Extension; visibility: background; task: none>
Jan 10 14:43:03 anon symptomsd(SymptomEvaluator)[174] <Notice>: Entry, display name net.openvpn.connect.app.NIP uuid B73A2F13-19E3-3436-8641-A0DDEF41673C pid 426 isFront 0
Jan 10 14:43:03 anon symptomsd(SymptomEvaluator)[174] <Notice>: Continue with bundle name net.openvpn.connect.app, is front 0
Jan 10 14:43:03 anon symptomsd(SymptomEvaluator)[174] <Notice>: net.openvpn.connect.app: Foreground: false
Jan 10 14:43:03 anon assertiond[74] <Notice>: Checking for deferred bootstrap request for net.openvpn.connect.app.NIP
Jan 10 14:43:03 anon symptomsd(SymptomEvaluator)[174] <Notice>: 426 net.openvpn.connect.app.NIP: Terminated (most elevated: Terminated)
Jan 10 14:43:03 anon symptomsd(SymptomEvaluator)[174] <Notice>: Entry, display name net.openvpn.connect.app.NIP uuid (null) pid 426 isFront 0
Jan 10 14:43:03 anon SpringBoard(WiFiPicker)[59] <Notice>: WIFI PICKER [net.openvpn.connect.app.NIP]: isProcessLaunch: 0,    isForegroundActivation: 0,     isForegroundDeactivation: 0
Jan 10 14:43:03 anon mediaserverd(CoreMedia)[409] <Notice>: -CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Client net.openvpn.connect.app.NIP with pid '426' is now Terminated. Background entitlement: NO

dmq
OpenVpn Newbie
Posts: 7
Joined: Wed Jan 10, 2018 1:40 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by dmq » Wed Jan 10, 2018 3:49 pm

Thanks for the article / information.

I renamed the .p12 to .ovpn12 and imported it again. It appears under certs in the OpenVPN app. I can select it. But the behaviour did not change. The on-demand profile is not working. Not a single packet seems to go out of the phone. I am looking into the server log and using tcpdump to watch for incoming packets on the server side.

dmq
OpenVpn Newbie
Posts: 7
Joined: Wed Jan 10, 2018 1:40 pm

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by dmq » Wed Jan 10, 2018 3:56 pm

At the moment my client configuration has the key material inline and the directive 'key-direction 1' is set.

Do I need to change this and add 'tls-auth file.key 1' because I reimported the .ovpn12?

Thanks.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by ordex » Wed Jan 10, 2018 3:59 pm

dmq wrote:
Wed Jan 10, 2018 3:56 pm
At the moment my client configuration has the key material inline and the directive 'key-direction 1' is set.

Do I need to change this and add 'tls-auth file.key 1' because I reimported the .ovpn12?

Thanks.


No, the inline key material is fine. Moreover, tls-auth is unrelated to the p12 file as they are used for different mechanisms.
Are you using a .mobileconfig file to configure your VPN on Demand? Could you please forward it to ios @ openvpn . net and quickly summarise your problem? This way we can open an internal ticket.

Thanks

tent_icle
OpenVpn Newbie
Posts: 10
Joined: Thu Jan 11, 2018 12:01 am

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by tent_icle » Thu Jan 11, 2018 12:40 am

Hi all,

Would someone please be able to share a sample mobileconfig using ‘normal’ style certs?

I currently use ovpnmcgen.rb to generate the VoD mobileconfig. This tool only supports PKCS#12 so the config is broken with 1.2.5. I’d like to try manually updating the mobileconfig to use normal certs to confirm that fixes the issue, but I don’t know what those fields look like.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by ordex » Thu Jan 11, 2018 8:03 am

I moved some posts from the generic thread to this one as I am trying to avoid confusion. Feel free to continue here any discussion about provisioning profiles/.mobileconfig files

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by ordex » Thu Jan 11, 2018 8:06 am

Not sure if this can be helpful to all of you, but please have a look at the FAQ related to .mobileconfig files and make sure the criteria match:
https://docs.openvpn.net/faqs/faq-regar ... onfig_file

In particular note that the identifier to be used has changed compared to what it used to be in the past. Now it needs to be net.openvpn.connect.app

iphoting
OpenVpn Newbie
Posts: 18
Joined: Thu Apr 04, 2013 8:24 am

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by iphoting » Thu Jan 11, 2018 8:58 am

ordex wrote:
Thu Jan 11, 2018 8:06 am
Not sure if this can be helpful to all of you, but please have a look at the FAQ related to .mobileconfig files and make sure the criteria match:
https://docs.openvpn.net/faqs/faq-regar ... onfig_file

In particular note that the identifier to be used has changed compared to what it used to be in the past. Now it needs to be net.openvpn.connect.app

Maintainer of `ovpnmcgen.rb` here.

Are there any more unannounced breaking changes from 1.1.1 to 1.2.5, with respect to the handling of .mobileconfig files?
Can we have a summary of breaking changes posted either as an FAQ or a support article, please?
Last edited by iphoting on Thu Jan 11, 2018 9:06 am, edited 1 time in total.

iphoting
OpenVpn Newbie
Posts: 18
Joined: Thu Apr 04, 2013 8:24 am

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by iphoting » Thu Jan 11, 2018 9:05 am

tent_icle wrote:
Thu Jan 11, 2018 12:40 am
Hi all,

Would someone please be able to share a sample mobileconfig using ‘normal’ style certs?

I currently use ovpnmcgen.rb to generate the VoD mobileconfig. This tool only supports PKCS#12 so the config is broken with 1.2.5. I’d like to try manually updating the mobileconfig to use normal certs to confirm that fixes the issue, but I don’t know what those fields look like.

You might want to consider this post: viewtopic.php?f=36&t=25587&start=40#p75668

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by ordex » Thu Jan 11, 2018 9:11 am

iphoting wrote:
Thu Jan 11, 2018 8:58 am
Maintainer of `ovpnmcgen.rb` here.

Are there any more unannounced breaking changes from 1.1.1 to 1.2.5, with respect to the handling of .mobileconfig files?
Can we have a summary of breaking changes posted either as an FAQ or a support article, please?

Hi and thanks for chiming in.

Unfortunately this feature is not widely used in the Enterprise environment, therefore it does not get as much love as we would like.
I will extend the documentation as soon as we have some more spare cycles. However, the FAQ are current, therefore you should find there what you need.

The major changes right now are:
  • identifier changed to net.openvpn.connect.app
  • certificate payload currently unavailable due to Apple sandboxing (this is WIP)
The FAQ concerning mobileconfig files is the one in my post above

Dinges28
OpenVpn Newbie
Posts: 5
Joined: Thu Jan 11, 2018 8:41 am

Upgrade to OpenVPN 1.2.5 (iOS): VPN on Demand .mobileconfig problem

Post by Dinges28 » Thu Jan 11, 2018 9:21 am

After upgrading to 1.2.5 on iOS, the VoD which previously worked flawlessly is broken.
It does not connect, and if you manually trigger the connection, the slider will go green for less than 1 second and goes gray (off) again.
In the OpenVPN app no debug message comes up.

The profile I use is:

Code: Select all


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>IPv4</key>
			<dict>
				<key>OverridePrimary</key>
				<integer>0</integer>
			</dict>
			<key>PayloadDescription</key>
			<string>Configures VPN settings, including authentication.</string>
			<key>PayloadDisplayName</key>
			<string>VPN (OpenVPN: - on demand)</string>
			<key>PayloadIdentifier</key>
			<string>VPN_ON_DEMAND.vpn</string>
			<key>PayloadOrganization</key>
			<string></string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>898CD9EF-ABABABABABABA</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Proxies</key>
			<dict/>
			<key>UserDefinedName</key>
			<string>OpenVPN: - vpn_ond_demand</string>
			<key>VPN</key>
			<dict>
				<key>AuthName</key>
				<string>DEFAULT</string>
				<key>AuthenticationMethod</key>
				<string>Certificate</string>
				<key>OnDemandMatchDomainsAlways</key>
				<array/>
				<key>OnDemandMatchDomainsNever</key>
				<array/>
				<key>OnDemandMatchDomainsOnRetry</key>
				<array/>
				<!-- Enabling OnDemand – This can be toggled on/off via System Settings/Network [macOS] and Settings/VPN [iOS] -->
				<key>OnDemandEnabled</key>
				<integer>1</integer>
				<key>DisconnectOnIdle</key>
				<integer>1</integer>
				<key>DisconnectOnIdleTimer</key>
				<integer>1</integer>
				

				<!-- OnDemand Rules Dictionary -->
				<!-- Value for "Action" can either be "Connect", "Disconnect", "Ignore", or "EvaluateConnection" -->
				<key>OnDemandRules</key>
				<array>

					<!-- Disconnect if device is connected to one of the listed Wifi networks -->
					<dict>
						<key>Action</key>
						<string>Disconnect</string>
						<key>InterfaceTypeMatch</key>
						<string>WiFi</string>
						<key>SSIDMatch</key>
						<array>
							<!-- List one or more WiFi networks -->
							<string>Wireless_SSID</string>
						</array>
					</dict>

					<!-- Connect if connected to Wifi and domain name matches the pattern -->
					<dict>
						<key>Action</key>
						<string>EvaluateConnection</string>
						<key>InterfaceTypeMatch</key>
						<string>WiFi</string>						
						<key>ActionParameters</key>
						<array>
							<!-- Connect to VPN if needed for the listed URLs -->
							<dict>
								<key>Domains</key>
								<array>
									<string>DOMAIN1TOSTARTVPN</string>
									<string>DOMAIN2TOSTARTVPN</string>
								</array>
								<key>DomainAction</key>
								<string>ConnectIfNeeded</string>
							</dict>
						</array>
					</dict>
			
					<!-- Connect if connected to Cellular and domain name matches the pattern -->
					<dict>
						<key>Action</key>
						<string>EvaluateConnection</string>
						<key>InterfaceTypeMatch</key>
						<string>Cellular</string>						
						<key>ActionParameters</key>
						<array>
							<!-- Connect to VPN if needed for the listed URLs -->
							<dict>
								<key>Domains</key>
								<array>
									<string>DOMAIN1TOSTARTVPN</string>
									<string>DOMAIN2TOSTARTVPN</string>
								</array>
								<key>DomainAction</key>
								<string>ConnectIfNeeded</string>
							</dict>
						</array>
					</dict>

					<!-- Default action if none of the above mentioned rules matches -->
					<dict>
						<key>Action</key>
						<string>Ignore</string>
					</dict>
				</array>
				
			
				
				
				
				
				<key>PayloadCertificateUUID</key>
				<string>CEBEF06F-ABABABABA</string>
				<key>RemoteAddress</key>
				<string>DEFAULT</string>
			</dict>
			<key>VPNSubType</key>
			<string>net.openvpn.OpenVPN-Connect.vpnplugin</string>
			<key>VPNType</key>
			<string>VPN</string>
			<key>VendorConfig</key>
			<dict>
				<key>ca</key>
				<string>-----BEGIN CERTIFICATE-----\n#############\n-----END CERTIFICATE-----</string>
				<key>cipher</key>
				<string>AES-256-CBC</string>
				<key>comp-lzo</key>
				<string>NOARGS</string>
				<key>dev</key>
				<string>tun</string>
				<key>inactive</key>
				<string>30</string>
				<key>key-direction</key>
				<string>1</string>
				<key>net.openvpn.OpenVPN-Connect.vpnplugin</key>
				<string>NOARGS</string>
				<key>nobind</key>
				<string>NOARGS</string>
				<key>ns-cert-type-</key>
				<string>server</string>
				<key>proto</key>
				<string>udp</string>
				<key>remote</key>
				<string>#server# 1194</string>
			</dict>
		</dict>
		<dict>
			<key>Password</key>
			<string>########</string>
			<key>PayloadCertificateFileName</key>
			<string>ondemandvpn.p12</string>
			<key>PayloadContent</key>
			<data>
			#CERTIFICATE#
			</data>
			<key>PayloadDescription</key>
			<string>Provides device authentication (certificate or identity).</string>
			<key>PayloadDisplayName</key>
			<string>ondemandvpn.p12</string>
			<key>PayloadIdentifier</key>
			<string>VPN_O_D.credential</string>
			<key>PayloadOrganization</key>
			<string></string>
			<key>PayloadType</key>
			<string>com.apple.security.pkcs12</string>
			<key>PayloadUUID</key>
			<string>CEBEF06FABABABABABABAAB</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Profile description.</string>
	<key>PayloadDisplayName</key>
	<string>VPN on demand</string>
	<key>PayloadIdentifier</key>
	<string>VPN_ONE_DEMAND</string>
	<key>PayloadOrganization</key>
	<string></string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>E97A8200-ABABAABA</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Did something change in the syntax? Or is this a bug that has to be reported?

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Upgrade to OpenVPN 1.2.5 (iOS): VPN on Demand .mobileconfig problem

Post by ordex » Thu Jan 11, 2018 9:28 am

Dinges28 wrote:
Thu Jan 11, 2018 9:21 am
Did something change in the syntax? Or is this a bug that has to be reported?

I merged your thread as it is related to what we are discussing in here.
As mentioned in my previous post, the App is now sandboxed and can't access certificates imported as payload in a .mobileconfig file. We are working on this right now and we are waiting for Apple to give our new app a special permission.

VoD are not controllable via the app, therefore your way around this for the time being is to embed ca, key and cert directly in the VPN settings.

Dinges28
OpenVpn Newbie
Posts: 5
Joined: Thu Jan 11, 2018 8:41 am

Re: Upgrade to OpenVPN 1.2.5 (iOS): VPN on Demand .mobileconfig problem

Post by Dinges28 » Thu Jan 11, 2018 9:36 am

ordex wrote:
Thu Jan 11, 2018 9:28 am
Dinges28 wrote:
Thu Jan 11, 2018 9:21 am
Did something change in the syntax? Or is this a bug that has to be reported?
I merged your thread as it is related to what we are discussing in here.
As mentioned in my previous post, the App is now sandboxed and can't access certificates imported as payload in a .mobileconfig file. We are working on this right now and we are waiting for Apple to give our new app a special permission.

VoD are not controllable via the app, therefore your way around this for the time being is to embed ca, key and cert directly in the VPN settings.

Do you mean, adding the certificates in the .mobileconfig itself?

As that is the case, is that not done by the following? (already have that in, but made anonymous)


[
<dict>
<key>ca</key>
<string>-----BEGIN CERTIFICATE-----\n#############\n-----END CERTIFICATE-----</string>
<key>cipher</key>
<string>AES-256-CBC</string>
]
and
[
<dict>
<key>Password</key>
<string>########</string>
<key>PayloadCertificateFileName</key>
<string>ondemandvpn.p12</string>
<key>PayloadContent</key>
<data>
#CERTIFICATE#
</data>
]

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Upgrade to OpenVPN 1.2.5 (iOS): VPN on Demand .mobileconfig problem

Post by ordex » Thu Jan 11, 2018 9:42 am

Dinges28 wrote:
Thu Jan 11, 2018 9:36 am
Do you mean, adding the certificates in the .mobileconfig itself?

As that is the case, is that not done by the following? (already have that in, but made anonymous)


[
<dict>
<key>ca</key>
<string>-----BEGIN CERTIFICATE-----\n#############\n-----END CERTIFICATE-----</string>
<key>cipher</key>
<string>AES-256-CBC</string>
]

the above part is ok

Dinges28 wrote:
Thu Jan 11, 2018 9:21 am
and
[
<dict>
<key>Password</key>
<string>########</string>
<key>PayloadCertificateFileName</key>
<string>ondemandvpn.p12</string>
<key>PayloadContent</key>
<data>
#CERTIFICATE#
</data>
]

This is exactly what is currently not working: with this section, the mobileconfig is uploading a certificate payload that the App cannot access.

You need to extract the key and cert from your p12 file (or maybe you still have the original files) and add them to the VPN settings (same section where the ca is defined), like this:

Code: Select all

<key>key</key>
<string>-----BEGIN PRIVATE KEY-----\n#############\n-----END PRIVATE KEY-----</string>
<key>cert</key>
<string>-----BEGIN CERTIFICATE-----\n#############\n-----END CERTIFICATE-----</string>

edit: I wrote the above section manually, therefore there might be typ0s. Normally I use the Apple Configurator to create these files.
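
A pre-deployment check for the two 1.2.5 changes listed in this thread, as an added example (not code from any poster or from OpenVPN). It assumes the "identifier" ordex mentions is the VPNSubType field; both sample profiles are constructed placeholders, and a clean result only means the profile avoids the issues named here, not that it will connect.

```python
import plistlib

NEW_SUBTYPE = "net.openvpn.connect.app"  # identifier named in the thread (field is an assumption)
P12_TYPE = "com.apple.security.pkcs12"   # certificate payload type from the posted profile
VPN_TYPE = "com.apple.vpn.managed"

def lint_profile(data: bytes) -> list:
    """Return findings for a .mobileconfig, based on the changes described in this thread."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    p12_uuids = {p["PayloadUUID"] for p in payloads
                 if p.get("PayloadType") == P12_TYPE and "PayloadUUID" in p}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != VPN_TYPE:
            continue
        name = p.get("PayloadIdentifier", "<vpn payload>")
        subtype = p.get("VPNSubType")
        if subtype != NEW_SUBTYPE:
            findings.append(f"{name}: VPNSubType is {subtype!r}, expected {NEW_SUBTYPE!r}")
        ref = p.get("VPN", {}).get("PayloadCertificateUUID")
        if ref is not None and ref in p12_uuids:
            findings.append(f"{name}: identity is PKCS#12 payload {ref}, which the app cannot access")
        vendor = p.get("VendorConfig", {})
        for key in ("ca", "cert", "key"):
            # The posted profiles store PEM with literal \n sequences inside <string>.
            if not str(vendor.get(key, "")).startswith("-----BEGIN "):
                findings.append(f"{name}: VendorConfig has no inline PEM for '{key}'")
    return findings

def _pem(label):
    # Constructed placeholder in the same shape as the PEM strings posted above.
    return f"-----BEGIN {label}-----\\nPLACEHOLDER\\n-----END {label}-----"

def _profile(subtype, vendor, vpn, extra_payloads):
    vpn_payload = {"PayloadType": VPN_TYPE, "PayloadIdentifier": "example.vpn",
                   "PayloadUUID": "00000000-0000-0000-0000-000000000001",
                   "PayloadVersion": 1, "VPNType": "VPN", "VPNSubType": subtype,
                   "VPN": vpn, "VendorConfig": vendor}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.profile",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000000",
                           "PayloadContent": [vpn_payload] + extra_payloads})

# Constructed sample shaped like the profile posted earlier: old subtype, PKCS#12 identity.
OLD_PROFILE = _profile(
    "net.openvpn.OpenVPN-Connect.vpnplugin",
    {"ca": _pem("CERTIFICATE"), "remote": "vpn.example.net 1194"},
    {"AuthenticationMethod": "Certificate",
     "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000002"},
    [{"PayloadType": P12_TYPE, "PayloadVersion": 1,
      "PayloadIdentifier": "example.credential",
      "PayloadUUID": "00000000-0000-0000-0000-000000000002",
      "Password": "placeholder", "PayloadContent": b"placeholder"}])

# Constructed sample after the edit described above: no certificate payload, inline cert/key.
NEW_PROFILE = _profile(
    NEW_SUBTYPE,
    {"ca": _pem("CERTIFICATE"), "cert": _pem("CERTIFICATE"),
     "key": _pem("PRIVATE KEY"), "remote": "vpn.example.net 1194"},
    {"RemoteAddress": "DEFAULT"}, [])

if __name__ == "__main__":
    for label, data in (("old", OLD_PROFILE), ("new", NEW_PROFILE)):
        print(label, lint_profile(data) or "no findings")
```
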

Dinges28
OpenVpn Newbie
Posts: 5
Joined: Thu Jan 11, 2018 8:41 am

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by Dinges28 » Thu Jan 11, 2018 10:10 am

I'm gonna try this, will get back!

Dinges28
OpenVpn Newbie
Posts: 5
Joined: Thu Jan 11, 2018 8:41 am

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by Dinges28 » Thu Jan 11, 2018 11:15 am

I cannot get it to work :(
The key and certificate I still have, and also tried to export them from the p12, but it keeps giving me a hard time....

I hope the update will be ready soon..

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by ordex » Thu Jan 11, 2018 11:30 am

Dinges28 wrote:
Thu Jan 11, 2018 11:15 am
I cannot get it to work :(
The key and certificate I still have, and also tried to export them from the p12, but it keeps giving me a hard time....

Can you be a bit more specific about what is failing? Please, don't forget to remove the Certificate Payload from your mobileconfig file.

Dinges28
OpenVpn Newbie
Posts: 5
Joined: Thu Jan 11, 2018 8:41 am

Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files

Post by Dinges28 » Thu Jan 11, 2018 3:01 pm

As long as I keep the certificate payload in the file it works BUT, there is no connection to the given dns servers (so the .local address is not resolved).
The moment I delete the payload, it does nothing anymore.

I can live with the payload attached, but how to manage the dns-resolvement and not route all traffic through vpn...
