OpenVPN - export .crt and .key files
I am not great with Linux and have basic networking knowledge... just to be clear up front. :)
I am trying to create an iOS on demand VPN connection from my son's iPhone to the Firewalla Gold. Because Wireguard and OpenVPN are not native iOS VPN's, I can't seem to find a quick and easy way, even through Apple Configurator, to create a persistent connection to my Firewalla that my son can't simply turn off.
So, I'm trying it the hard way using the instructions here: https://www.codingmerc.com/blog/ios-vpn-on-demand-profile-with-openvpn/
I have a working OpenVPN profile created and have the profile file downloaded.
However, when I SSH to the Firewalla using Putty, and execute the command to build a bundle with the credentials needed to log in (openVPN.crt, openVPN.key and server.crt) I get an error that openVPN.key can't be found. Again, I have only basic knowledge of Linux, and I've dug around a little but don't know where to locate those files.
I'm assuming that the openVPN.crt and other files needed are somewhere on the FWG? If so, can someone point me to the directory?
Also, if anyone has a better solution to be able to "lock" an iPhone to always running through the FWG VPN server, I'm open to any suggestions. Because of iOS not allowing restricting the VPN settings (either supervised or through native child settings) all he has to do is disable the VPN toggle and defeat my whole reason for getting a FWG in the first place. Has Firewalla ever thought about including a IKEv2 VPN server? I think that would allow a configuration profile to lock it, right?
Any help would be greatly appreciated!
-
Thanks Andy... I do have a supervised iOS device... that's why the link I provided was intriguing and I thought I'd try it. It seems to suggest that you can create an OpenVPN profile that's on-demand. But maybe I'm missing something.
Does anyone know if there is a chance that Firewalla would build in an IKEv2 server? That would be fantastic for parents trying to lock down child iPhones. I don't know the pros and cons. I'm assuming more system resources?
I also thought about a docker IKEv2? Is that possible? If so, is anyone running one successfully? I know nothing about containers etc. but if it would work as I'd like, I would be willing to learn or ask for help with it.
-
I know enough to be dangerous..😁
the link you Posted is very interesting, but I don’t think it will work the way you want it to work.
it basically turns on the VPN when away from the house, but to me I think it can still be turned off manually.It looks an interesting script, i may have a go myself.
-
Ok, so I've played around all day, and I have an ipsec vpn server running in a docker container with ikev2. I have exported the .mobileconfig file and was able to successfully install the profile to the supervised iPhone. However, now I'm confused about how to forward the incoming traffic on UDP ports 500 and 4500 to the container. It looks like the container bridge gateway is 172.17.0.1. Do I just create a rule to forward those ports to that IP? If so, is that all I need to do?
-
Have a look at these page.
https://www.derman.com/blogs/Begin-Configuration-Profile-Setup
https://www.derman.com/blogs/iPhone-OpenVPN-Setup
https://www.derman.com/blogs/iPhone-IPSec-VPN-Setup-With-Certs#CreateP12
Reading through the pages as a lot refers to creating self assigned certificates in pfSense and using the inbuilt export tool. But by creating your own .crt and .key files by splitting the .ovpn file you should be able to generate the all important .p12 file I think. I don't believe you can do it in firewalla as there is no crt or key file, its all contained in one file.
I would generate the file using a terminal window in OSX on your mac then navigate to where you have saved the files.
P12 generation:
openssl pkcs12 -export -in <user-certificate>.crt -inkey <user-key>.key -out user-cert.p12
Hope this helps.
Update: I see you have moved onto Docker. The above is now probably not needed....
Andy
-
Andy, I appreciate the look at the openVPN setup. I would love for that solution to work because it'd be simpler for me because the server side would be taken care of in the FWG interface, which is awesome. I might revisit sometime but I'm such a novice that I get stuck troubleshooting at each step that doesn't seem to work.
I am using my ddns address as the public IP for the VPN (the one provided by the FWG)... but the FWG doesn't show the docker 172 network. So I'm trying to figure out how to tell the FWG to forward port 500 and 4500 to the docker container 172. Does that make more sense? Maybe I'm off base again. But I'm learning!
-
I have StrongSwan installed at boot time in my FWG. I wrote a script that installs it every time it reboots. I put a slimed down version on GitHub. Will need some tweaking to fit your needs but I use this to VPN into work.
Take a look
https://github.com/jameswillhoite/Firewalla-Scripts/tree/main/StrongSwan
-
Thanks James... I'll definitely look at that once I get it working. I might be confused, but don't I have to tell the FWG to forward ports 500 and 4500 to the container that the VPN server is running in? The container isn't showing in FWG as a network or a device, so there's no way to route that VPN traffic. Right?
A "docker ps" command shows a container ID with ports 0.0.0.0:500->500/udp, 0.0.0.0:4500->4500/udp
All I know at this point is that when I try to connect the VPN on the iPhone with the profile, I get "The VPN server did not respond." The server address is my xxxxxxxxxx.d.firewalla.org ddns domain. I don't have to specify a port on the server address, right?
-
James,
I'd love to use Wireguard or OpenVPN, but there isn't a way to lock a non-native VPN in iOS. So, yes, your daughter's phone connects to the VPN as soon as she leaves your wifi, but all she has to do is toggle the VPN off. There's nothing to prevent them from circumventing... right?
-
Once you do get this up and working, I've made a interesting discovery .... I was able to enable the DHCP for IKEv2 and I can block/allow/pause internet THROUGH the Firewalla UI.
inside the folder /etc/strongswan.d/charon is a file dhcp.conf. Edit that file and set the following
dhcp {
force_server_address = yes
identity_lease = yes
load = yes
server = 192.168.179.255
}I created a new VLAN on the firewalla which assigned it the subnet 192.168.179.0/24 for which the ike will ask for a IP address in that subnet. the "identity_lease" property will create a hash for a MAC address which Firewalla uses to block traffic and identify it. It popped up in my quarantine section and blocked all internet. I was able to block google.com through the Firewalla UI. The only thing that does not work is network flows. I cannot see where the device is going because it is not actually flowing through the VLAN port I assigned.
-
Andy,
I think so:
{
"Name": "mynetwork",
"Id": "1d314b6f5c5783e0fd9476055069d2f4ecd7caa7b4e0e7bd441bd84034c5ae7f",
"Created": "2022-01-05T19:54:39.39416929-05:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.19.0.0/16",
"Gateway": "172.19.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {},
"Labels": {}
}But I'm still having no luck connecting. Should I be able to see the docker container or network interface in Firewalla? I've tried to see if the FWG is blocking the attempted VPN connection, but I don't see anything.
I did put in a feature request on the forum for a 3rd VPN option of IKEv2. It would be so great if they would implement that within the app just like the Wireguard and OpenVPN, where you could see the network info etc.
I'm just not familiar enough with linux and docker, and although I'm good at following directions, I'm quite lost when it comes to tweaking directions for one thing to work with another.
Please sign in to leave a comment.
Comments
16 comments