Changes

From SME Server
5,546 bytes added ,  15:41, 23 November 2014
→‎iOS: Configuration for OpenVPN Connect app on iOS
Line 337: Line 337:     
====iOS====
 
====iOS====
 +
{{WIP box}}
 +
if you plan to connect to Open vpn you can either jailbreak and use GuizmoVPN.
   −
if you plan to connect to Open vpn you can either jailbreak and use GuizmoVPN.
+
You can connect using the free [https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8 OpenVPN Connect] app.  Unfortunately, configuring this app for your connection is a somewhat involved process.  It will require making changes to the server configuration, creating a PKCS#12 file manually for the client, creating a .ovpn configuration file, installing the CA and client certificates on your iOS device, and finally importing the .ovpn configuration file into your device.
 +
 
 +
=====Changes to server configuration=====
 +
The iOS client requires a small change to your OpenVPN server configuration which can be made with a small template fragment, using the following commands:
   −
Otherwise you could use the newly available OpenVPN app. However it does not have any tun driver and it needs a server configuration to work :
   
  mkdir -p /etc/e-smith/templates-custom/etc/openvpn/bridge/openvpn.conf/
 
  mkdir -p /etc/e-smith/templates-custom/etc/openvpn/bridge/openvpn.conf/
 
  echo 'push "topology subnet"' >/etc/e-smith/templates-custom/etc/openvpn/bridge/openvpn.conf/66topology
 
  echo 'push "topology subnet"' >/etc/e-smith/templates-custom/etc/openvpn/bridge/openvpn.conf/66topology
 
  expand-template /etc/openvpn/bridge/openvpn.conf
 
  expand-template /etc/openvpn/bridge/openvpn.conf
  service openvpn-bridge restart
+
  sv t /service/openvpn-bridge
 +
 
 +
=====Create a PKCS#12 file for the client=====
 +
A PKCS#12 file is used to bundle the client's private key with its associated certificates, and will be used to install an identity on your iOS device.  [[PHPki|PHPki]] has the ability to generate these files for download, but does not password-protect them.  Instead, you will use PHPki to download a PEM bundle.  Log into the server-manager, go to Certificate Management, then to Manage Certificates, and click the download icon to the right of the client certificate you want to use.  On the next screen, in the file type dropdown, choose PEM Bundle w/Root.  Save this file to a convenient location and open it with your favorite text editor.  It will look like this:
 +
 
 +
-----BEGIN PRIVATE KEY-----
 +
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDhKd2tv7D6lnzs
 +
...
 +
P9sSy5mmpaI3o+vRt6fXYCvL37g=
 +
-----END PRIVATE KEY-----
 +
-----BEGIN CERTIFICATE-----
 +
MIIGuzCCBKOgAwIBAgIDEAACMA0GCSqGSIb3DQEBBQUAMIHLMQswCQYDVQQGEwJV
 +
...
 +
ex7wHUDqk6zpdeygiuK8fYAbbeb7/9EGopKOPI8J+PPyaJ96ljqDK6FphY3Jt0k=
 +
-----END CERTIFICATE-----
 +
-----BEGIN CERTIFICATE-----
 +
MIIHWjCCBUKgAwIBAgIJAPM30y+H/VCKMA0GCSqGSIb3DQEBBQUAMIHLMQswCQYD
 +
...
 +
Wx8wzFUHXwxOlYGsDRK9r/NTlPyiKwV9Z/kxVFSrFR7/FwCu8Ty4dSmsENk7xEzh
 +
wAhb0RNq1QLkr/0K6KQ=
 +
-----END CERTIFICATE-----
 +
 
 +
The first block is the client's private key, the second block is the client's certificate, and the third block is the CA certificate.  You'll need to split these out into three files.  Name them, for the sake of clarity, user.key, user.crt, and ca.crt.  Save these three files in a location that's accessible to your SME server.  Then you can actually create the PKCS#12 file using this command:
 +
$ openssl pkcs12 -export -in user.crt -inkey user.key -certfile ca.crt -name MyClient -out client.p12
 +
 
 +
You may replace MyClient with whatever client name you wish.  In processing this, openssl will ask for a password; you must enter one.  When the system returns to the shell prompt, your client.p12 file will be ready to use.
 +
 
 +
=====Create .ovpn configuration file=====
 +
The .ovpn configuration file tells the OpenVPN Connect client how to connect to your server.  Begin by logging into the server-manager and going to OpenVPN-Bridge on the left sidebar.  Click the button marked "Display a functional client configuration file."  Copy the text that's shown into your favorite text editor and save it as client.ovpn.  You'll then need to make some changes.
 +
 
 +
First, on the third line, change "dev tap" to "dev tun".  This is required for iOS compatibility.  Second, comment out or remove the line that says "pkcs12 user.p12".  Third, if you want your client to be able to connect without entering a password, comment out or remove the line that says "auth-user-pass".  Finally, add the CA certificate to the end of the file, like this:
 +
 
 +
  <ca>
 +
  -----BEGIN CERTIFICATE-----
 +
  MIIHWjCCBUKgAwIBAgIJAPM30y+H/VCKMA0GCSqGSIb3DQEBBQUAMIHLMQswCQYD
 +
  VQQGEwJVUzEXMBUGA1UECBMOU291dGggQ2Fyb2xpbmExEzARBgNVBAcTCkhhcnRz
 +
  ...
 +
  Wx8wzFUHXwxOlYGsDRK9r/NTlPyiKwV9Z/kxVFSrFR7/FwCu8Ty4dSmsENk7xEzh
 +
  wAhb0RNq1QLkr/0K6KQ=
 +
  -----END CERTIFICATE-----
 +
  </ca>
 +
 
 +
Save this file.
 +
 
 +
=====Install CA and client certificates on your iOS device=====
 +
Email the ca.crt and client.p12 files to an account that your iOS device can reach using the built-in Mail app.  Using the Mail app, open the message and tap on the ca.crt file to open it.  The device will take you through the steps of installing the file, and once it is installed, will return you to the message.  Then tap on the client.p12 file and follow the prompts to install it, including entering the password.  Again, once it is installed, you'll be returned to the email message.
 +
 
 +
=====Importing .ovpn file and configuring connection=====
 +
To configure the OpenVPN Connect app, you'll need to copy the .ovpn file to your device using iTunes.  Open iTunes, select your device, and choose Apps from the left sidebar.  In the right-hand frame, scroll down to the heading "The apps listed below can transfer documents between your iPhone and this computer".  Under that heading, scroll down in the apps list and click on OpenVPN.  Drag and drop the .ovpn file to the right-hand frame, under the heading "OpenVPN Documents."
 +
[[File:Itunes_transfer_ovpn.png]]
 +
 
 +
This will take a moment to sync.  Once that is completed, open the OpenVPN Connect app on your device.  It will inform you that there's a new profile available for import.  On that screen, tap the green + button.
 +
[[File:Openvpn_newprofile.png]]
 +
 
 +
The app will open the profile and indicate that it isn't associated with an identity by showing "None selected".  Tap where it says "None selected" to choose an identity profile.
 +
[[File:Openvpn_importprofile.png]]
 +
 
 +
Next, the app will list your available identity profiles.  Choose the one you want to associate with this OpenVPN connection.
 +
[[File:Openvpn_chooseidentity.png]]
 +
 
 +
Configuration is now complete.  You can connect to your OpenVPN server using the slider on the screen.
    
=== Advanced configuration ===
 
=== Advanced configuration ===
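Review bot: The "Create a PKCS#12 file for the client" section leaves the unencrypted private key on disk, because the downloaded PEM bundle and the split-out user.key are saved "in a location that's accessible to your SME server" and no later step removes them. Add a step after the "openssl pkcs12 -export" command to delete user.key and the PEM bundle once client.p12 exists, and say to keep them readable only by the user running the command in the meantime. The install section then emails client.p12, so the text should state that the export password is the only protection for the key while it sits in the mailbox, recommend a strong password that is passed to the user by some other channel, and tell the reader to delete the message after installation. In the .ovpn section, the option to remove "auth-user-pass" should note that this leaves the client certificate as the only credential for the connection, so a lost or unlocked device is enough to connect until the certificate is revoked.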