OpenVPN for iOS - Finally Available!
-
Just came across the following that no doubt will be of interest to the PfSense community.
–-
OpenVPN for iOS http://blog.michael.kuron-germany.de/2013/01/openvpn-for-ios/
Just wanted to let everyone know that the OpenVPN Connect client for iOS
has just been released and is now available in the app store.This is an official Apple-sanctioned OpenVPN client developed by OpenVPN
Technologies in collaboration with Apple.The client is based on the new C++ OpenVPN core that is also used in the
OpenVPN Connect client for Android. The C++ core is a portable,
lightweight class library for building OpenVPN clients and is 100%
protocol-compatible with the 2.x branch.OpenVPN Connect is not based on the classic GPL OpenVPN software (supposedly GPL and App Store are not compatible), but supposed to be fully compatible with any OpenVPN server running version 2.1 or higher (including IPv6 support with servers running the recently-released version 2.3). Supposedly it can even be managed using the “Custom SSL” option in iPhone Configuration Utility.
Two points I’d like to mention which might temporarily disappoint some people:
• It currently requires client certificates (but the help promises that that’ll change soon).
• Layer 2 tap interfaces are not supported. As I noted in my VPN API blog post, iOS provides a utun interface, which only does layer 3.Go check it out on the App Store or have a look at Gert Döring’s Google+ post.
Gert Döring’s Google+ post
https://plus.google.com/u/0/102486415329787631392/posts/faSspbtGkcWOpenVPN Connect (App Store) https://itunes.apple.com/us/app/openvpn-connect/id590379981
OpenVPN Connect is the official full-featured iPhone/iPad client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc. -
Now if we can just nail down a config format that it likes and actually works, we can add it to the client export package.
So far I've had so-so luck with getting it going. It doesn't like anything we current export, but with some manual adjustments it will connect, but then for some reason immediately disconnects itself.
Short on time or I'd keep banging on it now. If anyone else has success, let us know what was done to get it working for you.
-
Pushed a fix to the package to make it work for Android and iOS…
My disconnect issue was because I was still pushing an IPv6 route to the
client even though I removed the IPv6 tunnel network (oops).I'll write up a howto tomorrow, but the short version is:
Use the inline export in export pkg v 0.29 or later, either e-mail it to yourself or use the iTunes drag-n-drop method.
-
Tested.. works !!
Been waiting for this for a real long time. Family in middle east can now connect to my network with their iPhones and iPods.
-
Yep, that might be the nail in the coffin for people holding out using PPTP and mobile IPsec on iOS…
-
Nice find!
Works nicely with my site-2-site pki, as the export utility doesnt work for this type of setup, I took Jim's tips and imported the needed files with iTunes.
You need 1) *client1.ca, 2) client1.cert, 3) client1.tls.auth and also 4) client1.conf
For testing only I copied files from an existing ovpn client which is found in "/var/etc/openvpn". I renamed the client1.conf to client1.ovpn and it worked fine once imported, the only thing I need to do now is create unique files for my iphone, otherwise Ill have duplicate ovpn client IP's (as is always the case when copying these files to use for multiple clients).
- Not sure if this is need, maybe someone else can comment?.
-
Boo… No tap...
-
The android client also doesn't have tap.
It's mostly due to the OS in both cases, not much the client can do about it.
Unrelated to that, but I added a howto for the iOS client here today:
http://doc.pfsense.org/index.php/OpenVPN_on_iOS -
I had to slightly modify the exported configuration file. Replaced "option tcp-client", with "option tcp", and OpenVPN imported the configuration file. It is working flawlessly.
Thank you!
-
The android client also doesn't have tap.
It's mostly due to the OS in both cases, not much the client can do about it.
Unrelated to that, but I added a howto for the iOS client here today:
http://doc.pfsense.org/index.php/OpenVPN_on_iOSFigures… All I want is to be able to watch my TiVo while away from home... I know it's possible with a jailbreak.
Anyway, can you provide directions on what server options to use with an iOS device? I setup OVPN on one of my boxes and it connects but I can't see any devices on the other side or get any Internet access (I enabled the option to force all traffic through the tunnel).
-
Hi, great news!
