VPN and iPhone

[visuel]

After importing the .ovpn and the ca.crt files from the Qnap-openvpn-server into the openvpn-app, I am asked to select a certificate. But when trying to select one, it says "No certificates are present in the Keychain".

Do I need to add other certificates somewhere on my iPhone?

Edit:
Never mind, I managed to install openvpn on my wrt54gl router and to generate the necessary ca, cert, key and ovpn files.
Once imported on the iPhone by means of the OpenVPN connect app everything works like a charm.

[grobylev]

Indeed. I suggest to post your question in the OpenVPN forum:
https://forums.openvpn.net/topic11954.html
https://forums.openvpn.net/topic11905.html

[amnm]

Thanks grobylev for letting us know about OpenVPN for iOS.

I still cannot use OpenVPN to connect from my iPhone to my QNAP because of the certificate issue mentioned above. Hopefully there will be a solution for this problem soon.

I still feel that a secure VPN solution that is natively supported by both iPhone and QNAP, without the need for a third party application, will be a better solution.

[schumaku]

Key requirement here would be a more sophisticated certificate management system on the NAS, allowing to deal with private and public certificate authorities (CA), managing intermediate certificates. Importing these certificate chains should be a no-brainer - regardless of the OS ... iOS, Android, Windows [whatever], integrate in the NAS-created OpenVPN config packages, or finally for the L2TP/IPSec many are keen for, with user authentication by user certificates, MS-CHAPV2 Password, machine authentication by machine certificates, and shared secret.

Lack of chicken, no eggs available I'm afraid. Or was it the other way round?

[mgums]

Same problem with TS-119P+.
I assume this is a QNAP problem, not OpenVPN?
And if so, will it be fixed in the next release?

Thx, Marco

After importing the .ovpn and the ca.crt files from the Qnap-openvpn-server into the openvpn-app, I am asked to select a certificate. But when trying to select one, it says "No certificates are present in the Keychain".

Do I need to add other certificates somewhere on my iPhone?

[schumaku]

Well - because the NAS factory certificate it's a self-signed, standalone certificate - no key chain, ... by default. And iOS and/or the OpenVPN does not allow to import such certificates - or something is wrong with the format, or whatever.

[grobylev]

With the upcoming IOS client update (v1.0.1) you'll have the option to add

Code: Select all

setenv CLIENT_CERT 0

to your .ovpn file which should solve the issue with the client cerificate.

However I hope that in the next QNAP fw (v4) there will be an updated openssl and cerificate management system, as just Schumaku mentioned.

[maximuss]

With the upcoming IOS client update (v1.0.1) you'll have the option to add

Code: Select all

setenv CLIENT_CERT 0

to your .ovpn file which should solve the issue with the client cerificate.

However I hope that in the next QNAP fw (v4) there will be an updated openssl and cerificate management system, as just Schumaku mentioned.

I have this openvpn.ovpn

client
dev tun
script-security 3
proto udp
remote <myipaddress> 3 1194
resolv-retry infinite
nobind
ca ca.crt
auth-user-pass
reneg-sec 0
cipher AES-128-CBC
comp-lzo

where must I add the line you suggest exactly for use openvpn app correctly with Apple Iphone?
Is only one row = setenv CLIENT_CERT 0 ?

bye Max
my qnap= 219p

[amnm]

where must I add the line you suggest exactly for use openvpn app correctly with Apple Iphone?
Is only one row = setenv CLIENT_CERT 0 ?

I think it can be added at any place. But this line will only be supported in V1.0.1 which hasn't been released yet.

[wuffles]

Trial and error and some help from openvpn forums and I have it working.

First thing someone suggested doing was incorporating dummy keys into the .ovpn file, then there's a couple of other options that need to be in there for it work. Don't ask me why, not on my pay grade, but it works for me at any rate. I dragged the ca.crt & .ovpn files through iTunes onto my phone and added it via the OpenVPN app.

Here's my .ovpn file more or less:

Code: Select all

client
dev tun
script-security 3
proto udp
remote  hostname  portno # obviously change this to your own
resolv-retry infinite
nobind
ca ca.crt
auth-user-pass
cipher AES-128-CBC
comp-lzo

