IPCop has a built-in OpenVPN server, and there is an iOS client available. Combining the two should be straightforward, but it is actually pretty hard to generate a compatible certificate. I'll walk you through it.
The following information applies to IPCop 2.x, but 1.x with Zerina should be very similar, apart from some easily guessed paths.
You will need:
- A properly configured IPCop machine/OpenVPN host (meaning it already works with roadwarrior PC clients)
- A certificate for the iDevice you want to configure
- SSH access to the IPCop box
Without these and some very basic knowledge, you won't succeed.
So I got tired of doing this manually and created a script to generate the cert. Copy it to a location and filename of your choice on the firewall, chmod u+x your_filename, and then change the lines as needed: IP, comp-lzo (remove the line if you don't use compression), and MTU. The script generates .ovpn files in the current directory from the proper certificates. This script works for 2048-bit certs; older or other certs need different head/tail numbers.
IPCop generates a .p12 (PKCS #12) certificate/key combination file and a separate .ovpn configuration file. The iOS client needs the client certificate, CA certificate, and private key integrated into a single settings file.
First, grab the YourCert.p12 file (located in /var/ipcop/openvpn/certs) and copy it somewhere it won't disturb anything, such as /root/newcert/.
Then, go to that directory and enter the following commands:
openssl pkcs12 -in YourCert.p12 -out new.cert.pem -clcerts -nokeys
openssl pkcs12 -in YourCert.p12 -out new.key.pem -nocerts -nodes
Grab the data from the various files and put it into a single file; where each piece goes is indicated below. The quoted text is tested as iOS compatible and should be your complete .ovpn file (with your data inserted, of course):
tls-client
client
dev tun
proto udp
remote your.domain.or.ip.here 1194
resolv-retry infinite
nobind
persist-key
tun-mtu 1500
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
GIBBERISH FROM THE FILE /var/ipcop/ca/cacert.pem HERE
Can also be found in web interface,
VPNs/CA/show info for "Root certificate" (i button)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
GIBBERISH FROM new.cert.pem GENERATED ABOVE HERE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
GIBBERISH FROM new.key.pem GENERATED ABOVE HERE
-----END PRIVATE KEY-----
</key>
Then, import the .ovpn file in iTunes under the OpenVPN Connect application (upload as a file). Import in the app and we're finished!
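The manual steps above, scripted as an added example (this is not the author's script mentioned earlier, and not IPCop code). It selects the PEM block by its BEGIN/END markers instead of head/tail line counts, so the result does not depend on key size. The function names are hypothetical, and it assumes awk and mktemp -d are available on the firewall.

```shell
#!/bin/sh
# Added example: build an inline .ovpn from an IPCop .p12 (not the author's script).
umask 077   # the key and the finished .ovpn must not be readable by other users
# Print only the first PEM block of a file, dropping the "Bag Attributes"
# text that openssl pkcs12 writes in front of it.
pem_block() {
    awk '/^-----BEGIN /{p=1} p{print} /^-----END /{if(p) exit}' "$1"
}

# build_ovpn REMOTE CA_PEM CERT_PEM KEY_PEM: write the config to stdout.
build_ovpn() {
    for f in "$2" "$3" "$4"; do
        [ -n "$(pem_block "$f" 2>/dev/null)" ] || { echo "no PEM block in $f" >&2; return 1; }
    done
    cat <<EOF
tls-client
client
dev tun
proto udp
remote $1 1194
resolv-retry infinite
nobind
persist-key
tun-mtu 1500
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
key-direction 1
<ca>
$(pem_block "$2")
</ca>
<cert>
$(pem_block "$3")
</cert>
<key>
$(pem_block "$4")
</key>
EOF
}

# p12_to_ovpn P12 REMOTE OUT: the two openssl steps from above, then assemble.
p12_to_ovpn() {
    tmp=$(mktemp -d) || return 1
    openssl pkcs12 -in "$1" -out "$tmp/cert.pem" -clcerts -nokeys &&
    openssl pkcs12 -in "$1" -out "$tmp/key.pem" -nocerts -nodes &&
    build_ovpn "$2" /var/ipcop/ca/cacert.pem "$tmp/cert.pem" "$tmp/key.pem" > "$3"
    rc=$?; rm -rf "$tmp"; return $rc   # never leave the unencrypted key behind
}
```

After sourcing the file, call it as: p12_to_ovpn YourCert.p12 your.domain.or.ip.here iphone.ovpn (openssl asks for the .p12 password twice, once per extraction). The resulting file contains the unencrypted private key, so delete it from the firewall once it is on the device.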