Dinges28 wrote: ↑Thu Jan 11, 2018 3:01 pm
> As long as I keep the certificate payload in the file it works, BUT there is no connection to the given DNS servers (so the .local address is not resolved).
> The moment I delete the payload, it does nothing anymore.
> I can live with the payload attached, but how to manage the DNS resolution and not route all traffic through the VPN...
That sounds like what we are tracking here: viewtopic.php?f=36&t=25598
Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
-
- OpenVpn Newbie
- Posts: 7
- Joined: Mon Jan 08, 2018 9:55 pm
Re: Upgrade to OpenVPN 1.2.5 (iOS): VPN on Demand .mobileconfig problem
Dinges28 wrote: ↑Thu Jan 11, 2018 9:36 am
> You need to extract the key and cert from your p12 file (or maybe you still have the original files) and add them to the VPN settings (same section where the ca is defined), like this:
> Code:
> <key>key</key>
> <string>-----BEGIN PRIVATE KEY-----\n#############\n-----END PRIVATE KEY-----</string>
> <key>cert</key>
> <string>-----BEGIN CERTIFICATE-----\n#############\n-----END CERTIFICATE-----</string>
Am I correct in stating that there is no way to handle a key that is encrypted with a passphrase -- only an unencrypted key will work?
-
- OpenVpn Newbie
- Posts: 10
- Joined: Thu Jan 11, 2018 12:01 am
Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
I tried manually editing my mobileconfig last night to replace the PKCS#12 payload with <key>cert</key> and <key>key</key> but kept getting a ‘profile not valid’ error from iOS, which I’m assuming indicates some kind of syntax error on my behalf.
Can someone who has got this working please be so kind as to post an example of their full working mobileconfig file (with private details redacted)? I don’t own a Mac, so I can’t generate the file with Apple Configurator (I normally use ovpnmcgen.rb, but as above this doesn’t support the new format just yet).
Thanks!
-
- OpenVpn Newbie
- Posts: 18
- Joined: Thu Apr 04, 2013 8:24 am
-
- OpenVpn Newbie
- Posts: 10
- Joined: Thu Jan 11, 2018 12:01 am
Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
Awesome, thank you for turning this around so quickly! I can see the NE-1.2 branch in the repo. I will give it a try tonight and let you know my results one way or another.
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Upgrade to OpenVPN 1.2.5 (iOS): VPN on Demand .mobileconfig problem
agelwarg wrote: ↑Thu Jan 11, 2018 10:14 pm
> Dinges28 wrote: ↑Thu Jan 11, 2018 9:36 am
> > You need to extract the key and cert from your p12 file (or maybe you still have the original files) and add them to the VPN settings (same section where the ca is defined), like this:
> > Code:
> > <key>key</key>
> > <string>-----BEGIN PRIVATE KEY-----\n#############\n-----END PRIVATE KEY-----</string>
> > <key>cert</key>
> > <string>-----BEGIN CERTIFICATE-----\n#############\n-----END CERTIFICATE-----</string>
> Am I correct in stating that there is no way to handle a key that is encrypted with a passphrase -- only an unencrypted key will work?
It is expected to work also with password protected keys.
However, note that mbedTLS (that is used by OpenVPN Connect to handle crypto) is a bit behind compared to OpenSSL (normally used to create keys on desktop systems).
Keys encrypted with OpenSSL 1.1.0 are not compatible with mbedTLS 2.6.0 by default - they need to be re-encrypted.
We have filed a patch to mbedTLS to address this, but we are still waiting for a reply: https://github.com/ARMmbed/mbedtls/pull/1219
-
- OpenVpn Newbie
- Posts: 10
- Joined: Thu Jan 11, 2018 12:01 am
Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
Unfortunately, importing the mobileconfig profile generated by ovpnmcgen.rb gives me the same iOS error: 'Profile Installation Failed. Profile Failed to install'.
This is the command I'm running:
Code:
ovpnmcgen.rb generate --host vpn.example.org --proto tcp --port 12345 --untrusted-ssids guest --security-level medium --v12compat --cafile ../pki/ca.crt --cert ../pki/issued/iPhone.crt --key ../pki/private/iPhone.key --ovpnconfigfile iPhone.ovpn --output iPhone.mobileconfig iPhone iPhone
Also, the mobileconfig profile installs fine if I use --p12file payload (though obviously then the VPN itself doesn't actually work), so this seems to prove the issue is specifically related to the --cert or --key payloads.
Any ideas??
-
- OpenVpn Newbie
- Posts: 7
- Joined: Mon Jan 08, 2018 9:55 pm
Re: Upgrade to OpenVPN 1.2.5 (iOS): VPN on Demand .mobileconfig problem
ordex wrote: ↑Fri Jan 12, 2018 4:47 am
> agelwarg wrote: ↑Thu Jan 11, 2018 10:14 pm
> > Dinges28 wrote: ↑Thu Jan 11, 2018 9:36 am
> > > You need to extract the key and cert from your p12 file (or maybe you still have the original files) and add them to the VPN settings (same section where the ca is defined), like this:
> > > Code:
> > > <key>key</key>
> > > <string>-----BEGIN PRIVATE KEY-----\n#############\n-----END PRIVATE KEY-----</string>
> > > <key>cert</key>
> > > <string>-----BEGIN CERTIFICATE-----\n#############\n-----END CERTIFICATE-----</string>
> > Am I correct in stating that there is no way to handle a key that is encrypted with a passphrase -- only an unencrypted key will work?
> It is expected to work also with password protected keys.
> However, note that mbedTLS (that is used by OpenVPN Connect to handle crypto) is a bit behind compared to OpenSSL (normally used to create keys on desktop systems).
> Keys encrypted with OpenSSL 1.1.0 are not compatible with mbedTLS 2.6.0 by default - they need to be re-encrypted.
> We have filed a patch to mbedTLS to address this, but we are still waiting for a reply: https://github.com/ARMmbed/mbedtls/pull/1219
It looks like if I re-encrypt the key, I can get it to work WITHOUT Connect on Demand. With Connect on Demand, I don't get the ability to enter the passphrase in the app. If I can be of any help, just let me know.
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Upgrade to OpenVPN 1.2.5 (iOS): VPN on Demand .mobileconfig problem
Right. VPN on Demand is expected to work without any user input, therefore entering a password is not supported by VoD.
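An added example (not from this thread, ovpnmcgen.rb or OpenVPN Inc.) that builds the inline cert/key VendorConfig in the form of the snippet quoted earlier and enforces the constraint ordex states above: with VPN on Demand enabled, a passphrase-protected key cannot be used because nothing can prompt for it. The com.apple.vpn.managed keys and the OpenVPN Connect VPNSubType are assumptions; the PEM blobs are constructed placeholders.

```python
import plistlib
import uuid

# Constructed, non-functional PEM samples (not real key material).
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBsample\n-----END CERTIFICATE-----\n"
PLAIN_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEsample\n-----END PRIVATE KEY-----\n"
ENC_KEY_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFsample\n"
               "-----END ENCRYPTED PRIVATE KEY-----\n")


def pem_to_profile_string(pem):
    """Join the PEM lines with the literal two-character sequence \\n,
    the form the <string> values in the quoted snippet use."""
    return "\\n".join(line for line in pem.splitlines() if line.strip())


def key_is_encrypted(pem):
    """PKCS#8 'ENCRYPTED PRIVATE KEY' and legacy 'Proc-Type: 4,ENCRYPTED'
    headers both mean the key needs a passphrase to be usable."""
    return "ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem


def build_vendor_config(cert_pem, key_pem, ca_pem, on_demand):
    """Return the VendorConfig dict, refusing an encrypted key when
    VPN on Demand is enabled: VoD runs without user input, so no prompt."""
    if on_demand and key_is_encrypted(key_pem):
        raise ValueError("VPN on Demand cannot ask for a key passphrase; "
                         "use an unencrypted key or disable OnDemand")
    return {"ca": pem_to_profile_string(ca_pem),
            "cert": pem_to_profile_string(cert_pem),
            "key": pem_to_profile_string(key_pem)}


def build_profile(host, cert_pem, key_pem, ca_pem, on_demand=True):
    """Return a minimal .mobileconfig as XML plist bytes. The payload keys
    and the VPNSubType value are assumed, not taken from the thread."""
    vpn = {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
           "PayloadUUID": str(uuid.uuid4()),
           "PayloadIdentifier": "net.openvpn.vpn." + host,
           "UserDefinedName": "OpenVPN " + host,
           "VPNType": "VPN",
           "VPNSubType": "net.openvpn.OpenVPN-Connect.vpnplugin",
           "VendorConfig": build_vendor_config(cert_pem, key_pem, ca_pem, on_demand),
           # Password, not Certificate: there is no PKCS#12 payload to reference,
           # and iOS rejects Certificate auth without one (see ordex's remark).
           "VPN": {"RemoteAddress": host, "AuthenticationMethod": "Password",
                   "OnDemandEnabled": int(on_demand)}}
    return plistlib.dumps({"PayloadContent": [vpn], "PayloadType": "Configuration",
                           "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()),
                           "PayloadIdentifier": "net.openvpn.profile." + host,
                           "PayloadDisplayName": "OpenVPN " + host})
```

Note that, as ordex explains later in the thread, a key embedded this way stays in the profile as plain text rather than in the app's keychain partition.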
-
- OpenVpn Newbie
- Posts: 18
- Joined: Thu Apr 04, 2013 8:24 am
Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
tent_icle wrote: ↑Fri Jan 12, 2018 10:21 am
> Unfortunately, importing the mobileconfig profile generated by ovpnmcgen.rb gives me the same iOS error: 'Profile Installation Failed. Profile Failed to install'.
> This is the command I'm running:
> The same ca/cert/key/ovpn files work fine when I import them directly into the OpenVPN Connect app as an 'autologin profile' (i.e., a manual connection), instead of trying to use them to create an iOS VoD Configuration Profile.
> Code:
> ovpnmcgen.rb generate --host vpn.example.org --proto tcp --port 12345 --untrusted-ssids guest --security-level medium --v12compat --cafile ../pki/ca.crt --cert ../pki/issued/iPhone.crt --key ../pki/private/iPhone.key --ovpnconfigfile iPhone.ovpn --output iPhone.mobileconfig iPhone iPhone
> Also, the mobileconfig profile installs fine if I use --p12file payload (though obviously then the VPN itself doesn't actually work), so this seems to prove the issue is specifically related to the --cert or --key payloads.
> Any ideas??
Try specifying all 3 switches, i.e., p12file, cert, and key. I got the profile to install that way.
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
Did you switch the authentication method to password? If you leave that to Certificate and you have no certificate payload, I fear that iOS will complain.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Mon Jan 08, 2018 9:55 pm
Re: Upgrade to OpenVPN 1.2.5 (iOS): VPN on Demand .mobileconfig problem
But putting an inline unencrypted key on my device doesn't sound like a good solution. Is an encrypted .ovpn12 bundle on the (new) openvpn-specific keychain intended for more security? I was under the impression that prior to 1.2.5, my p12 cert bundle (deployed with a .mobileconfig file) was encrypted and transferred securely to the iOS keychain where it remained somehow encrypted. Any chance you can explain the way it was and the way it's expected to be with the new app-specific keychain?
-
- OpenVpn Newbie
- Posts: 9
- Joined: Wed Oct 02, 2013 5:22 pm
Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
Dinges28 wrote: ↑Thu Jan 11, 2018 3:01 pm
> As long as I keep the certificate payload in the file it works, BUT there is no connection to the given DNS servers (so the .local address is not resolved).
> The moment I delete the payload, it does nothing anymore.
> I can live with the payload attached, but how to manage the DNS resolution and not route all traffic through the VPN...
This is a known issue which is fixed and will be available in the next release as per this thread. The workaround is to use redirect-gateway def1, which will route all traffic through the VPN.
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Upgrade to OpenVPN 1.2.5 (iOS): VPN on Demand .mobileconfig problem
Somehow - but it does not really increase security per se.
Security level will be similar to what we had in the previous version. However, the OpenVPN app is now restricted (i.e. it can't access the general iOS Keychain anymore, but only the portion it owns).
Using the .ovpn12 extension is required so that the file is opened by OpenVPN and not by iOS. This way OpenVPN can store the bundle in its own portion of the keychain.
agelwarg wrote: ↑Fri Jan 12, 2018 1:31 pm
> I was under the impression that prior to 1.2.5, my p12 cert bundle (deployed with a .mobileconfig file) was encrypted and transferred securely to the iOS keychain where it remained somehow encrypted. Any chance you can explain the way it was and the way it's expected to be with the new app-specific keychain?
First of all we have to make a distinction: opening a .p12 file manually (i.e. from Safari/Mail) is different than bundling it in a .mobileconfig.
When opening a .p12 file manually it's iOS that takes care of opening the file and storing it. Thus it will end up in the iOS-specific keychain. OpenVPN can't access that part of the keychain anymore.
For this reason we have introduced the .ovpn12 file extension. When opening a file ending with .ovpn12 manually, OpenVPN takes over and is able to store it in its own portion of the keychain. Overriding the .p12/.pfx extension was not possible as they are special and reserved to iOS.
Files dropped via iTunes can end either with .ovpn12, .p12 or .pfx because they are directly given to the app and iOS is bypassed.
When bundling a .p12 in a .mobileconfig it's again iOS to take over, HOWEVER, after we have introduced the fix that we are working on with Apple, iOS will understand that the bundle belongs to OpenVPN and will allow access to it. As of 1.2.5 this fix is not there yet, therefore bundled .p12 are still inaccessible.
In either case, when some key material is stored in the keychain it's encrypted by iOS and accessible only to the App responsible for it.
Storing the cert/key as a string in the profile or in the .mobileconfig will leave it as is.
Hope this clarifies
-
- OpenVpn Newbie
- Posts: 18
- Joined: Thu Apr 04, 2013 8:24 am
Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
It sounds like a profile-specific issue.
We are tracking and discussing this here: https://github.com/iphoting/ovpnmcgen.rb/pull/12.
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
iphoting wrote: ↑Sat Jan 13, 2018 6:07 am
> It sounds like a profile-specific issue.
> We are tracking and discussing this here: https://github.com/iphoting/ovpnmcgen.rb/pull/12.
I posted my test mobileconfig in your GH issue.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Thu Jan 11, 2018 12:01 am
Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
iphoting wrote: ↑Sat Jan 13, 2018 6:07 am
> It sounds like a profile-specific issue.
> We are tracking and discussing this here: https://github.com/iphoting/ovpnmcgen.rb/pull/12.
Thanks! I was able to borrow a friend's MacBook today and generate a working config using Apple Configurator. I've just posted a diff of the (non-working) ovpnmcgen.rb config against the (working) Apple Configurator config on your PR. I'm not 100% certain which difference is the critical one, but hopefully this will help find some correlation with ordex's config.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Thu Jan 11, 2018 12:01 am
Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
For anyone else who comes across this thread, I just wanted to confirm the latest fixes pushed to the ovpnmcgen.rb feature branch have resolved my ‘Profile Installation Failed’ issues.
Thanks again for your help, @iphoting!
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Upgrade to OpenVPN 1.2.5 (iOS): .mobileconfig files
OpenVPN Connect for iOS 1.2.6 is out!
Please refer to this post if you want to submit bugs or feature requests: viewtopic.php?f=36&t=25650
Thanks!