OpenVPN for iOS

Today, OpenVPN Technologies released OpenVPN Connect for iOS. Finally, we can use OpenVPN on all major platforms. I know many of my blog readers have been waiting for this: my article on the iOS VPN API is one of the most popular articles on my blog.

OpenVPN Connect is not based on the classic GPL OpenVPN software (supposedly GPL and App Store are not compatible), but is supposed to be fully compatible with any OpenVPN server running version 2.1 or higher (including IPv6 support with servers running the recently-released version 2.3). Supposedly it can even be managed using the “Custom SSL” option in iPhone Configuration Utility.

Two points I’d like to mention which might temporarily disappoint some people:

  • It currently requires client certificates (but the help promises that that’ll change soon).
  • Layer 2 tap interfaces are not supported. As I noted in my VPN API blog post, iOS provides a utun interface, which only does layer 3.

Go check it out on the App Store or have a look at Gert Döring’s Google+ post.

Update December 2013: Version 1.0.2 (just released) finally works for me. 1.0.0 didn’t work without client certificates and 1.0.1 had some weird SSL library issue where it would reject my server certificate. In 1.0.2 I was able to just drop my .ovpn file into iTunes and was up and running immediately, including IPv6 support.

10 thoughts on “OpenVPN for iOS”

  1. Pingback: iOS 4.1: Undocumented VPN API, used by Cisco AnyConnect « Michael Kuron's Blog

  2. bahman ghahremani

    hi mr michael
    very thanks
    i have a problem to load a config
    i am using free openvpn service(www.vpnbook)in pc and work it every time
    but when import vpnbook config to openvpn(for ios) config cant load and program show error when import config
    please help me to change vpnbook config for ios openvpn client
    very thanks dear michael
    vpnbook config:
    client
    dev tun0
    proto udp
    remote 93.115.84.198 53 # – Server1
    remote 93.114.44.253 53 # – Server2
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca vpnbook.crt
    auth-user-pass
    comp-lzo
    verb 3
    cipher AES-128-CBC
    fast-io
    pull
    remote-random
    route-delay 2
    redirect-gateway
    auth-user-pass password.txt

    crt.

  3. Michael Kuron Post author

    Remove the line “auth-user-pass password.txt”, then it successfully imports. Now you’ll need to manually specify username and password in the app. You’ll also need to select a certificate (though with Vpnbook, it does not appear to matter who it’s signed by, so you can just use openssl to create a self-signed one if your iOS device does not already have some kind of certificate).
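The import problem discussed in the two comments above can be checked before a profile ever reaches the device. The following is an added example, not code from the post, its author, or OpenVPN: a small linter that flags the two things this page says the iOS client rejects (a credentials file passed to `auth-user-pass`, and layer 2 `tap` devices) and notes external file references. The sample profile, its address and its file names are constructed.

```python
import shlex

# Standard OpenVPN directives whose first argument names an external file.
FILE_DIRECTIVES = {"ca", "cert", "key", "pkcs12", "tls-auth"}

def parse_profile(text):
    """Yield (line_no, directive, args); skip comments and inline <tag> blocks."""
    inline = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:                          # inside e.g. <ca> ... </ca>
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":     # full-line comment
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            continue
        tokens = shlex.split(line, comments=True)   # drops trailing "# ..."
        if tokens:
            yield no, tokens[0], tokens[1:]

def lint(text):
    """Return (line_no, severity, message) findings for an iOS import."""
    findings = []
    for no, name, args in parse_profile(text):
        if name == "auth-user-pass" and args:
            findings.append((no, "error",
                f"auth-user-pass names a credentials file ({args[0]}); "
                "remove the argument and enter credentials in the app"))
        elif name in ("dev", "dev-type") and args and args[0].startswith("tap"):
            findings.append((no, "error",
                "layer 2 tap is not supported on iOS (utun is layer 3 only)"))
        elif name in FILE_DIRECTIVES and args:
            findings.append((no, "note",
                f"{name} references external file {args[0]}; "
                "make sure it is imported along with the profile"))
    return findings

# Constructed sample profile (documentation-range address, made-up file names).
SAMPLE = """client
dev tun0
proto udp
remote 192.0.2.10 53 # constructed address
ca example.crt
auth-user-pass
auth-user-pass password.txt
"""

if __name__ == "__main__":
    for no, sev, msg in lint(SAMPLE):
        print(f"line {no}: {sev}: {msg}")
```

A bare `auth-user-pass` passes the check, since the app then prompts for the username and password instead of reading them from a plaintext file.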

  4. bahman ghahremani

    hi mr michael
    sorry my english is bad
    i have other problem too with iphone wifi
    when i use openvpn udp 53 port in my pc it can bypass captive portal when my balance is 0!!but in iphone wifi connection first go to captive portal auto and then disconnect wifi
    how can i disabling captive portal login in iOS 6?
    thanks

  5. Michael Kuron Post author

    As far as I know, since Apple introduced Captive Portal detection in iOS 3.0 there has been no way to disable it. However, this has nothing to do with what this blog post is about, so you might want to google around by yourself to see if somebody has found a way to disable it.

  6. Klaus

    Hi Michael,

    I have no problem to install the cert and to get the connection up. But if I then invoke an internal URL in the browser the connection produces a timeout. On the MacBook the same cert in Tunnelblick runs fine. Any idea?

    Klaus

  7. Anton

    Hello, I need your help. My boss uses an iPad and he wants to use our network all the time. We have an OpenVPN server. But when I send my config to the iPad it tells me that “no certificates are present in the keychain”. What do I have to do? Sorry for my English. Here's my config:

    dev tun
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    tls-client
    client
    resolv-retry infinite
    remote *.*.*.* 2212
    tls-remote "Server_CA"
    auth-user-pass
    pkcs12 inet-udp-2212.p12
    tls-auth inet-udp-2212-tls.key 1
    comp-lzo
    setenv CLIENT_CERT 0

  8. Paul Craven

    Is TAP support coming any time soon or is there a kernel driver in iOS 7 for it?

  9. Michael Kuron Post author

    I haven’t seen anything about TAP. Thinking about it, Layer2 VPNs don’t make too much sense on mobile devices anyway because you’d be wasting precious bandwidth and battery life on useless broadcast packets. Still, it would be nice to have.
