Recently an official OpenVPN app for iOS was released. I immediately installed it on my iPhone to try it out.
I have OpenVPN 2.1.4 running on my OpenWrt router and the certificates are generated by easy-rsa.
I read the OpenVPN Connect documentation and started configuring the app. The easiest way is to use iTunes for transferring the required keys and certificates to your phone. However, I have no PCs running OS X or Windows at my disposal at the moment, so that was not an option. Luckily the OpenVPN Connect app also supports importing the keys & certificates by opening them from the email app on iOS.
So I created a p12 file with the help of the OpenSSL tools available on Ubuntu. I emailed it together with the .ovpn configuration file of my router to my phone. On the phone I opened both files and imported them in the OpenVPN app.
I started the app and tried to connect. That’s when the first error message appeared:
    2013-01-22 20:05:10 ----- OpenVPN Start -----
    2013-01-22 20:05:10 EVENT: CORE_ERROR PolarSSL: error parsing ca certificate : X509 - The certificate format is invalid, e.g. different type expected [ERR]
    2013-01-22 20:05:10 Raw stats on disconnect:
    2013-01-22 20:05:10 Performance stats on disconnect:
    CPU usage (microseconds): 11989
    Network bytes per CPU second: 0
    Tunnel bytes per CPU second: 0
    2013-01-22 20:05:10 ----- OpenVPN Stop -----
    2013-01-22 20:05:10 EVENT: DISCONNECT_PENDING
After some searching I ended up at this post where somebody has the same problem.
I believe the problem is described by this quote:
On iOS in particular, OpenVPN is NOT able to access the CA list included in PKCS#12 files that were imported into the iOS Keychain.
A suggestion is given how to circumvent this problem: add a ca directive in the
Then I emailed the separate ca.crt to my iPhone and imported it into the keychain on the phone, tried again and… a new error:
Missing/bad file : ca.crt : cannot open...
What I believe is happening: the OpenVPN Connect app is looking for a ca.crt file in its own sandbox but is not searching the keychain. Possibly a bug but I can’t say for sure.
Because I wanted to use this app, I followed another suggestion: add the contents of the ca.crt file as inline content to your .ovpn file. The CA certificate should be between <ca> and </ca> tags. I edited the file and mailed it again.
Now the iPhone OpenVPN app could read and parse the certificate authority certificate. All was well… except I got another error:
    2013-01-30 11:22:35 ----- OpenVPN Start -----
    2013-01-30 11:22:35 EVENT: CORE_ERROR option_error: tls-remote not supported [ERR]
    2013-01-30 11:22:35 Raw stats on disconnect:
    2013-01-30 11:22:35 Performance stats on disconnect:
    CPU usage (microseconds): 37629
    Network bytes per CPU second: 0
    Tunnel bytes per CPU second: 0
    2013-01-30 11:22:35 ----- OpenVPN Stop -----
    2013-01-30 11:22:35 EVENT: DISCONNECT_PENDING
And again Google came up with a post at the (excellent) OpenVPN forums. Apparently the option tls-remote is not supported in the 1.0 release of the app. In the upcoming 1.0.1 release it should work.
I believe that if I removed the tls-remote option from the .ovpn file I could finally use the app on my phone, but by this time I had had enough of it, so I quit my attempts…
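
The inline-CA workaround and the tls-remote error described above, as an added example that is not part of the original post: Python code that embeds ca.crt into the .ovpn profile as a <ca> block, drops the ca file reference the app could not open, and reports tls-remote lines instead of deleting them. The function name inline_ca, the sample config and the dummy certificate body are assumptions constructed for illustration.

```python
import re

# The one directive the post reports OpenVPN Connect 1.0 rejecting.
UNSUPPORTED = ("tls-remote",)
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----")

def inline_ca(ovpn_text, ca_pem):
    """Return (profile, warnings) with the CA embedded in a <ca> block."""
    certs = PEM_CERT.findall(ca_pem)  # drops any text around the PEM blocks
    if not certs:
        raise ValueError("CA file contains no PEM certificate")
    kept, warnings, in_old_ca = [], [], False
    for number, line in enumerate(ovpn_text.splitlines(), start=1):
        words = line.split()
        first = words[0] if words else ""
        if in_old_ca:                  # skip a previously inlined block
            in_old_ca = first != "</ca>"
            continue
        if first == "<ca>":
            in_old_ca = True
            continue
        if first == "ca":              # file reference the app cannot open
            continue
        if first in UNSUPPORTED:
            # tls-remote checks the server certificate's name, so report it
            # rather than silently deleting the check.
            warnings.append(f"line {number}: {first} not supported by app 1.0")
        kept.append(line)
    block = ["<ca>"] + [c.strip() for c in certs] + ["</ca>"]
    return "\n".join(kept + block) + "\n", warnings

# Constructed sample input: shortened client config, dummy certificate body.
SAMPLE_OVPN = """client
dev tun
remote vpn.example.org 1194
ca ca.crt
tls-remote server
"""
SAMPLE_CA = """Certificate: (text dump to be discarded)
-----BEGIN CERTIFICATE-----
TUlJQ29uc3RydWN0ZWRTYW1wbGU=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(inline_ca(SAMPLE_OVPN, SAMPLE_CA))
```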