vanutsteen.nl => nerds only A blog on rails, php, computing, my bass guitar and stuff

Troubles with OpenVPN on iOS


Recently an official OpenVPN app for iOS was released. I immediately installed it on my iPhone to try it out.

I have OpenVPN 2.1.4 running on my OpenWrt router and the certificates are generated by easy-rsa.

I read the OpenVPN Connect documentation and started configuring the app. The easiest way is to use iTunes for transferring the required keys and certificates to your phone. However, I have no PCs running OS X or Windows at my disposal at the moment, so that was not an option. Luckily the OpenVPN Connect app also supports importing the keys & certificates by opening them from the email app on iOS.

So I created a p12 file with the help of the OpenSSL tools available on Ubuntu. I emailed it together with the .ovpn configuration file of my router to my phone. On the phone I opened both files and imported them into the OpenVPN app.

I started the app and tried to connect. That’s when the first error message appeared:

2013-01-22 20:05:10 ----- OpenVPN Start -----
2013-01-22 20:05:10 EVENT: CORE_ERROR PolarSSL: error parsing ca certificate : X509 - The certificate format is invalid, e.g. different type expected [ERR]
2013-01-22 20:05:10 Raw stats on disconnect:
2013-01-22 20:05:10 Performance stats on disconnect:
  CPU usage (microseconds): 11989
  Network bytes per CPU second: 0
  Tunnel bytes per CPU second: 0
2013-01-22 20:05:10 ----- OpenVPN Stop -----
2013-01-22 20:05:10 EVENT: DISCONNECT_PENDING

After some searching I ended up at this post where somebody has the same problem.

I believe the problem is described by this quote:

On iOS in particular, OpenVPN is NOT able to access the CA list included in PKCS#12 files that were imported into the iOS Keychain.

A suggestion is given for how to circumvent this problem: add a ca directive to the .ovpn file.

ca ca.crt

Then I emailed the separate ca.crt to my iPhone and imported it into the keychain on the phone, tried again and… a new error:

Missing/bad file : ca.crt : cannot open...

What I believe is happening: the OpenVPN Connect app is looking for a ca.crt file in its own sandbox but is not searching the keychain. Possibly a bug but I can’t say for sure.

Because I wanted to use this app I followed another suggestion: add the contents of the ca.crt file as inline content to the .ovpn file. The CA certificate should be between an opening <ca> and a closing </ca> tag. I edited the file and mailed it again.

Now the iPhone OpenVPN app could read and parse the certificate authority certificate. All was well… except I got another error:

2013-01-30 11:22:35 ----- OpenVPN Start -----
2013-01-30 11:22:35 EVENT: CORE_ERROR option_error: tls-remote not supported [ERR]
2013-01-30 11:22:35 Raw stats on disconnect:
2013-01-30 11:22:35 Performance stats on disconnect:
CPU usage (microseconds): 37629
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0
2013-01-30 11:22:35 ----- OpenVPN Stop -----
2013-01-30 11:22:35 EVENT: DISCONNECT_PENDING

And again Google came up with a post at the (excellent) OpenVPN forums. Apparently the option tls-remote is not supported in the 1.0 release of the app. In the upcoming 1.0.1 release it should work.

I believe that if I removed the tls-remote option from the .ovpn file I could finally use the app on my phone, but by this time I had had enough of it, so I quit my attempts…
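
The two profile changes described above (inlining ca.crt between <ca> tags and taking out tls-remote) can be scripted. This is an added example, not part of the original post; the function name make_ios_profile, the file names and the sample profile contents are assumptions, and the certificate body is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): build an iOS-ready profile.
# make_ios_profile PROFILE CA_PEM  -> adjusted profile on stdout
make_ios_profile() {
    profile=$1 ca_pem=$2
    # Inline <ca> content must be PEM text; stop early on DER or an empty file.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_pem"; then
        echo "error: $ca_pem holds no PEM certificate" >&2
        return 1
    fi
    # tls-remote pins the server certificate name. Release 1.0 of the app
    # rejects it, so it is commented out (not deleted) and reported.
    if grep -Eq '^[[:space:]]*tls-remote[[:space:]]' "$profile"; then
        echo "warning: tls-remote disabled, server name is no longer checked" >&2
    fi
    awk '
        $1 == "ca"         { next }                 # file reference the app cannot open
        $1 == "tls-remote" { print "# " $0; next }  # keep the line for later re-enabling
        { print }
    ' "$profile" | tr -d '\r'
    # Append only the PEM block(s), dropping any text dump around them.
    echo "<ca>"
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$ca_pem" | tr -d '\r'
    echo "</ca>"
}

# Constructed sample input: directive values and certificate body are placeholders.
demo_dir=$(mktemp -d)
cat > "$demo_dir/client.ovpn" <<'EOF'
client
remote vpn.example.net 1194
ca ca.crt
tls-remote example-server
EOF
cat > "$demo_dir/ca.crt" <<'EOF'
Certificate: (human-readable dump, ignored)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
make_ios_profile "$demo_dir/client.ovpn" "$demo_dir/ca.crt" > "$demo_dir/ios.ovpn"
cat "$demo_dir/ios.ovpn"
```

With tls-remote commented out the client no longer checks the server certificate's name, so restore the line once an app release accepts it.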
