Jump to:navigation, search
Wiki




























De.png
En.png
Fr.png

Integration of individual openVPN profiles in iOS


New:

New article


Last adaption: 12.2020


Preparation & Selection

There are multiple ways to import a configuration to your phone.

  • use a configuration folder with all necessary items.
  • use a .mobileconfig file imported into the OS as configuration profile.


Both ways are described below.

Configuration Folder

1. Create a new folder 2. The folder has to contain the following items:

  • Certificate Authority ca.crt
  • Client Certificate client.crt
  • Client Certificate Private Key client.key
  • Configuration File config.ovpn
  • (optional) Password file pass.txt

3. Compress the folder as .zip

  • The folder and files can be named freely, only the configuration file requires the extension .ovpn.
  • Templates

    Following you`ll find templates for all needed files.

    Certificate Authority ca.crt
    Template for Certificate Authority ca.crt
    -----BEGIN CERTIFICATE-----
    MIIEKTCCAxGgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBrjELMAkGA1UEBhMCREUx
    ...
    HqrtWy/eXrvxBk5cqsjMsiid7KYZqGxQeli9aQBByMXLD+W+5zV/EOZ3q0eXGUUY
    JFnpVtR5miRxSVYMqq8JlrdYMPcjKhcf3WSru/Shj/AA+dCIFEzp2EtIuK3K6Jtu
    lEAa+0y24V6nS/L9/g==
    -----END CERTIFICATE-----
    
    Client Certificate Private Key client.key
    Template for Client Certificate Private Key client.key
    -----BEGIN CERTIFICATE-----
    MIIDcTCCAlmgAwIBAgIQYPOoN8oxQJWEuJgFzrQbIDANBgkqhkiG9w0BAQsFADCB
    rjELMAkGA1UEBhMCREUxFjAUBgNVBAgMDU5pZWRlcnNhY2hzZW4xEjAQBgNVBAcM
    ...
    laXtTQtA4IdGFStIM0srNe81F611kvaJLu71J9ar4Qvndo2RzhkXt/4zVgsaDzhP
    Zq2NuIvXEHzO/tNjJZDVA/dgfOXd
    -----END CERTIFICATE-----
    
    Client Certificate Private Key client.key
    Template for Client Certificate Private Key client.key
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjZZtl4wlvv9Th
    ...
    CtpYImI8O795Bwn2HABjYufe3iDNrc418P5Sdem/dIOV4YvNTPTaS/kgCY7xMQ8N
    JNAkJ4lGIfi4AREvV7Y/pg4=
    -----END PRIVATE KEY-----
    
    Configuration file config.ovpn
    Template for configuration file config.ovpn
    
    remote {your.server.com} 443 tcp
    route {ip to route into tunnel} 255.255.255.255 vpn_gateway
    dhcp-option DNS 192.168.123.1
    
    dev tun
    cipher AES-128-CBC
    auth SHA256
    tun-mtu 1500
    persist-key
    
    Password file pass.txt (optional)
    Template for password file pass.txt (optional)
    username
    password
    
    Configuration Folder
    with iCloud
    • Opening of Finder on the Mac and copy the created .zip file into the iCloud folder.
    • In the Securepoint Mobile Security App: Open the menu Profiles and click on the "Plus" symbol
    • Select the .zip file in the iCloud folder
  • (The .zip file can be imported directly without unpacking it first.)
  • with Apple Configurator 2
    • Connecting the machine to a Mac with a cable
    • Opening the Apple Configurator 2
    • Moving the created .zip file with the mouse to the displayed device in Apple Configurator 2
    • Selecting the Securepoint VPN Client folder
    • In the Securepoint Mobile Security App: Opening of the menu Profiles and clicking on the "Plus" symbol
    • Selection of the .zip file in the Securepoint VPN Client folder
  • (The .zip file can be imported directly without unpacking it first.)

  • .mobileconfig file

    In the following template the placeholders {...} must be replaced with the individually relevant information. This file is then imported into the device.

