
Using Mobileconfig Profiles

You can create OpenVPN profiles using the iPhone Configuration Utility (iPCU) and export them to a .mobileconfig file, which you can import into one or more iOS devices. Unfortunately, the process is cumbersome because you must manually enter the directives of the OpenVPN profile as key/value pairs into the iPCU.

  1. Open iPCU.

  2. Tap File.

  3. Select "New Configuration Profile".

  4. Edit the newly created Configuration Profile.

  5. Click General in the left pane.

  6. Fill out the fields such as Name, Identifier, Organization, etc.

  7. Click on VPN in the left pane.

    • A "Configure VPN" dialog box should appear in the main window.

  8. Click Configure.

  9. Fill out the VPN settings as described below:

    1. Connection Name should be set to a name that will identify this profile on the device.

    2. Connection Type should be set to Custom SSL.

    3. Identifier should be set to "net.openvpn.connect.app". (On older versions, this used to be net.openvpn.OpenVPN-Connect.vpnplugin.)

    4. Server must be set to "DEFAULT". The actual server hostname will be configured via OpenVPN remote directives in the Custom Data section.

    5. User Authentication should be set to Password, and the password field should be left blank.

You must define parameters normally given in the OpenVPN client configuration file using key/value pairs in the Custom Data section:

  • Define each OpenVPN directive as a key, with arguments specified as the value. As in the OpenVPN configuration file, arguments are space-delimited and may be quoted.

  • If the server requires them, key/value pairs for remote, ca, cert, key, tls-auth, key-direction, auth-user-pass, comp-lzo, cipher, auth, ns-cert-type, and remote-cert-tls must be defined.

  • If your server doesn't require clients to authenticate with a client certificate and private key, you can omit key/value pairs for ca and cert, but be sure to add the key/value pair "setenv" : "CLIENT_CERT 0".

  • The client certificate and private key can be separately imported onto the iOS device using a PKCS#12 file, in which case you can omit key/value pairs for ca and cert.

  • If you are attaching a private key to the configuration using the key directive, consider encrypting the key with a password to protect it while in transit to the target iOS device.

  • You must add a special key/value pair "vpn-on-demand" : "0" so that OpenVPN can distinguish this profile from an iOS VPN-On-Demand profile.

  • Use "NOARGS" as the value for OpenVPN directives with no arguments.

  • If the same directive appears more than once, number the instances in the order they should be passed to OpenVPN by appending .n to the directive name, where n is an integer (for example remote.1 and remote.2).

  • For multi-line directives such as ca, cert, key, and tls-auth, whose argument is the content of a file, an escaping model lets you supply the file content as a single-line value: replace each line break with \n (without the quotes). Because of this escaping, a literal backslash must be written as \\.

  • For OpenVPN Access Server meta-directives such as "OVPN_ACCESS_SERVER_USERNAME", remove the OVPN_ACCESS_SERVER_ prefix, giving USERNAME as the directive.
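The rules above are mechanical enough to script. The following is an added example (not part of the OpenVPN Connect documentation or code) that builds the VendorConfig dictionary from a client profile: bare directives become NOARGS, repeated directives are numbered .1, .2, ..., inline <ca>-style blocks are flattened with the \n escaping model, the OVPN_ACCESS_SERVER_ prefix is stripped, and vpn-on-demand is added. SAMPLE_OVPN is a constructed profile with a placeholder PEM body.

```python
"""Build the VendorConfig dict of an OpenVPN .mobileconfig payload from an
OpenVPN client profile using the key/value rules above. Added example."""
import re
# Constructed sample profile; the PEM body is a placeholder, not a real certificate.
SAMPLE_OVPN = """client
remote vpn1.example.com 1194 udp
remote vpn2.example.com 443 tcp
OVPN_ACCESS_SERVER_USERNAME alice
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxx
-----END CERTIFICATE-----
</ca>
"""

def escape_block(lines):
    """Flatten a file body to one line: escape backslashes first, then newline -> \\n."""
    body = "".join(line + "\n" for line in lines)
    return body.replace("\\", "\\\\").replace("\n", "\\n")

def ovpn_to_vendor_config(text):
    """Return the VendorConfig dict: NOARGS for bare directives, .n numbering
    for repeated ones, inline <ca>-style blocks flattened, AS prefix stripped."""
    entries = []                          # (directive, value) in file order
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:                           # inline block such as <ca> ... </ca>
            block = []
            for inner in lines:
                if inner.strip() == f"</{tag.group(1)}>":
                    break
                block.append(inner)
            entries.append((tag.group(1), escape_block(block)))
            continue
        parts = line.split(None, 1)
        name = parts[0].removeprefix("OVPN_ACCESS_SERVER_")
        entries.append((name, parts[1] if len(parts) > 1 else "NOARGS"))
    total = {n: sum(1 for m, _ in entries if m == n) for n, _ in entries}
    vendor, seen = {}, {}
    for name, value in entries:
        if total[name] > 1:               # repeated directive -> remote.1, remote.2, ...
            seen[name] = seen.get(name, 0) + 1
            name = f"{name}.{seen[name]}"
        vendor[name] = value
    vendor["vpn-on-demand"] = "0"         # marks an OpenVPN profile, not iOS VPN On Demand
    return vendor
```

The returned dictionary maps directly onto the keys and strings of the VendorConfig dict in the plist example further down; a plistlib.dumps of it produces that XML.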

Once you’ve defined the profile, you have two options for exporting it to an iOS device:

  1. If your device is currently tethered, click on its name in the left pane. Then, in the main window, click on the Configuration Profiles tab. You should see the name of your Configuration Profile and a button to install it on the device.

  2. You can also save the Configuration Profile as a .mobileconfig file and make it available to iOS clients via email or the web. To do this, select your Configuration Profile, go to the File menu, and select "Export...". An Export Configuration Profile dialog box will appear. Select a Security option — "Sign configuration profile" is a reasonable choice. Press the Export button and save the profile.

When an iOS device receives an OpenVPN .mobileconfig profile (via Mail attachment, Safari download, or pushed by iPCU), it raises a dialog box to facilitate its import. After import, the profile is visible in OpenVPN.

The example below is a sample Provisioning Profile without a .p12 payload; the key and cert are embedded directly in the VPN settings.

Example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>0</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings</string>
            <key>PayloadDisplayName</key>
            <string>VPN</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.C69FB197-D553-4A78-B024-CBCCFD7F731F</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>C69FB197-D553-4A78-B024-CBCCFD7F731F</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Proxies</key>
            <dict>
                <key>HTTPEnable</key>
                <integer>0</integer>
                <key>HTTPSEnable</key>
                <integer>0</integer>
            </dict>
            <key>UserDefinedName</key>
            <string>test client</string>
            <key>VPN</key>
            <dict>
                <key>AuthName</key>
                <string>DEFAULT</string>
                <key>AuthenticationMethod</key>
                <string>Password</string>     <!-- NOTE: IMPORTANT WHEN NOT APPENDING A .P12 PAYLOAD -->
                <key>RemoteAddress</key>
                <string>DEFAULT</string>
            </dict>
            <key>VPNSubType</key>
            <string>net.openvpn.connect.app</string>    <!-- NOTE: CHANGED SINCE v1.2.5 -->
            <key>VPNType</key>
            <string>VPN</string>
            <key>VendorConfig</key>
            <dict>
                <key>ca</key>
                <string>-----BEGIN CERTIFICATE-----\nxxxxxxxxx\n-----END CERTIFICATE-----\n</string>
                <key>cert</key>
                <string>-----BEGIN CERTIFICATE-----\nxxxxxxxxxx\n-----END CERTIFICATE-----\n</string>
                <key>cipher</key>
                <string>AES-256-CBC</string>
                <key>client</key>
                <string>NOARGS</string>
                <key>dhcp-option</key>
                <string>DNS 8.8.8.8</string>
                <key>key</key>
                <string>-----BEGIN PRIVATE KEY-----\nxxxxxxxxxx\n-----END PRIVATE KEY-----\n</string>
                <key>remote</key>
                <string>192.168.1.192 1194 udp</string>
                <key>vpn-on-demand</key>
                <string>0</string>
            </dict>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>client-LAN</string>
    <key>PayloadIdentifier</key>
    <string>myidentifier.01C011CB-5A34-486B-ACAC-699374A9D772</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>EF2888C0-F204-4B17-BF46-3FD16493C9B2</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>