OpenVPN Client Export to OpenVPN Connect (iOS)

[RickNY]

Hi.. Over the weekend, I migrated my Netgate RCC-VE 2440 from pfSense to OPNSense.. I had a question on the OpenVPN client export area.. Previously, on pfSense, I could use an iOS device on my Wi-Fi network to connect to the pfSense device and then use the client export to export an OpenVPN Connect (iOS/Android) inline configuration.  The firewall would serve up the .ovpn file as a download in mobile Safari on the iOS device, where I could choose "Open In...OpenVPN", and the configuration would be imported.

With OPNSense, I still have that option -- but when I try to get the configuration, mobile Safari (and Chrome for iOS) just display a text version of the .ovpn file, instead of serving it as a download.

Is there a way to change this behavior?  The other options for OpenVPN Connect are either not very secure (i.e. send via email) or a hassle (i.e. connect to iTunes and add the .ovpn file to the shared files area for OpenVPN Connect)

Thanks,
Rick

[AdSchellevis]

Hi Rick,

The first thing that came to my mind was that there should be a difference in the headers we send, but I've inspected them and there doesn't seem to be a difference there.
When you downloaded the file in pfSense, was the filetype equal to the one your using now and did it have the same extension?
There could also be a difference in file handling in different versions of ios.

Best regards,

Ad

[RickNY]

Hi Ad... It served a download of an .ovpn file.

I did notice in the headers that nginx under pfSense is setting "X-Content-Type-Options: nosniff", while lighttpd under OPNSense is not...

Code: [Select]

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 28 Sep 2016 22:13:41 GMT
Content-Type: application/octet-stream
Content-Length: 6009
Connection: keep-alive
Last-Modified: Wed, 28 Sep 2016 22:13:41 GMT
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma:
Cache-Control:
Content-Disposition: attachment; filename=config_filename.ovpn
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
And on OPNSense:

Code: [Select]

HTTP/1.1 200 OK
Expires: Sat, 01 Oct 2016 00:11:17 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=180000
Cache-Control:
X-Frame-Options: SAMEORIGIN
Set-Cookie: PHPSESSID=b5e138e40c6809e9c4af7d4c4b6b87f9; path=/; secure; HttpOnly
Pragma:
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=config_filename.ovpn
Content-Length: 6016
Date: Wed, 28 Sep 2016 22:11:18 GMT
Server: lighttpd/1.4.41
Is it possible that Mobile Safari is sniffing the MIME type and opting to display it instead of download it?

[RickNY]

So, I did some playing around... The nosniff option added to lighttpd configuration does fix it so the iOS device gets the config file as a download instead of a text document... Out of all the browsers I tested, (including desktop Safari on macOS) - mobile Safari on iOS 10 seems to be the only one sniffing the MIME type and ignoring what the server is directing as application/octet-stream  and rendering it as a document.

Here is what I did:

Edit /usr/local/etc/inc/system.inc -- Under the lighttpd configuration file section -- needed to add "mod_setenv" to the server.modules section

Code: [Select]

## modules to load
server.modules              =   ( "mod_access", "mod_expire", "mod_compress", "mod_redirect",
  "mod_cgi", "mod_fastcgi","mod_alias", "mod_rewrite", "mod_setenv",
)

Also added the following:

Code: [Select]

setenv.add-response-header = ("X-Content-Type-Options" => "nosniff")
Rebooted, and then checked /var/etc/lighty-webConfigurator.conf to make sure the changes made it... Tested it with iPhone, and now the client export presents a download where I can "Open in 'OpenVPN'"

That will work for now, but is it possible to incorporate this at some point?

Thanks,
Rick

[AdSchellevis]

Hi Rick,

Ok, that's good, if we add this header to the headers we now send from php it should work.

I've created an issue for this https://github.com/opnsense/core/issues/1204, will let you know when there's something to test.

Best regards,

Ad

[AdSchellevis]

Hi Rick,

Can you try this patch? https://github.com/opnsense/core/commit/ab3098d6e6daa40721c6f947f84a3686f40f8ad7

Easy to install on the command line with:

Code: [Select]

opnsense-patch ab3098d6e
Best regards,
Ad

[franco]

I have queued this up for 16.7.6.