Configure point-to-site VPN clients: certificate authentication - iOS OpenVPN client
This article helps you connect to your Azure virtual network (VNet) using VPN Gateway point-to-site (P2S) and Certificate authentication on iOS using an OpenVPN client.
Before you begin
Before you begin configuring your client, verify that you're on the correct article. The following table shows the configuration articles available for Azure VPN Gateway P2S VPN clients. Steps differ, depending on the authentication type, tunnel type, and the client OS.
Authentication | Tunnel type | Client OS | VPN client |
---|---|---|---|
Certificate | IKEv2, SSTP | Windows | Native VPN client |
Certificate | IKEv2 | macOS | Native VPN client |
Certificate | IKEv2 | Linux | strongSwan |
Certificate | OpenVPN | Windows | Azure VPN client, OpenVPN client version 2.x, OpenVPN client version 3.x |
Certificate | OpenVPN | macOS | OpenVPN client |
Certificate | OpenVPN | iOS | OpenVPN client |
Certificate | OpenVPN | Linux | Azure VPN Client, OpenVPN client |
Microsoft Entra ID | OpenVPN | Windows | Azure VPN client |
Microsoft Entra ID | OpenVPN | macOS | Azure VPN Client |
Microsoft Entra ID | OpenVPN | Linux | Azure VPN Client |
Prerequisites
This article assumes that you've already performed the following prerequisites:
- You created and configured your VPN gateway for point-to-site certificate authentication and the OpenVPN tunnel type. See Configure server settings for P2S VPN Gateway connections - certificate authentication for steps.
- You generated and downloaded the VPN client configuration files. See Generate VPN client profile configuration files for steps.
- You can either generate client certificates, or acquire the appropriate client certificates necessary for authentication.
Connection requirements
To connect to Azure with the OpenVPN client using certificate authentication, each connecting client requires the following items:
- The OpenVPN client software must be installed and configured on each client.
- The client must have a client certificate that's installed locally.
Workflow
The workflow for this article is:
- Install the OpenVPN client.
- View the VPN client profile configuration files contained in the VPN client profile configuration package that you generated.
- Configure the OpenVPN client.
- Connect to Azure.
Generate client certificates
For certificate authentication, a client certificate must be installed on each client computer. The client certificate you want to use must be exported with the private key, and must contain all certificates in the certification path. Additionally, for some configurations, you'll also need to install root certificate information.
For information about working with certificates, see Point-to-site: Generate certificates - Linux.
Configure the OpenVPN client
The following example uses OpenVPN Connect from the App Store.
Important
Only iOS 11.0 and above is supported with the OpenVPN protocol.
Note
OpenVPN Client version 2.6 is not yet supported.
1. Install the OpenVPN client (version 2.4 or higher) from the App Store.
2. If you haven't already done so, download the VPN client profile package from the Azure portal.
3. Unzip the profile. Open the vpnconfig.ovpn configuration file from the OpenVPN folder in a text editor.
4. Fill in the P2S client certificate section with the P2S client certificate public key in base64. In a PEM-formatted certificate, you can open the .cer file and copy over the base64 key between the certificate headers.
5. Fill in the private key section with the P2S client certificate private key in base64. See Export your private key on the OpenVPN site for information about how to extract a private key.
6. Don't change any other fields.
7. E-mail the profile file (.ovpn) to the e-mail account that's configured in the Mail app on your iPhone.
8. Open the e-mail in the Mail app on the iPhone, and tap the attached file.
9. Tap More if you don't see the Copy to OpenVPN option.
10. Tap Copy to OpenVPN.
11. Tap ADD on the Import Profile page.
12. Tap ADD on the Imported Profile page.
13. Launch the OpenVPN app and slide the switch on the Profile page to the right to connect.
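The profile-editing steps above (filling the client certificate and private key sections without touching any other field) are easy to get wrong by hand, so here is an added helper that does it, with checks. It is example code written for this page, not part of the Azure profile package or the OpenVPN client; the template text, the `$CLIENTCERTIFICATE`/`$PRIVATEKEY` placeholder names and the PEM blocks are constructed sample inputs, and the replacement keys only on the `<cert>`/`<key>` tags, not on those placeholder names.

```python
import base64
import re

# Only the bodies of the <cert> and <key> sections are rewritten; the
# surrounding lines of vpnconfig.ovpn are left untouched.
CERT_BLOCK = re.compile(r"(<cert>\n)(.*?)(</cert>)", re.S)
KEY_BLOCK = re.compile(r"(<key>\n)(.*?)(</key>)", re.S)
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>[A-Za-z0-9+/=\n]+?)\n"
    r"-----END (?P=label)-----"
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def normalize_pem(pem: str, allowed_labels: set) -> str:
    """Return one clean PEM block (headers plus 64-column base64 body) or raise."""
    m = PEM_RE.search(pem.strip())
    if not m:
        raise ValueError("input is not a PEM block with BEGIN/END headers")
    label = m.group("label")
    if label not in allowed_labels:
        # Catches cert and key pasted into each other's section.
        raise ValueError(f"unexpected PEM label {label!r}")
    body = "".join(m.group("body").split())
    # Decoding proves the body is real base64, not a file path or DER bytes.
    base64.b64decode(body, validate=True)
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----"


def fill_ovpn_profile(template: str, client_cert_pem: str, client_key_pem: str) -> str:
    """Insert the client certificate and private key into the <cert>/<key> sections only."""
    cert = normalize_pem(client_cert_pem, CERT_LABELS)
    key = normalize_pem(client_key_pem, KEY_LABELS)
    filled, n_cert = CERT_BLOCK.subn(lambda m: m.group(1) + cert + "\n" + m.group(3), template)
    filled, n_key = KEY_BLOCK.subn(lambda m: m.group(1) + key + "\n" + m.group(3), filled)
    if n_cert != 1 or n_key != 1:
        raise ValueError("template must contain exactly one <cert> and one <key> section")
    return filled


# Constructed sample template and PEM blocks (not real Azure output or real keys).
SAMPLE_TEMPLATE = """client
remote azuregateway-EXAMPLE.vpn.azure.com 443
# P2S client certificate
<cert>
$CLIENTCERTIFICATE
</cert>
# P2S client certificate private key
<key>
$PRIVATEKEY
</key>
"""
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"constructed, not a real certificate").decode()
               + "\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
              + base64.b64encode(b"constructed, not a real private key").decode()
              + "\n-----END RSA PRIVATE KEY-----\n")
```

The filled .ovpn file carries the private key, so handle it with the same care as the key file itself.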
Next steps
Follow up with any additional server or connection settings. See Point-to-site configuration steps.