Integration of individual openVPN profiles in iOS


New:

New article


Last adaptation: 12.2020


Preparation & Selection

There are multiple ways to import a configuration to your phone.

  • Use a configuration folder with all necessary items.
  • Use a .mobileconfig file imported into the OS as a configuration profile.


Both ways are described below.

Configuration Folder

1. Create a new folder.

2. The folder has to contain the following items:

  • Certificate Authority ca.crt
  • Client Certificate client.crt
  • Client Certificate Private Key client.key
  • Configuration File config.ovpn
  • (optional) Password file pass.txt

3. Compress the folder as .zip

  • The folder and files can be named freely; only the configuration file requires the extension .ovpn.
  • Templates

    Below you'll find templates for all required files.

    Template for Certificate Authority ca.crt
    -----BEGIN CERTIFICATE-----
    MIIEKTCCAxGgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBrjELMAkGA1UEBhMCREUx
    ...
    HqrtWy/eXrvxBk5cqsjMsiid7KYZqGxQeli9aQBByMXLD+W+5zV/EOZ3q0eXGUUY
    JFnpVtR5miRxSVYMqq8JlrdYMPcjKhcf3WSru/Shj/AA+dCIFEzp2EtIuK3K6Jtu
    lEAa+0y24V6nS/L9/g==
    -----END CERTIFICATE-----
    
    Template for Client Certificate client.crt
    -----BEGIN CERTIFICATE-----
    MIIDcTCCAlmgAwIBAgIQYPOoN8oxQJWEuJgFzrQbIDANBgkqhkiG9w0BAQsFADCB
    rjELMAkGA1UEBhMCREUxFjAUBgNVBAgMDU5pZWRlcnNhY2hzZW4xEjAQBgNVBAcM
    ...
    laXtTQtA4IdGFStIM0srNe81F611kvaJLu71J9ar4Qvndo2RzhkXt/4zVgsaDzhP
    Zq2NuIvXEHzO/tNjJZDVA/dgfOXd
    -----END CERTIFICATE-----
    
    Template for Client Certificate Private Key client.key
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjZZtl4wlvv9Th
    ...
    CtpYImI8O795Bwn2HABjYufe3iDNrc418P5Sdem/dIOV4YvNTPTaS/kgCY7xMQ8N
    JNAkJ4lGIfi4AREvV7Y/pg4=
    -----END PRIVATE KEY-----
    
    Template for configuration file config.ovpn
    
    remote {your.server.com} 443 tcp
    route {ip to route into tunnel} 255.255.255.255 vpn_gateway
    dhcp-option DNS 192.168.123.1
    
    dev tun
    cipher AES-128-CBC
    auth SHA256
    tun-mtu 1500
    persist-key
    
    Template for password file pass.txt (optional)
    username
    password
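
A pre-import check for the .zip described above, added here as an example and not part of the Securepoint documentation or app. Because file names are free, it classifies files by their PEM header instead of by name; the "exactly one .ovpn" rule is an assumption, and the sample file contents are constructed.

```python
import io
import re
import zipfile

PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def check_bundle(raw_zip: bytes) -> list[str]:
    """Return problems found in a configuration-folder .zip (empty list = OK)."""
    certs, keys, ovpn = [], [], []
    with zipfile.ZipFile(io.BytesIO(raw_zip)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(".ovpn"):
                ovpn.append(info.filename)
                continue
            # Classify by content: a certificate saved under a key's name is caught here.
            for label in PEM_LABEL.findall(zf.read(info)):
                if label == b"CERTIFICATE":
                    certs.append(info.filename)
                elif label.endswith(b"PRIVATE KEY"):
                    keys.append(info.filename)
    problems = []
    if len(ovpn) != 1:  # assumption: one profile per folder
        problems.append(f"expected exactly one .ovpn file, found {len(ovpn)}")
    if len(certs) < 2:
        problems.append(f"expected CA and client certificate, found {len(certs)} certificate(s)")
    if len(keys) != 1:
        problems.append(f"expected one private key, found {len(keys)}")
    return problems

def make_zip(files: dict[str, bytes]) -> bytes:
    """Build an in-memory .zip from name -> content (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed stand-ins for real PEM files (no real key material).
CERT = b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
KEY = b"-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n"
GOOD = make_zip({"vpn/ca.crt": CERT, "vpn/client.crt": CERT,
                 "vpn/client.key": KEY, "vpn/config.ovpn": b"dev tun\n"})
# Same folder, but the certificate was saved a second time as client.key.
SWAPPED = make_zip({"vpn/ca.crt": CERT, "vpn/client.crt": CERT,
                    "vpn/client.key": CERT, "vpn/config.ovpn": b"dev tun\n"})
```
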
    
    Configuration Folder

    with iCloud
    • Open Finder on the Mac and copy the created .zip file into the iCloud folder.
    • In the Securepoint Mobile Security App: Open the menu Profiles and click on the "Plus" symbol.
    • Select the .zip file in the iCloud folder.
    • (The .zip file can be imported directly without unpacking it first.)

    with Apple Configurator 2
    • Connect the device to a Mac with a cable.
    • Open Apple Configurator 2.
    • Drag the created .zip file onto the displayed device in Apple Configurator 2.
    • Select the Securepoint VPN Client folder.
    • In the Securepoint Mobile Security App: Open the menu Profiles and click on the "Plus" symbol.
    • Select the .zip file in the Securepoint VPN Client folder.
    • (The .zip file can be imported directly without unpacking it first.)

  • .mobileconfig file

    In the following template, the placeholders {...} must be replaced with the values that apply to your setup. The file is then imported onto the device.

    Template

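    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>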
       <key>PayloadContent</key>
       <array>
         <dict>
           <key>IPv4</key>
           <dict>
             <key>OverridePrimary</key>
             <integer>0</integer>
           </dict>
           <key>PayloadDescription</key>
           <string>Configures VPN settings</string>
           <key>PayloadDisplayName</key>
           <string>VPN</string>
           <key>PayloadIdentifier</key>
           <string>com.apple.vpn.managed.5313ec66-a3c0-422c-932d-ef4d4ebb3b18</string>
           <key>PayloadType</key>
           <string>com.apple.vpn.managed</string>
           <key>PayloadUUID</key>
           <string>5313ec66-a3c0-422c-932d-ef4d4ebb3b18</string>
           <key>PayloadVersion</key>
           <integer>1</integer>
           <key>Proxies</key>
           <dict>
             <key>HTTPEnable</key>
             <integer>0</integer>
             <key>HTTPSEnable</key>
             <integer>0</integer>
           </dict>
           <key>UserDefinedName</key>
           <string>{Insert any identifier}</string>
           <key>VPN</key>
           <dict>
             <key>AuthenticationMethod</key>
             <string>Certificate</string>
             <key>PayloadCertificateUUID</key>
             <string>5e2de92b-4b5f-4bfd-8074-47bad6c64183</string>
             <key>DisconnectOnIdle</key>
             <integer>0</integer>
             <key>OnDemandEnabled</key>
             <integer>1</integer>
             <key>OnDemandRules</key>
             <array>
               <dict>
                 <key>Action</key>
                 <string>Connect</string>
               </dict>
             </array>
             <key>RemoteAddress</key>
             <string>DEFAULT</string>
           </dict>
           <key>VPNSubType</key>
           <string>de.securepoint.ms.agent</string>
           <key>VPNType</key>
           <string>VPN</string>
           <key>VendorConfig</key>
           <dict id="vendorConfig">
             <key>auth-user-pass</key>
             <string>{username}\n{password}</string>
             <key>ca</key>
             <string>-----BEGIN CERTIFICATE-----\n{MIIEKTCCAxGgAwIBAgIBAD.... The CA certificate which signed the VPN server Certificate ....0y24V6nS/L9/g==}\n-----END CERTIFICATE-----\n</string>
             <key>remote.1</key>
             <string>{VPN server hostname} {VPN server port}</string> 
             <key>proto.1</key>
             <string>{VPN server protocol (udp or tcp)}</string>
             <key>redirect-gateway</key>
             <string>def1</string>
             <key>dev</key>
             <string>tun</string>
             <key>cipher</key>
             <string>AES-128-CBC</string>
             <key>auth</key>
             <string>SHA256</string>
             <key>tun-mtu</key>
             <string>1500</string>
           </dict>
         </dict>
         <dict>
           <key>PayloadCertificateFileName</key>
           <string>Client Certificate</string>
           <key>PayloadContent</key>
           <data>{MIIPsQIBAzCCD... Client Certificate in PKCS12 format ...pLfEEheyrqcCAwGGoA==}</data>
           <key>PayloadDisplayName</key>
           <string>Client Certificate</string>
           <key>PayloadIdentifier</key>
           <string>Client Certificate</string>
           <key>PayloadType</key>
           <string>com.apple.security.pkcs12</string>
           <key>PayloadUUID</key>
           <string>5e2de92b-4b5f-4bfd-8074-47bad6c64183</string>
           <key>PayloadVersion</key>
           <integer>1</integer>
           <key>Password</key>
           <string>{Password to access the PKCS12 container}</string>
           <key>PayloadDescription</key>
           <string>Adds a PKCS12-formatted certificate</string>
         </dict>
       </array>
       <key>PayloadDisplayName</key>
       <string>{Identifier in IOS settings for the certificate}</string>
       <key>PayloadIdentifier</key>
       <string>vpn.configuration</string>
       <key>PayloadType</key>
       <string>Configuration</string>
       <key>PayloadUUID</key>
       <string>a4d7f358-f9a3-42e2-8083-5b26cccab6e2</string>
       <key>PayloadVersion</key>
       <integer>1</integer>
     </dict>
    </plist>
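
A lint pass for a filled-in profile, added as an example (not Securepoint's or Apple's code): it reports any {...} placeholder still present in a string value, checks that PayloadCertificateUUID points at the PKCS12 payload's PayloadUUID, and notes the keys that put secrets into the file as plain text. The sample profile, its UUID and its host name are constructed.

```python
import plistlib
import re

PLACEHOLDER = re.compile(r"\{[^{}]*\}")  # the template's {...} markers
P12 = "com.apple.security.pkcs12"

def _strings(node, path=""):
    """Yield (path, value) for every string value in the nested plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def lint_mobileconfig(raw: bytes) -> list[str]:
    """Return findings for a .mobileconfig built from the template."""
    profile = plistlib.loads(raw)
    findings = [f"placeholder left in {p}" for p, s in _strings(profile)
                if PLACEHOLDER.search(s)]
    payloads = profile.get("PayloadContent", [])
    p12_uuids = {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") == P12}
    for p in payloads:
        if p.get("PayloadType") == "com.apple.vpn.managed":
            ref = p.get("VPN", {}).get("PayloadCertificateUUID")
            if ref not in p12_uuids:
                findings.append(f"PayloadCertificateUUID {ref} matches no PKCS12 payload")
            if "auth-user-pass" in p.get("VendorConfig", {}):
                findings.append("auth-user-pass stores VPN credentials as plain text")
        elif p.get("PayloadType") == P12 and "Password" in p:
            findings.append("Password stores the PKCS12 passphrase as plain text")
    return findings

def sample_profile(cert_ref: str, user: str) -> bytes:
    """Constructed profile with the template's structure; all values are made up."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": "com.apple.vpn.managed",
             "VPN": {"AuthenticationMethod": "Certificate",
                     "PayloadCertificateUUID": cert_ref},
             "VendorConfig": {"remote.1": "vpn.example.test 443",
                              "auth-user-pass": user + "\\npw"}},
            {"PayloadType": P12, "PayloadUUID": "11111111-2222-3333-4444-555555555555",
             "PayloadContent": b"constructed", "Password": "constructed"},
        ]})
```

The two plain-text findings appear for every profile that follows the template, so the finished .mobileconfig file needs the same handling as the private key itself.
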
    

    How to import a .mobileconfig file

    with iCloud
    • Open Finder on the Mac and copy the created .mobileconfig file into the iCloud folder.
    • Open the iCloud folder on the device and import the .mobileconfig file.

    with Apple Configurator 2
    • Connect the device to a Mac with a cable.
    • Drag the created .mobileconfig file onto the displayed device in Apple Configurator 2.
    • The configuration is applied automatically.

    with an MDM Server
    • This process differs depending on the MDM manufacturer. Refer to the corresponding documentation.