iPhone Cannot Import Profile - Going Nuts

[gbguy71]

I am not an Apple person, but the wife has an iPhone. Updated phone and needed to reconfigure OpenVPN.

I cannot figure out a way to get the .crt, ,key, and .ovpn files onto her phone.

It appears that Windows iTunes no longer supports apps, so "iTunes sync" is out of the question (or I haven't discovered the secret)

When I tried emailing the files, her current mail app, Outlook.com, won't allow downloads of .crt, .key, or .ovpn files. (I was able to use a browser, go to live.com, and download the 3 files into OneDrive on her phone, but have no idea what to do next).

I then installed the Apple Mail app, but it appears that I have to create an entirely new account/email address on one of the supported servers (icloud, google, yahoo, etc.).

I've spent a day trying to get this to work and am now pleading for help

TIA

[mdibella]

Upload the files to iCloud and they will be accessible in the iOS Files app.

Note that iOS cannot import private keys discreetly. You will either need to convert the seperate .crt and .key into a .pfx/.p12, or create a monolithic .ovpn file with the certificate embedded.

[gbguy71]

mdibella,
Thanks!!! I had no idea what your last paragraph meant, but I googled ".crt and .key into a .pfx/.p12' and it looks like the answer will be found among the results (not a lot of success in trying to find how to create a "monolithic .ovpn file").

Seriously, thanks again as I could find nothing current about how configure OpenVPN for an iPhone.

[mdibella]

There are some online converters but openssl is the gold standard for handling these conversions on your own local machine. I'd stay away from the online converters because you have to disclose your private key.

A single file .ovpn has settings at the top, then several sections delimited by <section> and </section> containing the certificates. If your .ovpn doesn't have these sections:

<cert>
-----BEGIN CERTIFICATE-----
data
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
data
-----END PRIVATE KEY-----
</key>

you might be able to insert them.

On my .ovpns, these sections come after

</ca>

and before

key-direction 1
<tls-auth>.

[gbguy71]

Well I am stuck. I found out that it is a "Unified" format (https://openvpn.net/vpn-server-resource ... nnect-ios/).
I changed my previously working .ovpn file to directly include the CERTIFICATE and KEY portions of my .ca, .crt, and .key files (with their BEGIN/END header/footers). FWIW- I think that this will be method that ends up working.

I then uploaded the .ovpn file to iCloud Drive and accessed it via the Files app on the phone, selected the .ovpn file and then the Share option. "Copy to OpenVPN" was given as a Share choice. (Thanks for getting me this far!)

When I tried to add the profile it was rejected with a "Failed to import OVPN profile from selected file. option_error: option <key> was not properly closed out". Here is the end of my .ovpn file (I can see no issue and no problems were flagged in the earlier parts of the file). I've double checked the key data to make sure that matches the key portion of my .key file.

----------------------------------------------------------------
<key>
-----BEGIN PRIVATE KEY-----
key data
-----END PRIVATE KEY-----
</key>
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 4
-------------------------------------------------------------------

FWIW, I have never had tls-auth specified in any of my four other currently working OpenVPN profiles. I am running an OpenVPN server in my Merlin router.

Then I tried the .pfx/.p12 route. I used openssl to generate a file that contained the .ca, .crt, and .key files. I tried both .pfx and .p12 suffixes, but neither one gave me a "Copy to OpenVPN" when I tried to share them from iCloud with the Files app. In any event I had no idea what changes would need to be made to .ovpn file to reflect that I would be using a .pfx/.p12 file.

For completeness this is how I generated both the .pfx and .p12 files:
..\bin\openssl.exe pkcs12 -export -in iPhone.crt -inkey iPhone.key -certfile ca.crt -out iPhonePFX.p12
WARNING: can't open config file: c:/openssl/ssl/openssl.cnf
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:
unable to write 'random state'

NOTE: I have no idea if the Warning has any effect on the output. I did use the OPENSSL_CONF environment variable to point to the openssl.cnf file, but it got a parsing error. Since I didn't know how to deal with .ovpn file or how to share the file I didn't pursue it further.

For a Windows/Android guy, Apple software is a pain!

[mdibella]

If you have a Mac you can install Apple Configurator and create a .mobileconfig from the .ovpn and include the certificates in the .mobileconfig.

[gbguy71]

No Macs here I apologize for hitting the Submit key too soon. My complete response was just posted.

[mdibella]

The only thing i have in my unified .ovpn file below </key> is:

key-direction 1
<tls-auth>
data
</tls-auth>

So I think you need to move the <ca>, <cert> and <key> section below all the option lines.

[gbguy71]

SUCCESS!!! moving the option lines above the <ca>, <cert>, and <key> elements did the trick!

Again, I truly wish to thank you for your helping a Windows/Android guy on this.

[Pippin]

That should not make a difference.
Probably a line ending thing...