Netgate Discussion Forum
    OpenVPN for iOS - Finally Available!

    Category: OpenVPN
    52 Posts 17 Posters 43.3k Views

    catfish99

      Just came across the following that no doubt will be of interest to the pfSense community.

      ---

      OpenVPN for iOS http://blog.michael.kuron-germany.de/2013/01/openvpn-for-ios/
      Just wanted to let everyone know that the OpenVPN Connect client for iOS
      has just been released and is now available in the app store.

      This is an official Apple-sanctioned OpenVPN client developed by OpenVPN
      Technologies in collaboration with Apple.

      The client is based on the new C++ OpenVPN core that is also used in the
      OpenVPN Connect client for Android. The C++ core is a portable,
      lightweight class library for building OpenVPN clients and is 100%
      protocol-compatible with the 2.x branch.

      OpenVPN Connect is not based on the classic GPL OpenVPN software (supposedly GPL and App Store are not compatible), but supposed to be fully compatible with any OpenVPN server running version 2.1 or higher (including IPv6 support with servers running the recently-released version 2.3). Supposedly it can even be managed using the “Custom SSL” option in iPhone Configuration Utility.

      Two points I’d like to mention which might temporarily disappoint some people:

      • It currently requires client certificates (but the help promises that that’ll change soon).
      • Layer 2 tap interfaces are not supported. As I noted in my VPN API blog post, iOS provides a utun interface, which only does layer 3.

      Go check it out on the App Store or have a look at Gert Döring’s Google+ post.

      Gert Döring’s Google+ post
      https://plus.google.com/u/0/102486415329787631392/posts/faSspbtGkcW

      OpenVPN Connect (App Store) https://itunes.apple.com/us/app/openvpn-connect/id590379981
      OpenVPN Connect is the official full-featured iPhone/iPad client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.

    jimp (Rebel Alliance Developer, Netgate)

        Now if we can just nail down a config format that it likes and actually works, we can add it to the client export package.

        So far I've had so-so luck with getting it going. It doesn't like anything we currently export. With some manual adjustments it will connect, but then for some reason immediately disconnects itself.

        Short on time or I'd keep banging on it now. If anyone else has success, let us know what was done to get it working for you.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

    jimp (Rebel Alliance Developer, Netgate)

          Pushed a fix to the package to make it work for Android and iOS…

          My disconnect issue was because I was still pushing an IPv6 route to the
          client even though I removed the IPv6 tunnel network (oops).

          I'll write up a howto tomorrow, but the short version is:

          Use the inline export in export pkg v 0.29 or later, either e-mail it to yourself or use the iTunes drag-n-drop method.

    asterix

            Tested... works!!

            Been waiting for this for a real long time. Family in middle east can now connect to my network with their iPhones and iPods.

    jimp (Rebel Alliance Developer, Netgate)

              Yep, that might be the nail in the coffin for people holding out using PPTP and mobile IPsec on iOS…

    Slam

                Nice find!

                Works nicely with my site-2-site PKI. As the export utility doesn't work for this type of setup, I took Jim's tips and imported the needed files with iTunes.

                You need:
                1) client1.ca *
                2) client1.cert
                3) client1.tls.auth
                4) client1.conf

                For testing only I copied files from an existing OVPN client, which are found in "/var/etc/openvpn". I renamed client1.conf to client1.ovpn and it worked fine once imported. The only thing I need to do now is create unique files for my iPhone, otherwise I'll have duplicate OVPN client IPs (as is always the case when copying these files to use for multiple clients).

                * Not sure if this is needed, maybe someone else can comment?
    jasonlitka

                  Boo…  No tap...

                  I can break anything.

    jimp (Rebel Alliance Developer, Netgate)

                    The android client also doesn't have tap.

                    It's mostly due to the OS in both cases, not much the client can do about it.

                    Unrelated to that, but I added a howto for the iOS client here today:
                    http://doc.pfsense.org/index.php/OpenVPN_on_iOS

    aleksandarm

                      I had to slightly modify the exported configuration file. Replaced "option tcp-client" with "option tcp", and OpenVPN imported the configuration file. It is working flawlessly.

                      Thank you!

    jasonlitka

                        @jimp:

                        The android client also doesn't have tap.

                        It's mostly due to the OS in both cases, not much the client can do about it.

                        Unrelated to that, but I added a howto for the iOS client here today:
                        http://doc.pfsense.org/index.php/OpenVPN_on_iOS

                        Figures…  All I want is to be able to watch my TiVo while away from home...  I know it's possible with a jailbreak.

                        Anyway, can you provide directions on what server options to use with an iOS device? I set up OVPN on one of my boxes and it connects, but I can't see any devices on the other side or get any Internet access (I enabled the option to force all traffic through the tunnel).

    lyserge

                          Hi, great news!

                          It was easy to set up and the connections are stable. Tried with two iOS devices with Netflix and internet radio for a couple of hours  8)

                          I just had to check the logs and I see the following error every time a user connects (it works, but I'm curious why, and whether this is a real error in my config):

                          Jan 19 14:11:22 openvpn[17791]: username/xx.xx.217.243:60904 send_push_reply(): safe_cap=960
                          Jan 19 14:11:21 openvpn[17791]: username/xx.xx.217.243:60904 MULTI_sva: pool returned IPv4=xx.xx.xx.6, IPv6=::x
                          Jan 19 14:11:21 openvpn[17791]: xx.xx.217.243:60904 [username] Peer Connection Initiated with [AF_INET]xx.xx.217.243:60904
                          Jan 19 14:11:20 openvpn: user username authenticated
                          Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
                          Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
                          Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
                          Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
                          Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
                          Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
                          Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
                          Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
                          Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
                          Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #42 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
                          Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
                          Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
                          Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
                          Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
                          Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
                          Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
                          Jan 19 14:10:59 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
                          Jan 19 14:10:59 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
                          Jan 19 14:10:58 openvpn[17791]: xx.xx.217.243:60904 LZO compression initialized
                          Jan 19 14:10:58 openvpn[17791]: xx.xx.217.243:60904 Re-using SSL/TLS context

                          I have put 'mute-replay-warnings' in my configs but those messages stay…

                          pfSense 2.0.3 nanoBSD (i386) on Soekris net5501

    georgeman

                            It works flawlessly for me. I also succeeded in importing the cert and key into the iOS keychain without issues. You have to use the command line to create a .p12 password-protected file containing both the certificate and the private key, then import it onto iOS via the Mail app. Then you have to edit the inline config that pfSense exported and remove the "cert" and "key" sections, but leave the "ca" section. When you import this "certless" .ovpn file, the client will ask for an installed certificate and voila!!

                            It's all explained on the "help" option within the app  ;)

                            It would be great to add these 2 items to the OpenVPN Client Export package:

                            • Ability to export the "certless" and "keyless" OpenVPN inline config
                            • Ability to export the password protected .p12 file

                            Cheers!!

                            EDIT: in fact, the help says that you should be able to embed the CA cert onto the .p12 file as well using the "-certfile" option, but it didn't work for me. The app complained about the CA cert being in the incorrect format. So I left it on the .ovpn file. Perhaps anyone got it right?

                            If it ain't broke, you haven't tampered enough with it

    jdetmold

                              Works great for me. But is there any way to send all data through OpenVPN on iPhone?

    georgeman

                                @jdetmold:

                                Works great for me. But is there any way to send all data through OpenVPN on iPhone?

                                Yup! Just add the following to the config file before importing:

                                redirect-gateway
                                

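As an added example (not pfSense's client export package and not the OpenVPN Connect app's code), the following Python script performs the profile edits reported in this thread in one place: it bundles the separate files Slam lists into a single inline profile, the form jimp's inline export produces; strips the <cert> and <key> blocks for georgeman's keychain-backed "certless" profile while keeping <ca>; rewrites the "proto tcp-client" line to "proto tcp" as aleksandarm did; and adds "redirect-gateway" as georgeman suggests. The file names, hostname and PEM contents are placeholders, and a client private key file is assumed alongside the files Slam names.

```python
"""Prepare an OpenVPN inline .ovpn profile for the OpenVPN Connect iOS client.

Added example for this thread, not pfSense's client export package. It performs
the hand edits posters reported: bundle separate files into one inline profile,
drop <cert>/<key> for the keychain-backed "certless" profile, turn
'proto tcp-client' into 'proto tcp', and add 'redirect-gateway'.
"""
import re

# Constructed sample: a file-based client config like the ones found under
# /var/etc/openvpn on pfSense. File names and hostname are assumptions.
SAMPLE_CONF = """\
client
dev tun
proto tcp-client
remote vpn.example.org 1194
ca client1.ca
cert client1.cert
key client1.key
tls-auth client1.tls.auth 1
persist-key
persist-tun
verb 3
"""

# Placeholder PEM material standing in for the real files (not real keys).
SAMPLE_FILES = {
    "client1.ca": "-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client1.cert": "-----BEGIN CERTIFICATE-----\nCLIENT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client1.key": "-----BEGIN PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client1.tls.auth": "-----BEGIN OpenVPN Static key V1-----\nTA-PLACEHOLDER\n-----END OpenVPN Static key V1-----\n",
}

# Directives that name a file and can be carried inline as <tag>...</tag> blocks.
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth")


def build_inline(conf: str, files: dict) -> str:
    """Bundle 'ca/cert/key/tls-auth <file>' lines into inline blocks.

    'tls-auth <file> <dir>' also becomes 'key-direction <dir>', which is how
    the inline form carries the key direction.
    """
    kept, blocks = [], []
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] in FILE_DIRECTIVES:
            tag = parts[0]
            blocks.append(f"<{tag}>\n{files[parts[1]].rstrip()}\n</{tag}>")
            if tag == "tls-auth" and len(parts) > 2:
                kept.append(f"key-direction {parts[2]}")
            continue
        kept.append(line)
    return "\n".join(kept + blocks) + "\n"


def strip_blocks(profile: str, tags=("cert", "key")) -> str:
    """Drop the given inline blocks; the default makes the "certless" profile.

    <ca> stays so the server certificate is still verified; the client identity
    is then supplied by a .p12 installed in the iOS keychain.
    """
    out, skipping = [], None
    for line in profile.splitlines():
        s = line.strip()
        if skipping is not None:
            if s == f"</{skipping}>":
                skipping = None
            continue
        opening = re.fullmatch(r"<([a-z-]+)>", s)
        if opening and opening.group(1) in tags:
            skipping = opening.group(1)
            continue
        out.append(line)
    return "\n".join(out) + "\n"


def ios_adjust(profile: str, redirect_gateway: bool = False) -> str:
    """Edits reported in the thread: 'proto tcp-client' -> 'proto tcp', and
    optionally 'redirect-gateway' so all traffic is sent through the tunnel."""
    lines = ["proto tcp" if l.strip() == "proto tcp-client" else l
             for l in profile.splitlines()]
    if redirect_gateway and not any(l.split()[:1] == ["redirect-gateway"] for l in lines):
        # keep plain directives ahead of the inline blocks
        first_block = next((i for i, l in enumerate(lines) if l.startswith("<")), len(lines))
        lines.insert(first_block, "redirect-gateway")
    return "\n".join(lines) + "\n"


def private_key_present(profile: str) -> bool:
    """Check before e-mailing a profile or putting it in Dropbox: a certless
    profile must carry neither a <key> block nor PEM private-key material."""
    return "<key>" in profile or "PRIVATE KEY-----" in profile


if __name__ == "__main__":
    inline = build_inline(SAMPLE_CONF, SAMPLE_FILES)
    certless = ios_adjust(strip_blocks(inline), redirect_gateway=True)
    print(certless)
```

The .p12 for the keychain is produced separately with OpenSSL, for example `openssl pkcs12 -export -in client1.cert -inkey client1.key -certfile client1.ca -out client1.p12`, which asks for an export password; georgeman reports that the CA added via -certfile did not import for him, so the <ca> block is kept in the profile. Run private_key_present() on the certless profile before sending it anywhere: the point of the keychain route is that the private key never travels inside the .ovpn.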
    jdetmold

                                  @georgeman:

                                  @jdetmold:

                                  Works great for me. But is there any way to send all data through OpenVPN on iPhone?

                                  Yup! Just add the following to the config file before importing:

                                  redirect-gateway
                                  

                                  thanks a lot!

    AhnHEL

                                    @lyserge:

                                    I have put the 'mute-replay-warnings' in my config's but those messages stays…

                                    Lyserge, have you tried "verb 1" in your config?

                                    AhnHEL (Angel)

    jimp (Rebel Alliance Developer, Netgate)

                                      The number one suspect for repeated replay warnings is a mismatched clock between the two nodes.

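To check jimp's suspect against a server log like lyserge's, here is an added Python example (not pfSense code or anything from the thread): it parses the "bad packet ID (may be a replay)" lines and, per peer, reports how often each packet ID was rejected and how far the packet's own embedded timestamp is from the time the server logged it. A packet time that sits minutes away from the receive time means the two clocks disagree; the same ID repeating with the same embedded time and a small offset means the same packet arrived more than once (a retransmission or an actual replay). The sample lines are constructed after the log above, with the masked addresses kept and reordered oldest first; the 60-second threshold in classify() is an assumption.

```python
"""Check OpenVPN "bad packet ID (may be a replay)" server log lines.

Added example for this thread (not pfSense code). For each peer it counts how
often the same packet ID is rejected and how far the packet's own timestamp is
from the time the server logged it, which is the clock-mismatch check.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample modelled on the thread's log, oldest line first.
SAMPLE_LOG = """\
Jan 19 14:10:58 openvpn[17791]: xx.xx.217.243:60904 Re-using SSL/TLS context
Jan 19 14:10:59 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:10:59 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #42 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:21 openvpn[17791]: username/xx.xx.217.243:60904 MULTI_sva: pool returned IPv4=xx.xx.xx.6, IPv6=::x
"""

REPLAY_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) openvpn\[\d+\]: "
    r"(?P<peer>\S+) Authenticate/Decrypt packet error: bad packet ID \(may be a replay\): "
    r"\[ #(?P<pid>\d+) / time = \((?P<epoch>\d+)\) (?P<ctime>[^\]]+?) \]"
)


def parse_replay_events(log: str) -> list:
    """Extract peer, packet ID, log time and packet time from matching lines."""
    events = []
    for line in log.splitlines():
        m = REPLAY_RE.match(line)
        if not m:
            continue
        # OpenVPN renders the packet timestamp in server-local time, the same
        # zone syslog uses, so the two wall-clock values compare directly.
        pkt_dt = datetime.strptime(m["ctime"], "%a %b %d %H:%M:%S %Y")
        # syslog lines carry no year; borrow it from the packet timestamp
        log_dt = datetime.strptime(
            f"{m['mon']} {m['day']} {m['hms']} {pkt_dt.year}", "%b %d %H:%M:%S %Y")
        events.append({
            "peer": m["peer"],
            "pid": int(m["pid"]),
            "log_dt": log_dt,
            "pkt_dt": pkt_dt,
            "skew": int((log_dt - pkt_dt).total_seconds()),
        })
    return events


def summarize(events: list) -> dict:
    """Per peer: total rejections, IDs seen more than once, and the skew range."""
    by_peer = defaultdict(list)
    for e in events:
        by_peer[e["peer"]].append(e)
    report = {}
    for peer, evs in by_peer.items():
        counts = Counter(e["pid"] for e in evs)
        skews = [e["skew"] for e in evs]
        report[peer] = {
            "rejected": len(evs),
            "duplicates": {pid: n for pid, n in counts.items() if n > 1},
            "skew_min": min(skews),
            "skew_max": max(skews),
        }
    return report


def classify(peer_report: dict, clock_threshold: int = 60) -> str:
    """Heuristic (the threshold is an assumption): a packet timestamp far from
    the receive time means the clocks disagree; IDs repeating with a small
    skew mean the same packet arrived more than once."""
    if max(abs(peer_report["skew_min"]), abs(peer_report["skew_max"])) >= clock_threshold:
        return "clock-mismatch"
    if peer_report["duplicates"]:
        return "duplicate-packets"
    return "inconclusive"


if __name__ == "__main__":
    for peer, r in summarize(parse_replay_events(SAMPLE_LOG)).items():
        print(peer, r, classify(r))
```

Feed it the server log from Status > System Logs > OpenVPN (or /var/log/openvpn.log) after a connection attempt; if every peer shows a skew of a few seconds, the clocks are not the problem and the repeated IDs are worth looking at instead.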
    lyserge

                                        @jimp:

                                        The number one suspect for repeated replay warnings is a mismatched clock between the two nodes.

                                        Should I also check the time/date in the BIOS of my Soekris net5501 (with crypto card) ?  :-\

                                        pfSense and my laptop are configured with time.euro.apple.com and are in sync with my iPhone 4 (tried to manually set the time, reboot etc.).

                                        Every connection has very similar logs, the connection time is always 21 seconds and bad packet ID #3 and #43 is shown every time in the serverlogs.

                                        Running OpenVPN server on UDP/443. CA and server/user certs are 2048-bit (RSA+SHA1).

                                        pfSense WebConfigurator running on custom port…

    johnpoz (LAYER 8, Global Moderator)

                                          This freaking ROCKS!!!!  I have been waiting for this for a while..  Works great - bing bang zoom.  I just used dropbox to get my inline config to my ipad.

                                          Seems it does not support TCP though? I tried my TCP config and it gave an error about proto tcp. But works like a champ using UDP.

                                          Thanks!!!! And great doc as well. I would add the Dropbox option as a way to get your .ovpn file to your device – oh, I can edit docs, might have to add that. Again thanks, this is SWEET!

                                          Now I just have to see if I can get IPv6 over OpenVPN working.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

    jimp (Rebel Alliance Developer, Netgate)

                                            It does support TCP but read back a few posts for the edit to make so it works.

                                            I will have to make separate inline export options for iOS and "everything else" since this client seems to have a lot of quirks with what it accepts, and there's no need to nerf the other platforms because this one hasn't (yet) caught up.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.