How to setup OpenVPN server for iPhone

root's picture

This is not a full tutorial but rather examples of working configuration files. Still, some commands will be mentioned but it is up to you to read properly OpenVPN documentation.
Server part was done on Debian. Probably the client configuration can be used for Android too. However, I have tested only iPhone here.

1. Install Openvpn. Details you can find here.

2. Create a directory in /etc/openvpn (in my example mobile-easy-rsa) and copy files as follows:

core:~# mkdir /etc/openvpn/mobile-easy-rsa/
core:~# cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0* /etc/openvpn/mobile-easy-rsa/
core:~# cd /etc/openvpn/mobile-easy-rsa/2.0/

3. Edit vars files according to your specifications. Pay special attention to the following:

export KEY_COUNTRY="US"
export KEY_PROVINCE="California"
export KEY_CITY="San Fransisco"
export KEY_ORG="My Company"
export KEY_EMAIL="my@mail.com"
export KEY_CN=server
export KEY_NAME=server
export KEY_OU=home

4. Create the server and Diffie-Helman certificates:

core:2.0# source ./vars
core:2.0# ./clean-all
core:2.0# ./build-ca
core:2.0# ./build-dh
core:2.0# ./build-key-server server

5. Create the client certificate (one for each client - in our example it will be only one):
core:2.0# ./build-key iPhone

At this point, all your needed keys should be in /etc/openvpn/mobile-easy-rsa/2.0/keys/.

6. Server configuration working example. You will have to modify port, server and certificates path accordind to your needs:

core:openvpn# cat mobile.conf
dev tun2
tls-server
dh [color=red]mobile-easy-rsa/2.0/keys/[/color]dh1024.pem
ca [color=red]mobile-easy-rsa/2.0/keys/[/color]ca.crt
cert [color=red]mobile-easy-rsa/2.0/keys/[/color]server.crt
key [color=red]mobile-easy-rsa/2.0/keys/[/color]server.key
server [color=red]10.10.10.0 255.255.255.248[/color]
comp-lzo
script-security 2
route-up "/sbin/ifconfig tun2 up"
port [color=red]1196[/color]
proto tcp-server
keepalive 30 120
client-config-dir mobile-custom
client-to-client
[color=blue]push "redirect-gateway def1"
domain-name-servers 10.10.10.1[/color]

The parameters in blue are needed if you want to drive all traffic on your client via VPN.

7. Restart the openvn server:

core:~# /etc/init.d/openvpn restart
Stopping virtual private network daemon: mobile.
Starting virtual private network daemon: mobile.

8. iPhone client configuration working example. Again, you will have to modify some parameters based on your specifications:

flmbp:~ $ cat config.ovpn
tls-client
remote [color=red]server_hostname_or_ip 1196[/color]
ca [color=red]ca.crt[/color]
cert [color=red]iPhone.crt[/color]
key [color=red]iPhone.key[/color]
comp-lzo
proto tcp

9. Install OpenVPN from App Store and copy the following configuration files via itunes (There are other ways to do this, iTunes is the easiest):
- configuration file from point 8: config.ovpn
- /etc/openvpn/mobile-easy-rsa/2.0/keys/iPhone.key
- /etc/openvpn/mobile-easy-rsa/2.0/keys/iPhone.crt
- /etc/openvpn/mobile-easy-rsa/2.0/keys/ca.crt

10. Start OpenVPN aplication and follow the instructions. It is quite easy.
END!

Thou shalt not steal!

If you want to use this information on your own website, please remember: by doing copy/paste entirely it is always stealing and you should be ashamed of yourself! Have at least the decency to create your own text and comments and run the commands on your own servers and provide your output, not what I did!

Or at least link back to this website.

Recent content