This tutorial explains the OpenVPN iPhone client configuration steps for remote connectivity to a Ubiquiti EdgeRouter OpenVPN server. Create the OpenVPN configuration profile (.ovpn), sync with iTunes and import the profile into OpenVPN Connect.


OpenVPN iPhone Client Configuration Steps

The iPhone client configuration steps are summarized in the following excerpt from the OpenVPN configuration process diagram:

EdgeRouter OpenVPN - iPhone Client Configuration


5. Configure OpenVPN Clients

The Public Key Infrastructure (PKI) was created using the easy-rsa 2 batch scripts included with OpenVPN on the Admin Desktop PC:

EdgeRouter Lite OpenVPN Server and Client Configuration Files


The various certificates and keys for the Certificate Authority (CA), EdgeRouter server, iPhone and Laptop clients are in the C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder on the Admin PC:

OpenVPN Easy RSA - Keys Folder Content CA TA Server and Clients


The OpenVPN configuration file (.ovpn) needs to be created, merged with the certs & keys, and installed on the iPhone.

6  iPhone OpenVPN Client Configuration

Organize the files for each OpenVPN client by creating a folder for its set of certs and keys.

Create a new iPhone subfolder (C:\OpenVPN-Server-Client-Build\easy-rsa\keys\iPhone) and copy the files:

from C:\OpenVPN-Server-Client-Build\easy-rsa\keys\

to C:\OpenVPN-Server-Client-Build\easy-rsa\keys\iPhone\

If you need to configure several smart phone clients, create a unique folder name for each such as “Bob_iPhone” and “Alex_iPhone” instead of a generic “iPhone”.

Note: The above links to the actual certificates and private keys used in this tutorial are provided to compare with the Bob_iPhone.ovpn configuration file that will be created shortly. There’s no risk in disclosing this information because I tore down and created a new PKI after verifying everything worked. (It has no value to a hacker.) A .txt file extension is added so that the files are not interpreted in a special way by the web browser and other applications on your computer.

Also the BobER3.dyndns.org host name is no longer valid. And if it is, someone else reserved it.

An OpenVPN client profile has an .ovpn file extension. It’s a text file that specifies the client configuration parameters. The configuration file used in the tutorial is Bob_iPhone.ovpn. It’s saved to the C:\OpenVPN-Server-Client-Build\easy-rsa\keys\iPhone\ folder. The folder now contains:

iPhone OpenVPN Folder Listing


6.a  Create OpenVPN Profile: iPhone.ovpn

The easiest way to create an .ovpn configuration profile is to modify mine: iPhone_OpenVPN_Configuration_Template.ovpn. Many thanks to GainfulShrimp on the Ubiquiti EdgeMax forum for posting his client configuration that I copied for my setup.

Because the iPhone doesn’t have folders and directories like a personal computer, it’s best to use the “Unified Format” with the certs and keys embedded in the .ovpn configuration file.

Edit your .ovpn profile with a text editor.

The .ovpn file sections you’ll need to customize for your network are:

remote:

# Connect to the server on port 443 at yourdomainname.com (replace with your
# actual domain name if you've set up dynamic (or static) DNS, or use your
# static external IP address if not)
remote BobER3.dyndns.org 443

verb:

# Log verbosity. 3 is standard (medium). For debug purposes, increase this to
# a value between 6 and 11, where higher numbers give far more detail about
# what is happening. The value below is a debug level.
verb 8

Certificates & Keys:

# These files must be installed on the OpenVPN iPhone client.
# ca cacert.pem
# cert iPhone.pem
# key iPhone.key
# tls-auth ta.key 1

<ca>
contents of ca.crt
</ca>
<cert>
only the -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
section of Bob_iPhone.crt

</cert>
<key>
contents of Bob_iPhone.key
</key>

# The following line defines the direction of TLS authentication, when using
# inline format for the key:
key-direction 1

<tls-auth>
contents of ta.key
</tls-auth>

Note the key-direction must be 1 for all clients and 0 (zero) on the EdgeRouter server.
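The merge step above can be scripted rather than pasted by hand. The following is an added example, not part of the original tutorial or the author's template: it builds the inline certs-and-keys section from the text of the four key files, keeps only the armored block of each (an issued .crt carries a text dump ahead of the PEM), and lints a finished profile. The names `extract`, `inline_section`, `lint_profile` and `SAMPLE` are hypothetical, and the sample key material is constructed placeholder text.

```python
import re

# Armored envelope expected inside each inline block of the unified format.
ARMOR = "-----BEGIN {0}-----.*?-----END {0}-----"
PATTERNS = {tag: ARMOR.format(label) for tag, label in (
    ("ca", "CERTIFICATE"), ("cert", "CERTIFICATE"),
    ("key", "[A-Z ]*PRIVATE KEY"), ("tls-auth", "OpenVPN Static key V1"))}
# Constructed placeholders standing in for the key files; not real key material.
SAMPLE = {
    "ca": "-----BEGIN CERTIFICATE-----\nCA00\n-----END CERTIFICATE-----\n",
    "cert": "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
            "-----BEGIN CERTIFICATE-----\nCL00\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN PRIVATE KEY-----\nKY00\n-----END PRIVATE KEY-----\n",
    "tls-auth": "# 2048 bit OpenVPN static key\n-----BEGIN OpenVPN Static key V1-----\n"
                "ab12\n-----END OpenVPN Static key V1-----\n",
}


def extract(tag, file_text):
    """Keep only the armored block, dropping the text dump in an issued .crt."""
    match = re.search(PATTERNS[tag], file_text, re.S)
    if match is None:
        raise ValueError(f"<{tag}>: expected key material not found")
    return match.group(0)


def inline_section(files):
    """Build the inline certs-and-keys section from the four key files' text."""
    out = []
    for tag in ("ca", "cert", "key"):
        out += [f"<{tag}>", extract(tag, files[tag]), f"</{tag}>"]
    # Clients use key-direction 1; the EdgeRouter server uses 0.
    out += ["key-direction 1", "<tls-auth>",
            extract("tls-auth", files["tls-auth"]), "</tls-auth>"]
    return "\n".join(out) + "\n"


def lint_profile(profile):
    """Return the problems found in a finished unified-format client profile."""
    problems = []
    for tag, pattern in PATTERNS.items():
        body = re.search(rf"^<{tag}>\n(.*?)\n</{tag}>$", profile, re.S | re.M)
        if body is None:
            problems.append(f"missing <{tag}> block")
        elif not re.fullmatch(pattern, body.group(1).strip(), re.S):
            problems.append(f"<{tag}> is not a clean armored block")
    if not re.search(r"^key-direction 1$", profile, re.M):
        problems.append("key-direction must be 1 on a client")
    return problems
```

Append the output of `inline_section` to the directives in your own profile and run `lint_profile` on the result before syncing it to the phone; an empty list means all four blocks and the client key-direction are in place.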

I’m using UltraEdit to copy & paste the CA certificate into the iPhone.ovpn here but any text editor is fine:

iPhone OpenVPN Profile Config File


6.b  Install OpenVPN Client App (iTunes Store)

Install OpenVPN Connect by OpenVPN Technologies from the Apple iTunes store.

6.c  Sync OpenVPN Profile with iPhone using iTunes: iPhone.ovpn

Connect the iPhone to your computer, open iTunes and click the device icon to select your iPhone.

  1. Click on Apps in the left panel in iTunes.
  2. Scroll down in the main panel until you see the File Sharing section.
    Click on OpenVPN.
  3. Drag and drop the iPhone.ovpn file from your computer to the OpenVPN Documents panel.

The steps are illustrated in this iTunes screen grab:

iTunes OpenVPN Configuration Profile Transfer to iPhone


The .ovpn file is copied to your iPhone:

OpenVPN Client Profile Installed on iPhone

Click the Done button at the bottom of the iTunes screen and disconnect your iPhone from iTunes.

Aside: The UltraEdit (UE) icon is shown because I’ve made it the default app for .ovpn files on my PC.

6.d  Import Profile into OpenVPN Connect

Open the OpenVPN Connect app on the iPhone. A notice “New Profiles are Available…” is displayed with your OpenVPN profile.

Click the green circle with the plus sign to import the profile:

iPhone OpenVPN Setup - Import VPN Profile


Disable iPhone WiFi if it’s connected to WiFi on the EdgeRouter network. This will force the iPhone to use your wireless carrier’s LTE network to verify OpenVPN works over a remote Internet connection.

Enter the Private Key Password (a.k.a. PEM pass phrase) if you configured one, and optionally tap the Save button to save the password. OpenVPN Connect stores the PEM pass phrase in the iOS Keychain, which is protected by the iPhone device password. The iPhone password in this tutorial is “opensaysme2”:

iPhone OpenVPN Setup - Client Private Key Password


Tap the button below Disconnected to connect to the EdgeRouter OpenVPN server. The OpenVPN Connect app displays the connection statistics:

iPhone OpenVPN Setup - Connected to EdgeRouter Lite VPN Server


Tap anywhere on the “Connected” row to view the session logs which are very useful for debugging.

At this point I can access the EdgeRouter GUI, my security cameras (IP Cam Viewer Pro works great) and home automation controller from the iPhone.

This tutorial is concluded in OpenVPN Windows 10 Client Configuration Steps.

Thanks,

Bob

Copyright © 2017 HandymanHowTo.com   Reproduction strictly prohibited.