March 2015 Archives

iPhone VPN (Virtual Private Network)

It's become quite clear that using public Wi-Fi is getting increasingly dangerous. New attacks are constantly being created. The best solution for this is to use a Virtual Private Network, VPN, which eliminates most of the risks. Using a VPN prevents sniffing unencrypted connections, DNS redirection, tracking cookie insertion, and more exotic attacks like the export-grade SSL MITM attack.

The VPN support built into iOS is quite good. When configured using keys and certificates stored in the keychain it's quite secure. And it automatically activates, reconnecting when you wake from sleep or switch between Wi-Fi and 3G/4G/LTE. It only takes a second or two to reconnect, and I don't notice a speed difference in use.

By far the easiest way to handle the server side is to just sign up for a VPN service. Quick and easy, though you generally have to pay a monthly fee.

This post is for the tiny sliver of the population that is security paranoid, has server(s) at their disposal, and is averse to spending money. This solution is free, if you have a server to install it on. You can theoretically install the server at your home, though if you have an asymmetric Internet connection your phone browsing will be limited to less than your home upload speed. And you'll probably have to deal with dynamic IP address issues. This post mainly focuses on installing on an Internet connected server, in my case a fractional shared Linux virtual private server, which has more than enough power for this use.

While the underlying VPN implementation is part of iOS, I couldn't figure out how to configure it to use OpenVPN directly. Fortunately, it's easy using the free OpenVPN Connect app. Just install that from the App Store and the rest is pretty easy. 

The main thing is to follow these instructions to set up the server side OpenVPN under Linux. The instructions are good.

There are more instructions here, but the ones above should be sufficient.

Follow the instructions in the first link to create a client certificate. I called mine iphone6. Then issue this command in /etc/openvpn/easy-rsa/keys. Replace "iphone6" with whatever you called your client certificate. And repeat this for as many clients as you want to connect. Always create separate key/certificate pairs for each device!

openssl pkcs12 -export -in iphone6.crt -inkey iphone6.key -certfile ca.crt -name iphone6 -out iphone6.p12

Assign a strong export password for safety. You'll be asked for it again when you import into the keychain, but not every time you use the VPN, so use a long and strong password because you only need to type it 3 times, ever.

You'll need to email this to yourself, so you can open it on your phone. When you click on the attachment, it will prompt you to install the key and certificate, which you should do. This is why you need to protect it with a strong password!

You may be able to use iTunes Sync to transfer this file. I was unable to transfer it using DropBox. Well, I was able to transfer it, but I couldn't get it open and import automatically so that doesn't help.

Here are some FAQs for the OpenVPN Connect iOS app:

The other thing you need to do is create the .ovpn configuration file. Since I imported the key and certificate right into the iOS keychain using a .p12 file, above, I don't need to include them in the ovpn file. Sending around unencrypted keys in the ovpn file isn't very secure!

Here is the file I created, iphone6.ovpn:

dev tun
proto udp
remote 1194
ns-cert-type server
**** replace this block with your ca.crt! ****
Don't just copy and paste this! You need to put your ca.crt from /etc/openvpn/ca.crt, or you won't be able to connect. Also, change the remote to your server's hostname or IP address. Even though I added the CA to the .p12 file I wasn't able to connect unless I put this in the .ovpn file. Also, this is low-risk because the ca.crt is intended to be public knowledge to validate the certificates. 

Just email this file to yourself and open it on the iPhone. It should ask if you want to open it with OpenVPN Connect and you should. And that's it! You can do this step with Dropbox, if you prefer.

You should be able to connect now.

If it fails, check the server logs in /var/log/syslog. 

Also, once you've successfully connected you can toggle the VPN on and off using Settings - VPN, just a click away. (For some reason you can't always turn it back on there, but Settings - General - VPN or the OpenVPN Connect app seem to always work.)

If you use a public Wi-Fi hotspot that requires that you agree to terms and conditions on a web page first, you'll probably have to turn off the VPN, open a web browser to any page, agree, then you should be able to turn the VPN back on. It's a small price to pay for security!

There is no way to have it automatically deactivate the VPN when, for example, you're at home. While that sounds enticing, if that sort of thing was even possible it probably opens up an opportunity for a targeted man-in-the-middle attack where a public Wi-Fi hotspot could pretend to be your home Wi-Fi. Anyway, with no noticeable performance penalty, I'm not worried about the overhead.

I've been using it for several days now and it works great!

About this Archive

This page is an archive of entries from March 2015 listed from newest to oldest.

January 2015 is the previous archive.

Find recent content on the main index or look in the archives to find all content.