Ovpnmcgen.rb

OpenVPN iOS Configuration Profile Utility

Generates iOS configuration profiles (.mobileconfig) that configures OpenVPN for use with VPN-on-Demand that are not accessible through the Apple Configurator or the iPhone Configuration Utility.

---

OpenVPN Connect (iOS) v1.2.x:

• Breaking changes: enable the --v12compat switch.
• Bug/workaround: enable the --cert & --key switches as necessary.

Refer to known issues below for more details.

---

Although there are many possible VPN-on-Demand (VoD) triggers, this utility currently only implements SSIDMatch, InterfaceTypeMatch, and optionally URLStringProbe. For 'high' (default) security level, the following algorithm is executed upon network changes, in order:

• If wireless SSID matches any specified with --trusted-ssids, tear down the VPN connection and do not reconnect on demand.
• Else if wireless SSID matches any specified with --untrusted-ssids, unconditionally bring up the VPN connection on the next network attempt.
• Else if the primary network interface becomes Wifi (any SSID except those above), unconditionally bring up the VPN connection on the next network attempt.
• Else if the primary network interface becomes Cellular, leave any existing VPN connection up, but do not reconnect on demand.
• Else, leave any existing VPN connection up, but do not reconnect on demand.

Note: The other match triggers, such as DNSDomainMatch, DNSServerAddressMatch, and per-connection domain inspection (ActionParameters), are not implemented. I reckon some kind of DSL will need to be built to support them; pull-requests are welcome.

Installation

Install the production version from Rubygems.org:

$ gem install ovpnmcgen.rb

Local Development

Clone the source:

$ git clone https://github.com/iphoting/ovpnmcgen.rb

Build and install the gem:

$ cd ovpnmcgen.rb/
$ bundle install   # install dependencies
# Hack away...
$ rake install     # build and install gem

Usage

Usage: ovpnmcgen.rb generate [options] <user> <device>

  Options:
    -c, --config FILE    Specify path to config file. [Default: .ovpnmcgen.rb.yml]
    --cafile FILE        Path to OpenVPN CA file. (Required)
    --tafile FILE        Path to TLS-Auth Key file.
    --tlscryptfile FILE	 Path to TLS-Crypt Key file.
    --cert FILE          Path to Cert file.
    --key FILE           Path to Private Key file.
    --host HOSTNAME      Hostname of OpenVPN server. (Required)
    --proto PROTO        OpenVPN server protocol. [Default: udp]
    -p, --port PORT      OpenVPN server port. [Default: 1194]
    --p12file FILE       Path to user PKCS#12 file.
    --p12pass PASSWORD   Password to unlock PKCS#12 file.
    --[no-]vod           Enable or Disable VPN-On-Demand. 
                         When Disabled, sets `vpn-on-demand: 0`, so that OpenVPN Connect can control this profile. [Default: Enabled]
    --v12compat          Enable OpenVPN Connect 1.2.x compatibility. 
                         When Enabled, use updated `VPNSubType: net.openvpn.connect.app` 
                         (changed since OpenVPN Connect 1.2.x). [Default: Disabled]
    --security-level LEVEL Security level of VPN-On-Demand Behaviour: paranoid, high, medium. [Default: high]
    --vpn-uuid UUID      Override a VPN configuration payload UUID.
    --vpn-name NAME	     Override a VPN configuration payload name displayed under
                         Settings.app > General > VPN.
    --profile-uuid UUID  Override a Profile UUID.
    --cert-uuid UUID     Override a Certificate payload UUID.
    -t, --trusted-ssids SSIDS List of comma-separated trusted SSIDs.
    -u, --untrusted-ssids SSIDS List of comma-separated untrusted SSIDs.
    -d, --domains DOMAINS List of comma-separated domain names requiring VPN service.
    --domain-probe-url PROBE An HTTP(S) URL to probe, using a GET request. If no HTTP response code is received from the server, a VPN connection is established in response.
    --trusted-ssids-probe-url PROBE An HTTP(S) URL to probe, using a GET request. If no HTTP response code is received from the server, a VPN connection is established in response.
    --url-probe URL      This URL must return HTTP status 200, without redirection, before the VPN service will try establishing.
    --remotes REMOTES	 List of comma-separated alternate remotes: "<host> <port> <proto>".
    --idle-timer TIME    Disconnect from VPN when idle for a certain period of time (in seconds) scenarios. Requires disabling "Reconnect On Wakeup" on OpenVPN.app.
    --ovpnconfigfile FILE Path to OpenVPN client config file.
    -o, --output FILE    Output to file. [Default: stdout]

Configuration

Option flags can be set using environment variables or placed into a YAML formatted file. The default filename .ovpnmcgen.rb.yml will be searched for in ./, and then ~/.

