OpenVPN server (Debian, Ubuntu, Kali, Raspberry Pi) + iOS 13 – iOS 16 client

Update: this is still working as of December 2023 with iOS 16.

apt install openvpn easy-rsa
cp -r /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa
vim vars

/etc/openvpn/easy-rsa/vars content (the file opened with vim above). The ./easyrsa commands below are easy-rsa 3, which reads set_var lines; the "export KEY_*" form belongs to easy-rsa 2 and is ignored here.

set_var EASYRSA_REQ_COUNTRY "RS"        # must be the two-letter ISO code; OpenSSL rejects a longer value when building the request
set_var EASYRSA_REQ_CITY    "Belgrade"
set_var EASYRSA_REQ_ORG     "LinuxWin"
set_var EASYRSA_REQ_EMAIL   "[email protected]"
set_var EASYRSA_REQ_OU      "OpenVPN"

Initialize PKI

./easyrsa init-pki

Build the CA. nopass leaves the CA private key (pki/private/ca.key) unencrypted on disk; for anything beyond a lab, drop nopass so the key is protected by a passphrase, and preferably keep the CA on a machine other than the VPN server, since whoever holds ca.key can issue certificates this server will accept.

./easyrsa build-ca nopass

Generate the server key

./easyrsa gen-req server nopass

Sign the server certificate

./easyrsa sign-req server server

Generate the Diffie-Hellman parameters (this takes a while; it can be skipped entirely with "dh none" in server.conf, in which case OpenVPN uses ECDHE only)

./easyrsa gen-dh

Generate the shared tls-crypt key. It is used to encrypt and authenticate the control channel (or, with tls-auth, to HMAC it) so unauthenticated packets are dropped before the TLS handshake. On OpenVPN 2.5 and later the preferred form is "openvpn --genkey secret ta.key"; the older form below still works.

openvpn --genkey --secret ta.key

Copy the certificates and keys to /etc/openvpn (server.key and ta.key are secrets; they are created mode 0600 and should stay readable by root only)

cp ta.key /etc/openvpn/
cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/

Generate the client key and certificate request (one key pair per device; sharing a certificate between users means you cannot revoke one of them without cutting off the others)

./easyrsa gen-req client nopass

Sign the client certificate

./easyrsa sign-req client client

Copy the CA certificate, client certificate and client key to /etc/openvpn/client/ (they only need to be there to assemble the .ovpn file; client.key is a secret)

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/

/etc/openvpn/server.conf file

port 1194
proto udp
dev tun
# VPN subnet handed out to clients (example value). This line is what puts OpenVPN in
# server mode; without it the push directives below are rejected ("--push requires --mode server").
server 10.8.0.0 255.255.255.0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
;dh none                     # use instead of the dh line above to rely on ECDHE only

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"       # put the resolver's IP address inside the quotes, after DNS
push "dhcp-option DNS"       # optional second resolver
keepalive 10 120

;tls-auth ta.key 0 # This file is secret
# tls-crypt encrypts and authenticates the control channel with the shared ta.key.
# Unlike tls-auth it takes no direction argument.
tls-crypt /etc/openvpn/ta.key

auth SHA256
# AES-256-GCM for the data channel. data-ciphers is the OpenVPN 2.5+ directive;
# cipher is kept for clients older than 2.5.
data-ciphers AES-256-GCM
cipher AES-256-GCM

# drop root privileges once the tunnel is up
user nobody
group nogroup
# keep the key and the tun device across restarts, since nobody cannot reopen them
persist-key
persist-tun

tun-mtu 1500

status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log   # log and log-append name the same file; one of the two is enough
verb 3
explicit-exit-notify 1

Enable IP forwarding (the server has to route between tun0 and eth0)

vim /etc/sysctl.conf
### uncomment the following line ###
net.ipv4.ip_forward=1
### save and exit, then load the setting ###
sysctl -p

### the other way to do the same, but only until the next reboot ###
echo 1 > /proc/sys/net/ipv4/ip_forward

Firewall rules (eth0 is the server's internet-facing interface; adjust the interface name and the 10.8.0.0/24 subnet to match server.conf)

### NAT the VPN clients' traffic to the server's own address on the way out.
### This is needed whether or not the server itself sits behind another NAT:
### the upstream network knows nothing about the 10.8.0.0/24 subnet.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
### a bare "iptables -t nat -A POSTROUTING -j MASQUERADE" also works, but it rewrites
### every forwarded packet regardless of source, which is broader than necessary

### open udp port 1194 ###
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT

### allow traffic from the TUN interface, and replies back into it ###
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
### the return rule only matters if your FORWARD policy is DROP; without it replies never reach the clients ###
iptables -A FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

To have the rules loaded on boot, install iptables-persistent

sudo apt install iptables-persistent

### during installation it offers to save the current rules to
### /etc/iptables/rules.v4
### /etc/iptables/rules.v6
### (after changing rules later, save them again with netfilter-persistent save)

Start the OpenVPN server service (the openvpn@NAME unit reads /etc/openvpn/NAME.conf; "systemctl enable openvpn@server" makes it start on boot as well)

systemctl start openvpn@server

### check status with... ###
systemctl status openvpn@server

.ovpn config file for iOS (imported into the OpenVPN Connect app)

client                  # act as TLS client and accept the options the server pushes
dev tun
proto udp               # tcp if you use the tcp protocol
remote                  # your server ip address or domain
port 1194               # 1194 only if your vpn server's port is the default port
resolv-retry infinite

tun-mtu 1500
;link-mtu 1549
mssfix 1300

auth SHA256
verb 5
;comp-lzo               # compression stays disabled (it is not enabled on the server either)
remote-cert-tls server  # reject a peer whose certificate lacks the server key usage, so a client certificate from the same CA cannot impersonate the server
cipher AES-256-GCM

redirect-gateway def1
;dhcp-option DNS        # normally pushed by the server; set it here only as a client-side override

# The server uses tls-crypt, so ta.key goes in a <tls-crypt> block, not <tls-auth>,
# and there is no key-direction line.

<ca>
### copy content of ca.crt here ###
</ca>

<cert>
### copy content of client.crt here ###
</cert>

<key>
### copy content of client.key here ###
</key>

<tls-crypt>
### copy content of ta.key here ###
</tls-crypt>

Import the .ovpn file into the OpenVPN Connect app on iOS via iTunes/Finder file sharing, mail, Google Drive, OneDrive, … Treat the file as a secret while it is in transit: it contains the client's private key and the shared tls-crypt key.

There is a little script I made to automate this last step (generating the config file with all certificates): OVPNconfig

And to make certificates and config files for more users you can use this script: OVPNclient
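The author's OVPNconfig and OVPNclient scripts are not reproduced on this page. What follows is an added example in the same spirit, written for this page and not the author's code: new_client creates and signs a client certificate with easy-rsa in batch mode, and build_profile assembles the single-file .ovpn with the CA certificate, client certificate, client key and ta.key inlined in the blocks the iOS profile above expects, refusing to emit a profile when one of the inputs is missing or not a PEM file. The EASYRSA_DIR and OUT_DIR defaults follow the paths used earlier on this page; the client name "alice" and the host vpn.example.org in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not the author's OVPNconfig/OVPNclient script.
# Assumptions: easy-rsa lives in EASYRSA_DIR, ta.key is in /etc/openvpn,
# finished profiles are written to OUT_DIR.
EASYRSA_DIR=${EASYRSA_DIR:-/etc/openvpn/easy-rsa}
OUT_DIR=${OUT_DIR:-/etc/openvpn/client}

# build_profile HOST CA CERT KEY TAKEY
# Prints a complete .ovpn to stdout. Every input must exist and carry a
# "-----BEGIN" marker; a wrong path or an empty file fails here instead of
# producing a profile that only breaks once it is on the phone.
build_profile() {
    host=$1 ca=$2 cert=$3 key=$4 takey=$5
    for f in "$ca" "$cert" "$key" "$takey"; do
        if ! grep -q -e '-----BEGIN ' "$f" 2>/dev/null; then
            echo "build_profile: $f is missing or not a PEM file" >&2
            return 1
        fi
    done
    # Same directives as the iOS profile on this page, with the server address filled in.
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
tun-mtu 1500
mssfix 1300
auth SHA256
cipher AES-256-GCM
remote-cert-tls server
verb 3
EOF
    # The server uses tls-crypt, so the shared key goes in a <tls-crypt> block;
    # there is no key-direction line (that only applies to tls-auth).
    for pair in "ca=$ca" "cert=$cert" "key=$key" "tls-crypt=$takey"; do
        tag=${pair%%=*} file=${pair#*=}
        printf '<%s>\n' "$tag"
        cat "$file"
        printf '</%s>\n' "$tag"
    done
}

# new_client NAME HOST
# Generates and signs a certificate for NAME with easy-rsa (non-interactive),
# then writes NAME.ovpn readable only by the invoking user, because the file
# carries the client's private key and the shared tls-crypt key.
new_client() {
    name=$1 host=$2
    ( cd "$EASYRSA_DIR" \
        && ./easyrsa --batch gen-req "$name" nopass \
        && ./easyrsa --batch sign-req client "$name" ) || return 1
    ( umask 077 && build_profile "$host" \
        "$EASYRSA_DIR/pki/ca.crt" \
        "$EASYRSA_DIR/pki/issued/$name.crt" \
        "$EASYRSA_DIR/pki/private/$name.key" \
        /etc/openvpn/ta.key > "$OUT_DIR/$name.ovpn" ) \
        || { rm -f "$OUT_DIR/$name.ovpn"; return 1; }
    echo "wrote $OUT_DIR/$name.ovpn"
}

# Usage, run as root on the VPN server (assumed name and host):
#   new_client alice vpn.example.org
```

Because build_profile only reads files and writes to stdout, it can be pointed at any ca.crt, client.crt, client.key and ta.key, for example the ones copied to /etc/openvpn/client/ earlier, without going through easy-rsa again. The umask in new_client is applied in a subshell so the rest of the session keeps its normal file creation mask.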
