ta.key with sub CA

steveOV
OpenVpn Newbie
Posts: 14
Joined: Tue Oct 08, 2013 12:50 pm

ta.key with sub CA

Post by steveOV » Tue Oct 08, 2013 1:12 pm

Hello,

Nice to have OpenVPN on iPhone :) ...if I can make it work!

It seems I'm in quite a complex case.

On iOS 6.1.3, I succeeded in importing my .p12 file but I have problems with the ta.key file. :(

How can I deal with a ta.key including:

- 1 root CA
- 1 sub CA

???

If I keep ta.key in its original state, I get an error like "Incompatible format".
So I used this command:
# openssl pkcs12 -in 1stname.name.p12 -cacerts -nokeys -out caios.crt
and I got caios.crt with two certificates delimited by BEGIN ... END: root & sub CA.

What is the syntax to put both CAs in the .ovpn config file?

This syntax doesn't work:

<ca>
---BEGIN ...----- (root ca)
hihhkhkhhkj
...
---END ....----
---BEGIN ...----- (sub ca)
lkmg-ff-èr_ètiu,bgdg
...
---END ....----
</ca>

Is there any hope of finding a solution?

Thanks in advance,

Regards,

Steve.

Re: ta.key with sub CA

Post by steveOV » Wed Oct 09, 2013 12:41 pm

Hello,


If I put only the root CA in my client profile:

<ca>
---BEGIN ...----- (root ca)
hihhkhkhhkj
...
---END ....----
</ca>

I get a time-out: NETWORK_UNREACHABLE
How can I troubleshoot that?
Can I do a kind of "ping" or "traceroute" from my iPhone 4?

The log is:
----------------
2013-10-09 13:53:03 EVENT: [ERR]
2013-10-09 13:53:03 EVENT: DISCONNECT_PENDING
2013-10-09 13:53:35 ----- OpenVPN Start -----
2013-10-09 13:53:35 LZO-ASYM init swap=0 asym=0
2013-10-09 13:53:35 EVENT: RESOLVE
2013-10-09 13:53:36 Contacting 178.x.y.z:1194 via UDP
2013-10-09 13:53:36 EVENT: WAIT
2013-10-09 13:53:36 Connecting to ovpn6.xyz.com:1194 (178.x.y.z) via UDPv4
2013-10-09 13:53:45 Server poll timeout, trying next remote entry...
2013-10-09 13:53:45 EVENT: RECONNECTING
2013-10-09 13:53:45 LZO-ASYM init swap=0 asym=0
2013-10-09 13:53:45 EVENT: RESOLVE
2013-10-09 13:53:46 Contacting 178.x.y.z:1194 via UDP
2013-10-09 13:53:46 EVENT: WAIT
2013-10-09 13:53:46 Connecting to ovpn8.xyz.com:1194 (178.x.y.z) via UDPv4
2013-10-09 13:53:55 Server poll timeout, trying next remote entry...
2013-10-09 13:53:55 EVENT: RECONNECTING
2013-10-09 13:53:55 LZO-ASYM init swap=0 asym=0
2013-10-09 13:53:55 EVENT: RESOLVE
2013-10-09 13:53:56 Contacting 178.x.y.z:1194 via UDP
2013-10-09 13:53:56 EVENT: WAIT
2013-10-09 13:53:56 Connecting to ovpn7.xyz.com:1194 (178.x.y.z) via UDPv4
2013-10-09 13:54:05 Server poll timeout, trying next remote entry...
2013-10-09 13:54:05 EVENT: RECONNECTING
2013-10-09 13:54:05 LZO-ASYM init swap=0 asym=0
2013-10-09 13:54:05 EVENT: RESOLVE
2013-10-09 13:54:06 Contacting 178.x.y.z:1194 via UDP
2013-10-09 13:54:06 EVENT: WAIT
2013-10-09 13:54:06 Connecting to ovpn5.xyz.com:1194 (178.x.y.z) via UDPv4
2013-10-09 13:54:15 Server poll timeout, trying next remote entry...
2013-10-09 13:54:15 EVENT: RECONNECTING
2013-10-09 13:54:15 LZO-ASYM init swap=0 asym=0
2013-10-09 13:54:15 EVENT: RESOLVE
2013-10-09 13:54:16 Contacting 178.x.y.z:1194 via UDP
2013-10-09 13:54:16 EVENT: WAIT
2013-10-09 13:54:16 Connecting to ovpn9.xyz.com:1194 (178.x.y.z) via UDPv4
2013-10-09 13:54:25 Server poll timeout, trying next remote entry...
2013-10-09 13:54:25 EVENT: RECONNECTING
2013-10-09 13:54:25 LZO-ASYM init swap=0 asym=0
2013-10-09 13:54:25 EVENT: RESOLVE
2013-10-09 13:54:26 Contacting 178.x.y.z:1194 via UDP
2013-10-09 13:54:26 EVENT: WAIT
2013-10-09 13:54:26 Connecting to ovpn10.xyz.com:1194 (178.x.y.z) via UDPv4
2013-10-09 13:54:35 EVENT: CONNECTION_TIMEOUT [ERR]
2013-10-09 13:54:35 EVENT: DISCONNECTED
2013-10-09 13:54:35 Raw stats on disconnect:
BYTES_OUT : 420
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
N_RECONNECT : 5
2013-10-09 13:54:35 Performance stats on disconnect:
CPU usage (microseconds): 130201
Network bytes per CPU second: 3225
Tunnel bytes per CPU second: 0
2013-10-09 13:54:35 ----- OpenVPN Stop -----
2013-10-09 13:54:35 EVENT: DISCONNECT_PENDING

------------------

Regards,

Steve.

Re: ta.key with sub CA

Post by steveOV » Thu Oct 10, 2013 10:48 am

Hello!

Thanks for all these answers! =)

Perhaps some information is missing to understand my problem... :mrgreen:

client.ovpn

port 1194
proto udp
dev tun
pkcs12 "1stname.name.p12"
pull
comp-lzo
status openvpn-status.log
verb 5
remote ovpn1.xyz.com 
remote ovpn2.xyz.com 
remote ovpn3.xyz.com 
remote ovpn4.xyz.com 
remote ovpn5.xyz.com 
remote ovpn6.xyz.com 
remote ovpn7.xyz.com 
remote ovpn8.xyz.com 
remote ovpn9.xyz.com 
remote ovpn10.xyz.com 
remote-random
resolv-retry 60
tls-client
nobind
#ns-cert-type server
tls-auth "ta.key" 1
explicit-exit-notify
resolv-retry infinite
script-security 1
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

Last test

From iPhone 4 with iOS 6.1 on a public 3G network.

Many times:
...Looking up DNS name
...Waiting for server

and at last:
...Connection timeout

Log file
2013-10-10 12:18:51 ----- OpenVPN Start -----
2013-10-10 12:18:51 LZO-ASYM init swap=0 asym=0
2013-10-10 12:18:51 EVENT: RESOLVE
2013-10-10 12:18:53 Contacting 178.x.y.z:1194 via UDP
2013-10-10 12:18:53 EVENT: WAIT
2013-10-10 12:18:53 Connecting to ovpn5.xyz.com:1194 (178.x.y.z) via UDPv4
2013-10-10 12:19:01 Server poll timeout, trying next remote entry...
2013-10-10 12:19:01 EVENT: RECONNECTING
2013-10-10 12:19:01 LZO-ASYM init swap=0 asym=0
2013-10-10 12:19:01 EVENT: RESOLVE
2013-10-10 12:19:02 Contacting 178.x.y.z:1194 via UDP
2013-10-10 12:19:02 EVENT: WAIT
2013-10-10 12:19:02 Connecting to ovpn7.xyz.com:1194 (178.x.y.z) via UDPv4
2013-10-10 12:19:11 Server poll timeout, trying next remote entry...
2013-10-10 12:19:11 EVENT: RECONNECTING
2013-10-10 12:19:11 LZO-ASYM init swap=0 asym=0
2013-10-10 12:19:11 EVENT: RESOLVE
2013-10-10 12:19:12 Contacting 178.x.y.z:1194 via UDP
2013-10-10 12:19:12 EVENT: WAIT
2013-10-10 12:19:12 Connecting to ovpn6.xyz.com:1194 (178.x.y.z) via UDPv4
2013-10-10 12:19:21 Server poll timeout, trying next remote entry...
2013-10-10 12:19:21 EVENT: RECONNECTING
2013-10-10 12:19:21 LZO-ASYM init swap=0 asym=0
2013-10-10 12:19:21 EVENT: RESOLVE
2013-10-10 12:19:22 Contacting 178.x.y.z:1194 via UDP
2013-10-10 12:19:22 EVENT: WAIT
2013-10-10 12:19:22 Connecting to ovpn8.xyz.com:1194 (178.x.y.z) via UDPv4
2013-10-10 12:19:31 Server poll timeout, trying next remote entry...
2013-10-10 12:19:31 EVENT: RECONNECTING
2013-10-10 12:19:31 LZO-ASYM init swap=0 asym=0
2013-10-10 12:19:31 EVENT: RESOLVE
2013-10-10 12:19:32 Contacting 178.x.y.z:1194 via UDP
2013-10-10 12:19:32 EVENT: WAIT
2013-10-10 12:19:32 Connecting to ovpn9.xyz.com:1194 (178.x.y.z) via UDPv4
2013-10-10 12:19:41 Server poll timeout, trying next remote entry...
2013-10-10 12:19:41 EVENT: RECONNECTING
2013-10-10 12:19:41 LZO-ASYM init swap=0 asym=0
2013-10-10 12:19:41 EVENT: RESOLVE
2013-10-10 12:19:42 Contacting 178.x.y.z:1194 via UDP
2013-10-10 12:19:42 EVENT: WAIT
2013-10-10 12:19:42 Connecting to ovpn10.xyz.com:1194 (178.x.y.z) via UDPv4
2013-10-10 12:19:51 EVENT: CONNECTION_TIMEOUT [ERR]
2013-10-10 12:19:51 EVENT: DISCONNECTED
2013-10-10 12:19:51 Raw stats on disconnect:
BYTES_OUT : 420
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
N_RECONNECT : 5
2013-10-10 12:19:51 Performance stats on disconnect:
CPU usage (microseconds): 134767
Network bytes per CPU second: 3116
Tunnel bytes per CPU second: 0
2013-10-10 12:19:51 ----- OpenVPN Stop -----
2013-10-10 12:19:51 EVENT: DISCONNECT_PENDING

NB: I can use this VPN without any problem from a PC or an Android tablet.

Do you need more information?

Regards,

Steve

Re: ta.key with sub CA

Post by steveOV » Thu Oct 10, 2013 10:54 am

Last thing.
The same IP address 178.x.y.z is present in the log for each OpenVPN server (1 to 10).
Is that normal?

Regards,

Steve.

Re: ta.key with sub CA

Post by steveOV » Fri Oct 11, 2013 8:27 am

Hello,

FYI, I have the same problem when using Wi-Fi with a different telco than the 3G telco.

I read on forums that it could be a filter set by the telco, but I don't think so since OpenVPN works with my Android tablet over a Wi-Fi or 3G connection.

Regards,

Steve.

Re: ta.key with sub CA

Post by steveOV » Tue Oct 15, 2013 2:13 pm

Hello !

Well, well, I have the impression of shouting in the desert. :roll:

I found a helpful app, "iNetTools", to analyse network problems.

Traceroute fails to reach the OpenVPN server.

If "iNetTools" is reliable, it seems to be a network problem rather than a configuration problem with my profile in the client.ovpn file or a certificate problem?

Any idea???

Thanks,

Regards,

Steve.

Re: ta.key with sub CA

Post by steveOV » Fri Oct 18, 2013 5:54 pm

Eureka! :idea:

This "little jewel" is working for me :D on iPhone 4 (iOS 6.1) with Wi-Fi and 3G, after spending hours investigating, alas alone :(!
Now I have secure access to remote servers via "X2 RDP Client", for example to restart a broken service or do other small tasks that don't need a large screen.

Since I'm not resentful ;), I share MY solution, not THE universal solution, hoping it can help.
Tell me if it's working for you... or not!

As I read somewhere, the secret is to get rid of the .p12 keychain file and to put all its content in the client.ovpn file.
Perhaps not very neat, but it works!
Use a client.ovpn file that works fine on PC.
All references to external files (.p12, .key) have to be disabled.
At the beginning, I tried to keep the keys inside the .p12 file, but it was a mistake.

Now it's working, but I have to type my private key password each time I start the VPN.
It's possible to save it, but it's less secure unless you have a strong password to unlock your iPhone/iPad.
In fact, in my case, it's not a problem since I have to log on to remote servers with specific credentials.

:evil: Will it be possible, one day, to use .p12 and ta.key without such a "little do it yourself" :?:

In any case, thanks for "OpenVPN Connect" for iOS, it's a good job!

So here is my winning profile: :)

# Validated profile sample for "OpenVPN Connect" (v.2013/9/23) on "iPhone 4" (iOS 6.1)
port 1194
proto udp
dev tun

# pkcs12 "firstname.name.p12"
# No longer used since all its content is put in this .ovpn file

pull
comp-lzo
status openvpn-status.log
verb 5

# Random failover between 10 OpenVPN servers, that's HA !
remote ovpn1.xyz.com
remote ovpn2.xyz.com
remote ovpn3.xyz.com
remote ovpn4.xyz.com
remote ovpn5.xyz.com
remote ovpn6.xyz.com
remote ovpn7.xyz.com
remote ovpn8.xyz.com
remote ovpn9.xyz.com
remote ovpn10.xyz.com
remote-random
resolv-retry 60
tls-client
nobind

#ns-cert-type server

explicit-exit-notify
resolv-retry infinite

script-security 1

# Beginning of pasted content of "firstname.name.p12"
# between the right tags

# Easy! "key" tag for "PRIVATE KEY"

<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC, ...

DFGghTrgV
.....
DdfGhtGd==
-----END RSA PRIVATE KEY-----
</key>


# Certificate whose "header" has friendlyName: firstname.name

<cert>
-----BEGIN CERTIFICATE-----
dFGErtHRh
...
feGREGevef
-----END CERTIFICATE-----
</cert>

 

# Certificate whose "header" has friendlyName: rootCA

<ca>
-----BEGIN CERTIFICATE-----
KlbvDes
...
wEBytK==
-----END CERTIFICATE-----
</ca>

# Certificate whose "header" has friendlyName: SubCA1

<ca>
-----BEGIN CERTIFICATE-----
MIErYD
...
4nkQ==
-----END CERTIFICATE-----
</ca>

#tls-auth ta.key 1
# No longer used since the ta.key content
# is put in this file instead of using the external file ta.key

key-direction 1

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
sdDfFgtrj
...
jrghOKdvDrv
-----END OpenVPN Static key V1-----
</tls-auth>

Regards,

Steve.

Re: ta.key with sub CA

Post by steveOV » Fri Oct 18, 2013 8:31 pm

Ooooops!
Can't edit my previous post.

Just a few additional bits of info to understand the story...

:ugeek: At the beginning were dinosaurs... hum, not here... :)

At the beginning were 3 files provided by the VPN service provider, working fine on PC (Windows & Linux):

- client.ovpn: the config file of the client's profile
- firstname.lastname.p12: my personal information (key, certificates...) protected by a password I use to access the VPN
- ta.key: including 2 certificates, root and sub-CA

Now, on the iPhone, I only have the "client.ovpn" file, which includes the content of the 2 other files.

To extract info from the encoded keychain "firstname.name.p12", if I remember correctly, I used this command:

openssl pkcs12 -in firstname.name.p12 -out p12_kchain.pem

I was asked for my password several times.

"p12_kchain.pem" is generated in a readable text format, so the private key and certificates can be copied and pasted into the "client.ovpn" file.

/!\ Warning: keep your private key secret /!\

No transcoding was used for "ta.key". I pasted it 'as is' into "client.ovpn".

I hope it's more understandable...

Don't hesitate to leave questions & comments.

Regards,

Steve.

firefedot
OpenVpn Newbie
Posts: 13
Joined: Fri Oct 18, 2013 8:12 am

Re: ta.key with sub CA

Post by firefedot » Sat Oct 19, 2013 7:33 pm

steveOV wrote:
"p12_kchain.pem" is generated in a readable text format so private key and certificates can be copied and pasted into "client.ovpn" file.
Tell me, under which tag should I insert the data from "p12_kchain.pem"?

Re: ta.key with sub CA

Post by steveOV » Sat Oct 19, 2013 8:22 pm

Hi!

Whaooo! Two people alive on this forum! =)

Try to put the base64 content of your .p12 file between <pkcs12> and </pkcs12> tags in your client.ovpn file.
I have not tested this solution yet, but it should work according to the OpenVPN documentation.
https://community.openvpn.net/openvpn/w ... n23ManPage
=> search in this doc page for "INLINE FILE SUPPORT"

If it's not OK, see my comments in the validated sample above to identify what to paste between each tag (<cert>, <key>, <ca>).

I'll try the <pkcs12> solution tonight, if I don't fall asleep (I have a bad f*ck!ng cold!).

Regards,

Steve.

Re: ta.key with sub CA

Post by steveOV » Sat Oct 19, 2013 10:53 pm

Hi!

Aaaargh! It makes me crazy!

The <pkcs12> tag doesn't help.

But I've discovered another working solution.

Import the .p12 keychain into the iPhone

- send myself the original binary .p12 file by secured email (SMTPS)
- import the .p12 file into the iPhone; it is recognized as a certificate
- enter the password protecting my private key
- warning: certificate "not reliable" (not validated by an official authority)
=> I ignore this warning because I know the "non-official authority" very well ;)

In the client.ovpn file

- put inline the 2 certificates extracted from the .p12 (root CA and sub CA), else error "ca certificate is undefined" (bug?)
(<key> and <cert> info don't need to be inline because they're in the imported .p12 keychain)
- put inline the original "ta.key" file (or "ca.key")

User interface

- send myself the client.ovpn file by secured email (SMTPS)
- in the email, tap it to create a new entry in the OpenVPN app, tap (+)
- choose a certificate (the one that has been imported!)
- no password required (because already entered to import the certificate)
- connect! (for me, it takes from 6 sec. to 17 sec.) :D

In my case, the minimum inline tags required in client.ovpn are:

<ca>
-----BEGIN CERTIFICATE-----
... Root CA content from .p12 file ....
-----END CERTIFICATE-----
</ca>
<ca>
-----BEGIN CERTIFICATE-----
... Sub CA content from .p12 file ...
-----END CERTIFICATE-----
</ca>


#tls-auth ta.key 1
key-direction 1

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
... "ta.key" content ...
-----END OpenVPN Static key V1-----
</tls-auth>

Good luck!

Now, I'm going to try to sleep...

Steve.

Re: ta.key with sub CA

Post by firefedot » Sun Oct 20, 2013 3:39 am

Thanks for the reply and help) I'm going to try to make it work. Good night)))

Re: ta.key with sub CA

Post by firefedot » Mon Oct 21, 2013 3:02 pm

In general, something went wrong)
In the .p12 file there are no lines for certificates, and everything is base64 without tags.
That is, in the ios.p12 file there is nothing like
<ca>
-----BEGIN CERTIFICATE-----
... Root CA content from .p12 file ....
-----END CERTIFICATE-----
</ca>
<ca>
-----BEGIN CERTIFICATE-----
... Sub CA content from .p12 file ...
-----END CERTIFICATE-----
</ca>

there it's abracadabra)
Maybe convert everything to .pem... but I haven't found a solution there either.
I'm somewhat confused.
Have you tried using the .p12 and its equivalents to connect; does it work normally for you? )

Thanks and sorry to trouble you) my head is spinning already)

Re: ta.key with sub CA

Post by firefedot » Mon Oct 21, 2013 5:43 pm

I do not have this in the .p12 file:
# Certificate with in its "header": friendlyName: firstname.name

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

# Certificate with in its "header": friendlyName: rootCA

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

# Certificate with in its "header" : friendlyName: SubCA1

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
I have only this now:
Bag Attributes
friendlyName: ios
localKeyID: 53 E8 5D E7 B7 06 79 8E 32 D4 DC CD CC 30 F1 9B CE E0 64 30
subject=/C=RU/ST=SAM/L=SAM/O=AP/CN=ios/name=ios/emailAddress=ios@ap.net
issuer=/C=RU/ST=SAM/L=SAM/O=AP/OU=ITDPT/CN=AP CA/name=AP/emailAddress=netmaster@ap.net
-----BEGIN CERTIFICATE-----
MIIEyDC
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=RU/ST=SAM/L=SAM/O=AP/OU=ITDPT/CN=AP CA/name=AP/emailAddress=netmaster@ap.net
issuer=/C=RU/ST=SAM/L=SAM/O=AP/OU=ITDPT/CN=AP CA/name=AP/emailAddress=netmaster@ap.net
-----BEGIN CERTIFICATE-----
MIIEmzC
-----END CERTIFICATE-----
Bag Attributes
friendlyName: ios
localKeyID: 53 E8 5D E7 B7 06 79 8E 32 D4 DC CD CC 30 F1 9B CE E0 64 30
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0DEAAC1D236B2381

n6zQb1
-----END RSA PRIVATE KEY-----
I cannot understand where that is) where are ca and cert?

Re: ta.key with sub CA

Post by steveOV » Mon Oct 21, 2013 8:20 pm

Hi!

It's actually a nightmare to find the right solution! :twisted:
There are so many different config files, parameters, formats... :roll:

My original personal "firstname.name.p12" file is in a binary format, totally unreadable if I try to open it in a text editor.

So, to extract from the .p12 file the certificates that I put inline into client.ovpn, I did:
openssl pkcs12 -in firstname.name.p12 -cacerts -nokeys -out caios.crt
Then I found 2 certificates (---BEGIN CERTIFICATE---- .... ---END CERTIFICATE---) that I copied/pasted into my client.ovpn.
(The first friendly name is "Root CA" and the second is "Sub CA1".)

What exactly do you get in the "caios.crt" file if you type the same command?

Regards,

Steve.
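Steve's extraction step (dump the .p12 with openssl pkcs12) and firefedot's question of which dumped certificate belongs under <ca> and which under <cert>, as an added Python example; this is not code from the thread or from OpenVPN, and it works on the text openssl prints (the subject=/issuer= lines above each BEGIN block), not on the binary .p12. It writes all CA certificates into a single <ca> block, the concatenated-bundle form the --ca option documents, where Steve's profile uses one <ca> block per certificate; the sample bundle is constructed with placeholder base64.

```python
"""Build inline <ca>/<cert>/<key>/<tls-auth> sections from the PEM text that
`openssl pkcs12 -in file.p12 -out all.pem` prints (added example, not the thread's code)."""
import re
from dataclasses import dataclass

BEGIN = re.compile(r"^-----BEGIN ([A-Za-z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Za-z0-9 ]+)-----$")
STATIC_KEY = "OpenVPN Static key V1"

@dataclass
class PemObject:
    label: str          # "CERTIFICATE", "RSA PRIVATE KEY", "OpenVPN Static key V1", ...
    body: str           # text from the BEGIN line to the END line, inclusive
    subject: str = ""   # openssl's "subject=" hint line (certificates only)
    issuer: str = ""    # openssl's "issuer=" hint line (certificates only)

def parse_pem_bundle(text):
    """Split a PEM bundle; Bag/Key Attributes lines are dropped, Proc-Type/DEK-Info stay."""
    objs, cur, subject, issuer = [], None, "", ""
    for line in (raw.strip() for raw in text.splitlines()):
        if cur is None:                  # between blocks: collect hints, look for BEGIN
            if line.startswith("subject="):
                subject = line[len("subject="):]
            elif line.startswith("issuer="):
                issuer = line[len("issuer="):]
            elif BEGIN.match(line):
                cur = PemObject(BEGIN.match(line).group(1), line + "\n", subject, issuer)
            continue
        cur.body += line + "\n"          # inside a block: keep everything up to END
        if END.match(line):
            objs.append(cur)
            cur, subject, issuer = None, "", ""
    if cur is not None:
        raise ValueError("unterminated PEM block: " + cur.label)
    return objs

def split_certs(objs):
    """Return (client_cert, ca_certs). A cert whose subject issued some cert in the bundle
    (itself, for a self-signed root) is a CA; the single remaining cert is the client's."""
    certs = [o for o in objs if o.label == "CERTIFICATE"]
    issuers = {c.issuer for c in certs}
    cas = [c for c in certs if c.subject in issuers]
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected one client cert, found %d (hint lines present?)" % len(leaves))
    return leaves[0], cas

def inline_sections(p12_pem, ta_key_text, key_direction=1):
    """All CA certs go into one <ca> block (the concatenated-bundle form --ca accepts);
    comments above ta.key's BEGIN marker are dropped; anything but one static key is rejected."""
    objs = parse_pem_bundle(p12_pem)
    leaf, cas = split_certs(objs)
    keys = [o for o in objs if o.label.endswith("PRIVATE KEY")]
    ta = parse_pem_bundle(ta_key_text)
    if len(keys) != 1 or not cas or len(ta) != 1 or ta[0].label != STATIC_KEY:
        raise ValueError("need one private key, >=1 CA cert and one %s" % STATIC_KEY)
    body = lambda o: o.body.rstrip("\n")
    parts = ["<ca>", *map(body, cas), "</ca>", "<cert>", body(leaf), "</cert>",
             "<key>", body(keys[0]), "</key>", "key-direction %d" % key_direction,
             "<tls-auth>", body(ta[0]), "</tls-auth>"]
    return "\n".join(parts) + "\n"

def _cert(friendly, subject, issuer, b64):   # one constructed openssl-style certificate entry
    return ("Bag Attributes\n    friendlyName: %s\nsubject=%s\nissuer=%s\n"
            "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (friendly, subject, issuer, b64))

# Constructed sample in the shape of the openssl output above; base64 bodies are placeholders.
SAMPLE_P12_PEM = (
    _cert("rootCA", "/O=Example/CN=Root CA", "/O=Example/CN=Root CA", "ROOTCA00==")
    + _cert("SubCA1", "/O=Example/CN=Sub CA1", "/O=Example/CN=Root CA", "SUBCA100==")
    + _cert("firstname.name", "/O=Example/CN=firstname.name", "/O=Example/CN=Sub CA1", "CLIENT00==")
    + "Key Attributes: <No Attributes>\n-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123\n\nKEYBODY00==\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_TA_KEY = ("#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n"
                 "f22000\n-----END OpenVPN Static key V1-----\n")
```

Paste the string inline_sections() returns at the end of a profile that still has the pkcs12, tls-auth and ca directives commented out, as in Steve's validated sample.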

Re: ta.key with sub CA

Post by firefedot » Tue Oct 22, 2013 5:25 am

After
openssl pkcs12 -in ios.p12 -cacerts -nokeys -out caios.crt

I have only one certificate inside.

Here are the contents of my caios.crt file:
Bag Attributes: <No Attributes>
subject=/C=RU/ST=SAM/L=SAM/O=AP/OU=ITDPT/CN=AP CA/name=AP/emailAddress=netmaster@ap.net
issuer=/C=RU/ST=SAM/L=SAM/O=AP/OU=ITDPT/CN=AP CA/name=AP/emailAddress=netmaster@ap.net
-----BEGIN CERTIFICATE-----
MIIEmz
....
sPbFRj
-----END CERTIFICATE-----

Can it not be done, or are my hands crooked?))))

Re: ta.key with sub CA

Post by steveOV » Tue Oct 22, 2013 9:26 pm

Hi!

It's difficult to help you more since you don't have exactly the same configuration as mine.

Let's try to summarize...

What config & security files do you have?

- ios.p12
- client.ovpn
- ca.key or ta.key ?
- others ?
...

I would try:

- delete the .p12 from your device
- re-import the .p12 into your device (password required)
- add to the .ovpn file the certificate you got in your previous post
According to what I read, OpenVPN for iOS is able to read all the info in ios.p12 except this certificate (2 certificates in my case). So you have to put it 'inline' in the client.ovpn file.

<ca>
-----BEGIN CERTIFICATE-----
MIIEmz
....
sPbFRj
-----END CERTIFICATE-----
</ca>
- add to the .ovpn file:
key-direction 1
- add to the .ovpn file the content of your "ta.key" or "ca.key"
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
... "ta.key" or "ca.key" content ...
-----END OpenVPN Static key V1-----
</tls-auth>

Good luck and go ahead! ;)

Regards,

Steve.

Re: ta.key with sub CA

Post by firefedot » Wed Oct 23, 2013 5:53 am

Totals. So, results))))
My files:
ios.p12
ios_b64.p12
clientios-64.ovpn
ios_kchain.pem
dh2048.pem
ios.key
ta.key
ca.key
ca.crt
ios.crt
Some of the files are in the ios.p12 container.
After long attempts and permutations) I got 15 seconds on "Connect to Server"))) but really it certainly did not help)
Setting up OpenVPN on iOS is not a nightmare. It is... pizdec) (in Russian))))

Re: ta.key with sub CA

Post by steveOV » Wed Oct 23, 2013 7:06 pm

Hi!

Since you want to connect to your own server, you can try to simplify things by using a minimum of security & config files.

You can try to follow my example...

I can connect to a server that is not mine with only 3 files got from the OpenVPN server provider:

- firstname.name.p12: a binary file (unreadable with a text editor). Sorry, I don't know how it was generated since it was created by the VPN provider.
It contains: the private key, the private certificate (friendly name=firstname.name), 2 certificates (Root & Sub CA).
I had to extract the 2 Root & Sub certificates (only 1 in your case) but the original .p12 is not modified:

openssl pkcs12 -in ios.p12 -cacerts -nokeys -out caios.crt

I have imported my .p12 into the iPhone in its original binary format (sent to myself by secured email).

- ta.key: contains the static key

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
f22...
...
...6d7
-----END OpenVPN Static key V1-----

Everything between BEGIN and END is in base64 format.

- client.ovpn
I created 3 tag sections and copied/pasted the certificates.
In your case you will have only 2 tag sections, <ca> and <tls-auth>.

# Try 1st to use standard port and protocol
port 1194
proto udp
dev tun

pull
tls-client
nobind

comp-lzo
status openvpn-status.log
verb 3

# For you, only 1 remote server
remote ovpn1.xyz.com
remote ovpn2.xyz.com
remote ovpn3.xyz.com
remote ovpn4.xyz.com
remote ovpn5.xyz.com
remote ovpn6.xyz.com
remote ovpn7.xyz.com
remote ovpn8.xyz.com
remote ovpn9.xyz.com
remote ovpn10.xyz.com
remote-random

resolv-retry 60

explicit-exit-notify

script-security 1

# The 2 certificates extracted from the .p12 file
# For you, only one certificate to copy/paste
<ca>
-----BEGIN CERTIFICATE-----
MIIG...
...
...BKPQ==
-----END CERTIFICATE-----
</ca>
<ca>
-----BEGIN CERTIFICATE-----
MIIG...
...
...4nkQ==
-----END CERTIFICATE-----
</ca>


#tls-auth ta.key 1

key-direction 1

# ta.key content
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
f22...
...
..6d7
-----END OpenVPN Static key V1-----
</tls-auth>

Sorry, I can't help you more because I don't know how the VPN provider generated my files.

But I'm not alone on this forum!

Where are the experts :?: :shock:

Regards,

Steve.

Re: ta.key with sub CA

Post by firefedot » Thu Oct 24, 2013 3:45 am

Thank you)) I will try again and again)))
