This tutorial explains the OpenVPN iPhone client configuration steps for remote connectivity to a Ubiquiti EdgeRouter OpenVPN server. Create the OpenVPN configuration profile (.ovpn), sync with iTunes and import the profile into OpenVPN Connect.
Project series index:
- Ubiquiti EdgeRouter Lite SOHO Network Design
- Ubiquiti EdgeRouter Lite SOHO Network Configuration
- EdgeRouter Lite SOHO Network Firewall Rules
- Ubiquiti EdgeRouter DNS Security & Content Filtering – Block Ransomware, Botnets, Phishing and Inappropriate Content
- Ubiquiti EdgeRouter: How to Enforce Different DNS Servers per VLAN
- Ubiquiti EdgeRouter OpenVPN Server-Client Configuration Tutorial
- EdgeRouter OpenVPN: Create Public Key Infrastructure with Easy-RSA
- EdgeRouter OpenVPN Server – Client Mode Configuration Steps
- OpenVPN iPhone Client Configuration Steps (you are here)
- OpenVPN Windows 10 Client Configuration Steps
OpenVPN iPhone Client Configuration Steps
This tutorial was last updated on April 7, 2018 for the latest versions of OpenVPN Connect and Easy-RSA 2.0. See the project introduction for details.
The iPhone client configuration steps are summarized in the following excerpt from the OpenVPN configuration process diagram:
5. Configure OpenVPN Clients
The Public Key Infrastructure (PKI) was created using the easy-rsa 2 batch scripts included with OpenVPN on the Admin Desktop PC:
The various certificates and keys for the Certificate Authority (CA), EdgeRouter server, iPhone and Laptop clients are in the
C:\OpenVPN-Server-Client-Build\easy-rsa\keys> folder on the Admin PC:
The OpenVPN configuration file (.ovpn) needs to be created, then merge the certs & keys and installed on the iPhone.
6 iPhone OpenVPN Client Configuration
Organize the files for each OpenVPN client by creating a folder for it’s set of certs and keys.
Create a new iPhone subfolder (
C:\OpenVPN-Server-Client-Build\easy-rsa\keys\iPhone>) and copy the files:
If you need to configure several smart phone clients, create a unique folder name for each such as “Bob_iPhone” and “Alex_iPhone” instead of a generic “iPhone”.
Note: The above links to the actual certificates and private keys used in this tutorial are provided to compare with the Bob_iPhone.opvn configuration file that will be created shortly. There’s no risk to by disclosing this information because I tore down and created a new PKI after verifying everything worked. (It has no value to a hacker.) A .txt file extension is added such that the files are not interpreted in a special way by the web browser and other applications on your computer.
Also the BobER3.dyndns.org host name is no longer valid. And if it is, someone else reserved it.
An OpenVPN client Profile which has an .ovpn file extension. It’s a text file that specifies the client configuration parameters. The configuration file used in the tutorial is Bob_iPhone.ovpn. It’s saved to the
C:\OpenVPN-Server-Client-Build\easy-rsa\keys\iPhone\ folder. The folder now contains:
6.a Create OpenVPN Profile: iPhone.ovpn
The easiest way to create an .ovpn configuration profile is modify mine: iPhone_OpenVPN_Configuration_Template.ovpn. Many thanks to GainfulShrimp on the Ubiquiti EdgeMax forum for posting his client configuration that I copied for my setup.
Because the iPhone doesn’t have folders and directories like a personal computer, it’s best to use the “Unified Format” with the certs and keys embedded in the .ovpn configuration file.
Edit your .opvn profile with a text editor.
The .ovpn file sections you’ll need to customize for your network are:
# Connect to the server at port 443 at yourdomainname.com (replace with your
# actual domain name, if you’ve setup dynamic (or static) DNS, or put your
# static external IP address if not)
remote BobER3.dyndns.org 443
# Use medium level verbosity for the logs. For debug purposes, increase this to
# a value between 6 – 11, where higher numbers give far more detail about what
# is happening. 3 is standard.
Certificates & Keys:
# These files must be installed on the OpenVPN iPhone client.
# ca cacert.pem
# cert iPhone.pem
# key iPhone.key
# tls-auth ta.key 1
contents of ca.crt
only the –BEGIN CERTIFICATE– to –END CERTIFICATE–
section of Bob_iPhone.crt
contents of Bob_iPhone.key
# The following line defines the direction of TLS authentication, when using
# inline format for the key:
contents of ta.crt
Note the key-direction must be 1 for all clients and 0 (zero) on the EdgeRouter server.
