Setting up VPN on demand for IOS 7.0.4

Official client software for OpenVPN Access Server and OpenVPN Cloud.
IdeCable
OpenVpn Newbie
Posts: 1
Joined: Fri Jan 17, 2014 10:34 pm

Setting up VPN on demand for IOS 7.0.4

Post by IdeCable » Fri Jan 17, 2014 11:16 pm

Hello everyone,

I have recently setup an OpenVPN Access Server and purchased a 10 user license. Works great for my desktop needs. :)

I've been trying to get VPN On Demand working on IOS with a vpn user enabled for Auto Connect.

In iPhone Configuration Utility, I created my certificate credential in the following way:


cd /usr/local/openvpn_as/scripts
./sacli -a openvpn -o /root/exportedFiles/ --cn user_AUTOLOGIN get5

And then created my pkcs12 file with:

openssl pkcs12 -export -in client.crt -inkey client.key -out clientUser.p12

I then took my clientUser.p12, installed it in Windows, and was then able to get the .p12 certificate credential installed.

I am using net.openvpn.OpenVPN-Connect.vpnplugin identifier using the "Custom SSL" Connection Type.

In my Custom Data:

dev tun
port 943
proto tcp
remote myprivateserver 943
verb 3


for the "ca", I took my ca.crt file and removed all the spaces, making one long

-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----

I get no error when installing the profile on my iPhone.

As I try to open the VPN connection, in my logs it shows:

vpnagent[804] <Error>: LOG: ----- OpenVPN Start (iOS 32-bit) -----
vpnagent[804] <Error>: LOG: Keychain Cert Extraction: 1 certificate(s) found
vpnagent[804] <Error>: OpenVPNCoreThread error: option_error: option 'ca' (4) must have exactly one parameter
vpnagent[804] <Error>: LOG: EVENT: CORE_ERROR option_error: option 'ca' (4) must have exactly one parameter [ERR]

Has anyone seen this error before?

aMakUzr
OpenVpn Newbie
Posts: 4
Joined: Wed Jan 22, 2014 9:59 am

Re: Setting up VPN on demand for IOS 7.0.4

Post by aMakUzr » Wed Jan 22, 2014 10:12 am

I'm having the same issue. I was using the info at
http://simonguest.com/2013/03/22/on-dem ... n-for-ios/
but the suggested strategy (and many other attempts) didn't work for me.

I posted a comment detailing my issue and what I've tried.

Obviously, would really like to get this working and publish a nice article so others can get on-demand "send all data through my site/firewall via VPN" working with either IPSec and/or OpenVPN.

Anyone have any insight?

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: Setting up VPN on demand for IOS 7.0.4

Post by jamesyonan » Fri Jan 24, 2014 7:28 am

IdeCable wrote: for the "ca", I took my ca.crt file and removed all the spaces, making one long
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
I get no error when installing the profile on my iPhone.

Don't remove any spaces. But replace all of the line breaks with \n.

In iPhone configuration utility, the custom data section should look like this:
[attachment: custom-data.png]
The value of ca looks like this (with midsection omitted):

-----BEGIN CERTIFICATE-----\nMIIBuzCCASSgAw...IBAgIBEXykgnAZvdNR\n-----END CERTIFICATE-----\n
James

aMakUzr
OpenVpn Newbie
Posts: 4
Joined: Wed Jan 22, 2014 9:59 am

Re: Setting up VPN on demand for IOS 7.0.4

Post by aMakUzr » Sun Jan 26, 2014 9:19 am

jamesyonan wrote: The value of ca looks like this (with midsection omitted):
...
Thank you very much for taking the time to straighten me out. I knew it was likely a "hardware problem" -- you know, "a nut loose on my keyboard" ... and it was.

I saw the "... replace all of the newline/carriage returns with \n." in the other article and my brain translated \n (not enclosed in double quotes) to mean the newline character. OK, so being a programmer, that's sort of natural -- but I don't know why I never thought of trying "\n" inserted in the literal sense. [Yes, it _is_ difficult working with one's head in _that_ position.]

Given the dismal state of most documentation that I've experienced over the years, I'm "one of those" who normally reads the app's docs last. Of course, in this case, not only is the OpenVPN iOS app's "Help" and "More help" very well done, but it also covers this exact issue in a way that I would have understood it correctly. Shame on me.

Anyway, thanks again. I have things pretty much working the way I want them (modulo the iOS 7 bug of things getting hosed when you turn off WiFi, which is supposed to be fixed in iOS 7.1 _and_ the fact that some of the on-demand rules are not triggered properly -- I'll be filing a bug report). When I've completed some more testing, I'll publish an article in the hope that some of it will be useful to others.

pfremm
OpenVpn Newbie
Posts: 2
Joined: Sat Jan 25, 2014 2:23 am

Re: Setting up VPN on demand for IOS 7.0.4

Post by pfremm » Mon Feb 03, 2014 8:11 pm

Do you have a link to the bug report or anything describing the iOS 7 on-demand vpn issue? I am experiencing some sporadic issues with on demand vpn in iOS 7 and am curious if it's the issue you are talking about.

pfremm
OpenVpn Newbie
Posts: 2
Joined: Sat Jan 25, 2014 2:23 am

Re: Setting up VPN on demand for IOS 7.0.4

Post by pfremm » Wed Feb 05, 2014 10:44 pm

It definitely has something to do with connecting and dropping wifi signal when available. Turned off wifi and issue goes away.

aMakUzr
OpenVpn Newbie
Posts: 4
Joined: Wed Jan 22, 2014 9:59 am

Re: Setting up VPN on demand for IOS 7.0.4

Post by aMakUzr » Thu Mar 20, 2014 12:04 am

I've put up an article that I hope will help others:

see Setting Up an iOS 7 On-Demand VPN

sugxgus
OpenVpn Newbie
Posts: 2
Joined: Fri Apr 04, 2014 5:17 pm

Re: Setting up VPN on demand for IOS 7.0.4

Post by sugxgus » Fri Apr 04, 2014 5:24 pm

Hello

This is my openvpn.ovpn:

dev tun
tls-client
remote MyServer 1194
pull
proto udp
script-security 2
ca ca.crt
comp-lzo
reneg-sec 0
auth-user-pass
And here is my custom data:

dev = tun
tls-client = NOARGS
remote = MyServer 1194
pull = NOARGS
proto = udp
script-security = 2
ca = -----BEGIN CERTIFICATE-----\nAXE.......WZB\n-----END CERTIFICATE-----\n
comp-lzo = NOARGS
reneg-sec = 0
auth-user-pass = NOARGS
But it's not running on my iPhone with iOS 7.1.

I hope I find help here and find the problem.

Thank you very much

regards
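The two conventions this thread turns on, James Yonan's flattening of the CA (keep every character, turn each line break into the literal two-character sequence backslash-n) and the key = value / NOARGS mapping visible in sugxgus's custom data, are small enough to mechanise. The script below is an added example for this thread, not OpenVPN Inc.'s code or tooling. It converts a .ovpn profile with an inline <ca> block into the custom-data mapping, and adds the pre-flight checks a practitioner wants before pushing a profile: the flattened value contains no raw newline, and it turns back into a PEM whose header, footer and base64 body are intact (the "removed all the spaces" variant from the first post fails that check). The sample profile and the certificate body are constructed placeholders, not a real certificate, and the dhcp-option line is an assumption that the first-word-is-the-key rule applies to multi-word directives too; the thread does not confirm that.

```python
"""Turn an OpenVPN .ovpn profile into the key/value 'custom data' used for
the OpenVPN Connect payload of an iOS .mobileconfig.

Added example for this thread; it is not code from OpenVPN Inc. The rules
are the ones visible in the posts above: the first word of a directive is
the key, the rest of the line is the value, a directive with no arguments
gets the value NOARGS, and the CA is inlined with each line break replaced
by the two characters backslash and n (no spaces removed).
"""
import base64
import re

# Constructed placeholder body: base64 of a few DER-looking bytes
# (0x30 0x82 = ASN.1 SEQUENCE, long form). Not a real certificate.
FAKE_DER = b"\x30\x82\x00\x08" + bytes(range(8))
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()   # ends with "\n"
    + "-----END CERTIFICATE-----\n"
)

# Constructed sample profile modelled on the one posted by sugxgus, with the
# CA inlined instead of 'ca ca.crt'. The dhcp-option line is an assumption:
# the thread does not confirm how multi-word directives are keyed.
SAMPLE_OVPN = f"""dev tun
tls-client
remote MyServer 1194
pull
proto udp
script-security 2
<ca>
{FAKE_PEM}</ca>
comp-lzo
reneg-sec 0
auth-user-pass
dhcp-option DNS 10.0.0.53
"""


def pem_to_custom_data(pem: str) -> str:
    """Flatten a PEM block to one line: every real line break becomes the
    literal backslash-n sequence, all other characters are kept."""
    return "\\n".join(pem.strip("\n").split("\n")) + "\\n"


def custom_data_to_pem(value: str) -> str:
    """Inverse transform: what the client applies when it reads the value."""
    return value.replace("\\n", "\n")


def check_pem(pem: str) -> bool:
    """Pre-flight check: header/footer intact, body decodes as base64 and
    the DER begins with an ASN.1 SEQUENCE tag (0x30)."""
    m = re.fullmatch(
        r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----\n?",
        pem, re.S)
    if not m:
        return False
    try:
        der = base64.b64decode(m.group(1))   # newlines in the body are ignored
    except ValueError:
        return False
    return bool(der) and der[0] == 0x30


def custom_data_value_ok(value: str) -> bool:
    """A pasted 'ca' value must contain no raw newline (only the literal
    backslash-n) and must turn back into a parseable PEM."""
    return "\n" not in value and check_pem(custom_data_to_pem(value))


def ovpn_to_custom_data(ovpn: str) -> dict:
    """Parse a .ovpn and return the custom-data mapping."""
    result = {}
    lines = ovpn.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("#", ";")):
            continue
        block = re.fullmatch(r"<([\w-]+)>", line)
        if block:                      # inline <ca>...</ca> style block
            tag = block.group(1)
            body = []
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                body.append(lines[i])
                i += 1
            i += 1                     # skip the closing tag
            result[tag] = pem_to_custom_data("\n".join(body) + "\n")
            continue
        parts = line.split(None, 1)
        key = parts[0]
        rest = parts[1].strip() if len(parts) > 1 else ""
        if key == "ca" and not rest.startswith("-----BEGIN"):
            # A file name cannot travel inside a .mobileconfig value.
            raise ValueError(f"'ca {rest}' refers to a file; inline the PEM instead")
        result[key] = rest if rest else "NOARGS"
    return result


if __name__ == "__main__":
    for key, value in ovpn_to_custom_data(SAMPLE_OVPN).items():
        print(f"{key} = {value}")
    print("ca value ok:", custom_data_value_ok(ovpn_to_custom_data(SAMPLE_OVPN)["ca"]))
```

Feeding the output of `ovpn_to_custom_data` into the iPhone Configuration Utility field by field reproduces the custom data shown above; `custom_data_value_ok` is the check to run on the pasted ca value before installing the profile.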

sugxgus
OpenVpn Newbie
Posts: 2
Joined: Fri Apr 04, 2014 5:17 pm

Re: Setting up VPN on demand for IOS 7.0.4

Post by sugxgus » Mon Apr 07, 2014 1:23 pm

Hello

Now it works, but I have a little problem: I want to add my own DNS server. In the openvpn.ovpn I can do that with

dhcp-option DNS DNS_IP_ADDRESS
but what is the right KEY/STRING for the mobileconfig? I think

KEY: dhcp-option DNS
STRING: DNS_IP_ADDRESS
That doesn't work, because the KEY has a space.

What is the right value?

regards
Steve

tdlwv
OpenVpn Newbie
Posts: 1
Joined: Wed Apr 09, 2014 5:18 am

Re: Setting up VPN on demand for IOS 7.0.4

Post by tdlwv » Wed Apr 09, 2014 6:11 am

IdeCable wrote: I've been trying to get VPN On Demand working on IOS with a vpn user enabled for Auto Connect.
Glad you got your CA issue fixed. I too was surprised that \n really meant "\n".

I wanted to chime in and share my On Demand settings for iOS. I've spent literally two months (when not working) trying to get iOS 7's on demand feature to work as well as iOS 6's. I'm already typing up a start-to-finish tutorial but this tidbit doesn't seem to be explained anywhere. Apple was forced to change the way on demand connections worked due to a lawsuit and it's been painful recreating the behavior. There are now three ways to invoke on demand connections and iOS 6 and 7 respond differently to each. The link aMakUzr shared explained the what, but not the why.

iOS 7 allows us to use one or more of many different dictionaries and keys to invoke the VPN. There are two classes of triggers though. One is "network change" and the other is "per connection".

The network change method uses keys DNSDomainMatch, DNSServerAddressMatch, InterfaceTypeMatch, SSIDMatch, and URLStringProbe. It has been my experience that these network change keys are nearly useless in starting the VPN. For example, a change will only happen once (e.g. WiFi to cellular) compared to how likely you are to actually need the VPN. Let's say you leave the house (and naturally the WiFi network) then try to use a domain listed in the profile. The change from WiFi to cellular will trigger the check and the VPN starts. Once the screen locks then the VPN drops due to timeouts, etc. The VPN won't start when the device is unlocked and the VPN resource is needed again. The trigger for the VPN was the WiFi to cellular change, not the resource being accessed.

I've had 100% success with using the "ActionParameters" key. This is the per connection trigger. There are two additional keys that can be added when using ActionParameters, "RequiredDNSServers" and "RequiredURLStringProbe". Go with RequiredURLStringProbe. See my excerpt below--it's directly from my iPhone .mobileconfig. Here is the logic of it though: 1) if WiFi SSID is "My Home WiFi", then disconnect. 2) if any domain, test non-existent URL for connectivity (HTTP 200 Success), invoke VPN if URL test fails (it is designed to always fail). 3) if rule one or two doesn't match, then connect.

If I find the VPN is getting in the way or that I don't need it, then I just toggle the "Connect On Demand" feature off from the Settings in iOS. Happy tunneling!

Code: Select all

<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
	<dict>
		<key>Action</key>
		<string>Disconnect</string>
		<key>SSIDMatch</key>
		<array>
			<string>My Home WiFi</string>
		</array>
	</dict>
	<dict>
		<key>Action</key>
		<string>EvaluateConnection</string>
		<key>ActionParameters</key>
		<array>
			<dict>
				<key>Domains</key>
					<array>
						<string>*</string>
					</array>
				<key>RequiredURLStringProbe</key>
				<string>https://test-non-existent-URL-for-connectivity.com</string>
				<key>DomainAction</key>
				<string>ConnectIfNeeded</string>
			</dict>
		</array>
	</dict>
	<dict>
		<key>Action</key>
		<string>Connect</string>
	</dict>
</array>
