Netgate Discussion Forum

    OpenVPN Export for iOS should use .ovpn12 for certs and private key

    6 Posts 3 Posters 1.2k Views
whorfin

      Have a look here:
      https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/

      The way things are currently set up, the private key and cert are saved in the iOS Networking/preferences.plist, and they will show up in plaintext if you ever send a sysdiagnose to Apple.

      You may verify this for yourself by triggering a sysdiagnose on an iOS device which has imported a pfSense profile exported with the exporter "for iOS" into OpenVPN Connect. Grab the sysdiagnose file from the iOS device and unpack. Examine the ProfileContent nodes in

      logs/Networking/com.apple.networkextension.plist
      logs/Networking/preferences.plist
      

      You will find the complete, plaintext content of the .ovpn file.
      If it was in your .ovpn file, it's there.

      By following the recommendations in the OpenVPN link above, only the ca is in the .ovpn file, while the cert and key stay secret in the keystore.

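The check whorfin describes above (pull the plists out of an unpacked sysdiagnose and look for the inline `<ca>`, `<cert>` and `<key>` blocks of the imported profile) can be scripted. The following is an added example for this thread; it is not Netgate, Apple or OpenVPN code. It assumes the layout described in the post (XML or binary plists under `logs/Networking/` whose nested string values hold the `.ovpn` text), and it ships with a constructed sample plist whose PEM bodies are placeholders so it runs offline. `scan_sysdiagnose()` takes the path of an unpacked sysdiagnose directory; the directory name and the key paths it reports are whatever the plists actually contain.

```python
"""Scan an unpacked iOS sysdiagnose for OpenVPN profile material leaked in plists.

Added example for the forum thread; not Netgate, Apple or OpenVPN code.
Assumes: plists under logs/Networking/ whose nested string values carry the
imported .ovpn text (as whorfin reports). SAMPLE_PLIST is constructed and its
PEM bodies are dummies, not real key material.
"""
import os
import plistlib
import re

# Inline-section tags OpenVPN accepts in a profile.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt", "dh")
# Of those, the ones that are client secrets or shared secrets.
SECRET_TAGS = {"cert", "key", "tls-auth", "tls-crypt"}

# Constructed stand-in for logs/Networking/preferences.plist. Angle brackets of
# the inline blocks are XML-escaped because they sit inside a <string> value.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>VPN</key>
  <dict>
    <key>ProfileContent</key>
    <string>client
dev tun
remote vpn.example.com 1194 udp
&lt;ca&gt;
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ==
-----END CERTIFICATE-----
&lt;/ca&gt;
&lt;cert&gt;
-----BEGIN CERTIFICATE-----
MIIBtDCCAVqgAwIBAgIUAA==
-----END CERTIFICATE-----
&lt;/cert&gt;
&lt;key&gt;
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg
-----END PRIVATE KEY-----
&lt;/key&gt;
</string>
  </dict>
</dict>
</plist>
"""


def walk(node, path=()):
    """Yield (key path, leaf value) for every leaf of a nested plist object."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, path + (str(k),))
    elif isinstance(node, (list, tuple)):
        for i, v in enumerate(node):
            yield from walk(v, path + (f"[{i}]",))
    else:
        yield path, node


def inline_sections(text):
    """Return the set of OpenVPN inline <tag>...</tag> blocks present in text."""
    found = set()
    for tag in INLINE_TAGS:
        pat = rf"<{tag}>\s*-----BEGIN .*?-----END [^\n]*?-----\s*</{tag}>"
        if re.search(pat, text, re.S):
            found.add(tag)
    return found


def scan_plist(data):
    """Return [(key path, tags found, holds_secret)] for every string leaf of
    the plist (XML or binary) that contains OpenVPN inline blocks."""
    findings = []
    for path, value in walk(plistlib.loads(data)):
        if isinstance(value, bytes):        # <data> values may also carry text
            try:
                value = value.decode("utf-8")
            except UnicodeDecodeError:
                continue
        if not isinstance(value, str):
            continue
        tags = inline_sections(value)
        if tags:
            findings.append(("/".join(path), tags, bool(tags & SECRET_TAGS)))
    return findings


def scan_sysdiagnose(root):
    """Scan every .plist under <root>/logs/Networking of an unpacked sysdiagnose."""
    results = {}
    for dirpath, _, files in os.walk(os.path.join(root, "logs", "Networking")):
        for name in files:
            if not name.endswith(".plist"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                try:
                    findings = scan_plist(fh.read())
                except Exception:           # not a parseable plist; skip it
                    continue
            if findings:
                results[full] = findings
    return results


if __name__ == "__main__":
    for path, tags, secret in scan_plist(SAMPLE_PLIST):
        flag = "  <-- private material" if secret else ""
        print(f"{path}: {sorted(tags)}{flag}")
```

A hit with `holds_secret` set means the client certificate and private key (or a tls-auth/tls-crypt shared key) were stored in the profile body rather than the Keychain, which is exactly what the `.ovpn12` route avoids.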
viktor_g Netgate @whorfin

        @whorfin
        Redmine issue: https://redmine.pfsense.org/issues/10570

whorfin @viktor_g

          @viktor_g Thank you for reporting that to Redmine.
          The response there:
          If Apple utilities are leaking private data to Apple, that seems like an Apple problem to me.
          seems to miss the point. The OpenVPN docs recommend this for secure iOS export. Why is following the recommendations something to be resisted? At least make it an option, such as "secure key export"?

jimp Rebel Alliance Developer Netgate

If you read the line above that, I said it could be done for the only Apple-specific export format which includes separate files for certificates: the Viscosity bundle.

            The other exports are not intended for Apple platforms or are inline formats which have no separate certificate files to rename.

            It's still an Apple problem. It doesn't matter what OpenVPN recommends, they're working around a braindead move by Apple that leaks your personal data. If Apple decided to start including ovpn12 files, they'd be back in the same boat.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

whorfin @jimp

              @jimp I did read the line above that, but perhaps I should be more clear with my request, then. The only export labeled "iOS" is currently insecure.
              "Please provide an OpenVPN Connect (iOS) export which follows OpenVPN recommendations to store client cert and private key in iOS Keychain"

              I reported this behavior to Apple through enterprise support, and they ultimately responded with the OpenVPN link above. Keychain information ("user secrets") is never reported through sysdiagnose.

While I'm no Apple defender, if anything is braindead here, it's OpenVPN not putting private keys in the keystore by default.

jimp Rebel Alliance Developer Netgate

                The OpenVPN connect app for iOS doesn't even support a bundle with multiple files like described for Viscosity to import automatically. You'd have to manually import the .p12 file into iOS separately from the VPN configuration in multiple steps as described on that link.

                We export the inline configuration because that's what the app accepts to import in one step. If it's insecure, the App shouldn't allow it or should offer to split it and import the keys securely. That's an App problem, not an export problem. We're helping you get the config into the App, that's all.

                If you don't want to do it that way, don't do it that way, but lobby Apple to change their practices and the App designer to support more secure practices.

                We could make an iOS "Bundle" but then the user would need to unzip it and copy all the files manually and do all the import steps individually to import the keys and the config. Seems like a lot of work for everyone (us, the users, etc) when the OS and App should be doing it better.


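The manual route jimp describes (take the inline export, separate the client cert and key from the rest, and import them into the app as a PKCS#12 so they land in the Keychain, leaving a profile that carries only the CA) is mechanical enough to script. The following is an added example; it is not the pfSense exporter and not code from this thread or from OpenVPN. It assumes a standard inline `.ovpn` as the input, delegates the PKCS#12 step to the `openssl` CLI (the function only builds the argv, so the splitting part runs stand-alone), and the sample profile, the `vpn.example.com` remote and the PEM bodies are constructed placeholders.

```python
"""Split an inline OpenVPN export into a CA-only .ovpn plus cert/key for an .ovpn12.

Added example for the forum thread; not the pfSense exporter and not OpenVPN
code. Assumes a standard inline .ovpn as input. SAMPLE_OVPN is constructed;
its PEM bodies are dummies, not real key material.
"""
import re
from pathlib import Path

# File-based directives that would point at the old material and must not
# survive in a profile whose cert/key come from the Keychain.
DROP_DIRECTIVES = ("cert", "key", "pkcs12")

SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBtDCCAVqgAwIBAgIUAA==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def extract_inline(text, tag):
    """Return (block body, text without the block); body is None if absent."""
    m = re.search(rf"^<{tag}>\n(.*?)^</{tag}>\n?", text, re.S | re.M)
    if not m:
        return None, text
    return m.group(1), text[: m.start()] + text[m.end():]


def split_profile(ovpn_text):
    """Return (stripped_ovpn, cert_pem, key_pem).

    The stripped profile keeps everything else (remote, options, <ca>,
    tls-auth/tls-crypt and key-direction); only the client's own cert and key
    leave it. cert/key are None when the profile did not carry them inline.
    """
    cert, text = extract_inline(ovpn_text, "cert")
    key, text = extract_inline(text, "key")
    drop = re.compile(rf"^\s*({'|'.join(DROP_DIRECTIVES)})\s+\S")
    lines = [ln for ln in text.splitlines() if not drop.match(ln)]
    return "\n".join(lines) + "\n", cert, key


def pkcs12_command(cert_path, key_path, ca_path, out_path, name="pfSense client"):
    """Build the openssl argv that bundles cert+key (and the CA) into a PKCS#12.

    Name the output .ovpn12 so OpenVPN Connect for iOS treats it as Keychain
    material. openssl prompts for an export passphrase; use one, since the
    file travels to the phone outside the Keychain.
    """
    return ["openssl", "pkcs12", "-export", "-in", str(cert_path),
            "-inkey", str(key_path), "-certfile", str(ca_path),
            "-name", name, "-out", str(out_path)]


def write_split(ovpn_text, out_dir, stem="client"):
    """Write <stem>.ovpn (CA only), <stem>.crt and <stem>.key into out_dir and
    return the openssl argv that turns the latter two into <stem>.ovpn12."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    stripped, cert, key = split_profile(ovpn_text)
    if cert is None or key is None:
        raise ValueError("profile has no inline <cert>/<key> to move out")
    ca, _ = extract_inline(ovpn_text, "ca")
    (out / f"{stem}.ovpn").write_text(stripped)
    (out / f"{stem}.crt").write_text(cert)
    (out / f"{stem}.key").write_text(key)
    (out / "ca.crt").write_text(ca or "")
    return pkcs12_command(out / f"{stem}.crt", out / f"{stem}.key",
                          out / "ca.crt", out / f"{stem}.ovpn12")


if __name__ == "__main__":
    print(" ".join(write_split(SAMPLE_OVPN, "split-out")))
```

The two resulting files are what the OpenVPN FAQ linked in the first post expects: import the `.ovpn12` first (the app stores it in the Keychain) and then the stripped `.ovpn`; delete the `.crt`/`.key` intermediates afterwards, since they are the very secrets this procedure is meant to keep off disk.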
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.