Yesterday I needed to start some benchmarks and I was far away from the server I use to run them. So I decided to set up my iPhone (yes, I'm an iPhone-addicted user) to access the internal network of the laboratory and connect to the server with a remote terminal. After some attempts I succeeded, so I am writing this post to help someone else (and also to remind myself!).

So before describing my experience, I want to explain briefly what a VPN is and why I needed it.

What is a VPN?

A VPN (the acronym stands for Virtual Private Network) allows users to transmit data across a shared public network as if their devices were connected directly to the private network. In practice, a VPN extends a private network across a public network.

Hence, when your device is connected through a VPN, it can benefit from all the functionality exposed by your private network. For instance, if you have some devices that don't have a public IP, you can reach them using their private one. Furthermore, as in my case, if the network of your institution gives you access to research material, you can download it as if you were connected from your institution.

VPN working-mechanism in a nutshell

Usually, the VPN is created by establishing a virtual point-to-point connection between a client (the VPN client, namely the device outside the network) and a server (the VPN server, the host that exposes the service). All the traffic sent by the VPN client is encapsulated (and usually encrypted) and sent to the server. The server removes the encapsulation and forwards the traffic on behalf of the client.

OpenVPN

OpenVPN is a community-based project that aims to build an open (free and open source) implementation of a whole VPN stack.

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

OpenVPN allows peers to authenticate each other using pre-shared secret keys, certificates or a username/password. When used in a multi-client/server configuration, it allows the server to issue an authentication certificate for every client, using signatures and a certificate authority.

It uses the OpenSSL encryption library extensively, as well as the TLS protocol, and contains many security and control features. It uses a custom security protocol that relies on SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.

Set up OpenVPN on your device

What you typically need are three files:

  • the OpenVPN settings (configuration) file
  • the CA certificate
  • the private key file

If you don't have a PKCS#12 file, you can convert your certificate and key files into PKCS#12 form using this openssl command (where cert, key, and ca are your client certificate, client key, and root CA files):

openssl pkcs12 -export -in cert -inkey key -certfile ca -name MyClient -out client.ovpn12

With the actual file names used in my case, the command was:

openssl pkcs12 -export -in vpn.cert -inkey vpn.key -certfile retis-ca.crt -name gab-retis -out client.ovpn12
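As an added example (not part of the original post), the script below builds a throw-away CA, client certificate and key, runs the same openssl pkcs12 conversion with an export passphrase, and then checks the bundle (certificate count, chain to the CA, passphrase) before it is copied to the phone. Every file name, subject and the passphrase are constructed for the example; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: create test material, bundle it into PKCS#12 and verify the result.
# Nothing here is real lab material; all names and the passphrase are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed files

make_test_material() {
  # Self-signed root CA (stands in for the lab CA, e.g. retis-ca.crt in the post).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Client key + CSR, signed by the CA (stands in for vpn.key / vpn.cert).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=gab-client" \
    -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3 -out "$WORK/vpn.cert" 2>/dev/null
}

build_p12() {
  # Same command as in the post, plus an export passphrase: the .ovpn12 carries
  # the private key, so it must not travel (mail, AirDrop, cloud) unprotected.
  openssl pkcs12 -export -in "$WORK/vpn.cert" -inkey "$WORK/vpn.key" \
    -certfile "$WORK/ca.crt" -name "$1" -passout "pass:$2" -out "$WORK/client.ovpn12"
}

verify_p12() {
  # 1. The passphrase must unlock the bundle and it must hold client cert + CA (2 certs).
  openssl pkcs12 -in "$WORK/client.ovpn12" -passin "pass:$1" -nokeys \
    -out "$WORK/bundled.pem" 2>/dev/null || return 1
  n=$(grep -c 'BEGIN CERTIFICATE' "$WORK/bundled.pem" 2>/dev/null || true)
  [ "${n:-0}" -eq 2 ] || return 1
  # 2. The client certificate (-clcerts) must chain to the CA we bundled.
  openssl pkcs12 -in "$WORK/client.ovpn12" -passin "pass:$1" -clcerts -nokeys \
    -out "$WORK/client-only.pem" 2>/dev/null || return 1
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client-only.pem" >/dev/null 2>&1
}

# Stand-alone run: generate, bundle, verify.
make_test_material
build_p12 gab-retis 'export-passphrase'
verify_p12 'export-passphrase'
echo "PKCS#12 bundle OK: $WORK/client.ovpn12"
```

The bundle is only worth importing if verify_p12 passes; a wrong passphrase, a missing CA certificate, or a client certificate signed by a different CA all make it fail.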

Links:

  • https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/
  • https://help.endian.com/hc/it/articles/360008350974-How-to-configure-iOS-OpenVPN-client-with-certificate-authentication
  • https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-apple-ios/
  • https://openvpn.net/vpn-server-resources/site-to-site-routing-explained-in-detail/
  • https://openvpn.net/for/remote-access/