OpenVPN - export .crt and .key files

Comments

16 comments

  • Andy brown

    I believe that always on VPN is only supported on supervised iOS devices and is limited to IKEv2.  There is no app based customisation support.

  • Ray Austin

    Thanks Andy... I do have a supervised iOS device... that's why the link I provided was intriguing and I thought I'd try it.  It seems to suggest that you can create an OpenVPN profile that's on-demand.  But maybe I'm missing something.

    Does anyone know if there is a chance that Firewalla would build in an IKEv2 server?  That would be fantastic for parents trying to lock down child iPhones.  I don't know the pros and cons.  I'm assuming more system resources?

    I also thought about a docker IKEv2?  Is that possible?  If so, is anyone running one successfully?  I know nothing about containers etc. but if it would work as I'd like, I would be willing to learn or ask for help with it.

  • Andy brown

    I know enough to be dangerous..😁

    The link you posted is very interesting, but I don’t think it will work the way you want it to work.
    It basically turns on the VPN when away from the house, but to me I think it can still be turned off manually.

    It looks an interesting script, I may have a go myself.

  • James Willhoite

    Use Wireguard. I have that set up on my daughter's phone. Wireguard has the on demand feature. When she is in my wifi it turns off. The moment she leaves my wifi it turns on. Love that feature.

  • James Willhoite

    I’ve installed IKEv2 on my Gold, but everything is configured through ssh and no UI available.

  • Ray Austin

    Ok, so I've played around all day, and I have an ipsec vpn server running in a docker container with ikev2.  I have exported the .mobileconfig file and was able to successfully install the profile to the supervised iPhone.  However, now I'm confused about how to forward the incoming traffic on UDP ports 500 and 4500 to the container.  It looks like the container bridge gateway is 172.17.0.1.  Do I just create a rule to forward those ports to that IP?  If so, is that all I need to do?

  • Andy brown

    Have a look at these pages.

    https://www.derman.com/blogs/Begin-Configuration-Profile-Setup

    https://www.derman.com/blogs/iPhone-OpenVPN-Setup

    https://www.derman.com/blogs/iPhone-IPSec-VPN-Setup-With-Certs#CreateP12

    Reading through the pages, a lot refers to creating self assigned certificates in pfSense and using the inbuilt export tool.  But by creating your own .crt and .key files by splitting the .ovpn file you should be able to generate the all important .p12 file I think.  I don't believe you can do it in firewalla as there is no crt or key file, it's all contained in one file.

    I would generate the file using a terminal window in OSX on your mac then navigate to where you have saved the files.  

    P12 generation:

    openssl pkcs12 -export -in <user-certificate>.crt -inkey <user-key>.key -out user-cert.p12


    Hope this helps.

    Update: I see you have moved onto Docker.  The above is now probably not needed....


    Andy
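    An added example to go with the splitting step above; this is not code from the thread or from Firewalla. It is a POSIX shell script that pulls the inline `<ca>`, `<cert>` and `<key>` blocks out of an .ovpn profile into separate PEM files, which is exactly the input the `openssl pkcs12 -export` command needs. The sample profile is constructed with placeholder PEM bodies (no real certificate or key), and the output file names ca.crt, client.crt and client.key are this example's own choice. The `make_p12` function is the same openssl step as in the post, with the CA added via `-certfile` so the .p12 carries the chain.

```shell
#!/bin/sh
# Added example, not from the original thread: split an OpenVPN .ovpn profile
# (which embeds CA, certificate and key inline) into separate PEM files, then
# build the .p12 with the same openssl command quoted in the post above.

extract_block() {
    # $1 = tag name (ca, cert, key), $2 = profile path, $3 = output path.
    # Copies the lines strictly between <tag> and </tag>, excluding the tags.
    awk -v tag="$1" '
        $0 == "</" tag ">" { inside = 0 }
        inside              { print }
        $0 == "<" tag ">"  { inside = 1 }
    ' "$2" > "$3"
    if [ ! -s "$3" ]; then
        echo "no <$1> block found in $2" >&2
        rm -f "$3"
        return 1
    fi
    chmod 600 "$3"   # private key material must not be world-readable
}

split_ovpn() {
    # $1 = .ovpn profile, $2 = output directory.
    # Writes ca.crt, client.crt and client.key (names chosen for this example).
    mkdir -p "$2" || return 1
    extract_block ca   "$1" "$2/ca.crt"     || return 1
    extract_block cert "$1" "$2/client.crt" || return 1
    extract_block key  "$1" "$2/client.key" || return 1
}

make_p12() {
    # $1 = directory written by split_ovpn, $2 = output .p12 path.
    # Same command as the post, plus -certfile so the CA travels in the bundle.
    # openssl prompts for an export password; iOS will ask for it on import.
    openssl pkcs12 -export -in "$1/client.crt" -inkey "$1/client.key" \
        -certfile "$1/ca.crt" -out "$2"
}

# Constructed sample profile with placeholder bodies (not real key material).
SAMPLE_OVPN=$(mktemp)
cat > "$SAMPLE_OVPN" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT-BODY
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY-BODY
-----END PRIVATE KEY-----
</key>
EOF

OUT_DIR=$(mktemp -d)
split_ovpn "$SAMPLE_OVPN" "$OUT_DIR" && ls -l "$OUT_DIR"
# With a real profile, follow up with: make_p12 "$OUT_DIR" user-cert.p12
```

    Run it against a real profile with `split_ovpn client.ovpn ./out && make_p12 ./out user-cert.p12`. The extracted client.key is the same secret that was in the .ovpn, so keep the output directory out of shared folders and delete it once the .p12 is on the phone.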
  • Andy brown

    I may be wrong…again😄. But doesn’t your VPN configuration file contain your public IP address to connect to Firewalla then the network address tunnel for the 172 network so your clients get an IP.  Shouldn’t need any port forwarding if this is the case.  

  • Ray Austin

    Andy, I appreciate the look at the openVPN setup.  I would love for that solution to work because it'd be simpler for me because the server side would be taken care of in the FWG interface, which is awesome.  I might revisit sometime but I'm such a novice that I get stuck troubleshooting at each step that doesn't seem to work.

    I am using my ddns address as the public IP for the VPN (the one provided by the FWG)... but the FWG doesn't show the docker 172 network.  So I'm trying to figure out how to tell the FWG to forward port 500 and 4500 to the docker container 172.  Does that make more sense?  Maybe I'm off base again.  But I'm learning!

  • James Willhoite

    I have StrongSwan installed at boot time in my FWG. I wrote a script that installs it every time it reboots. I put a slimmed-down version on GitHub. Will need some tweaking to fit your needs but I use this to VPN into work.

    Take a look

    https://github.com/jameswillhoite/Firewalla-Scripts/tree/main/StrongSwan

  • Ray Austin

    Thanks James... I'll definitely look at that once I get it working.  I might be confused, but don't I have to tell the FWG to forward ports 500 and 4500 to the container that the VPN server is running in?  The container isn't showing in FWG as a network or a device, so there's no way to route that VPN traffic.  Right?

    A "docker ps" command shows a container ID with ports 0.0.0.0:500->500/udp, 0.0.0.0:4500->4500/udp

    All I know at this point is that when I try to connect the VPN on the iPhone with the profile, I get "The VPN server did not respond."  The server address is my xxxxxxxxxx.d.firewalla.org ddns domain.  I don't have to specify a port on the server address, right? 

  • Ray Austin

    James,

    I'd love to use Wireguard or OpenVPN, but there isn't a way to lock a non-native VPN in iOS.  So, yes, your daughter's phone connects to the VPN as soon as she leaves your wifi, but all she has to do is toggle the VPN off.  There's nothing to prevent them from circumventing... right?

  • James Willhoite

    That is right. I know at one point you could lock the VPN with a mobile config, can you install Wireguard and then lock the changes to VPN?

    EDIT: I looked this morning and there is not a way to lock the VPN profiles like I originally thought.

  • Andy brown

    Have you declared your new docker network, not just the IP address?

    For example:

    networks:
      default:
        driver: bridge
        ipam:
          config:
            # your chosen docker network here
            - subnet: 172.16.0.0/24

  • James Willhoite

    Once you do get this up and working, I've made an interesting discovery .... I was able to enable the DHCP for IKEv2 and I can block/allow/pause internet THROUGH the Firewalla UI.

    Inside the folder /etc/strongswan.d/charon is a file dhcp.conf. Edit that file and set the following:

    dhcp {
      force_server_address = yes
      identity_lease = yes
      load = yes
      server = 192.168.179.255
    }

    I created a new VLAN on the firewalla which assigned it the subnet 192.168.179.0/24, for which the ike will ask for an IP address in that subnet. The "identity_lease" property will create a hash for a MAC address which Firewalla uses to block traffic and identify it. It popped up in my quarantine section and blocked all internet. I was able to block google.com through the Firewalla UI. The only thing that does not work is network flows. I cannot see where the device is going because it is not actually flowing through the VLAN port I assigned.

  • Ray Austin

    Andy,

    I think so:

    {
      "Name": "mynetwork",
      "Id": "1d314b6f5c5783e0fd9476055069d2f4ecd7caa7b4e0e7bd441bd84034c5ae7f",
      "Created": "2022-01-05T19:54:39.39416929-05:00",
      "Scope": "local",
      "Driver": "bridge",
      "EnableIPv6": false,
      "IPAM": {
        "Driver": "default",
        "Options": {},
        "Config": [
          {
            "Subnet": "172.19.0.0/16",
            "Gateway": "172.19.0.1"
          }
        ]
      },
      "Internal": false,
      "Attachable": false,
      "Ingress": false,
      "ConfigFrom": {
        "Network": ""
      },
      "ConfigOnly": false,
      "Containers": {},
      "Options": {},
      "Labels": {}
    }

    But I'm still having no luck connecting.  Should I be able to see the docker container or network interface in Firewalla?  I've tried to see if the FWG is blocking the attempted VPN connection, but I don't see anything.

    I did put in a feature request on the forum for a 3rd VPN option of IKEv2.  It would be so great if they would implement that within the app just like the Wireguard and OpenVPN, where you could see the network info etc.

    I'm just not familiar enough with linux and docker, and although I'm good at following directions, I'm quite lost when it comes to tweaking directions for one thing to work with another.
