Information
Last Change: 18.04.2018
Notes:
How to use the Securepoint Mobile Security App with your individual VPN Server
There are multiple ways to import a configuration to your phone.
- use a .tblk folder with all necessary items.
- use a .mobileconfig file imported into the OS as configuration profile.
Both ways are described below.
How to set up a .tblk folder
- Create a folder example.tblk
- The folder has to contain the following items:
  - ca.crt
  - client.crt
  - client.key
  - config.ovpn
  - (optional) pass.txt
You can name the folder as you like, but it is important to keep these filenames inside the folder.
Templates
Below you'll find templates for all the required files.
Template for ca.crt
-----BEGIN CERTIFICATE-----
MIIEKTCCAxGgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBrjELMAkGA1UEBhMCREUx
...
HqrtWy/eXrvxBk5cqsjMsiid7KYZqGxQeli9aQBByMXLD+W+5zV/EOZ3q0eXGUUY
JFnpVtR5miRxSVYMqq8JlrdYMPcjKhcf3WSru/Shj/AA+dCIFEzp2EtIuK3K6Jtu
lEAa+0y24V6nS/L9/g==
-----END CERTIFICATE-----
Template for client.crt
-----BEGIN CERTIFICATE-----
MIIDcTCCAlmgAwIBAgIQYPOoN8oxQJWEuJgFzrQbIDANBgkqhkiG9w0BAQsFADCB
rjELMAkGA1UEBhMCREUxFjAUBgNVBAgMDU5pZWRlcnNhY2hzZW4xEjAQBgNVBAcM
...
laXtTQtA4IdGFStIM0srNe81F611kvaJLu71J9ar4Qvndo2RzhkXt/4zVgsaDzhP
Zq2NuIvXEHzO/tNjJZDVA/dgfOXd
-----END CERTIFICATE-----
Template for client.key
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjZZtl4wlvv9Th
...
CtpYImI8O795Bwn2HABjYufe3iDNrc418P5Sdem/dIOV4YvNTPTaS/kgCY7xMQ8N
JNAkJ4lGIfi4AREvV7Y/pg4=
-----END PRIVATE KEY-----
Template for config.ovpn
remote your.server.com 443 tcp
route {ip to exclude from vpn} 255.255.255.255 net_gateway
dhcp-option DNS 192.168.123.1
dev tun
cipher AES-128-CBC
auth SHA256
tun-mtu 1500
persist-key
Template for pass.txt
username
password
How to import a .tblk folder
- Open Finder on your Mac and copy the .tblk folder to your iCloud folder.
- The .tblk extension is important, because the device has to recognize the folder as a single file (package).
- If you use the iCloud web app, it automatically creates a .zip from the folder. This will not work.
- If you send yourself the folder by e-mail, make sure your mail client does not create a .zip from the folder (e.g. the Gmail web app does this).
- Inside Securepoint Mobile Security open the VPN Status Page and click "Add config"
- Go back to the menu and select "Profile Management"
- Select the profile and click "start VPN"
How to set up a .mobileconfig
Use the following template and replace all occurrences of {...} with the relevant information of your VPN setup.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>0</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings</string>
            <key>PayloadDisplayName</key>
            <string>VPN</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.5313ec66-a3c0-422c-932d-ef4d4ebb3b18</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>5313ec66-a3c0-422c-932d-ef4d4ebb3b18</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Proxies</key>
            <dict>
                <key>HTTPEnable</key>
                <integer>0</integer>
                <key>HTTPSEnable</key>
                <integer>0</integer>
            </dict>
            <key>UserDefinedName</key>
            <string>{Insert any identifier}</string>
            <key>VPN</key>
            <dict>
                <key>AuthenticationMethod</key>
                <string>Certificate</string>
                <key>PayloadCertificateUUID</key>
                <string>5e2de92b-4b5f-4bfd-8074-47bad6c64183</string>
                <key>DisconnectOnIdle</key>
                <integer>0</integer>
                <key>OnDemandEnabled</key>
                <integer>1</integer>
                <key>OnDemandRules</key>
                <array>
                    <dict>
                        <key>Action</key>
                        <string>Connect</string>
                    </dict>
                </array>
                <key>RemoteAddress</key>
                <string>DEFAULT</string>
            </dict>
            <key>VPNSubType</key>
            <string>de.securepoint.ms.agent</string>
            <key>VPNType</key>
            <string>VPN</string>
            <key>VendorConfig</key>
            <dict>
                <key>auth-user-pass</key>
                <string>{username}\n{password}</string>
                <key>ca</key>
                <string>-----BEGIN CERTIFICATE-----\nMIIEKTCCAxGgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBrjELMAkGA1....{ The CA certificate which signed the VPN server Certificate }....hj/AA+dCIFEzp2EtIuK3K6Jtu\nlEAa+0y24V6nS/L9/g==\n-----END CERTIFICATE-----\n</string>
                <key>remote.1</key>
                <string>{VPN server hostname} {VPN server port}</string>
                <key>proto.1</key>
                <string>{VPN server protocol (udp or tcp)}</string>
                <key>redirect-gateway</key>
                <string>def1</string>
                <key>dev</key>
                <string>tun</string>
                <key>cipher</key>
                <string>AES-128-CBC</string>
                <key>auth</key>
                <string>SHA256</string>
                <key>tun-mtu</key>
                <string>1500</string>
            </dict>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>Client Certificate</string>
            <key>PayloadContent</key>
            <data>MIIPsQIBAzCCD2oGCSqGSIb3DQEHAaCCD1sE{ Client Certificate in PKCS12 format }BgUrDgMCGgUABBSHgcVUxAYiLs91uoElN78YtI0rIwQU3/s72Orxrvp86coUpLfEEheyrqcCAwGGoA==</data>
            <key>PayloadDisplayName</key>
            <string>Client Certificate</string>
            <key>PayloadIdentifier</key>
            <string>Client Certificate</string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs12</string>
            <key>PayloadUUID</key>
            <string>5e2de92b-4b5f-4bfd-8074-47bad6c64183</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Password</key>
            <string>{Password to access the PKCS12 container}</string>
            <key>PayloadDescription</key>
            <string>Adds a PKCS12-formatted certificate</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>{Identifier in IOS settings for the certificate}</string>
    <key>PayloadIdentifier</key>
    <string>vpn.configuration</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>a4d7f358-f9a3-42e2-8083-5b26cccab6e2</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
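As an added example that is not part of the Securepoint page, the following Python script assembles the same two-payload profile with the standard plistlib module, so the PKCS12 bytes are base64-encoded into the <data> element for you and the VPN payload's PayloadCertificateUUID always equals the certificate payload's PayloadUUID (the reference the template relies on). The sample CA text and PKCS12 bytes are constructed placeholders, and the script writes real line breaks where the template spells \n, which assumes the agent accepts them.

```python
import plistlib
import uuid

# Constructed stand-ins for ca.crt and the PKCS12 export, not real credentials.
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIEKTCCAxGgAwIBAgIBADAN...\n-----END CERTIFICATE-----\n"
SAMPLE_P12 = bytes(range(32))

def build_mobileconfig(ca_pem, p12_bytes, p12_password, host, port, proto,
                       username, password, name="VPN"):
    if proto not in ("udp", "tcp"):
        raise ValueError("proto must be 'udp' or 'tcp'")
    # PKCS12 PayloadUUID and VPN PayloadCertificateUUID must be the same value.
    cert_uuid = str(uuid.uuid4())
    vendor = {"auth-user-pass": f"{username}\n{password}", "ca": ca_pem,
              "remote.1": f"{host} {port}", "proto.1": proto,
              "redirect-gateway": "def1", "dev": "tun", "cipher": "AES-128-CBC",
              "auth": "SHA256", "tun-mtu": "1500"}
    vpn = {"IPv4": {"OverridePrimary": 0},
           "PayloadDescription": "Configures VPN settings",
           "PayloadDisplayName": "VPN",
           "PayloadIdentifier": f"com.apple.vpn.managed.{uuid.uuid4()}",
           "PayloadType": "com.apple.vpn.managed",
           "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1,
           "Proxies": {"HTTPEnable": 0, "HTTPSEnable": 0},
           "UserDefinedName": name,
           "VPN": {"AuthenticationMethod": "Certificate",
                   "PayloadCertificateUUID": cert_uuid, "DisconnectOnIdle": 0,
                   "OnDemandEnabled": 1, "OnDemandRules": [{"Action": "Connect"}],
                   "RemoteAddress": "DEFAULT"},
           "VPNSubType": "de.securepoint.ms.agent", "VPNType": "VPN",
           "VendorConfig": vendor}
    cert = {"PayloadCertificateFileName": "Client Certificate",
            "PayloadContent": p12_bytes,  # bytes are written as a base64 <data>
            "PayloadDisplayName": "Client Certificate",
            "PayloadIdentifier": "Client Certificate",
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadUUID": cert_uuid, "PayloadVersion": 1, "Password": p12_password,
            "PayloadDescription": "Adds a PKCS12-formatted certificate"}
    profile = {"PayloadContent": [vpn, cert], "PayloadDisplayName": name,
               "PayloadIdentifier": "vpn.configuration", "PayloadType": "Configuration",
               "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1}
    return plistlib.dumps(profile)

def certificate_reference_ok(blob):
    # Parse back and check the VPN payload's certificate reference resolves.
    p = plistlib.loads(blob)
    payloads = {x["PayloadUUID"]: x for x in p["PayloadContent"]}
    vpn = next(x for x in p["PayloadContent"] if x["PayloadType"] == "com.apple.vpn.managed")
    ref = payloads.get(vpn["VPN"]["PayloadCertificateUUID"])
    return ref is not None and ref["PayloadType"] == "com.apple.security.pkcs12"
```

Write the returned bytes to a file ending in .mobileconfig and import it as described in the next section; run certificate_reference_ok on any hand-edited profile before deploying it.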
How to import a .mobileconfig
- Deploy it with an MDM server
- You can add one to your device using Apple Configurator 2
- Download it using iCloud
- If you downloaded it via iCloud, you have to select it in your file browser and import it into the system