Magnus Wedberg / home

How to use iDevices and OpenVPN with your IPCop
IPCop has a built-in OpenVPN server. There is an iOS client available. This should be nice to combine, but actually, it's pretty hard to generate a compatible certificate. I'll walk you through it.

The following information concerns IPCop 2.x, but 1.x with Zerina should be very similar, save for some easily guessed paths.

What you need

  • A properly configured IPCop machine/OpenVPN host (meaning, already working with roadwarrior PC clients)
  • A certificate for the iDevice you want to configure
  • SSH access to the IPCop box

Without this and some very basic knowledge, you won't succeed.

2016 update: a script to do it for you
So I got tired of doing this manually and created a script to generate the cert. Copy it to a location and filename of your choice on the firewall, chmod u+x your_filename, and then change the lines as needed: IP, comp-lzo (remove the line if you don't use compression), and MTU. The script generates .ovpn files in the current directory from the proper certificates. This script works for 2048-bit certs; older/other certs need other head/tail numbers.

The problem
IPCop generates a .p12 (PKCS #12) certificate/key combination file and a separate .ovpn configuration file. The iOS client needs the client certificate, CA certificate, and private key integrated into a single settings file.

Its solution
First, go grab the YourCert.p12 file (located in /var/ipcop/openvpn/certs) and copy it somewhere it won't disturb anything, such as /root/newcert/.

Then, go to that directory and enter the following commands:

openssl pkcs12 -in YourCert.p12 -out new.cert.pem -clcerts -nokeys
openssl pkcs12 -in YourCert.p12 -out new.key.pem -nocerts -nodes

Grab the data from the various files and put them into a single file. Places are indicated below. The quoted text is tested as iOS compatible and should be your complete .ovpn file (with your data inserted of course):

tls-client
client
dev tun
proto udp
remote your.domain.or.ip.here 1194
resolv-retry infinite
nobind
persist-key
tun-mtu 1500
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
GIBBERISH FROM THE FILE /var/ipcop/ca/cacert.pem HERE
Can also be found in web interface, VPNs/CA/show info for "Root certificate" (i button)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
GIBBERISH FROM new.cert.pem GENERATED ABOVE HERE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
GIBBERISH FROM new.key.pem GENERATED ABOVE HERE
-----END PRIVATE KEY-----
</key>

Then, import the .ovpn file in iTunes under the OpenVPN Connect application (upload as a file). Import in the app and we're finished!
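
The manual steps above as one shell script. This is an added example, not the author's 2016 script (which is not reproduced on this page). The function names, the CA_PEM variable and the use of mktemp are assumptions of this example; the directives and the CA path are the ones given above.

```shell
#!/bin/sh
# Added example, not the author's script: build an iOS-ready .ovpn from an
# IPCop .p12. Usage: ./mkprofile.sh YourCert.p12 your.domain.or.ip > YourCert.ovpn
umask 077                                   # -nodes output is an unencrypted key
CA_PEM=${CA_PEM:-/var/ipcop/ca/cacert.pem}  # CA path as given on the page

# Print only the first PEM block of a file, dropping the "Bag Attributes"
# (or other text) that openssl writes around it.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1" | sed '/^-----END /q'
}

# Emit the profile: the page's directives, then the three inline blocks.
build_ovpn() {  # args: remote ca.pem cert.pem key.pem
    cat <<EOF
tls-client
client
dev tun
proto udp
remote $1 1194
resolv-retry infinite
nobind
persist-key
tun-mtu 1500
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
key-direction 1
EOF
    printf '<ca>\n';   pem_block "$2"; printf '</ca>\n'
    printf '<cert>\n'; pem_block "$3"; printf '</cert>\n'
    printf '<key>\n';  pem_block "$4"; printf '</key>\n'
}

# Run the page's two openssl commands in a private temp dir, then assemble.
make_profile() {  # args: file.p12 remote
    tmp=$(mktemp -d) || return 1
    openssl pkcs12 -in "$1" -out "$tmp/cert.pem" -clcerts -nokeys &&
    openssl pkcs12 -in "$1" -out "$tmp/key.pem" -nocerts -nodes &&
    build_ovpn "$2" "$CA_PEM" "$tmp/cert.pem" "$tmp/key.pem"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ "$#" -eq 2 ]; then make_profile "$@"; fi
```

openssl asks for the .p12 import password twice, once per extraction. The resulting .ovpn file contains the unencrypted private key, so store and transfer it with the same care as the key itself.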