It was easy to set-up and the connections are stable. Tried with two iOS devices with Netflix and internet radio for a couple of hours 8)
I just had to check the logs and I see the following error every time a user connect (it works, but I'm curious why and if this is a real error in my config):
Jan 19 14:11:22 openvpn[17791]: username/xx.xx.217.243:60904 send_push_reply(): safe_cap=960
Jan 19 14:11:21 openvpn[17791]: username/xx.xx.217.243:60904 MULTI_sva: pool returned IPv4=xx.xx.xx.6, IPv6=::x
Jan 19 14:11:21 openvpn[17791]: xx.xx.217.243:60904 [username] Peer Connection Initiated with [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:20 openvpn: user username authenticated
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #43 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:19 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #42 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:11:05 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:10:59 openvpn[17791]: xx.xx.217.243:60904 TLS Error: incoming packet authentication failed from [AF_INET]xx.xx.217.243:60904
Jan 19 14:10:59 openvpn[17791]: xx.xx.217.243:60904 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1358601056) Sat Jan 19 14:10:56 2013 ]
Jan 19 14:10:58 openvpn[17791]: xx.xx.217.243:60904 LZO compression initialized
Jan 19 14:10:58 openvpn[17791]: xx.xx.217.243:60904 Re-using SSL/TLS contextI have put the 'mute-replay-warnings' in my config's but those messages stays…
-
It works flawlessly for me. I also succeded in importing the cert and key into the iOS keychain without issues. You have to use the command line to create a .p12 password protected file containing both the certificate and the private key, then import it onto iOS via the Mail app. Then you have to edit the inline config that pfSense exported and remove the "cert" and "key" sections, but leave the "ca" section. When you import this "certless" .ovpn file, the client will ask for an installed certificate and voila!!
It's all explained on the "help" option within the app ;)
It would be great to add these 2 items to the OpenVPN Client Export package:
- Ability to export the "certless" and "keyless" OpenVPN inline config
- Ability to export the password protected .p12 file
Cheers!!
EDIT: in fact, the help says that you should be able to embed the CA cert onto the .p12 file as well using the "-certfile" option, but it didn't work for me. The app complained about the CA cert being in the incorrect format. So I left it on the .ovpn file. Perhaps anyone got it right?
-
Works great for me. But is there any way to send all data through OpenVPN on iPhone?
-
Works great for me. But is there any way to send all data through OpenVPN on iPhone?
Yup! Just add the following to the config file before importing:
redirect-gateway
-
Works great for me. But is there any way to send all data through OpenVPN on iPhone?
Yup! Just add the following to the config file before importing:
redirect-gateway
thanks a lot!
-
I have put the 'mute-replay-warnings' in my config's but those messages stays…
Lyserge, have you tried "verb 1" in your config?
-
The number one suspect for repeated replay warnings is a mismatched clock between the two nodes.
-
The number one suspect for repeated replay warnings is a mismatched clock between the two nodes.
Should I also check the time/date in the BIOS of my Soekris net5501 (with crypto card) ? :-\
pfSense and my laptop is configured with time.euro.apple.com and is in sync with my iPhone 4 (tried to manually set the time, reboot etc).
Every connection has very similar logs, the connection time is always 21 seconds and bad packet ID #3 and #43 is shown every time in the serverlogs.
Running OpenVPN server on UDP/443. CA and server/user certs is 2048 bits (RSA+SHA1)
pfSense WebConfigurator running on custom port…
-
This freaking ROCKS!!!! I have been waiting for this for a while.. Works great - bing bang zoom. I just used dropbox to get my inline config to my ipad.
Seem its does not support tcp though? I tried my tcp config and it gave error about proto tcp. But works like a champ using udp.
Thanks!!!! And great doc as well, I would add the dropbox option as way to get your .opvn file to your device – oh I can edit docs, might have to add that. Again thanks this is SWEET!
Now just have to see if can get the ipv6 over openvpn working.
-
It does support TCP but read back a few posts for the edit to make so it works.
I will have to make separate inline export options for iOS and "everything else" since this client seems to have a lot of quirks with what it accepts, and there's no need to nerf the other platforms because this one hasn't (yet) caught up.