    Template

    <dict>
       <key>PayloadContent</key>
       <array>
         <dict>
           <key>IPv4</key>
           <dict>
             <key>OverridePrimary</key>
             <integer>0</integer>
           </dict>
           <key>PayloadDescription</key>
           <string>Configures VPN settings</string>
           <key>PayloadDisplayName</key>
           <string>VPN</string>
           <key>PayloadIdentifier</key>
           <string>com.apple.vpn.managed.5313ec66-a3c0-422c-932d-ef4d4ebb3b18</string>
           <key>PayloadType</key>
           <string>com.apple.vpn.managed</string>
           <key>PayloadUUID</key>
           <string>5313ec66-a3c0-422c-932d-ef4d4ebb3b18</string>
           <key>PayloadVersion</key>
           <integer>1</integer>
           <key>Proxies</key>
           <dict>
             <key>HTTPEnable</key>
             <integer>0</integer>
             <key>HTTPSEnable</key>
             <integer>0</integer>
           </dict>
           <key>UserDefinedName</key>
           <string>{Insert any identifier}</string>
           <key>VPN</key>
           <dict>
             <key>AuthenticationMethod</key>
             <string>Certificate</string>
             <key>PayloadCertificateUUID</key>
             <string>5e2de92b-4b5f-4bfd-8074-47bad6c64183</string>
             <key>DisconnectOnIdle</key>
             <integer>0</integer>
             <key>OnDemandEnabled</key>
             <integer>1</integer>
             <key>OnDemandRules</key>
             <array>
               <dict>
                 <key>Action</key>
                 <string>Connect</string>
               </dict>
             </array>
             <key>RemoteAddress</key>
             <string>DEFAULT</string>
           </dict>
           <key>VPNSubType</key>
           <string>de.securepoint.ms.agent</string>
           <key>VPNType</key>
           <string>VPN</string>
           <key>VendorConfig</key>
           <dict id="vendorConfig">
             <key>auth-user-pass</key>
             <string>{username}\n{{c|{password}|r]]</string>
             <key>ca</key>
             <string>-----BEGIN CERTIFICATE-----\n{MIIEKTCCAxGgAwIBAgIBAD.... The CA certificate which signed the VPN server Certificate ....0y24V6nS/L9/g==}\n-----END CERTIFICATE-----\n</string>
             <key>remote.1</key>
             <string>{VPN server hostname} {VPN server port}</string> 
             <key>proto.1</key>
             <string>{VPN server protocol (udp or tcp)}</string>
             <key>redirect-gateway</key>
             <string>def1</string>
             <key>dev</key>
             <string>tun</string>
             <key>cipher</key>
             <string>AES-128-CBC</string>
             <key>auth</key>
             <string>SHA256</string>
             <key>tun-mtu</key>
             <string>1500</string>
           </dict>
         </dict>
         <dict>
           <key>PayloadCertificateFileName</key>
           <string>Client Certificate</string>
           <key>PayloadContent</key>
           <data>{MIIPsQIBAzCCD... Client Certificate in PKCS12 format ...pLfEEheyrqcCAwGGoA==}</data>
           <key>PayloadDisplayName</key>
           <string>Client Certificate</string>
           <key>PayloadIdentifier</key>
           <string>Client Certificate</string>
           <key>PayloadType</key>
           <string>com.apple.security.pkcs12</string>
           <key>PayloadUUID</key>
           <string>5e2de92b-4b5f-4bfd-8074-47bad6c64183</string>
           <key>PayloadVersion</key>
           <integer>1</integer>
           <key>Password</key>
           <string>{Password to access the PKCS12 container}</string>
           <key>PayloadDescription</key>
           <string>Adds a PKCS12-formatted certificate</string>
         </dict>
       </array>
       <key>PayloadDisplayName</key>
       <string>{Identifier in IOS settings for the certificate}</string>
       <key>PayloadIdentifier</key>
       <string>vpn.configuration</string>
       <key>PayloadType</key>
       <string>Configuration</string>
       <key>PayloadUUID</key>
       <string>a4d7f358-f9a3-42e2-8083-5b26cccab6e2</string>
       <key>PayloadVersion</key>
       <integer>1</integer>
     </dict>
    </plist>
    

    How to import a .mobileconfig file

    with iCloud
    • Opening of Finder on the Mac and copy the created .mobileconfig file into the iCloud folder.
    • Opening of the iCloud folder on the device and importing of the .mobileconfig file.
    with Apple Configurator 2
    • Connecting the machine to a Mac with a cable
    • Moving the created .mobileconfig file with the mouse to the displayed device in Apple Configurator 2
    • The configuration is implemented automatically
    with an MDM Server
    • This process differs depending on the MDM manufacturer. The corresponding documentation has to be checked.