Set up a VPN on your iPhone with OpenVPN and Linux
[Update 2018] This article has been significantly updated since it was published in 2013.
In this article I will show you how to set up an OpenVPN server on Linux. Once this server is up and running, I will show you how to configure your iOS devices, such as an iPhone or iPad, so that they can connect to the new VPN server.
The goal is to route all your Internet traffic through the VPN connection, so that wherever you are, nobody on the local network can see which sites you visit or what you do there. This is ideal when you have to use untrusted Internet access, such as public Wi-Fi.
Some typical scenarios would be:
- You’re running OpenVPN right on your Linux home router
- You are running an OpenVPN service on a device behind your home router, using port forwarding (for example a Raspberry Pi)
- You are running the OpenVPN service on a virtual private server hosted by one of the many cloud service providers
Your iOS devices will use OpenVPN Connect, a free app from the App Store.
Note on other platforms: Although this tutorial focuses on iOS devices, the new OpenVPN-based VPN server will support any client operating system, be it Windows, macOS, Android, or Linux. Configuring these other clients is beyond the scope of this article.
This tutorial is based on OpenVPN, which is an open source product. The company behind OpenVPN also offers a VPN service for a monthly price. If you find that the effort involved in setting up your own server is too much of a hassle, you can consider their service. Please note that I have never used this service and cannot vouch for it.
This is a brief overview of all the steps you’ll need to take in order to have a fully functional setup, including configuring clients:
- Linux server installation (out of scope)
- Install OpenVPN
- Set up the Certificate Authority
- Create the server certificate
- OpenVPN server configuration
- Configure the firewall on your Linux server
- Create certificates for each client (iPhone, iPad, etc.)
- Copy the client configuration to your devices
- Test your clients
How it works
OpenVPN is an SSL-based VPN solution. SSL-based VPNs are very reliable because, if you set them up correctly, you will never be blocked by a firewall as long as TCP port 443 can be reached. By default OpenVPN uses UDP on port 1194 as transport, but you can switch to TCP port 443 to reduce the chance of your traffic being blocked, at the cost of a little extra overhead.
Authentication is based on public/private key cryptography; in that respect an OpenVPN server is similar to an HTTPS server. The biggest difference is that your device does not authenticate with a username/password combination but with a certificate, which is stored in the client’s configuration file.
So before you can configure and start the OpenVPN service, you need to set up a Certificate Authority (CA). With the CA you generate the server certificate for your OpenVPN server, and after that all the client certificates.
OpenVPN is packaged by default on most popular Linux distributions. On any version of Debian or Ubuntu, apt-get install openvpn is all you need to install it.
Alternatively, have a look at the OpenVPN installer script. I’ve never tried it, but it seems to automate a lot of the steps below, such as configuring the firewall and creating the certificates.
It’s beyond the scope of this tutorial, but make sure you keep your OpenVPN software up to date, in case OpenVPN vulnerabilities are discovered in the future.
I’m building this tutorial on an old system whose default configuration settings, for both the CA and the OpenVPN server itself, are less secure. The settings I use in this tutorial are based on the steps in this blog:
- AES-256 for encryption
- 2048-bit keys instead of 1024-bit
- SHA256 instead of SHA1/MD5
I did some performance tests and got about 40-50MB per iOS client. I think the bottleneck is my old HP Microserver N40L with its relatively weak CPU.
If you want to limit how much bandwidth a client is allowed to use, I recommend this tutorial. I have tried it and it works perfectly.
Create a Certificate Authority
For Ubuntu: install the “easy-rsa” package and use the “make-cadir” command instead of the setup instructions below.
I assume you will keep your OpenVPN configuration in /etc/openvpn. Before you can set up the server configuration, you need to create a Certificate Authority. I used the /etc/openvpn/easy-rsa folder as the location for the CA.
mkdir /etc/openvpn/easy-rsa
We start by copying the easy-rsa example files to this new directory:
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
Please note that depending on your flavor of Linux, these files may be found in another path.
Next, cd into the destination directory:
cd /etc/openvpn/easy-rsa
Now open the ‘vars’ file with your favorite text editor. The following instructions are taken directly from the OpenVPN HOWTO.
You should (obviously) change all values to those that apply to you:
export KEY_COUNTRY="US"
export KEY_PROVINCE="California"
export KEY_CITY="San Francisco"
export KEY_ORG="My Company"
export KEY_EMAIL="email@example.com"
export KEY_CN="server"
export KEY_NAME="server"
export KEY_OU="Home"
Change the KEY_SIZE parameter to 2048, the key size chosen above:
export KEY_SIZE=2048
How long do you want your certificates to be valid (10 years?):
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
Then I had to copy openssl-1.0.0.cnf to openssl.cnf, because the ‘vars’ script complained that it couldn’t find the latter file:
cp openssl-1.0.0.cnf openssl.cnf
Note: I went through these steps on an older Linux install. I had to edit the file /etc/openvpn/easy-rsa/pkitool and change every occurrence of “sha1” to “sha256”.
Now we “source” the vars file and run the commands that actually generate the Certificate Authority. Note the leading dot before ./vars: it sources the file into the current shell.
. ./vars
./clean-all
./build-ca
./build-dh
You will have to confirm or change the values if necessary.
Now we have a CA and we can create new certificates that will be signed by that CA.
Warning: be very careful with all key files; they must remain private.
I recommend executing these commands:
chown -R root:root /etc/openvpn
chmod -R 700 /etc/openvpn
By default OpenVPN runs as root. With these commands only the root user will be able to access the keys. If you do not run OpenVPN as root, you must pick the appropriate user in the first command. See also this article.
Create server certificate
We create the server certificate with the easy-rsa build-key-server script:
./build-key-server server
You may choose a different name than “server”; it is the file name under which the key and certificate are stored.
All created files can be found in the directory /etc/openvpn/easy-rsa/keys. This is just a flat folder holding both server and client keys.
Create an optional TLS-AUTH key
This step is optional, but it takes little effort and adds an extra layer of security at no significant cost. In this step we create an additional secret key that is shared by the server and all clients; with it, OpenVPN attaches an HMAC signature to every TLS control-channel packet and discards packets without a valid signature before the TLS handshake even starts.
The following steps are based on this article (use --tls-auth).
cd /etc/openvpn/easy-rsa/keys
openvpn --genkey --secret ta.key
When we create the server configuration, we will point to this key file.
Create a client certificate
Now that we have a server certificate, we create a certificate for our iPhone (or any other iOS device) with the easy-rsa build-key script, giving the client name as argument:
./build-key iphone
Accept the defaults for the questions, but don’t forget to answer “y” to these two:
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Now we have everything in place to start creating an OpenVPN configuration. We must create a configuration for the server and the client. These configurations are based on examples which can be found in /usr/share/doc/openvpn/examples/.
Server configuration example
This is my server configuration and it works. It is stored in /etc/openvpn/openvpn.conf:
dev tun2
tls-server
cipher AES-256-CBC
auth SHA256
remote-cert-tls client
dh easy-rsa/keys/dh2048.pem
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
tls-auth easy-rsa/keys/ta.key
server 10.0.0.0 255.255.255.0
log /var/log/openvpn.log
script-security 2
route-up "/sbin/ifconfig tun2 up"
port 443
proto tcp-server
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 184.108.40.206"
I think you should be able to use this config as is. Depending on the IP addresses used within your own network, you may have to change the server line.
I am using TCP port 443 as destination port because it is almost never blocked: blocking it would cut off most of the Internet (HTTPS). The downside is that I can no longer host a secure website on this IP address.
OpenVPN will provide your client with an IP address within the address range configured in the Server section.
Change any parameters if needed, then start or restart the OpenVPN service. Check /var/log/openvpn.log to make sure the server is running properly.
If you want to use your VPN to surf the internet, we still need to configure the basic firewall setting.
I’m assuming you already have some kind of IPtables based firewall running. Configuring a Linux firewall is beyond the scope of this article. I will only discuss the changes that you may need to make in order for OpenVPN to function properly.
You will need to accept incoming traffic to TCP port 443 on the interface connected to the Internet:
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
If your OpenVPN server is behind a router/firewall, you need to configure port forwarding on that router/firewall. How to do this is beyond the scope of this article, as it varies for different devices.
Assuming you use, say, the 10.0.0.0/24 network for VPN clients such as your iPhone, you also need a NAT rule so that VPN clients can reach the Internet using the Linux server’s IP address:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
Replace eth0 with the name of the interface that connects to the Internet, and adjust the IP range to your own situation; it must not conflict with your existing network.
iptables -A FORWARD -p tcp -s 10.0.0.0/24 -d 0.0.0.0/0 -j ACCEPT
Please note that I have not tested these rules, because I have a different setup. But this should be enough. And make sure you enable IP forwarding as follows:
echo 1 > /proc/sys/net/ipv4/ip_forward
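As an added example that is not part of the original article, the following POSIX shell script generates the firewall rules described above so you can review them before applying, with two additions a practitioner would want: the FORWARD rule is not limited to TCP (the DNS server pushed to the clients is queried over UDP), and a return-traffic rule covers FORWARD chains whose default policy is DROP. The interface name, subnet and port are assumptions matching the article’s config and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the article): generate, review and optionally apply
# the iptables rules for an OpenVPN server that NATs its clients onto the
# Internet. The defaults are assumptions taken from the article's config.
#   WAN_IF=ens3 sh openvpn-fw.sh print    # show the rules
#   sh openvpn-fw.sh apply                # run them (as root)

WAN_IF=${WAN_IF:-eth0}            # interface connected to the Internet
VPN_NET=${VPN_NET:-10.0.0.0/24}   # subnet from the "server" line of openvpn.conf
VPN_PORT=${VPN_PORT:-443}         # port from the "port" line of openvpn.conf

# openvpn_fw_rules WAN_IF VPN_NET VPN_PORT -> one shell command per line, nothing executed
openvpn_fw_rules() {
    wan=$1 net=$2 port=$3
    # 1. Accept connections to the OpenVPN listener on the Internet-facing interface.
    echo "iptables -A INPUT -i $wan -p tcp --dport $port -j ACCEPT"
    # 2. Hide the VPN subnet behind the server's public address.
    echo "iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE"
    # 3. Forward client traffic out. Deliberately not limited to "-p tcp": DNS
    #    queries to the DNS server pushed to the clients travel over UDP.
    echo "iptables -A FORWARD -s $net -o $wan -j ACCEPT"
    # 4. Let replies back in; needed when the FORWARD chain's policy is DROP.
    echo "iptables -A FORWARD -d $net -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 5. The kernel must route between the tun interface and the WAN interface.
    #    This is not persistent; put net.ipv4.ip_forward=1 in /etc/sysctl.conf.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Number of commands generated, for a quick sanity check before applying.
openvpn_fw_rule_count() {
    openvpn_fw_rules "$@" | wc -l | tr -d ' '
}

case ${1:-} in
    print) openvpn_fw_rules "$WAN_IF" "$VPN_NET" "$VPN_PORT" ;;
    apply) openvpn_fw_rules "$WAN_IF" "$VPN_NET" "$VPN_PORT" | sh -e ;;
esac
```

The rules are appended (-A), so run the script once; if you already have a FORWARD rule limited to -p tcp, replace it rather than keeping both.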
Example of client configuration
Most OpenVPN clients can automatically import files with the .ovpn file extension. A typical configuration file is something like “iphone.ovpn”.
Warning: the .ovpn file will contain the certificate (and private key) your iPhone/iPad uses to authenticate to your OpenVPN server. Be very careful where you store this file. Anyone who obtains a copy of it will be able to connect to your VPN server.
This is an example config file; we won’t create it manually, as that is a lot of work.
What you will notice from this example is that the .ovpn file contains both the client configuration and all the required certificates:
- CA root certificate
- Server certificate for server validation
- Client’s own certificate
- TLS-AUTH key (optional additional security measure)
Create a client configuration file (.ovpn) using a script
You can create the client config file manually, but that takes a lot of work, since you need to append all certificates to a single file that also contains the configuration settings.
So we will use a script to set up the client configuration.
First we are going…
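The following is an added example and not the article’s own script: a POSIX shell function that assembles a self-contained .ovpn profile from the files easy-rsa leaves in the keys directory, with the client settings mirroring the server configuration shown above (TCP 443, AES-256-CBC, SHA256, tls-auth). The keys directory, client name and server hostname are assumptions passed as arguments; the demo function builds the profile from constructed placeholder files so it can be tried offline.

```shell
#!/bin/sh
# Added example, not the article's own script: assemble a self-contained .ovpn
# profile from the files easy-rsa 2.0 leaves in /etc/openvpn/easy-rsa/keys.
# Assumed inputs: ca.crt, <client>.crt, <client>.key and ta.key in that directory.
#   sh make-ovpn.sh /etc/openvpn/easy-rsa/keys iphone vpn.example.com > iphone.ovpn

# Print only the PEM block of a file; easy-rsa .crt files start with a human
# readable dump that must not end up inside the inline <cert> block.
pem_only() {
    sed -n '/-----BEGIN /,/-----END /p' "$1"
}

# make_ovpn KEYS_DIR CLIENT_NAME SERVER_HOST -> profile on stdout, returns 1 if a file is missing
make_ovpn() {
    keys_dir=$1 client=$2 server=$3
    for f in ca.crt "$client.crt" "$client.key" ta.key; do
        if [ ! -r "$keys_dir/$f" ]; then
            echo "make_ovpn: missing $keys_dir/$f" >&2
            return 1
        fi
    done
    # Settings mirror the article's server config. The server's tls-auth line has
    # no direction parameter, so the client must not set key-direction either.
    cat <<EOF
client
dev tun
proto tcp-client
remote $server 443
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
verb 3
EOF
    for tag in ca cert key tls-auth; do
        case $tag in
            ca) file=ca.crt ;;
            cert) file=$client.crt ;;
            key) file=$client.key ;;
            tls-auth) file=ta.key ;;
        esac
        echo "<$tag>"
        pem_only "$keys_dir/$file"
        echo "</$tag>"
    done
}

# Demonstration with constructed placeholder files (not real keys) so the script
# can be tried offline; point make_ovpn at your real keys directory instead.
demo_ovpn() {
    tmp=$(mktemp -d)
    printf '%s\n' 'junk dump line' '-----BEGIN CERTIFICATE-----' 'constructed ca.crt' '-----END CERTIFICATE-----' > "$tmp/ca.crt"
    printf '%s\n' 'junk dump line' '-----BEGIN CERTIFICATE-----' 'constructed iphone.crt' '-----END CERTIFICATE-----' > "$tmp/iphone.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed iphone.key' '-----END PRIVATE KEY-----' > "$tmp/iphone.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'constructed ta.key' '-----END OpenVPN Static key V1-----' > "$tmp/ta.key"
    make_ovpn "$tmp" iphone vpn.example.com
    rm -rf "$tmp"
}

# The profile embeds the client's private key, so create it with a restrictive umask.
if [ "${1:-}" = "--demo" ]; then
    umask 077
    demo_ovpn
fi
```

Run it with --demo to see the layout, or call make_ovpn with your real keys directory and redirect the output to iphone.ovpn; the resulting file is what OpenVPN Connect imports.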