I’m using UltraEdit to copy & paste the CA certificate into the iPhone.ovpn here but any text editor is fine:
April 2018 Update: OpenVPN Connect 1.2.9
—–BEGIN ENCRYPTED PRIVATE KEY—–
<many more lines>
—–END ENCRYPTED PRIVATE KEY—–
Where the PKCS#5 format required by OpenVPN Connect 1.2.9 (and later versions) is:
—–BEGIN RSA PRIVATE KEY—–
<many more lines>
—–END RSA PRIVATE KEY—–
The Easy-RSA PKCS#8 format will cause the following error when you try to connect your iPhone:
The error message in the OpenVPN Connect iPhone log is:
2018-04-05 18:20:27 ----- OpenVPN Start ----- OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28 2018-04-05 18:20:27 Frame=512/2048/512 mssfix-ctrl=1250 2018-04-05 18:20:27 EVENT: CORE_ERROR mbed TLS: error parsing config private key : PK - Bad input parameters to function [ERR]
The solution is to encrypt RSA private key using the following command:
C:\OpenVPN-Server-Client-Build\easy-rsa\keys\Bob iPhone>openssl rsa -aes256 -in Bob_iphone.ovpn -out new_iphone.ovpn
Enter pass phrase for Bob_iphone.ovpn: <PEM passphrase, same one used to create iPhone private key>
writing RSA key
Enter PEM pass phrase: <PEM passphrase, same as before>
Verifying – Enter PEM pass phrase: <PEM passphrase, same as before>
The file new_iphone.ovpn is created and contains only the PKCS#5 encrypted private key:
C:\OpenVPN-Server-Client-Build\easy-rsa\keys\Bob iPhone>dir Volume in drive C is OS Volume Serial Number is 7A25-5D04 Directory of C:\OpenVPN-Server-Client-Build\easy-rsa\keys\Bob iPhone 04/07/2018 12:35 PM <DIR> . 04/07/2018 12:35 PM <DIR> .. 04/07/2018 11:05 AM 8,334 Bob_iPhone.crt 04/07/2018 11:04 AM 3,468 Bob_iPhone.key 04/07/2018 12:28 PM 11,976 Bob_iPhone.ovpn 04/07/2018 10:46 AM 2,528 ca.crt 04/07/2018 12:35 PM 3,380 new_iphone.ovpn 04/07/2018 11:12 AM 657 ta.key 6 File(s) 30,343 bytes 2 Dir(s) 402,053,730,304 bytes free
Update iPhone.ovpn with the PKCS#5 Format RSA Private Key
- Edit the Bob_iPhone.ovpn configuration file.
- Paste the newly created PKCS#5 private key from new_iphone.ovpn into the Bob_iPhone.ovpn file, replacing everything between <key> and </key>:
Save the file Bob_iPhone.ovpn.
6.b Install OpenVPN Client App (iTunes Store)
6.c Sync OpenVPN Profile with iPhone using iTunes: iPhone.ovpn
Connect the iPhone to your computer, open iTunes and click the device icon to select your iPhone.
- Click on Apps in the left panel in iTunes.
- Scroll down in the main panel until you see the File Sharing section.
Click on OpenVPN.
- Drag and drop the iPhone.ovpn file from your computer to the OpenVPN Documents panel.
The steps are illustrated in this iTunes screen grab:
The .ovpn file is copied to your iPhone:
Click the Done button at the bottom of the iTunes screen and disconnect your iPhone from iTunes.
Aside: The UltraEdit (UE) icon is shown because I’ve made it the default app for .ovpn files on my PC.
6.d Import Profile into OpenVPN Connect
Open the OpenVPN Connect app on the iPhone. A notice “New Profiles are Available…” is displayed with your OpenVPN profile.
Click the green circle with the plus sign to import the profile:
Disable WiFi on the iPhone so it’s not connected to WiFi on the EdgeRouter network. This will force the iPhone to use your wireless carrier’s LTE network to verify OpenVPN works over a remote Internet connection.
Enter the Private Key Password (a.k.a. PEM pass phrase) if you configured one, an optionally tap the Save button to save the password. OpenVPN Connect stores PEM phass phrase in the iOS Keychain which is protected by iPhone device password. The iPhone password in this tutorial “opensaysme2”:
Tap the button below Disconnected to connect to the EdgeRouter OpenVPN server. The OpenVPN Connect app displays the connection statistics:
Tap anywhere on the “Connected” row to view the session logs which are very useful for debugging.
The VPN icon at the top of the screen confirms OpenVPN is connected:
At this point I can access the EdgeRouter GUI, security cameras and home automation controller from the iPhone.
This tutorial is concluded in OpenVPN Windows 10 Client Configuration Steps.
Copyright © 2018 HandymanHowTo.com Reproduction strictly prohibited.