OpenVPN server (debian,ubuntu,kali,raspberry pi) + IOS13 – IOS16 client
Update: this is still working on December 2023 with IOS16
apt install openvpn easy-rsa
cp -r /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa
vim vars
/etc/openvpn/vars content
export KEY_COUNTRY="Serbia"
export KEY_PROVINCE="RS"
export KEY_CITY="Belgrade"
export KEY_ORG="LinuxWin"
export KEY_EMAIL="[email protected]"
export KEY_OU="OpenVPN"
Initialize PKI
./easyrsa init-pki
Build the CA without a password
./easyrsa build-ca nopass
Generate the server key
./easyrsa gen-req server nopass
Sign the server certificate
./easyrsa sign-req server server
Build a Diffie-Hellman key exchange
./easyrsa gen-dh
Generate a HMAC signature
openvpn --genkey --secret ta.key
Copy all the certificate and key to the /etc/openvpn
cp ta.key /etc/openvpn/
cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/
Generate Client certificate
./easyrsa gen-req client nopass
Sign Client certificate
./easyrsa sign-req client client
Copy client certificate and key to /etc/openvpn/client/
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/
/etc/openvpn/server.conf file
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
;dh none
server 192.168.10.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.220.222"
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
tls-crypt /etc/openvpn/ta.key 0
auth SHA256
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
tun-mtu 1500
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
enable IP forwarding
vim /etc/sysctl.conf
###uncoment following line###
net.ipv4.ip_forward=1
###save and exit###
sysctl -p
### the other way is to do the same ###
echo 1 > /proc/sys/net/ipv4/ip_forward
Firewall rules
### for server behind NAT ###
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
### or just...###
iptables -t nat -A POSTROUTING -j MASQUERADE
### open udp port 1194 ###
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
### allow TUN interface ###
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
To save rules to be loaded on boot install iptables-persistent
sudo apt install iptables-persistent
### current iptables rules will be saved to the
### /etc/iptables/rules.v4
### /etc/iptables/rules.v6
Start OpenVPN server service
systemctl start openvpn@server
### check status with..###
systemctl status openvpn@server
.ovpn config file for ios
client
dev tun
proto udp ####tcp if you use tcp protocol
remote 192.168.100.55 ### your server ip address or domain
port 1194 ####1194 only if your vpn server's port is the default port
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1500
;link-mtu 1549
mssfix 1300
auth SHA256
;auth-user-pass
verb 5
;comp-lzo ###(disable compression)
remote-cert-tls server
cipher AES-256-GCM
redirect-gateway def1
;remote-gateway 192.168.6.1
;dhcp-options DNS .8.8.8.8
;route 192.168.6.0 255.255.255.0 192.168.6.1
<ca>
ca.crt ### copy content here ###
</ca>
<cert>
clinet.ctr ### copy content here ###
</cert>
<key>
client.key ### copy content here ###
</key>
<tls-crypt>
ta.key ### copy contet of ta.key here ###
</tls-crypt>
Import .ovpn config file to ios via itunes, mail, google drive, onedrive…
There is a little script I made to automate this last step, (generate config file with all certificates). OVPNconfig
And for make certifictes and config file for more users you can use this script: OVPNclient
OpenVPN server on Mikrotik with IOS13 client
Mikrotik OS6.47
Generate a Self-Signed CA certificate
/certificate add name=mt.ca common-name=mt.ca key-usage=key-cert-sign,crl-sign trusted=yes
/certificate sign mt.ca
Generate a certificate for the vpn server (mikrotik router), sign it and trust it.
/certificate add name=ovpn.server common-name=ovpn.server
/certificate sign ovpn.server ca=mt.ca
/certificate set trusted=yes ovpn.server
Generate a certificate for the vpn client (ipad or phone) and sign it.
/certificate add name=iosvpn.client common-name=iosvpn.client
/certificate sign iosvpn.client ca=mt.ca
/certificate set trusted=yes iosvpn.client
Export CA certificate
/certificate export-certificate mt.ca
Export client certificate to pcks12 file type (required for ios)
/certificate export-certificate iosvpn.client export-passphrase=12345678 type=pkcs12
Exported client key pair is now in files with the filename cert_export_iosvpn.client.p12
Import it to OpenVPN connect with iTunes
cert_export_mt.ca.crt
Content of this file has to be placed at the end of .ovpn config file
.ovpn configuration file for IOS
client
dev tun
proto tcp #### Mikrotik uses TCP only
remote mynetname.net ### or IP address
port 1194 ####If you use defult port
resolv-retry infinite
nobind
persist-key
persist-tun
tun-mtu 1492
mssfix 1400
auth SHA1
auth-user-pass
verb 5
;comp-lzo ###(disable compression)
remote-cert-tls server
cipher AES-256-CBC
redirect-gateway def1 ### ios wont work without this
;remote-gateway 192.168.6.1
;dhcp-options DNS .8.8.8.8
;route 192.168.6.0 255.255.255.0 192.168.6.1
<ca>
-----BEGIN CERTIFICATE-----
### CONTENT OF mt.ca.crt FILE ###
-----END CERTIFICATE-----
</ca>
Save as iosclient.ovpn and import to OpenVPN connect on ios
Mikrotik OpenVPM server config
/ip/pool
/ppp/profile
/ppp/secrets
/ppp
Open TCP port 1194 on firewall
/ip firewall filter add action=accept chain=input comment="allow OpenVPN" disabled=no dst-port=1194 protocol=tcp