OpenVPN iPhone Client Configuration Steps


This tutorial explains the OpenVPN iPhone client configuration steps for remote connectivity to a Ubiquiti EdgeRouter OpenVPN server. Create the OpenVPN configuration profile (.ovpn), sync with iTunes and import the profile into OpenVPN Connect.


This tutorial was last updated on April 7, 2018 for the latest versions of OpenVPN Connect and Easy-RSA 2.0. See the project introduction for details.

The iPhone client configuration steps are summarized in the following excerpt from the OpenVPN configuration process diagram:

EdgeRouter OpenVPN – iPhone Client Configuration

5. Configure OpenVPN Clients

The Public Key Infrastructure (PKI) was created using the easy-rsa 2 batch scripts included with OpenVPN on the Admin Desktop PC:

EdgeRouter Lite OpenVPN Server and Client Configuration Files

The various certificates and keys for the Certificate Authority (CA), EdgeRouter server, iPhone and Laptop clients are in the C:\OpenVPN-Server-Client-Build\easy-rsa\keys\ folder on the Admin PC:

OpenVPN Easy RSA – Keys Folder Content CA TA Server and Clients

The OpenVPN configuration file (.ovpn) needs to be created with the certs and keys merged into it, then installed on the iPhone.

6  iPhone OpenVPN Client Configuration

Organize the files for each OpenVPN client by creating a folder for its set of certs and keys.

Create a new iPhone subfolder (C:\OpenVPN-Server-Client-Build\easy-rsa\keys\iPhone\) and copy the files:

from C:\OpenVPN-Server-Client-Build\easy-rsa\keys\

to C:\OpenVPN-Server-Client-Build\easy-rsa\keys\iPhone\

If you need to configure several smart phone clients, create a unique folder name for each such as “Bob_iPhone” and “Alex_iPhone” instead of a generic “iPhone”.

Note: The above links to the actual certificates and private keys used in this tutorial are provided to compare with the Bob_iPhone.ovpn configuration file that will be created shortly. There’s no risk in disclosing this information because I tore down the PKI and created a new one after verifying everything worked. (It has no value to a hacker.) A .txt file extension is added so that the files are not interpreted in a special way by the web browser and other applications on your computer.

Also, the BobER3.dyndns.org host name is no longer valid. If it is, someone else has reserved it.

An OpenVPN client profile has an .ovpn file extension. It’s a text file that specifies the client configuration parameters. The configuration file used in the tutorial is Bob_iPhone.ovpn. It’s saved to the C:\OpenVPN-Server-Client-Build\easy-rsa\keys\iPhone\ folder. The folder now contains:

EdgeRouter OpenVPN Setup – iPhone OVPN Config

6.a  Create OpenVPN Profile: iPhone.ovpn

The easiest way to create an .ovpn configuration profile is to modify mine: iPhone_OpenVPN_Configuration_Template.ovpn. Many thanks to GainfulShrimp on the Ubiquiti EdgeMax forum for posting his client configuration that I copied for my setup.

Because the iPhone doesn’t have folders and directories like a personal computer, it’s best to use the “Unified Format” with the certs and keys embedded in the .ovpn configuration file.

Edit your .ovpn profile with a text editor.

The .ovpn file sections you’ll need to customize for your network are:

remote:

# Connect to the server at port 443 at yourdomainname.com (replace with your
# actual domain name, if you’ve setup dynamic (or static) DNS, or put your
# static external IP address if not)
remote BobER3.dyndns.org 443

verb:

# Use medium level verbosity for the logs. For debug purposes, increase this to
# a value between 6 – 11, where higher numbers give far more detail about what
# is happening. 3 is standard.
verb 8

Certificates & Keys:

# These files must be installed on the OpenVPN iPhone client.
# ca cacert.pem
# cert iPhone.pem
# key iPhone.key
# tls-auth ta.key 1

<ca>
contents of ca.crt
</ca>
<cert>
only the -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
section of Bob_iPhone.crt
</cert>
<key>
contents of Bob_iPhone.key
</key>

# The following line defines the direction of TLS authentication, when using
# inline format for the key:
key-direction 1

<tls-auth>
contents of ta.key
</tls-auth>

Note the key-direction must be 1 for all clients and 0 (zero) on the EdgeRouter server.

I’m using UltraEdit to copy & paste the CA certificate into the iPhone.ovpn here but any text editor is fine:

iPhone OpenVPN Profile Config File

April 2018 Update:  OpenVPN Connect 1.2.9

The RSA Private Key PKCS format supported by OpenVPN Connect has changed from PKCS#8 to PKCS#5. The PKCS#8 private key format generated by Easy-RSA 2.0 looks like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
PzYj0J+ezYCgtZrN6Pb+E9tjY9vx1CvgHzzamNk92bEu6++5VOJHx8KxX4fn06m/i
<many more lines>
-----END ENCRYPTED PRIVATE KEY-----

whereas the PKCS#5 format required by OpenVPN Connect 1.2.9 (and later versions) is:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,7D****************************2E

n3Qpl9FXC+A1HEI2RrwO8lJhAzUZ+v+bZcV1IoR7bnjqwIZpGH2aRc3KumpCRJXb
<many more lines>
-----END RSA PRIVATE KEY-----

The Easy-RSA PKCS#8 format will cause the following error when you try to connect your iPhone:

iPhone OpenVPN Client – CORE_ERROR mbed TLS error parsing config private key PK – Bad input parameters to function

The error message in the OpenVPN Connect iPhone log is:

2018-04-05 18:20:27 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28
2018-04-05 18:20:27 Frame=512/2048/512 mssfix-ctrl=1250
2018-04-05 18:20:27 EVENT: CORE_ERROR mbed TLS: error parsing config private key : PK - Bad input parameters to function [ERR]


The solution is to re-encrypt the RSA private key in the PKCS#5 format using the following command:

C:\OpenVPN-Server-Client-Build\easy-rsa\keys\Bob iPhone>openssl rsa -aes256 -in Bob_iphone.ovpn -out new_iphone.ovpn

Enter pass phrase for Bob_iphone.ovpn: <PEM passphrase, same one used to create iPhone private key>
writing RSA key
Enter PEM pass phrase: <PEM passphrase, same as before>
Verifying - Enter PEM pass phrase: <PEM passphrase, same as before>

The file new_iphone.ovpn is created and contains only the PKCS#5 encrypted private key:

C:\OpenVPN-Server-Client-Build\easy-rsa\keys\Bob iPhone>dir

Volume in drive C is OS
Volume Serial Number is 7A25-5D04

Directory of C:\OpenVPN-Server-Client-Build\easy-rsa\keys\Bob iPhone

04/07/2018  12:35 PM    <DIR>          .
04/07/2018  12:35 PM    <DIR>          ..
04/07/2018  11:05 AM             8,334 Bob_iPhone.crt
04/07/2018  11:04 AM             3,468 Bob_iPhone.key
04/07/2018  12:28 PM            11,976 Bob_iPhone.ovpn
04/07/2018  10:46 AM             2,528 ca.crt
04/07/2018  12:35 PM             3,380 new_iphone.ovpn
04/07/2018  11:12 AM               657 ta.key
 6 File(s)         30,343 bytes
 2 Dir(s)  402,053,730,304 bytes free

Update iPhone.ovpn with the PKCS#5 Format RSA Private Key

  • Edit the Bob_iPhone.ovpn configuration file.
  • Paste the newly created PKCS#5 private key from new_iphone.ovpn into the Bob_iPhone.ovpn file, replacing everything between <key> and </key>:

OpenVPN iPhone OVPN Config File – Replace PKCS#8 Private Key with PKCS#5 RSA Private Key Format

Save the file Bob_iPhone.ovpn.
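The profile assembly in 6.a and the key-format check from the April 2018 update, as an added example (not code from the tutorial): it pulls only the PEM block out of each Easy-RSA file (the .crt files carry a text dump ahead of the certificate), inlines the blocks under the tags shown above with key-direction 1, and flags a PKCS#8 "ENCRYPTED PRIVATE KEY" block that OpenVPN Connect 1.2.9+ rejects. All certificate, key and template contents are constructed stand-ins, and vpn.example.com is a placeholder for your dynamic DNS name.

```python
import re

# Constructed sample inputs, not the tutorial's real files. An Easy-RSA .crt carries a
# human-readable text dump before the PEM block; only the PEM part may be inlined.
CA_CRT = "-----BEGIN CERTIFICATE-----\nQ0EgY2VydA==\n-----END CERTIFICATE-----\n"
CLIENT_CRT = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
              "-----BEGIN CERTIFICATE-----\nY2xpZW50IGNlcnQ=\n-----END CERTIFICATE-----\n")
KEY_PKCS5 = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
             "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
             "a2V5Ym9keQ==\n-----END RSA PRIVATE KEY-----\n")
KEY_PKCS8 = "-----BEGIN ENCRYPTED PRIVATE KEY-----\na2V5Ym9keQ==\n-----END ENCRYPTED PRIVATE KEY-----\n"
TA_KEY = "-----BEGIN OpenVPN Static key V1-----\n00ff\n-----END OpenVPN Static key V1-----\n"
# Hypothetical template; vpn.example.com stands in for your dynamic DNS name.
TEMPLATE = "client\ndev tun\nremote vpn.example.com 443\nverb 3\n"

PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\r?\n.*?-----END \1-----", re.S)

def pem_block(text):
    """Return the first PEM block (BEGIN line through END line), dropping any text dump."""
    m = PEM_BLOCK.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    return m.group(0)

def build_profile(template, ca, cert, key, ta):
    """Append key-direction 1 and the inline <ca>/<cert>/<key>/<tls-auth> blocks to a template."""
    lines = [template.rstrip("\n"), "key-direction 1"]
    for tag, material in (("ca", ca), ("cert", cert), ("key", key), ("tls-auth", ta)):
        lines += [f"<{tag}>", pem_block(material), f"</{tag}>"]
    return "\n".join(lines) + "\n"

def check_profile(profile):
    """List problems a client profile has for OpenVPN Connect on iOS; an empty list means OK."""
    problems = []
    for tag in ("ca", "cert", "key", "tls-auth"):
        if re.search(rf"<{tag}>.*?</{tag}>", profile, re.S) is None:
            problems.append(f"missing inline <{tag}> block")
    m = re.search(r"<key>\s*-----BEGIN ([^-]+)-----", profile)
    if m and m.group(1) == "ENCRYPTED PRIVATE KEY":
        problems.append("PKCS#8 key (ENCRYPTED PRIVATE KEY): OpenVPN Connect 1.2.9+ needs the "
                        "RSA PRIVATE KEY form with Proc-Type/DEK-Info (openssl rsa -aes256)")
    if "<tls-auth>" in profile and re.search(r"^key-direction 1\s*$", profile, re.M) is None:
        problems.append("client profile must set key-direction 1 (the server uses 0)")
    return problems
```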

6.b  Install OpenVPN Client App (iTunes Store)

Install OpenVPN Connect by OpenVPN Technologies from the Apple iTunes store.

6.c  Sync OpenVPN Profile with iPhone using iTunes: iPhone.ovpn

Connect the iPhone to your computer, open iTunes and click the device icon to select your iPhone.

  1. Click on Apps in the left panel in iTunes.
  2. Scroll down in the main panel until you see the File Sharing section.
    Click on OpenVPN.
  3. Drag and drop the iPhone.ovpn file from your computer to the OpenVPN Documents panel.

The steps are illustrated in this iTunes screen grab:

iTunes OpenVPN Configuration Profile Transfer to iPhone

The .ovpn file is copied to your iPhone:

OpenVPN Client Profile Installed on iPhone

Click the Done button at the bottom of the iTunes screen and disconnect your iPhone from iTunes.

Aside: The UltraEdit (UE) icon is shown because I’ve made it the default app for .ovpn files on my PC.

6.d  Import Profile into OpenVPN Connect

Open the OpenVPN Connect app on the iPhone. A notice “New Profiles are Available…” is displayed with your OpenVPN profile.

Click the green circle with the plus sign to import the profile:

iPhone OpenVPN Setup – Import VPN Profile

Disable WiFi on the iPhone so it’s not connected to WiFi on the EdgeRouter network. This will force the iPhone to use your wireless carrier’s LTE network to verify OpenVPN works over a remote Internet connection.

Enter the Private Key Password (a.k.a. PEM pass phrase) if you configured one, and optionally tap the Save button to save the password. OpenVPN Connect stores the PEM pass phrase in the iOS Keychain, which is protected by the iPhone device password. The password used in this tutorial is “opensaysme2”:

iPhone OpenVPN Setup – Client Private Key Password

Tap the button below Disconnected to connect to the EdgeRouter OpenVPN server. The OpenVPN Connect app displays the connection statistics:

iPhone OpenVPN Setup – Connected to EdgeRouter Lite VPN Server

Tap anywhere on the “Connected” row to view the session logs which are very useful for debugging.

The VPN icon at the top of the screen confirms OpenVPN is connected:

iPhone VPN Connected Icon

At this point I can access the EdgeRouter GUI, security cameras and home automation controller from the iPhone.

This tutorial is concluded in OpenVPN Windows 10 Client Configuration Steps.

Thanks,

Bob

Copyright © 2018 HandymanHowTo.com   Reproduction strictly prohibited.

9 Comments

  1. dP21 January 16, 2018 at 9:31 pm - Reply

    Thank you for the great posts. I used these vs. some of the posts on the Ubiquiti forums which never really worked out.

    I did run into one issue for my iOS client. Specifically it appears that OpenVPN encryption doesn’t support RSA (which the Easy RSA scripts use). Instead you need to convert to 3DES. This is explained in this GitHub post: https://github.com/pivpn/pivpn/issues/171#issuecomment-270792631

    After converting my iOS certificates to 3DES I was in business.

    Again, thanks for the great post(s) and look forward to some of your other handyman posts!

    • Bob Jackson January 16, 2018 at 10:19 pm - Reply

      I have an iPhone 6 running iOS 11.2.2 and OpenVPN 1.2.5 build 1 (iOS 64-bit) and use OpenVPN every day without issues. The iPhone setup worked for me exactly as described in the tutorial without converting certificates to 3DES. However, I was running iOS 10.x when I wrote the tutorial in May 2017. Maybe something changed with iOS 11? What’s your Apple client and iOS version?

      Thanks for the tip and the GitHub solution!

      • dP21 January 18, 2018 at 11:29 am - Reply

        I was running iPhone X and iOS 11.2.2 with OpenVPN (now running 1.2.6 build 4 – iOS 64-bit). Not sure what build of OpenVPN I *was* running since it has been updated a few times the last few days.

  2. jig July 9, 2018 at 7:45 am - Reply

    Above, you use openssl to what seems like encrypt the entire ovpn:

    “openssl rsa -aes256 -in Bob_iphone.ovpn -out new_iphone.ovpn”

    should it instead be:

    “openssl rsa -aes256 -in Bob_iphone.key -out new_iphone.key”

    and then put that into the portion of the ovpn?

    Point being, I’m having trouble getting this working. It all seems to be a TLS handshake error.

  3. Lajo September 13, 2018 at 3:06 pm - Reply

    Hi!

    I get an SSL error both when trying to use the IPhone and Windows 10 OpenVPN client.
    It looks like this:
    Sep 13 20:39:05 ubnt openvpn[5174]: 95.195.222.123:59705 TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

    I followed your guide exactly so I am not sure what is wrong.

    • Bob Jackson September 13, 2018 at 4:13 pm - Reply

      > SSL3_GET_CLIENT_HELLO:no shared cipher
      You have a cipher mismatch. Which cipher have you configured?

      As explained in the EdgeRouter OpenVPN tutorial introduction in the “Platform Environment” section:

      “Note the EdgeRouter OpenVPN and OpenSSL versions are much older compared to the Windows 10 and Apple iOS clients. The outdated EdgeRouter OpenVPN v2.3.2 doesn’t support TLS v1.2 and stronger ciphers such as TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 nor the Elliptic Curve suites.”

      Note that SHA256 ciphers are not supported by the EdgeRouter at this time.

      BTW – I’m running the latest iOS OpenVPN Connect v3.0.1(770) on my iPhone with no issues.

  4. Scotty October 10, 2018 at 11:14 pm - Reply

    Bob,

    I’ve got the laptop client working perfectly, but OpenVPN Connect on my iPhone isn’t working – my server is showing the “TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher” error. The .ovpn settings look identical to those that work for viscosity, and viscosity could connect just fine with the iPhone credentials (including the “updated” .key file). Any idea what I could be missing?

    Thanks!
    -Scotty

    • Bob Jackson October 11, 2018 at 2:02 pm - Reply

      The FAQ regarding OpenVPN Connect iOS says:

      “BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
      This is usually remedied by going to the OpenVPN Preferences menu and selecting “Force AES-CBC ciphersuites”.
      Also, make sure you are not using EC certificates as they are not yet supported.”

      The OpenVPN Connect v3.0.2(894) settings on my iPhone running iOS 12.0.1 have:
      * AES-CBC cipher algorithm – checked (enabled) by default.

      Thanks,
      Bob
