
I am making a VPN connection that requires a certificate for authentication.

The code below is how I set the configuration that the VPN requires. The parameter identityData is where I put my certificate as Data.

```swift
import NetworkExtension

func setupVPN() {
    // NEVPNManager.shared() is non-optional, so there is nothing to unwrap.
    let vpnManager = NEVPNManager.shared()

    vpnManager.loadFromPreferences { error in
        if let error = error {
            print("[VPN] error loading preferences: " + error.localizedDescription)
            return
        }

        // Build the configuration unconditionally: on a fresh install no protocol
        // configuration exists yet, and gating on its presence would mean nothing
        // is ever saved.
        let p = NEVPNProtocolIKEv2()
        // All preferences here
        if let vpnData = self.vpnData {
            p.serverAddress = vpnData.getePDGAddress() // "X.X.X.X"
            p.localIdentifier = vpnData.getlocalIdentifier() // "XXXYYYZZWWWWWWWWWW@pppp.ppp.pppppp.pppppp.ppppppppppp.org"
            p.remoteIdentifier = vpnData.getAPN() // "gggggg.uuuuuuuuuuu"
            // identityData expects PKCS#12 data (certificate plus private key), not a
            // bare X.509 certificate; set identityDataPassword if the PKCS#12 is encrypted.
            p.identityData = vpnData.getUserCertificateData() // User Certificate as Data
        }

        p.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA256
        p.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES128
        p.ikeSecurityAssociationParameters.diffieHellmanGroup = .group14
        // The issuer CN and the server (leaf) certificate CN are normally different values.
        p.serverCertificateIssuerCommonName = "TEST SubCA"
        p.serverCertificateCommonName = "TEST SubCA"
        p.authenticationMethod = .certificate

        if #available(iOS 9, *) {
            vpnManager.protocolConfiguration = p
        } else {
            vpnManager.`protocol` = p
        }
        vpnManager.isEnabled = true

        vpnManager.saveToPreferences { error in
            if let e = error {
                print("[VPN] error saving: " + e.localizedDescription)
            } else {
                print("[VPN] vpn saved")
                // connectVPN must be an @objc method; it calls startVPNTunnel() as shown further down.
                Timer.scheduledTimer(timeInterval: 5, target: self, selector: #selector(self.connectVPN), userInfo: nil, repeats: false)
            }
        }
    }
}
```

One example of that certificate encoded in base 64:

MIIFqTCCA5GgAwIBAgIQKLf5dlFRabt3cAe9ax2kXjANBgkqhkiG9w0BAQsFADBgMRwwGgYDVQQDDBNURVNUIFZGQ1ogRVBDIFN1Yk ... wdWJsaWMgYS5zLjELMAkGA1UEBhMCQ1owggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNgTmc6uQ9Md

And then the conversion to Data is done this way:

```swift
// Data(base64Encoded:) returns nil when the string is not valid base64 (for example
// if PEM line breaks are still present); pass .ignoreUnknownCharacters to skip them.
CaCertificateData = Data(base64Encoded: "Base64StringEncoded_Here")
```

When all is set, I start the VPN tunnel this way:

```swift
do {
    try vpnManager.connection.startVPNTunnel()
} catch {
    print("Error starting VPN Connection \(error.localizedDescription)")
}
```

I can see the status of the VPN: it starts Connecting and then becomes Disconnected. The 3 algorithms that we can see above are correct.

Can someone see what I am doing wrong? I have some .pcap files from different tests I have made. In all .pcap files I don't send the "Client Hello" message that is required. I think the problem is with the certificate.

Pincha
  • Hey, did you get any solution for it? How to connect using certificate authentication? Because I'm able to connect with the username/password approach but not with a certificate. Could you post your answer? It will be helpful for others as well. Thanks. – Shrikant K Dec 22 '17 at 09:16
  • Hi, did you find any solution? I am facing the same problem. Thanks – Yogendra Singh Aug 03 '18 at 13:59
  • Sorry, but no. In my case it was the VPN client that didn't have support for iOS; they figured it out some time later... – Pincha Dec 04 '18 at 14:24
  • @ShrikantK how did you do that? – jarvis12 Mar 19 '19 at 13:18
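Before handing a blob to identityData it is worth checking what it actually is: that property takes PKCS#12 data (certificate plus private key), while the base64 in the question starts with `MIIFqTCCA5GgAwIBAgIQ`, which decodes to the DER header `30 82 05 A9 30 82 03 91 A0 03 02 01 02 ...`, i.e. `SEQUENCE { SEQUENCE { [0] version ... } }`, the shape of a bare X.509 certificate rather than a PFX. The Python script below is an added example, not part of the original post or of Apple's API, that sniffs the DER header of a base64 string and reports whether it is an X.509 certificate, a PKCS#12 PFX, PEM text, or invalid base64. It only reads the header, so it works on the truncated sample from the question; the PKCS#12 header bytes and the PEM sample are constructed for the demonstration.

```python
"""Sniff a base64 blob before handing it to NEVPNProtocol.identityData.

identityData takes PKCS#12 data (certificate plus private key). A bare DER
X.509 certificate, or base64 of PEM text, is the wrong shape for it. This
helper only reads the DER header, so it also works on truncated samples.
"""
import base64

# Sample inputs. The first is the opening of the certificate quoted in the
# question; the other two are constructed for this demonstration.
QUESTION_CERT_PREFIX_B64 = "MIIFqTCCA5GgAwIBAgIQ"
# PFX ::= SEQUENCE { version INTEGER(3), authSafe SEQUENCE ... } (header only)
PKCS12_HEADER_B64 = base64.b64encode(
    bytes.fromhex("30820a00" "020103" "308209f3")
).decode()
PEM_TEXT_B64 = base64.b64encode(b"-----BEGIN CERTIFICATE-----\n").decode()


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, length, offset of the value) for the DER TLV at pos."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:  # short-form length
        return tag, first, pos + 2
    n = first & 0x7F  # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        raise ValueError("invalid DER length")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def classify_der(blob: bytes) -> str:
    """Return 'x509-certificate', 'pkcs12' or 'unknown' from the DER header."""
    try:
        outer_tag, _, body = _read_tlv(blob, 0)
        if outer_tag != 0x30:
            return "unknown"
        tag, length, value = _read_tlv(blob, body)
        if tag == 0x30:
            # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
            #     [0] version, serialNumber INTEGER, ... } }
            next_tag, _, _ = _read_tlv(blob, value)
            if next_tag in (0xA0, 0x02):  # explicit version, or a v1 cert starting at serialNumber
                return "x509-certificate"
        elif tag == 0x02 and length == 1 and value < len(blob) and blob[value] == 3:
            # PFX ::= SEQUENCE { version INTEGER (v3), authSafe ContentInfo, macData OPTIONAL }
            return "pkcs12"
    except ValueError:
        pass
    return "unknown"


def classify_base64(b64: str) -> str:
    """Decode strictly, like Data(base64Encoded:), then classify the bytes."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if blob.startswith(b"-----BEGIN"):
        return "pem-text"  # strip the PEM armor and decode the body instead
    return classify_der(blob)


if __name__ == "__main__":
    for label, sample in [("question", QUESTION_CERT_PREFIX_B64),
                          ("pkcs12", PKCS12_HEADER_B64),
                          ("pem", PEM_TEXT_B64)]:
        print(f"{label}: {classify_base64(sample)}")
```

Run it against the full base64 string you intend to embed; if it reports `x509-certificate`, the blob has no private key and needs to be exported as a PKCS#12 (which also gives you the value for identityDataPassword) before NEVPNProtocolIKEv2 can use it for certificate authentication.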

1 Answer

You can use .ovpn files. You can easily embed certificates inside an .ovpn file. See this article: https://medium.com/better-programming/how-to-build-an-openvpn-client-on-ios-c8f927c11e80

swift2geek
  • Whilst this may theoretically answer the question, [it would be preferable](//meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – M-- Mar 19 '20 at 23:18