
Author Topic: OpenVPN Client Export to OpenVPN Connect (iOS)  (Read 8001 times)

RickNY

OpenVPN Client Export to OpenVPN Connect (iOS)
« on: September 28, 2016, 04:30:44 pm »
Hi.. Over the weekend, I migrated my Netgate RCC-VE 2440 from pfSense to OPNsense.. I had a question on the OpenVPN client export area.. Previously, on pfSense, I could use an iOS device on my Wi-Fi network to connect to the pfSense device and then use the client export to export an OpenVPN Connect (iOS/Android) inline configuration.  The firewall would serve up the .ovpn file as a download in mobile Safari on the iOS device, where I could choose "Open In...OpenVPN", and the configuration would be imported.

With OPNsense, I still have that option -- but when I try to get the configuration, mobile Safari (and Chrome for iOS) just display a text version of the .ovpn file, instead of serving it as a download.

Is there a way to change this behavior?  The other options for OpenVPN Connect are either not very secure (i.e. send via email) or a hassle (i.e. connect to iTunes and add the .ovpn file to the shared files area for OpenVPN Connect)

Thanks,
Rick

AdSchellevis

Re: OpenVPN Client Export to OpenVPN Connect (iOS)
« Reply #1 on: September 28, 2016, 10:01:10 pm »
Hi Rick,

The first thing that came to my mind was that there should be a difference in the headers we send, but I've inspected them and there doesn't seem to be a difference there.
When you downloaded the file in pfSense, was the filetype equal to the one you're using now and did it have the same extension?
There could also be a difference in file handling in different versions of iOS.

Best regards,

Ad

RickNY

Re: OpenVPN Client Export to OpenVPN Connect (iOS)
« Reply #2 on: September 29, 2016, 12:36:02 am »
Hi Ad... It served a download of an .ovpn file.

I did notice in the headers that nginx under pfSense is setting "X-Content-Type-Options: nosniff", while lighttpd under OPNsense is not...

Code:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 28 Sep 2016 22:13:41 GMT
Content-Type: application/octet-stream
Content-Length: 6009
Connection: keep-alive
Last-Modified: Wed, 28 Sep 2016 22:13:41 GMT
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma:
Cache-Control:
Content-Disposition: attachment; filename=config_filename.ovpn
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff

And on OPNsense:

Code:
HTTP/1.1 200 OK
Expires: Sat, 01 Oct 2016 00:11:17 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=180000
Cache-Control:
X-Frame-Options: SAMEORIGIN
Set-Cookie: PHPSESSID=b5e138e40c6809e9c4af7d4c4b6b87f9; path=/; secure; HttpOnly
Pragma:
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=config_filename.ovpn
Content-Length: 6016
Date: Wed, 28 Sep 2016 22:11:18 GMT
Server: lighttpd/1.4.41

Is it possible that Mobile Safari is sniffing the MIME type and opting to display it instead of download it?

RickNY

Re: OpenVPN Client Export to OpenVPN Connect (iOS)
« Reply #3 on: September 29, 2016, 01:40:35 pm »
So, I did some playing around... The nosniff option added to lighttpd configuration does fix it so the iOS device gets the config file as a download instead of a text document... Out of all the browsers I tested (including desktop Safari on macOS), mobile Safari on iOS 10 seems to be the only one sniffing the MIME type and ignoring what the server is directing as application/octet-stream and rendering it as a document.

Here is what I did:

Edit /usr/local/etc/inc/system.inc -- Under the lighttpd configuration file section -- needed to add "mod_setenv" to the server.modules section
Code:
## modules to load
server.modules              =   ( "mod_access", "mod_expire", "mod_compress", "mod_redirect",
  "mod_cgi", "mod_fastcgi","mod_alias", "mod_rewrite", "mod_setenv",
)

Also added the following:
Code:
setenv.add-response-header = ("X-Content-Type-Options" => "nosniff")

Rebooted, and then checked /var/etc/lighty-webConfigurator.conf to make sure the changes made it... Tested it with iPhone, and now the client export presents a download where I can "Open in 'OpenVPN'"

That will work for now, but is it possible to incorporate this at some point?

Thanks,
Rick
« Last Edit: September 29, 2016, 01:44:52 pm by RickNY »
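
Added example, not part of the original posts: a small Python audit that parses raw response headers like the two captures quoted in this thread and flags a download response that lacks `X-Content-Type-Options: nosniff`, is not marked as an attachment, or repeats a header. The function names are hypothetical and the two header dumps are abridged from the captures above.

```python
from collections import Counter

# Header dumps abridged from the two captures quoted in this thread.
PFSENSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=config_filename.ovpn
X-Content-Type-Options: nosniff
"""

OPNSENSE = """HTTP/1.1 200 OK
Expires: Sat, 01 Oct 2016 00:11:17 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=180000
Cache-Control:
X-Frame-Options: SAMEORIGIN
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=config_filename.ovpn
Server: lighttpd/1.4.41
"""

def parse_headers(raw):
    """Return (name, value) pairs; names lower-cased, status line skipped."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_download(raw):
    """List findings for a response that is meant to be saved, not rendered."""
    pairs = parse_headers(raw)
    values = {}
    for name, value in pairs:
        values.setdefault(name, []).append(value)
    findings = []
    if "nosniff" not in [v.lower() for v in values.get("x-content-type-options", [])]:
        findings.append("missing X-Content-Type-Options: nosniff")
    if not any(v.lower().startswith("attachment") for v in values.get("content-disposition", [])):
        findings.append("Content-Disposition is not 'attachment'")
    for name, count in Counter(n for n, _ in pairs).items():
        if count > 1:
            findings.append(f"duplicate header: {name} ({count}x)")
    return findings

if __name__ == "__main__":
    print({"pfSense": audit_download(PFSENSE), "OPNsense": audit_download(OPNSENSE)})
```

Feeding it the output of a header capture taken after the lighttpd change should leave only the duplicate-header findings for the OPNsense response.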

AdSchellevis

Re: OpenVPN Client Export to OpenVPN Connect (iOS)
« Reply #4 on: September 29, 2016, 01:46:19 pm »
Hi Rick,

Ok, that's good, if we add this header to the headers we now send from php it should work.

I've created an issue for this https://github.com/opnsense/core/issues/1204, will let you know when there's something to test.

Best regards,

Ad

AdSchellevis

Re: OpenVPN Client Export to OpenVPN Connect (iOS)
« Reply #5 on: September 29, 2016, 09:03:11 pm »
Hi Rick,

Can you try this patch? https://github.com/opnsense/core/commit/ab3098d6e6daa40721c6f947f84a3686f40f8ad7

Easy to install on the command line with:
Code:
opnsense-patch ab3098d6e

Best regards,
Ad

franco

Re: OpenVPN Client Export to OpenVPN Connect (iOS)
« Reply #6 on: October 01, 2016, 02:04:17 pm »
I have queued this up for 16.7.6.