Opened 3 years ago

Closed 3 years ago

#988 closed Bug / Defect (duplicate)

iOS: .mobileconfig with .p12 Payload does not work

Reported by: agelwarg Owned by: Antonio
Priority: major Milestone:
Component: OpenVPN Connect Version: OpenVPN Connect for iOS v1.2.6
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

I'm not sure if this is expected behavior or a bug since the upgrade from 1.1.1 to 1.2.5 (and now 1.2.6). As discussed in the forums, prior to version 1.2.5, I had a VPN on Demand profile via .mobileconfig with a bundled pkcs12 which worked perfectly. With the changes Apple made to the keychain access, I understand why that no longer worked in 1.2.5. As a workaround, I placed the unencrypted key/cert inline to the profile itself. However, I am not clear if this is intended to be a temporary workaround or the final solution. In other words, should this work:

  1. Create/deploy .mobileconfig with:
    • VPN on Demand enabled
    • NO inline key/cert
    • NO pkcs12 bundled
  2. Separately add pkcs12 to OpenVPN connect specific keychain (i.e., via an ovpn12 file)
  3. Associate the separately added pkcs12 to the .mobileconfig deployed VPN config
  4. VPN on demand functional

I can do 1 and 2 above, but when VPN on Demand is enabled (via the .mobileconfig), even though I can "see" that a pkcs12 bundle is available when clicking "certs", it doesn't look like it's associated (as seen in screenshot 1). However, if VPN on Demand is disabled (via the .mobileconfig with "vpn-on-demand 0"), I can see that the cert is associated (screenshot 2).

Is this the expected behavior or are pkcs12 bundles expected to be usable for VPN on Demand?

Attachments (2)

screenshot 1.jpeg (155.1 KB) - added by agelwarg 3 years ago.
screenshot 1 (no associated cert)
screenshot 2.jpeg (174.7 KB) - added by agelwarg 3 years ago.
screenshot 2 (associated cert)

Download all attachments as: .zip

Change History (16)

Changed 3 years ago by agelwarg

Attachment: screenshot 1.jpeg added

screenshot 1 (no associated cert)

Changed 3 years ago by agelwarg

Attachment: screenshot 2.jpeg added

screenshot 2 (associated cert)

comment:1 Changed 3 years ago by Antonio

Due to restrictions on the new API, Certificate payloads in .mobileconfig files can't be used. This behaviour will be re-enabled as soon as Apple provides us with the right app permissions to access the iOS shared keychain.

For now, a possible workaround would be to use inline cert/key.

And you are right, when you use VoD, the certificate can't be selected from the app. Sorry, we're working on re-enabling this.

comment:2 Changed 3 years ago by yankee77

Ordex, I appreciate the fixes in the new version. I'm able to use this workaround for the time being. Just to be clear (and to save myself from tinkering with the settings), this specific issue regarding VoD/pkcs is not currently fixed as of 1.2.6?

comment:3 Changed 3 years ago by Antonio

Correct. We'll definitely put it as first item in the changelog once it gets fixed ;)

comment:4 Changed 3 years ago by Antonio

Owner: set to Antonio
Status: newaccepted

comment:5 Changed 3 years ago by CHRISLINDSAY

Hi Ordex,

I'm getting an issue when I'm trying to apply this work around to my mobileconfig file.

So I've taken away the embedded p12 certificate and I've extracted the cert and key from it to use inline. I extracted using an openssl command.

my indentifier is net.openvpn.connect.app

server has been changed to DEFAULT

User authentication is now Password

Password field is blank

However given the above I'm not entirely sure how I can now get VoD working as I thought you had to have certificate selected in this entry rather than password?

Also I've put the cert and key from the p12 cert inline into the custom data.

However my profile is failing to install now due to certs are invalid

"Certificates needed for vpn service are invlaid"

Heres my profile config cert section, any help on getting this to work would be much appreciated

<key>VPNSubType</key>
<string>net.openvpn.connect.app</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig?</key>
<dict>

<key>ca</key>
<string>-----BEGIN CERTIFICATE-----\nMIIDRzCCAi+gAwIBAgIJAL8ccj7qEVIDMA0GCSqGSIb

.../SJ3\n-----END CERTIFICATE-----\n</string>

<key>cert</key>
<string>-----BEGIN CERTIFICATE-----\nMIIDYTCCAkmgAwIBAgIRAMY5wFBdmYDevhJuFYh4Fdww

