OpenVPN Export for iOS should use .ovpn12 for certs and private key
-
Have a look here:
https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/
The way things are currently set up, the private key and cert are saved in the iOS Networking/preferences.plist, and they will show up in plaintext if you ever send a sysdiagnose to Apple. You may verify this for yourself by triggering a sysdiagnose on an iOS device which has imported a pfSense profile exported with the exporter "for iOS" into OpenVPN Connect. Grab the sysdiagnose file from the iOS device and unpack. Examine the ProfileContent nodes in logs/Networking/com.apple.networkextension.plist and logs/Networking/preferences.plist
You will find the complete, plaintext content of the .ovpn file.
If it was in your .ovpn file, it's there. By following the recommendations in the OpenVPN link above, only the ca is in the .ovpn file, while the cert and key stay secret in the keystore. -
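The two checks the first post describes can be scripted. The block below is an added example, not pfSense's exporter code nor anything from the OpenVPN FAQ: it audits a profile blob (an exported .ovpn, or the text of a ProfileContent node copied out of a sysdiagnose plist) for embedded private-key material, then splits an inline export into a .ovpn that carries only the CA plus a separate PKCS#12 bundle for the client cert and key, which is the layout the FAQ recommends. The sample profile is constructed with placeholder PEM bodies, not real certificates or keys; the PKCS#12 step assumes an `openssl` binary on PATH and returns None if it is missing.

```python
"""Added example: audit a pfSense "OpenVPN Connect (iOS)" inline export for
embedded private keys and split it into CA-only .ovpn + .ovpn12 (PKCS#12)."""
import re
import shutil
import subprocess
from pathlib import Path

# Inline PEM sections exactly as OpenVPN writes them: <tag> ... </tag> on their own lines.
INLINE_BLOCK = re.compile(
    r"^<(?P<tag>ca|cert|key|tls-auth|tls-crypt)>\n(?P<body>.*?)^</(?P=tag)>\n?",
    re.S | re.M,
)
# File-based equivalents that would point at a cert/key outside the profile.
FILE_DIRECTIVE = re.compile(r"^(?:cert|key|pkcs12)[ \t]+\S.*\n?", re.M)
# Any PEM private-key header, encrypted or not.
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")


def audit(text):
    """Report what a profile (or a plist node holding one) exposes in plaintext."""
    tags = {m.group("tag") for m in INLINE_BLOCK.finditer(text)}
    return {
        "inline_blocks": sorted(tags),
        "has_private_key": bool(PRIVATE_KEY.search(text)),
        "has_client_cert": "cert" in tags,
    }


def split_inline_ovpn(text):
    """Return (profile_with_only_ca, pem_blocks).

    Keeps <ca> (and a shared tls-auth/tls-crypt key, which is not the client's
    identity) but drops <cert>, <key> and any cert/key/pkcs12 file directives,
    so only the CA remains in the .ovpn and the identity can live in the Keychain."""
    blocks = {m.group("tag"): m.group("body") for m in INLINE_BLOCK.finditer(text)}
    stripped = INLINE_BLOCK.sub(
        lambda m: "" if m.group("tag") in ("cert", "key") else m.group(0), text
    )
    stripped = FILE_DIRECTIVE.sub("", stripped)
    return stripped, blocks


def build_ovpn12(blocks, out_dir, passphrase):
    """Bundle client cert + key (+ CA chain) into out_dir/client.ovpn12.

    Assumption: an `openssl` binary is on PATH; returns None when it is not.
    The passphrase is fed on stdin rather than on the command line so it does
    not show up in the process list."""
    if shutil.which("openssl") is None:
        return None
    out_dir = Path(out_dir)
    for name in ("ca", "cert", "key"):
        (out_dir / f"{name}.pem").write_text(blocks[name])
    p12 = out_dir / "client.ovpn12"
    subprocess.run(
        ["openssl", "pkcs12", "-export",
         "-in", str(out_dir / "cert.pem"), "-inkey", str(out_dir / "key.pem"),
         "-certfile", str(out_dir / "ca.pem"), "-out", str(p12),
         "-passout", "stdin"],
        input=passphrase + "\n", text=True, check=True,
    )
    (out_dir / "key.pem").unlink()  # do not leave the bare key on disk
    return p12


# Constructed sample resembling a pfSense inline export; PEM bodies are
# placeholders (base64 of the word "placeholder..."), not real material.
SAMPLE_OVPN = """\
client
dev tun
proto udp4
remote vpn.example.com 1194 udp4
verify-x509-name "vpn.example.com" name
<ca>
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgQ0EgY2VydGlmaWNhdGU=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgY2xpZW50IGNlcnRpZmljYXRl
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXIgcHJpdmF0ZSBrZXk=
-----END PRIVATE KEY-----
</key>
"""

if __name__ == "__main__":
    print("as exported:", audit(SAMPLE_OVPN))
    ca_only, pem = split_inline_ovpn(SAMPLE_OVPN)
    print("after split:", audit(ca_only))
    # On a real export: build_ovpn12(pem, "out", "import-passphrase")
```

Run `audit()` over the ProfileContent text from a sysdiagnose to confirm what the device actually stored; `has_private_key` should be False once the split profile is in use. Note that the sample's placeholder PEM will not pass `openssl pkcs12`, so `build_ovpn12` is only meaningful on a real export.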
@whorfin
Redmine issue: https://redmine.pfsense.org/issues/10570 -
@viktor_g Thank you for reporting that to Redmine.
The response there:
If Apple utilities are leaking private data to Apple, that seems like an Apple problem to me.
seems to miss the point. The OpenVPN docs recommend this for secure iOS export. Why is following the recommendations something to be resisted? At least make it an option, such as "secure key export"? -
If you read the line above that, I said it could be done for the only Apple-specific export format which includes separate files for certificates: The viscosity bundle.
The other exports are not intended for Apple platforms or are inline formats which have no separate certificate files to rename.
It's still an Apple problem. It doesn't matter what OpenVPN recommends, they're working around a braindead move by Apple that leaks your personal data. If Apple decided to start including ovpn12 files, they'd be back in the same boat.
-
@jimp I did read the line above that, but perhaps I should be more clear with my request, then. The only export labeled "iOS" is currently insecure.
"Please provide an OpenVPN Connect (iOS) export which follows OpenVPN recommendations to store client cert and private key in iOS Keychain"
I reported this behavior to Apple through enterprise support, and they ultimately responded with the OpenVPN link above. Keychain information ("user secrets") is never reported through sysdiagnose.
While I'm no Apple defender, if anything is braindead here, it's OpenVPN not putting private keys in the keystore by default.
-
The OpenVPN Connect app for iOS doesn't even support a bundle with multiple files as described for Viscosity to import automatically. You'd have to manually import the .p12 file into iOS separately from the VPN configuration in multiple steps as described on that link.
We export the inline configuration because that's what the app accepts to import in one step. If it's insecure, the App shouldn't allow it or should offer to split it and import the keys securely. That's an App problem, not an export problem. We're helping you get the config into the App, that's all.
If you don't want to do it that way, don't do it that way, but lobby Apple to change their practices and the App designer to support more secure practices.
We could make an iOS "Bundle" but then the user would need to unzip it and copy all the files manually and do all the import steps individually to import the keys and the config. Seems like a lot of work for everyone (us, the users, etc) when the OS and App should be doing it better.