
OpenVPN server (Debian, Ubuntu, Kali, Raspberry Pi) + iOS 13 – iOS 16 client

Update: this is still working in December 2023 with iOS 16.

apt install openvpn easy-rsa
cp -r /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa
vim vars

/etc/openvpn/easy-rsa/vars content (easy-rsa 3 syntax; these request fields are only used when EASYRSA_DN is set to "org", the default "cn_only" mode ignores them)

set_var EASYRSA_REQ_COUNTRY  "RS"       # two-letter ISO country code
set_var EASYRSA_REQ_PROVINCE "Serbia"
set_var EASYRSA_REQ_CITY     "Belgrade"
set_var EASYRSA_REQ_ORG      "LinuxWin"
set_var EASYRSA_REQ_EMAIL    "admin@linuxwin.com"
set_var EASYRSA_REQ_OU       "OpenVPN"

Initialize PKI

./easyrsa init-pki

Build the CA without a password

./easyrsa build-ca nopass

Generate the server key and certificate request

./easyrsa gen-req server nopass

Sign the server certificate

./easyrsa sign-req server server

Generate the Diffie-Hellman parameters

./easyrsa gen-dh

Generate the static key used by tls-crypt (ta.key)

openvpn --genkey --secret ta.key

Copy the certificates and keys to /etc/openvpn

cp ta.key /etc/openvpn/
cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/

Generate the client key and certificate request

./easyrsa gen-req client nopass

Sign the client certificate

./easyrsa sign-req client client

Copy the client certificate and key to /etc/openvpn/client/

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/

/etc/openvpn/server.conf file

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
;dh none

server 192.168.10.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.220.222"
keepalive 10 120

;tls-auth ta.key 0 # This file is secret
tls-crypt /etc/openvpn/ta.key  # unlike tls-auth, tls-crypt takes no key-direction argument

auth SHA256
cipher AES-256-GCM

user nobody
group nogroup
persist-key
persist-tun

tun-mtu 1500

status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

Enable IP forwarding

vim /etc/sysctl.conf
### uncomment the following line ###
net.ipv4.ip_forward=1

### save and exit, then apply ###
sysctl -p

### the other way is to set it directly (takes effect immediately but does not survive a reboot) ###
echo 1 > /proc/sys/net/ipv4/ip_forward

Firewall rules

### NAT the VPN clients' traffic out through the server's public interface (eth0 here) ###
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
### or, regardless of the outgoing interface... ###
iptables -t nat -A POSTROUTING -j MASQUERADE

### open udp port 1194 ###
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT

### allow TUN interface ###
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT

To have the rules reloaded on boot, install iptables-persistent

sudo apt install iptables-persistent

### the installer offers to save the current rules to
### /etc/iptables/rules.v4
### /etc/iptables/rules.v6

Start OpenVPN server service

systemctl start openvpn@server

### check the status with ###
systemctl status openvpn@server

.ovpn config file for iOS

client
dev tun
proto udp               ### tcp if the server uses the tcp protocol
remote 192.168.100.55   ### your server ip address or domain
port 1194               ### 1194 only if your vpn server listens on the default port
resolv-retry infinite
nobind
persist-key
persist-tun

tun-mtu 1500
;link-mtu 1549
mssfix 1300

auth SHA256
;auth-user-pass
verb 5
;comp-lzo  ###(disable compression)
remote-cert-tls server
cipher AES-256-GCM

redirect-gateway def1
;route-gateway 192.168.6.1
;dhcp-option DNS 8.8.8.8

;route 192.168.6.0 255.255.255.0 192.168.6.1


<ca>
ca.crt  ### copy the content here ###
</ca>

<cert>
client.crt  ### copy the content here; easy-rsa puts a readable text dump above the -----BEGIN CERTIFICATE----- block, only the PEM block is needed ###
</cert>

<key>
client.key ### copy the content here ###
</key>

<tls-crypt>
ta.key   ### copy the content of ta.key here ###
</tls-crypt>
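To assemble that profile without hand-pasting, here is an added shell example (not the author's OVPNconfig script) that inlines ca.crt, client.crt, client.key and ta.key into an .ovpn file and checks the result; the directory layout and the vpn.example.com hostname are assumptions, and the demo's PEM stand-ins are constructed, not real keys.

```shell
#!/bin/sh
# Added example: build an iOS-ready .ovpn with the four inline blocks above.

# easy-rsa writes a human-readable dump above the PEM body of issued certs;
# keep only the -----BEGIN ... -----END block so the inline section is clean.
pem_only() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# make_ovpn HOST CLIENT_DIR TA_KEY OUT
# CLIENT_DIR holds ca.crt, client.crt and client.key (as /etc/openvpn/client/ does).
make_ovpn() {
    host=$1 cdir=$2 ta=$3 out=$4
    for f in "$cdir/ca.crt" "$cdir/client.crt" "$cdir/client.key" "$ta"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
    done
    (
        umask 077   # the file carries a private key: create it owner-only
        {
            printf '%s\n' client 'dev tun' 'proto udp' "remote $host 1194" \
                'resolv-retry infinite' nobind persist-key persist-tun \
                'tun-mtu 1500' 'mssfix 1300' 'auth SHA256' 'cipher AES-256-GCM' \
                'remote-cert-tls server' 'redirect-gateway def1' 'verb 3'
            for pair in "ca:$cdir/ca.crt" "cert:$cdir/client.crt" \
                        "key:$cdir/client.key" "tls-crypt:$ta"; do
                tag=${pair%%:*} file=${pair#*:}
                printf '<%s>\n' "$tag"; pem_only "$file"; printf '</%s>\n' "$tag"
            done
        } > "$out"
    )
}

# ovpn_check FILE: each inline block opens and closes exactly once and the
# four PEM bodies are present; returns 0 when the profile is well-formed.
ovpn_check() {
    for tag in ca cert key tls-crypt; do
        [ "$(grep -c "^<$tag>\$" "$1")" = 1 ] && [ "$(grep -c "^</$tag>\$" "$1")" = 1 ] || return 1
    done
    [ "$(grep -c '^-----BEGIN ' "$1")" = 4 ] && [ "$(grep -c '^-----END ' "$1")" = 4 ]
}

# demo: builds a profile from constructed stand-in files (not real keys) and prints its path.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Certificate:' '    Data:' '-----BEGIN CERTIFICATE-----' Q0E= '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '-----BEGIN CERTIFICATE-----' Q0xJRU5U '-----END CERTIFICATE-----' > "$d/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' S0VZ '-----END PRIVATE KEY-----' > "$d/client.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' '-----BEGIN OpenVPN Static key V1-----' 00ff '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    make_ovpn vpn.example.com "$d" "$d/ta.key" "$d/client.ovpn" && ovpn_check "$d/client.ovpn" && echo "$d/client.ovpn"
}
```

Run `make_ovpn` with the real /etc/openvpn/client/ directory and ta.key, then transfer the resulting file to the phone the same way as a hand-made profile.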

Import the .ovpn config file to iOS via iTunes, Mail, Google Drive, OneDrive…

There is a little script I made to automate this last step (generating the config file with all certificates): OVPNconfig

And to make certificates and config files for more users you can use this script: OVPNclient