...8CNjAFzMMTcTkxI0=\n-----END CERTIFICATE-----\n</string>

<key>cipher</key>
<string>DES-EDE3-CBC</string>
<key>client</key>
<string>NOARGS</string>
<key>comp-lzo</key>
<string>NOARGS</string>
<key>key</key>
<string>-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIdK9wJfml1G0CAggA

MBQGCCqGSIb3DQMH
....qhFxaGNplrNfDDAHMUDWlbPy/k3bFcpGjWMWYnFHM7e9/K3gq/aC28No8eKWAO+T7/t8d3P9y+m0NvM86wnR2aMPvTYg5MxI9k=\n-----END ENCRYPTED PRIVATE KEY-----\n</string>

<key>key-direction</key>
<string>1</string>
<key>remote</key>
<string>REMOVED IP PORT</string>
<key>tls-auth</key>
<string>-----BEGIN OpenVPN Static key V1-----\n54a300c733a6760b32f326f2d4ebe86f3f21f10c4d589ee192853be0b0cbc5a79142fdcc9a1396626db1075708f58c166023eed5000ae21b2354e3e12726

....5a0db75c5298dc5699a9fcfa3956b\n-----END OpenVPN Static key V1-----\n</string>

<key>tls-client</key>
<string>NOARGS</string>
<key>verb</key>
<string>3</string>

</dict>

</dict>

</array>
<key>PayloadDescription?</key>
<string>Client VPN Profile</string>
<key>PayloadDisplayName?</key>
<string>Client_VPN</string>
<key>PayloadIdentifier?</key>
<string>com.xxx.client</string>
<key>PayloadOrganization?</key>
<string>XXX XXX</string>
<key>PayloadRemovalDisallowed?</key>
<false/>
<key>PayloadType?</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>REMOVED UUID</string>
<key>PayloadVersion?</key>
<integer>1</integer>

</dict>
</plist>

Last edited 3 years ago by CHRISLINDSAY (previous) (diff)

comment:6 in reply to:  5 Changed 3 years ago by Antonio

Replying to CHRISLINDSAY:

Hi Ordex,

I'm getting an issue when I'm trying to apply this work around to my mobileconfig file.

So I've taken away the embedded p12 certificate and I've extracted the cert and key from it to use inline. I extracted using an openssl command.

please check this FAQ: https://docs.openvpn.net/faqs/faq-regarding-openvpn-connect-ios/#Can_I_import_an_OpenVPN_profile_via_an_iOS_mobileconfig_file

every line break has to be escaped as \n, so that the entire key material is on a single line.

If you still have troubles, please ask for help on the forum. Thanks

comment:7 Changed 3 years ago by CHRISLINDSAY

The above ca and tls-auth all worked prior to upgrading to 1.2.6

Are you saying I need to go through my mobileconfig file again and escape each line break with
n ?

comment:8 in reply to:  7 Changed 3 years ago by Antonio

Replying to CHRISLINDSAY:

The above ca and tls-auth all worked prior to upgrading to 1.2.6

Are you saying I need to go through my mobileconfig file again and escape each line break with
n ?

honestly your config is mangled, I can't really be sure about its format now. But yes, each line break in the key material has to be a \n. Please open a thread on the forum if this is still unclear and continue the discussion there. Might be helpful for others too.

Last edited 3 years ago by Antonio (previous) (diff)

comment:9 Changed 3 years ago by CHRISLINDSAY

Its mangled looking as ive had to cut parts of it out as they are sensitive.

According to the FAQ page it references double slash n

Ill try this, thanks

comment:10 in reply to:  5 Changed 3 years ago by yankee77

Replying to CHRISLINDSAY:

Hi Ordex,

I'm getting an issue when I'm trying to apply this work around to my mobileconfig file.

So I've taken away the embedded p12 certificate and I've extracted the cert and key from it to use inline. I extracted using an openssl command.

my indentifier is net.openvpn.connect.app

server has been changed to DEFAULT

User authentication is now Password

Password field is blank

However given the above I'm not entirely sure how I can now get VoD working as I thought you had to have certificate selected in this entry rather than password?

Also I've put the cert and key from the p12 cert inline into the custom data.

