Vacation time ahead, and the iPad in the house (who ever had the idea of buying one?) needs a proper VPN connection, in order to be able to access Netflix in Germany.
On Android it's fairly easy: install the app, drop CA cert, private cert, and key on the device, add everything - done. Three devices ready in less than 10 minutes.
And then I tried the iPad ...
First question: how to copy the files to the device? Well, the file manager found on the device can't do network connections. Useless.
In the end I settled on copying the zip to a fileserver and used Safari to download it.
At least the file manager can unpack the zip - but why is iOS always generating numbers when the file already exists, instead of asking me if I want to overwrite it? After some tests I ended up with "ca.crt", "ca 01.crt", "ca 02.crt" and so on. Just stupid.
On to OpenVPN, installed the app, and it tells me that I need a ".ovpn" file - why? Ok, next round of zip files. But the app itself cannot open the .ovpn file, instead I have to use the file manager and then use "open with". Talk about obvious ...
Next round: I can't select the cert and key files, everything has to be provided as part of the .ovpn configuration file. Added the filenames to the file:
    ca ca.crt
    cert ipad.crt
    key ipad.key
Not helpful - even when all files are in the same directory, the iPad will not find the files, and OpenVPN complains. Further reading reveals that everything can be part of the .ovpn file:
    <ca>
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
    </key>
That works, the iPad can start the VPN connection. However after starting the tunnel, no network access is possible. Looks like DNS servers are missing, although the VPN server is pushing 2 DNS servers as part of the connection configuration. Ok, well, let's specify DNS servers as part of the .ovpn file ...
    dhcp-option DNS 220.127.116.11
    dhcp-option DNS 18.104.22.168
Plus the "usual":
    remote vpn.server.name 443
    ping 10
    comp-lzo
Finally, VPN is working!
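
The inlining step above (turning the "ca", "cert" and "key" file references into inline blocks) can be scripted on a desktop before the profile goes to the iPad. This is an added example, not part of the original post; the function names, the output name "ipad.ovpn" and the placeholder PEM contents are assumptions made up for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

INLINE = ("ca", "cert", "key")  # directives that also accept an inline <tag> block
PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def inline_profile(config_text, base_dir):
    """Replace 'ca|cert|key <file>' lines with inline <tag>...</tag> blocks."""
    out = []
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in INLINE:
            path = Path(base_dir) / parts[1].strip().strip('"')
            # Keep only the PEM block; a cert file may start with a text dump.
            match = PEM.search(path.read_text())
            if match is None:
                raise ValueError(f"{path}: no PEM block found")
            out += [f"<{parts[0]}>", match.group(0), f"</{parts[0]}>"]
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def write_profile(text, dest):
    """The profile now embeds the private key, so create it owner-only (0600)."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

def demo():
    """Constructed sample: placeholder PEM bodies, not real key material."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, kind in (("ca.crt", "CERTIFICATE"), ("ipad.crt", "CERTIFICATE"),
                           ("ipad.key", "PRIVATE KEY")):
            body = f"-----BEGIN {kind}-----\nPLACEHOLDER\n-----END {kind}-----\n"
            Path(tmp, name).write_text("text dump\n" + body)
        config = ("remote vpn.server.name 443\nping 10\n"
                  "ca ca.crt\ncert ipad.crt\nkey ipad.key\n")
        profile = inline_profile(config, tmp)
        dest = os.path.join(tmp, "ipad.ovpn")
        write_profile(profile, dest)
        return profile, os.stat(dest).st_mode & 0o777

if __name__ == "__main__":
    print(demo()[0])
```

Since the resulting single file carries the private key, it deserves the same handling as the key file itself while it sits on a fileserver or in a download folder.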