Merge .p12 .tls and .ovpn into 1 file on iOS

[Emetah]

Hello,
I need help to setup my vpn on my iOS device.
I have three files (.p12 .tls .ovpn)
On w10 I enter with an user and psw.
How can I merge all these three files into one to install it on my device?
Please help me step by step is very important. Thank you.

[TinCanTech]

https://community.openvpn.net/openvpn/wiki/IOSinline

[Emetah]

https://community.openvpn.net/openvpn/wiki/IOSinline

Thx but not helped me because I don't know where to set my .p12 is it a cert or a ca?what's the difference? I don't have both and where I insert usr and psw?

[Emetah]

OVPN

View OriginalClient config

1

2

3

dev tun

4

5

persist-tun

6

7

persist-key

8

9

cipher AES-128-CBC

10

11

ncp-ciphers AES-128-GCM

12

13

auth SHA256

14

15

tls-client

16

17

client

18

19

resolv-retry infinite

20

21

remote XX.XXX.XXXX.XXX udp

22

23

verify-x509-name "YYYYY" name

24

25

auth-user-pass

26

27

pkcs12 pfSense-XXXXX-UDP4-1196-XXXXX.p12

28

29

tls-auth pfSense-XXXXX-UDP4-1196-XXXXX-tls.key 1

30

31

remote-cert-tls server

32

33

compress

34

35

36

37

TLS

38

39

40

41

#

42

43

# 2048 bit OpenVPN static key

44

45

#

46

47

-----BEGIN OpenVPN Static key V1-----

48

49

9f6c8f7409558aa9f851a166cf7abb93

50

51

b6d1e9424afcd7f818ef98aea1ecf78d

52

53

........

54

55

-----END OpenVPN Static key V1-----

56

57

58

59

60

61

p12

62

63

64

65

*a lot of numbers*

66

67

[oconf]

68

69

70

71

72

1

dev tun

2

persist-tun

3

persist-key

4

cipher AES-128-CBC

5

ncp-ciphers AES-128-GCM

6

auth SHA256

7

tls-client

8

client

9

resolv-retry infinite

10

remote XX.XXX.XXXX.XXX udp

11

verify-x509-name "YYYYY" name

12

auth-user-pass

13

pkcs12 pfSense-XXXXX-UDP4-1196-XXXXX.p12

14

tls-auth pfSense-XXXXX-UDP4-1196-XXXXX-tls.key 1

15

remote-cert-tls server

16

compress

17

TLS

18

-----BEGIN OpenVPN Static key V1-----

19

9f6c8f7409558aa9f851a166cf7abb93

20

b6d1e9424afcd7f818ef98aea1ecf78d

21

........

22

-----END OpenVPN Static key V1-----

23

p12

24

*a lot of numbers*

25

[oconf]

[mdibella]

The format of the file is fully described in the URL above.

You need to create a similar file with the specific data from your implementation.

The top part of the file is the contents of your .ovpn...

Code: Select all

client
dev tun
proto udp
remote vpn.server.hostname 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
verb 3
key-direction 1

Code: Select all

<ca>
-----BEGIN CERTIFICATE-----
this part of the data is the Base64 encoded server authentication certificate's ROOT certificate
-----END CERTIFICATE-----
</ca>

Code: Select all

<cert>
-----BEGIN CERTIFICATE-----
this part of the data is the Base64 encoded client authentication certificate
-----END CERTIFICATE-----
</cert>

Code: Select all

<key>
-----BEGIN RSA PRIVATE KEY-----
this part of the data is the Base64 encoded client authentication certificate's KEY
-----END RSA PRIVATE KEY-----
</key>

Code: Select all

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
this part of the data is the Base64 encoded data from the .tls file
-----END OpenVPN Static key V1-----
</tls-auth>

to convert your .p12/.pfx file into usable text, you'll need to use openssl.exe:

Code: Select all

openssl.exe pkcs12 -in certificate.pfx -out cert-data.txt -nodes

[Emetah]

View OriginalClient config

1

2

3

dev tun

4

5

persist-tun

6

7

persist-key

8

9

cipher AES-128-CBC

10

11

ncp-ciphers AES-128-GCM

12

13

auth SHA256

14

15

tls-client

16

17

client

18

19

resolv-retry infinite

20

21

remote 62.77.63.228 1196 udp

22

23

auth-user-pass

24

25

remote-cert-tls server

26

27

compress

28

29

key-direction 1

30

31

32

33

Bag Attributes

34

35

localKeyID: 17 2D 54 8E ...

36

37

subject=...

38

39

issuer=...

40

41

<ca>

42

--STRIPPED INLINE CA CERT--

43

</ca>

44

45

Bag Attributes: <No Attributes>

46

47

subject=...

48

49

issuer=...

50

51

<cert>

52

--STRIPPED INLINE CERT--

53

</cert>

54

55

Bag Attributes

56

57

localKeyID: 17 2D 54 8E ...

58

59

Key Attributes: <No Attributes>

60

61

<key>

62

--STRIPPED INLINE KEY--

63

</key>

64

65

66

67

#

68

69

# 2048 bit OpenVPN static key

70

71

#

72

73

<tls-auth>

74

--STRIPPED INLINE TLS-AUTH KEY--

75

</tls-auth>

76

77

[oconf]

78

79

80

81

I setted It in this way and I get Error message: mbed TLS TLS: SSL read error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed.

82

83

84

1

dev tun

2

persist-tun

3

persist-key

4

cipher AES-128-CBC

5

ncp-ciphers AES-128-GCM

6

auth SHA256

7

tls-client

8

client

9

resolv-retry infinite

10

remote 62.77.63.228 1196 udp

11

auth-user-pass

12

remote-cert-tls server

13

compress

14

key-direction 1

15

Bag Attributes

16

localKeyID: 17 2D 54 8E ...

17

subject=...

18

issuer=...

19

<ca>

20

--STRIPPED INLINE CA CERT--

21

</ca>

22

Bag Attributes: <No Attributes>

23

subject=...

24

issuer=...

25

<cert>

26

--STRIPPED INLINE CERT--

27

</cert>

28

Bag Attributes

29

localKeyID: 17 2D 54 8E ...

30

Key Attributes: <No Attributes>

31

<key>

32

--STRIPPED INLINE KEY--

33

</key>

34

<tls-auth>

35

--STRIPPED INLINE TLS-AUTH KEY--

36

</tls-auth>

37

[oconf]

38

I setted It in this way and I get Error message: mbed TLS TLS: SSL read error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed.

[mdibella]

Remove the Bag Attributes sections from the CA, cert, and key. You only what the BEGIN to END lines.

Also make sure when you export the PKCS12 to PEM format what you don't enter a key encrypt password. Only enter the decrypt password.

[TinCanTech]

@ mdibella - Thanks for writing this up.

@ Moderation, perhaps this thread could be a sticky ?