However my profile is failing to install now due to certs are invalid

"Certificates needed for vpn service are invlaid"

Heres my profile config cert section, any help on getting this to work would be much appreciated

<key>VPNSubType</key>
<string>net.openvpn.connect.app</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig?</key>
<dict>

<key>ca</key>
<string>-----BEGIN CERTIFICATE-----\nMIIDRzCCAi+gAwIBAgIJAL8ccj7qEVIDMA0GCSqGSIb

.../SJ3\n-----END CERTIFICATE-----\n</string>

<key>cert</key>
<string>-----BEGIN CERTIFICATE-----\nMIIDYTCCAkmgAwIBAgIRAMY5wFBdmYDevhJuFYh4Fdww

...8CNjAFzMMTcTkxI0=\n-----END CERTIFICATE-----\n</string>

<key>cipher</key>
<string>DES-EDE3-CBC</string>
<key>client</key>
<string>NOARGS</string>
<key>comp-lzo</key>
<string>NOARGS</string>
<key>key</key>
<string>-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIdK9wJfml1G0CAggA

MBQGCCqGSIb3DQMH
....qhFxaGNplrNfDDAHMUDWlbPy/k3bFcpGjWMWYnFHM7e9/K3gq/aC28No8eKWAO+T7/t8d3P9y+m0NvM86wnR2aMPvTYg5MxI9k=\n-----END ENCRYPTED PRIVATE KEY-----\n</string>

<key>key-direction</key>
<string>1</string>
<key>remote</key>
<string>REMOVED IP PORT</string>
<key>tls-auth</key>
<string>-----BEGIN OpenVPN Static key V1-----\n54a300c733a6760b32f326f2d4ebe86f3f21f10c4d589ee192853be0b0cbc5a79142fdcc9a1396626db1075708f58c166023eed5000ae21b2354e3e12726

....5a0db75c5298dc5699a9fcfa3956b\n-----END OpenVPN Static key V1-----\n</string>

<key>tls-client</key>
<string>NOARGS</string>
<key>verb</key>
<string>3</string>

</dict>

</dict>

</array>
<key>PayloadDescription?</key>
<string>Client VPN Profile</string>
<key>PayloadDisplayName?</key>
<string>Client_VPN</string>
<key>PayloadIdentifier?</key>
<string>com.xxx.client</string>
<key>PayloadOrganization?</key>
<string>XXX XXX</string>
<key>PayloadRemovalDisallowed?</key>
<false/>
<key>PayloadType?</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>REMOVED UUID</string>
<key>PayloadVersion?</key>
<integer>1</integer>

</dict>
</plist>

I'm interested in this as well. When I said before that I had implemented a workaround, I was using what the ios connect app calls an "autologin profile" which is not able to utilize the on demand feature. I tried what you're doing as well (meticulously checking the \n) but still couldn't get it to work. Essentially, I've only gotten it to work on imported openvpn config files with inline cert and key, but not when the exact same information is contained in a mobileconfig file. I'm going to start a thread in the forums and see if anyone has been able to get the mobileconfig to work and post a sample configuration.

comment:11 Changed 3 years ago by CHRISLINDSAY

FAQ page mentions using a double slash n rather than just \n

Im trying \ \n now

Last edited 3 years ago by CHRISLINDSAY (previous) (diff)

comment:12 Changed 3 years ago by Antonio

Summary: iOS: VPN on Demand with .mobileconfig does not workiOS: .mobileconfig with .p12 Payload does not work

comment:13 in reply to:  5 Changed 3 years ago by agelwarg

Hi CHRISLINDSAY

It looks like you're placing an ENCRYPTED private key inline. Try using an unencrypted key (i.e., remove the passphrase). For your reference, if you have the encrypted key in a file named ENCRYPTED_KEY_FILE, then you could remove the passphrase with the following command:

openssl rsa -in ENCRYPTED_KEY_FILE

If you want to produce the full string that you can simply cut & paste right into the configuration, you can use a one liner like this:

echo $(openssl rsa -in ENCRYPTED_KEY_FILE | sed -e 's/$/!!/g') | sed -e 's/!! */\\n/g'

Replying to CHRISLINDSAY:

<key>key</key>
<string>-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIdK9wJfml1G0CAggA

MBQGCCqGSIb3DQMH
....qhFxaGNplrNfDDAHMUDWlbPy/k3bFcpGjWMWYnFHM7e9/K3gq/aC28No8eKWAO+T7/t8d3P9y+m0NvM86wnR2aMPvTYg5MxI9k=\n-----END ENCRYPTED PRIVATE KEY-----\n</string>

comment:14 Changed 3 years ago by Antonio

Resolution: duplicate
Status: acceptedclosed

Closing this ticket as this is a duplicate of #985

Note: See TracTickets for help on using tickets.