Note: Only for YAML configuration files and environment variables, flags with hyphens (-) are replaced with underscores (_), i.e. --trusted-ssids safe should be trusted_ssids: safe.

Sample:

untrusted_ssids: [dangerous1, dangerous2]
trusted_ssids: [trust]
host: vpn.example.com
cafile: /etc/openvpn/ca.crt
tafile: /etc/openvpn/ta.key
url_probe: https://vpn.example.com/canVPN.php

Security Levels

There are three different security levels to choose from, 'paranoid', 'high' (default), and 'medium'. The algorithm illustrated above is for 'high'.

For 'paranoid' security level, the following algorithm is executed upon network changes, in order:

• If wireless SSID matches any specified with --trusted-ssids, tear down the VPN connection and do not reconnect on demand.
• Else if wireless SSID matches any specified with --untrusted-ssids, unconditionally bring up the VPN connection on the next network attempt.
• Else if the primary network interface becomes Wifi (any SSID except those above), unconditionally bring up the VPN connection on the next network attempt.
• Else if the primary network interface becomes Cellular, unconditionally bring up the VPN connection on the next network attempt.
• Else, leave any existing VPN connection up, but do not reconnect on demand.

For 'medium' security level, the following algorithm is executed upon network changes, in order:

• If wireless SSID matches any specified with --trusted-ssids, tear down the VPN connection and do not reconnect on demand.
• Else if wireless SSID matches any specified with --untrusted-ssids, unconditionally bring up the VPN connection on the next network attempt.
• Else if the primary network interface becomes Wifi (any SSID except those above), leave any existing VPN connection up, but do not reconnect on demand.
• Else if the primary network interface becomes Cellular, leave any existing VPN connection up, but do not reconnect on demand.
• Else, leave any existing VPN connection up, but do not reconnect on demand.

URL Probe

Apple provides a URLStringProbe test condition where a VPN connection will only be established, if and only if a specified URL is successfully fetched (returning a 200 HTTP status code) without redirection.

This feature can be enabled for statistical and maintenance-protection reasons. Otherwise, it can also workaround a circular limitation with unsecured wireless captive portals. See Known Issues below for further elaboration.

By enabling this option, you will need to reliably and quickly respond with HTTP status code 200 at the URL string supplied.

Domain Matching

To require an iOS device to bring up the VPN when example.com is requested is not so easy, especially if it is has a publicly accessible DNS resolution.

Apple provides an EvaluateConnection and ActionParameters configuration options with the view that certain domains will have DNS resolution failures, and hence, require the VPN to be up. In most corporate cases with internal-facing hostnames, it works well. See the --domains option.

However, if there are certain sensitive public sites (or blocked sites) that you decide that a VPN should be brought up instead, you will need to additionally specify a RequiredURLStringProbe that returns a non-200 response. See the --domain-probe-url option.

Examples

Typical Usage

$ ovpnmcgen.rb gen --v12compat \
--trusted-ssids home \
--host vpn.example.com \
--cafile path/to/ca.pem \
--tafile path/to/ta.key \
--url-probe http://vpn.example.com/status \
--p12file path/to/john-ipad.p12 \
--p12pass p12passphrase \
john ipad

Output:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDescription</key>
			<string>Configures VPN settings, including authentication.</string>
			<key>PayloadDisplayName</key>
			<string>VPN (vpn.example.com/VoD)</string>
			<key>PayloadIdentifier</key>
			<string>com.example.vpn.john-ipad.vpnconfig</string>
			<key>PayloadOrganization</key>
			<string>vpn.example.com</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>...</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>UserDefinedName</key>
			<string>vpn.example.com/VoD</string>
			<key>VPN</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>Certificate</string>
				<key>OnDemandEnabled</key>
				<integer>1</integer>
				<key>OnDemandRules</key>
				<array>
					<dict>
						<key>Action</key>
						<string>Disconnect</string>
						<key>SSIDMatch</key>
						<array>