## Added bits to make it work - be aware of another instance of reneg-sec above this line

pkcs12 client_iphone.p12
reneg-sec 3600
pull # may not be required

<cert>
-----BEGIN CERTIFICATE-----
MIIB1jCCAT+gAwIBAgIEAmLSTjANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpP
cGVuVlBOIENBMB4XDTEzMDExNzAyMTExMloXDTIzMDEyMjAyMTExMlowKDEmMCQG
A1UEAxQdZnJyaWN0aW9uQGdtYWlsLmNvbV9BVVRPTE9HSU4wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBALVEXIZYYu1Inmejuo4Si6Eo5AguTX5sg1pGbLkJSTR4
BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlUtWnVCwCYtewYfEc/+azH7+7eU6ue
T2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCedptgWyiL50N7FMcUUMjjXYh/hftB
AgMBAAGjIDAeMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3
DQEBBQUAA4GBABhVzSYXHlQEPNaKGmx9hMwwnNKcHgD9cCmC9lX/KR2Y+vT/QGxK
7sYlJInb/xmpa5TUQYc1nzDs9JBps1mCtZbYNNDpYnKINAKSDsM+KOQaSYQ2FhHk
bmBZk/K96P7VntzYI5S02+hOWnvjq5Wk4gOt1+L18+R/XujuxGbwnHW2
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALVEXIZYYu1Inmej
uo4Si6Eo5AguTX5sg1pGbLkJSTR4BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlU
tWnVCwCYtewYfEc/+azH7+7eU6ueT2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCe
dptgWyiL50N7FMcUUMjjXYh/hftBAgMBAAECgYEAsNjgOEYVRhEaUlzfzmpzhakC
SKT8AALYaAPbYO+ZVzJdh8mIbg+xuF7A9G+7z+5ZL35lrpXKnONuvmlxkK5ESwvV
Q7EOQYCZCqa8xf3li3GUBLwcwXKtOUr3AYXhdbOh2viQdisD4Ky7H6/Nd3yMc3bu
R4pErmWeHei+l6dIwAECQQDqljNxi9babmHiei6lHaznCMg5+jfAyDXgHvO/afFr
1bDQVDTDK+64kax4E9pvDZC6B/HGse9hOUGWXTjb0WZBAkEAxdAw/14iJIUcE5sz
HDy2R0RmbUQYFjrNgBCi5tnmr1Ay1zHAs1VEF+Rg5IOtCBO50I9jm4WCSwCtN6zF
FoFVAQJAUGfBJDcZIm9ZL6ZPXJrqS5oP/wdLmtFE3hfd1gr7C8oHu7BREWB6h1qu
8c1kPlI4+/qDHWaZtQpJ977mIToJwQJAMcgUHKAm/YPWLgT31tpckRDgqgzh9u4z
e1A0ft5FlMcdFFT8BuWlblHWJIwSxp6YO6lqSuBNiuyPqxw6uVAxAQJAWGxOgn2I
fGkWLLw4WMpkFHmwDVTQVwhTpmMP8rWGYEdYX+k9HeOJyVMrJKg2ZPXOPtybrw8T
PUZE7FgzVNxypQ==
-----END PRIVATE KEY-----
</key>

[Tamadite]

I got my QNAP openVPN server to work with my iPhone (openVPN client). More info in... https://forums.openvpn.net/topic11991.html
Obviously, it required forwarding ports on my router.

[NeoGeek83]

I just got my Android phone working with the setenv CLIENT_CERT 0 trick. Thanks grobytlev!

Here's the process I came up with(works on my 7" Kindle HD and Galaxy S3 so far):

To quickly connect your Android phone to a OpenVpn enabled QNAP.
1) Follow the instructions at http://www.qnap.com/index.php?lang=en&sn=4353
2) You have to modify the downloaded file to work. Start by extracting the zip
3) Copy the entire contents of the ca.crt and replace the ca ca.crt line in openvpn.ovpn with:
<ca>
ca.crt file contents
</ca>

4) To the end of the file, add a line with (there isn't a user cert for this VPN, just the username/password):
setenv CLIENT_CERT 0

5) Check that the destination host is correct. You should probably setup dynamic DNS at this point if your network doesn't have a static WAN IP. I am using no-ip as it is support by qnap and is free.
remote myhomenetwork.no-ip.biz 1194

6) Save and load the openvpn.opvn config file on the phone someplace you can find it.
7) Install OpenVPN Connect by OpenVPN, available at https://play.google.com/store/apps/deta ... nvpn&hl=en
Open the App up, select Menu->Import-> Import Profile from SD card
9) Select the openvpn.opvn file you placed on the phone in step 5
10) It should import successfully. Try to connect, accepting the trust dialog.
11) That's it, you should be connected now. If not, make sure you didn't make a typo in your config file.

[lbwarped]

This wasn't working for me until I found this post, with this helpful step (worked for me on Android):

goto Settings/OpenVPN and enable Force AES-CBC Ciphersuite setting, otherwise you will just sit and spin when OpenVPN client tries to connect.

[jaindj]

This wasn't working for me until I found this post, with this helpful step (worked for me on Android):

goto Settings/OpenVPN and enable Force AES-CBC Ciphersuite setting, otherwise you will just sit and spin when OpenVPN client tries to connect.

I had been trying for hours. Did everything but didn;t work. Force AES did the trick. THANK YOU!

[natonic77]

This wasn't working for me until I found this post, with this helpful step (worked for me on Android):

goto Settings/OpenVPN and enable Force AES-CBC Ciphersuite setting, otherwise you will just sit and spin when OpenVPN client tries to connect.

I had been trying for hours. Did everything but didn;t work. Force AES did the trick. THANK YOU!

Sure would be nice if the Helpdesk post that quoted this process included this step - it includes everything else and then leaves iPhone users hanging on the AES issue. Anyone know how to get a comment or mod added to that page (https://helpdesk.qnap.com/index.php?/De ... ile-device)? I have an account, but saw no way to comment.