OpenVPN - iOS 6 - VPN on demand with Custom SSL and IPCU
I am using OpenVPN on pfsense to get access for my mobile devices. In the past I only had notebooks which connected to the VPN but now there are some users who have iphones 4S with iOS 6.1.3. I installed "OpenVPN Connect" from the itunes store which is the suggested one by the OpenVPN Export Utility. The connection is working very easy with the iOS inline configuration.
So my problem is (poorly) not related to pfsense but I am asking here because I hope to get some feedback and solutions from the community ;-)
On an iPad2 I had for testing I have the problem that the VPN disconnects when the display turns off ans the connection is closed. The problem with that is that the users are connected to the E-Mail servers and without VPN no emails and calendars can be pushed.
I am no expert with iOS so probably someone else can tell me how to solve that problem.
I put "keepalive 5 30" to the OpenVPN config on client side but still no luck.
I appreciate any ideas, tips and suggestions.
Don't think you can do that on iPhone
But you probably want to ask the devs there. Just don't know if the iOS API will actually let you, this will drain battery fast I would say.
Unfortunately I had no luck with OpenVPN and cellular connection. I though this would be online everytime because of incoming phone calls and so on but it seems to close the VPN connection. :(
I found some posts on the internet on which they say that apple disabled "VPN on demand" on newer versions of iOS or newley shiped devices.
I found out that there is an iPhone Configuration Utility (IPCU) which can be directly downloaded on the apple webpage which allows the to create and set profiles on an iPhone.
Setting such a profile works but I had problems to get "Custom SSL with VPN on demand" to get working with my pfsense OpenVPN server. The intention is that I setup the domains from my intranet as the e-mail server and when the e-mail app tries to connect to this URL the VPN connection will start. Instead of using "Push Mail" I would try to use automatic check by the mail app every 15min - hopefully the vPN will start when "VPN on demand" is configured correctly.
Perhaps someone can help me to configure this with the help of the following tutorial:
This is my iOS inline config from the pfsense export utility:
persist-tun persist-key cipher AES-256-CBC tls-client client remote xx.yy.xx.yy 443 tcp comp-lzo nobind keepalive 5 30 <ca>-----BEGIN CERTIFICATE----- ..... -----END CERTIFICATE----- <key>-----BEGIN RSA PRIVATE KEY----- ..... -----END RSA PRIVATE KEY-----</key> <tls-auth># # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- .... -----END OpenVPN Static key V1-----</tls-auth> key-direction 1</ca>
Thank you for your help!
–-- edit ----
I got it. My iPhone starts the OpenVPN connection to my pfsense OpenVPN server. The config I posted above is the one the OpenVPN Export utlity created. Follow the instructions on the URL I posted above - they are correct. I just had to modify some parameters on the config to get it working (Custom options with "key" and "Value":
Export the CA.crt to your computer and replace every newline with \n to make it one line. (As described on the URL above)
You need a password protected .p12 of the client certificate which contains .key and .crt. pfsense itself cannot do that from GUI. I exported the .crt and .key to pfsense /tmp. Then I ran the command on the webpage ( openssl pkcs12 -export -in client1.crt -inkey client1.key -out client1.p12 ) and set a password. I imported that new password protected .p12 into the IPCU.
On the .ovpn config I exported from pfsense there is a part "tls-auth". I created this key in the custom options of IPCU and as value I did the same as for the "ca". everything in one line and every newline as \n
ca –---BEGIN CERTIFICATE-----\nABCDEF112312.........\n-----END CERTIFICATE-----
tls-auth –---BEGIN OpenVPN Static key V1-----\nABCDEF112312.........\n-----END OpenVPN Static key V1-----
Push-Mail seems not to work with OpenVPN - probably because the VPN connection is in standby and will only be established if the iPhone app starts to check the E-Mails every 15min and so is using "VPN on demand".
Will do some more tests with bigger delays to make sure iPhone awakes froms sleep with VPN and hopefully same will happen when disconnection the iphone from the USB data cable which I still have connected to view what is happening on my iphone in the IPCU cosole.