0 votes
2,857 views 1 comments
by

Hi,

I am currently trying to set up a VPN between a RUT950 as a Server and my iPhone as a Client to access devices behind the router. For this I am using the following settings in the router for a TUN OpenVPN setup with a simple Static Key authentication:

I have already installed the OpenVPN app on my iPhone but haven't been able to set it up. I am currently facing the following problems/questions:

  • I took a general *.ovpn file and modified it based on the settings of the connection (i.e. TUN, UDP protocol, remote DDNS address, same cryptographic cipher as in the server, etc.). I integrated in the same file the Static Key uploaded in the RUT950 as:
    • <key>
      -----BEGIN PRIVATE KEY-----
      ******
      ***Key inserted here****
      ******
      </key>

      When I tried initiating the connection to the server through my iPhone, I got an error because the CA certificate was not found. Here I ask the following: is the CA certificate also needed if the authentication is done via the Static Key? If so, why is the RUT950 not asking for it during the setup?
  • In spite of the previous point, I integrated a previously generated CA certificate into the *.ovpn file just as I had done for the static key. Now I am receiving the following error: mbed TLS: error parsing ca certificate : X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected. My understanding of the situation, besides the "wrong formatting", is that the OpenVPN app on my cellphone thinks the VPN is using TLS authentication. Is this correct? If so, how can I configure a simple static key authentication so that I am not asked for the other certificates?
  • I was expecting to be asked for the local and remote tunnel endpoints in the *.ovpn configuration file. However, this information is not being asked for, as far as I can see. Is this not needed on the client's side? Or how can it be added?
  • A final point is the following... I set up a DDNS in the RUT950 to receive the updates of the WAN IP of the router. When I compare it with the one shown on https://whatsmyip.com/, I notice that they are different. Will this have an impact on the setup of the VPN? Or will it be able to establish the tunnel to the WAN IP uploaded to the DDNS?

Thank you in advance for your support!

1 Answer

+1 vote
by

Hello,

To begin with, according to your last point, your router might not have a public IP address. If this is the case, this means that you will not be able to establish a VPN connection to the router. In such a case, you would need to contact your ISP and ask for the "Public IP" service. We have a brief article about public IP addresses, in which you might be interested. You can find it here.

From the picture which you uploaded, I can see that your router's configuration is incorrect: the "Remote tunnel endpoint IP" field cannot be "172.16.1.0", since this is a network address and not a host's. Simple solution: change the IP address to "172.16.1.2".

Regarding your mobile phone's configuration: a CA certificate should not be needed in a "Static key" connection. It might indeed be a possibility that your phone is trying to establish a TLS connection instead of static key.

In this case, personally, I would not recommend starting to work with OpenVPN on mobile phones, since that might lead to frustration, because in the beginning you have too many unisolated variables and each of them might prevent the connection from being established. Best practice would be to create your first OpenVPN tunnel from any computer (running the OpenVPN GUI application), since it will allow you to more easily change settings, troubleshoot the connection and check detailed connection logs. And once the connection from the computer is working, you will be able to transfer the same configuration to the mobile phone and troubleshoot only its variables, leaving all Public IP/connection/OpenVPN uncertainties aside.

Best answer
by
Thank you for your response. It clarified all my questions.
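
For readers following this thread, an added example (not code from the original posts or from Teltonika or OpenVPN): a small Python check that reads a client profile meant for static-key mode and reports the points raised above, namely certificate-mode blocks such as `<key>`, a missing `secret` / `<secret>` static key, and missing or network-address tunnel endpoints in `ifconfig`. The function name, finding codes, host name, the server-side address 172.16.1.1 and the sample profiles are assumptions constructed for illustration.

```python
import re

STATIC_HEADER = "-----BEGIN OpenVPN Static key V1-----"
TLS_ONLY = {"ca", "cert", "key", "client", "tls-client", "tls-auth", "tls-crypt"}

def check_static_key_profile(text):
    """Return finding codes for a client profile intended for static-key mode."""
    # Inline <tag>...</tag> blocks first, then the remaining one-line directives.
    blocks = dict(re.findall(r"<([\w-]+)>\s*(.*?)\s*</\1>", text, re.S))
    rest = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)
    opts = {}
    for line in rest.splitlines():
        words = re.split(r"[#;]", line)[0].split()  # drop comments
        if words:
            opts[words[0]] = words[1:]
    # Certificate material or client/TLS directives put the peer in TLS mode.
    present = TLS_ONLY & (set(blocks) | set(opts))
    findings = ["tls-mode:" + name for name in sorted(present)]
    if "secret" not in blocks and "secret" not in opts:
        findings.append("no-secret")
    elif "secret" in blocks and not blocks["secret"].startswith(STATIC_HEADER):
        findings.append("secret-not-static-key")
    # Static-key mode has no server push, so both tunnel endpoints are local config.
    if len(opts.get("ifconfig", [])) != 2:
        findings.append("no-ifconfig")
    else:  # heuristic: the answer treats an address ending in .0 as a network address
        findings += ["network-address:" + a for a in opts["ifconfig"] if a.endswith(".0")]
    return findings

# Constructed samples; host name, addresses and key bodies are placeholders.
AS_IN_QUESTION = """dev tun
proto udp
remote vpn.example.net 1194
<key>
-----BEGIN PRIVATE KEY-----
(key material omitted)
</key>
"""
STATIC_KEY_FORM = """dev tun
proto udp
remote vpn.example.net 1194
ifconfig 172.16.1.2 172.16.1.1
<secret>
-----BEGIN OpenVPN Static key V1-----
(key material omitted)
-----END OpenVPN Static key V1-----
</secret>
"""

print(check_static_key_profile(AS_IN_QUESTION), check_static_key_profile(STATIC_KEY_FORM))
```

The first profile is flagged on all three points, while the second, which carries the key in a `<secret>` block and sets both endpoints with `ifconfig`, produces no findings.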