OpenVPN Export for iOS should use .ovpn12 for certs and private key



  • Have a look here:
    https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/

    The way things are currently set up, the private key and cert are saved in the iOS Networking/preferences.plist, and they will show up in plaintext if you ever send a sysdiagnose to Apple.

    You may verify this for yourself by triggering a sysdiagnose on an iOS device which has imported a pfSense profile exported with the exporter "for iOS" into OpenVPN Connect. Grab the sysdiagnose file from the iOS device and unpack it. Examine the ProfileContent nodes in

    logs/Networking/com.apple.networkextension.plist
    logs/Networking/preferences.plist
    

    You will find the complete, plaintext content of the .ovpn file.
    If it was in your .ovpn file, it's there.

    By following the recommendations in the OpenVPN link above, only the ca is in the .ovpn file, while the cert and key stay secret in the keystore.


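The check described in the post above, as an added example that is not part of the original post: it walks an unpacked sysdiagnose plist, finds every ProfileContent value and reports whether the stored profile still carries an inline cert or private key, without printing the material itself. It assumes ProfileContent appears as a dictionary key holding the profile as a string or data value; the sample plist, host name and PEM placeholders are constructed.

```python
import plistlib
import re
import sys

# Inline .ovpn sections the post is concerned with (checked in this order).
PATTERNS = {
    "inline <cert> block": re.compile(r"<cert>.*?</cert>", re.S),
    "inline <key> block": re.compile(r"<key>.*?</key>", re.S),
    "PEM private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def iter_profile_content(node, path=""):
    """Yield (path, text) for every ProfileContent value in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key == "ProfileContent" and isinstance(value, (str, bytes)):
                if isinstance(value, bytes):  # <data> nodes load as bytes
                    value = value.decode("utf-8", "replace")
                yield here, value
            else:
                yield from iter_profile_content(value, here)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_profile_content(value, f"{path}[{i}]")

def audit_plist(data):
    """Return [(path, [finding, ...])] for a plist (XML or binary) given as bytes."""
    return [(path, [name for name, rx in PATTERNS.items() if rx.search(text)])
            for path, text in iter_profile_content(plistlib.loads(data))]

# Constructed sample: one profile with everything inline, one with only the CA.
_INLINE = ("client\nremote vpn.example.com 1194\n<ca>\nCA-PEM\n</ca>\n"
           "<cert>\nCERT-PEM\n</cert>\n<key>\n-----BEGIN PRIVATE KEY-----\n"
           "PLACEHOLDER\n-----END PRIVATE KEY-----\n</key>\n")
_CA_ONLY = "client\nremote vpn.example.com 1194\n<ca>\nCA-PEM\n</ca>\n"
SAMPLE = plistlib.dumps({"Profiles": [
    {"Name": "inline", "ProfileContent": _INLINE},
    {"Name": "keychain", "ProfileContent": _CA_ONLY.encode()},
]})

if __name__ == "__main__":
    # Usage: python audit.py logs/Networking/preferences.plist ...
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE]
    for blob in blobs:
        for path, hits in audit_plist(blob):
            print(path, "->", ", ".join(hits) or "no inline cert/key found")
```

Run it against both plist paths named in the post; an empty finding list for a profile means only non-secret sections such as the CA were stored in it.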