mobileconfig import using ca/tls-auth with no client cert gives error on connect.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Wed Feb 05, 2020 7:59 pm
mobileconfig import using ca/tls-auth with no client cert gives error on connect.
Using the FAQ for importing an ovpn config to a mobileconfig file I am able to get the configuration to show in OpenVPN although it will not successfully connect. Using the ovpn file that the values were derived from, connection is a success after authentication. The error I get on the OpenVPN client is a popup stating Connection Error - Missing external certificate with the options to Continue or Select. The error shown in the log is Missing External PKI alias.
FAQ: https://openvpn.net/faq/can-i-import-an ... nfig-file/
ovpn config:
persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-128-GCM
auth SHA256
tls-client
client
remote REDACTED 1194 udp
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
REDACTED
-----END OpenVPN Static key V1-----
</tls-auth>
mobileconfig:
<key>VPN</key>
<dict>
<key>AuthName</key>
<string>REDACTED</string>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>RemoteAddress</key>
<string>DEFAULT</string>
</dict>
<key>VPNSubType</key>
<string>net.openvpn.connect.app</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig</key>
<dict>
<key>auth</key>
<string>SHA256</string>
<key>auth-user-pass</key>
<string>NOARGS</string>
<key>ca</key>
<string>-----BEGIN CERTIFICATE-----\nREDACTED\n-----END CERTIFICATE-----\n</string>
<key>cipher</key>
<string>AES-128-CBC</string>
<key>client</key>
<string>NOARGS</string>
<key>key-direction</key>
<string>1</string>
<key>ncp-ciphers</key>
<string>AES-128-GCM</string>
<key>persist-key</key>
<string>NOARGS</string>
<key>persist-tun</key>
<string>NOARGS</string>
<key>remote</key>
<string>"REDACTED 1194 udp"</string>
<key>remote-cert-tls</key>
<string>server</string>
<key>setenv</key>
<string>"CLIENT_CERT 0"</string>
<key>tls-auth</key>
<string>-----BEGIN OpenVPN Static key V1-----\nREDACTED\n-----END OpenVPN Static key V1-----\n</string>
<key>tls-client</key>
<string>NOARGS</string>
<key>vpn-on-demand</key>
<string>0</string>
</dict>
Thanks for any help regarding this.
-
- OpenVPN Power User
- Posts: 51
- Joined: Thu Dec 13, 2018 11:15 pm
Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.
To get this to work for me both the CA certificate as Base64 PEM and the client certificate as PKCS#12 had to be added to the profile. There is no linkage on the VPN payload for the CA cert...it just gets added to the trust store. The client credential is selected on the Custom VPN payload.
Other notes here: viewtopic.php?f=36&t=28134#p84662
-
- OpenVpn Newbie
- Posts: 7
- Joined: Wed Feb 05, 2020 7:59 pm
Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.
I don't use client certs, only the CA cert and a PSK key using tls-auth username/password. I was able to apply the CA cert to the Certificates section and remove it from the parameters for the VPN config, but I should have also specified I use a MacOS Server as an MDM for OTA profile management. The other notes section you included specifies that tls auth won't work with an MDM because it can't pass the tls-auth PSK.
Any suggestions other than changing authentication methods?
It seems bizarre that MacOS Server profile management and mobileconfig options should be able to be configured the same and work in the same manner, but I guess not. I can even download a mobileconfig version of the OTA profile to apply via Configurator if the need arises.
Thanks for your response as well, kept me from driving myself more nuts.
-
- OpenVPN Power User
- Posts: 51
- Joined: Thu Dec 13, 2018 11:15 pm
Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.
I haven't tried using Profile Manager to distribute the Custom VPN profile. MobileIron has a string-length limit on a custom-key's value, and that is where I encountered the tls-auth issue. I was proving the per-app-vpn use case, where cert-auth is a prerequisite, so the mutual auth provided by the combination of server and client certs was sufficient security for me to accept disabling static key auth.
I suggest you start with a working .ovpn and carefully use trial-and-error to build the .mobileconfig in Configurator. Don't try to go directly to building the profile using the Profile Manager UI. Once you have converted a working .ovpn into a working .mobileconfig, then transfer the settings into Profile Manager's UI.
I also seem to remember there was a critical interaction between the VPN-on-demand options defined in key-value pairs and in the profile UI, so take care to ensure agreement in those sections. You can't have any on-demand behavior enabled simultaneously with password use.
Here are the pairs defined in my working config:
<key>VendorConfig</key>
<dict>
<key>client</key>
<string>NOARGS</string>
<key>comp-lzo</key>
<string>no</string>
<key>dev</key>
<string>tun</string>
<key>dev-type</key>
<string>tun</string>
<key>key-direction</key>
<string>1</string>
<key>nobind</key>
<string>NOARGS</string>
<key>ns-cert-type</key>
<string>server</string>
<key>port</key>
<string>port-number</string>
<key>proto</key>
<string>udp</string>
<key>rcvbuf</key>
<string>0</string>
<key>remote</key>
<string>vpn-host-name</string>
<key>reneg-sec</key>
<string>604800</string>
<key>server-poll-timeout</key>
<string>4</string>
<key>setenv</key>
<string>opt tls-version-min 1.0 or-highest</string>
<key>sndbuf</key>
<string>0</string>
<key>verb</key>
<string>3</string>
</dict>
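As an added example (not code from the thread, the FAQ, or OpenVPN), the following Python sketch applies the .ovpn-to-VendorConfig mapping shown in the first post (flag options as NOARGS, multi-argument options quoted as one string, inline blocks joined with \n, comment lines dropped) and then checks the two pairings this reply turns on: tls-auth needs key-direction, and password auth must not be combined with on-demand. The sample .ovpn, its host name and the PEM bodies are constructed placeholders.

```python
import re

# Constructed .ovpn in the shape of the one quoted above; PEM bodies are placeholders.
SAMPLE_OVPN = """\
client
remote vpn.example.test 1194 udp
auth-user-pass
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def ovpn_to_vendor_config(text):
    """Thread's mapping: flag-only options -> "NOARGS", multi-argument options quoted
    as one string, inline <tag> blocks joined with "\\n", '#' comment lines dropped."""
    vendor, block, body = {}, None, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag and tag.group(1):          # closing tag: store the collected body
            vendor[block] = "\n".join(body) + "\n"
            block, body = None, []
        elif tag:                         # opening tag: start collecting
            block, body = tag.group(2), []
        elif block is not None:
            body.append(line)
        else:
            key, _, args = line.partition(" ")
            vendor[key] = "NOARGS" if not args else (
                '"%s"' % args if " " in args else args)
    return vendor

def profile_problems(vendor):
    """Checks the thread turns on: tls-auth needs key-direction; password auth
    cannot be combined with on-demand (mdibella's caveat). Looks only at VendorConfig."""
    problems = []
    if "tls-auth" in vendor and "key-direction" not in vendor:
        problems.append("tls-auth present but key-direction missing")
    if "auth-user-pass" in vendor and vendor.get("vpn-on-demand", "0") != "0":
        problems.append("auth-user-pass cannot be combined with vpn-on-demand")
    return problems
```

The on-demand check covers only the VendorConfig key; the profile UI's own on-demand settings still have to agree with it, as noted above.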
-
- OpenVpn Newbie
- Posts: 7
- Joined: Wed Feb 05, 2020 7:59 pm
Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.
Thanks for your help, I'll try that way and see if I can come up with a working config.
*UPDATE*
I have a working .mobileconfig using ca/tls-auth PSK, both in the custom data section of the VPN payload without importing the CA into the Certificates section. This .mobileconfig now works just like the inline .ovpn file. Now to see if it'll work over MDM config, I'll update once I get it back on the MDM.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Wed Feb 05, 2020 7:59 pm
Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.
I've got tls-auth username/password working on both .mobileconfig profile as well as MacOS Server MDM Profile Manager using the same settings and including the ca values as well as the key values in the custom data fields on the VPN payload. I didn't have to use the Certificates payload at all.
It seems the last bullet on your other notes section could be outdated considering I have that scenario working now.
Is it possible there is a total overall max value for the custom values in the VPN payload and not just a single value? I wonder that because I can get the CA and PSK to be accepted in the custom data section on my config and they work.
Last edited by DaMac on Sun Feb 09, 2020 11:51 pm, edited 1 time in total.
-
- OpenVPN Power User
- Posts: 51
- Joined: Thu Dec 13, 2018 11:15 pm
Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.
DaMac wrote: ↑Sun Feb 09, 2020 11:16 pm
I've got tls-auth username/password working on both .mobileconfig profile as well as MacOS Server MDM Profile Manager using the same settings and including the ca values as well as the key values in the custom data fields on the VPN payload. I didn't have to use the Certificates payload at all.
It seems the last bullet on your other notes section could be outdated considering I have that scenario working now.
Is it possible there is a total overall max value for the custom values in the VPN payload and not just a single value? I wonder that because I can get the CA and PSK to be accepted in the custom data section on my config and they work.

I needed to have the client certificate outside the Custom VPN payload so that the UEM could assign a user-specific cert to each device. This was done by uploading each user's certificate from the unified .ovpn into the UEM's certificate escrow for that user. Then, when the device enrolls, the matching client cert is dynamically merged with the rest of the VPN payload and sent to the device attached to the manifest for the app that has been configured for per-app-vpn.
Then, when that app is brought to the foreground on iOS, the VPN autoconnects.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Wed Feb 05, 2020 7:59 pm
Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.
mdibella wrote: ↑Mon Feb 10, 2020 12:33 am
I needed to have the client certificate outside the Custom VPN payload so that the UEM could assign a user-specific cert to each device. This was done by uploading each user's certificate from the unified .ovpn into the UEM's certificate escrow for that user. Then, when the device enrolls, the matching client cert is dynamically merged with the rest of the VPN payload and sent to the device attached to the manifest for the app that has been configured for per-app-vpn.
Then, when that app is brought to the foreground on iOS, the VPN autoconnects.

Understood, I took that line to mean the PSK was too long for MDM, not specific to that scenario. My mistake.
I really do appreciate your assistance and direction with regard to your parameters for your setup. I used some of yours and kept some of mine to make a working setup as seen in my initial post compared to the end result for the successful pushing of the config. Now I can move on to deployment.
-
- OpenVPN Power User
- Posts: 51
- Joined: Thu Dec 13, 2018 11:15 pm
Re: mobileconfig import using ca/tls-auth with no client cert gives error on connect.
In any case, glad you got it working.