Unfortunately iPhones will not accept the OpenVPN certificate that you sent us: the built-in iOS VPN client does not speak OpenVPN, so an OpenVPN certificate cannot be imported into it directly. But there is a solution...

To set up the VPN so that the user's traffic is routed through YONA's VPN server, the user has to download a mobileconfig file (an iOS configuration profile) like this one:

VPNYonaTestSIGNED.mobileconfig

This file is signed with an X.509 certificate and its private key (the signature is a CMS/PKCS#7 signature over the XML, which is what openssl smime -sign produces; OpenSSL is available from https://www.openssl.org/source/). More detailed technical information about how this is done can be found here: https://osxdominion.wordpress.com/2015/04/21/signing-mobileconfig-profiles-with-keychain-certificates/ . I actually used my Apple provisioning profile certificate, but you can create a certificate for YONA and use that to sign the file. Note that iOS installs a profile signed with any certificate, but it only shows the profile as "Verified" on the install screen when the signing certificate chains to a root the device already trusts; otherwise it is shown as "Not Verified".

The mobileconfig file is basically an XML property list (plist) of settings to apply on the device. This is where the VPN server details and the ID of the user go, so that the server can tell whose traffic it is seeing. The XML takes this format; you can open the following file in a text editor:

VPNYonaTestUnsigned.mobileconfig

The file above is just an example. To create a file like this you need Apple Configurator 2 (https://itunes.apple.com/gb/app/apple-configurator-2/id1037126344?mt=12) on a Mac running the latest OS X, which was El Capitan 10.11.4 when this was written.

Once you have the app you can create an UNSIGNED mobileconfig profile (it is a profile, not a certificate, although it can carry certificates):

1) Open Apple Configurator and create a new profile

2) Select General and fill in the details (name, identifier, organisation)

3) In the Security setting you can set the profile to be removable only with authorization. This is useful if you want the VPN to stay on the device unless the user or their parents deliberately remove it. The removal password is set to 1234 in this example; you will need to send it to the user after they have registered, downloaded the profile and installed it. Be aware that the removal password is stored as a plain string inside the profile, so anyone who can read the .mobileconfig can read it: it prevents casual removal on the device, but it is not a secret from whoever holds the file.

 

4) Now go to the VPN section. First set the connection type to IKEv2. IKEv2 is the right choice here: it is supported natively by the iOS client, it supports VPN On Demand rules (and Always On VPN on supervised devices), and it survives network changes via MOBIKE, so the VPN can be brought up straight away and kept up unless the user removes the profile:

5) Fill in the rest of the settings (such as your VPN server address); there are many other settings that you may want to adjust...

 

6) Once you have filled everything in, save the profile. Don't sign it yet, as a signed profile can no longer be edited and you still need to insert each user's details:

7) You may want to check Apple's definitions of all the fields that can be filled in (https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html) and decide which ones to fill with each user's details after they have registered. Note that the IKEv2 payload does not take OpenVPN configuration or certificate strings directly: a CA certificate goes into a separate com.apple.security.root payload, a client identity (if one is used) into a com.apple.security.pkcs12 payload that the IKEv2 payload references through PayloadCertificateUUID, and the server's certificate is checked against the ServerCertificateIssuerCommonName and ServerCertificateCommonName keys. I believe the details you need to fill in are the ones to do with the server certificate issuer:

8) This is the unsigned file I just created; check the XML to see which fields you can fill in:

VPN Yon.mobileconfig

9) As noted above, once you have this unsigned profile you sign it on the server side as described on that page (https://osxdominion.wordpress.com/2015/04/21/signing-mobileconfig-profiles-with-keychain-certificates/), put it on a server at a location we know, and the iOS app downloads it from there. Serve it over HTTPS, since it carries the user's identity and the removal password, and with the application/x-apple-aspen-config content type so that Safari hands it to Settings for installation. Once the user accepts the install prompt, the VPN is set up on their device.
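The server-side part of steps 6 to 9, as an added Python example (not the page's own file and not Apple's code): it builds a per-user IKEv2 profile with the user's ID as the EAP username, the on-demand rule that keeps the tunnel up and the optional removal password, parses the result back as the check to run before serving it, and calls openssl smime to sign it. The server name vpn.yona.example, the CA common name, the com.yona.vpn identifier prefix and EAP username/password authentication against a server certificate are assumptions; substitute the values from your own Configurator export.

```python
"""Build a per-user IKEv2 .mobileconfig and sign it with openssl (added example)."""
import plistlib
import subprocess
import uuid
from pathlib import Path
from typing import Optional

# Assumed deployment values; replace them with the real YONA details.
ORG = "YONA"
VPN_SERVER = "vpn.yona.example"          # assumption: IKEv2 server hostname
VPN_CA_COMMON_NAME = "YONA VPN CA"       # assumption: issuer CN of the server certificate
PROFILE_PREFIX = "com.yona.vpn"          # assumption: reverse-DNS base for PayloadIdentifier


def _payload_uuid(identifier: str) -> str:
    # Derived from the identifier, so regenerating a user's profile yields the same
    # UUIDs and iOS replaces the installed profile instead of adding a second one.
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)).upper()


def build_profile(user_id: str, removal_password: Optional[str] = None) -> dict:
    """Return the profile as a plist-shaped dict (key names from Apple's
    Configuration Profile Reference). Assumed server setup: EAP username and
    password on top of a server certificate (AuthenticationMethod "None" plus
    ExtendedAuthEnabled); the user ID is the EAP username the server logs against."""
    vpn_id = f"{PROFILE_PREFIX}.ikev2.{user_id}"
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": vpn_id,
        "PayloadUUID": _payload_uuid(vpn_id),
        "UserDefinedName": f"{ORG} VPN",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": VPN_SERVER,
            "RemoteIdentifier": VPN_SERVER,
            "LocalIdentifier": user_id,
            "AuthenticationMethod": "None",
            "ExtendedAuthEnabled": True,
            "AuthName": user_id,
            "ServerCertificateIssuerCommonName": VPN_CA_COMMON_NAME,
            "ServerCertificateCommonName": VPN_SERVER,
            "EnablePFS": True,
            "OnDemandEnabled": 1,                 # bring the tunnel up whenever a network is available
            "OnDemandRules": [{"Action": "Connect"}],
        },
    }
    payloads = [vpn_payload]
    if removal_password is not None:
        # RemovalPassword is a plain string in the profile: it stops casual removal
        # on the device, but anyone who can read the .mobileconfig can read it.
        rm_id = f"{PROFILE_PREFIX}.removal.{user_id}"
        payloads.append({
            "PayloadType": "com.apple.profileRemovalPassword",
            "PayloadVersion": 1,
            "PayloadIdentifier": rm_id,
            "PayloadUUID": _payload_uuid(rm_id),
            "RemovalPassword": removal_password,
        })
    top_id = f"{PROFILE_PREFIX}.{user_id}"
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": top_id,
        "PayloadUUID": _payload_uuid(top_id),
        "PayloadDisplayName": f"{ORG} VPN ({user_id})",
        "PayloadOrganization": ORG,
        "PayloadContent": payloads,
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise to the XML plist form that Apple Configurator exports."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=True)


def describe(mobileconfig: bytes) -> dict:
    """Parse an unsigned .mobileconfig back and report what to check before serving it."""
    content = plistlib.loads(mobileconfig)["PayloadContent"]
    vpn = next(p for p in content if p["PayloadType"] == "com.apple.vpn.managed")
    proto = vpn["VPNType"]
    return {
        "user": vpn[proto]["AuthName"],
        "vpn_type": proto,
        "server": vpn[proto]["RemoteAddress"],
        "on_demand": bool(vpn[proto].get("OnDemandEnabled", 0)),
        "removal_password_set": any(p["PayloadType"] == "com.apple.profileRemovalPassword" for p in content),
    }


def sign_profile(unsigned: Path, signed: Path, cert: Path, key: Path, chain: Path) -> None:
    """CMS-sign the profile with openssl smime. iOS shows it as "Verified" only
    when the signer certificate chains to a root the device trusts."""
    subprocess.run(["openssl", "smime", "-sign", "-signer", str(cert), "-inkey", str(key),
                    "-certfile", str(chain), "-nodetach", "-outform", "der",
                    "-in", str(unsigned), "-out", str(signed)], check=True)


if __name__ == "__main__":
    out = Path("VPNYona-user42.mobileconfig")           # hypothetical output name
    out.write_bytes(to_mobileconfig(build_profile("user42", removal_password="1234")))
    print(describe(out.read_bytes()))
```

describe() is the check worth running before a profile leaves the server: it confirms which user the file is bound to and that on-demand is enabled. Keep the signing key off the web server that hands out the profiles, and serve the signed file over HTTPS only, since it contains the user's identity and the removal password in clear.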

 

 

The following Q&A is useful for creating an OpenVPN profile. Note that it concerns Custom SSL profiles for the OpenVPN Connect app, not the built-in IKEv2 client used above:


Q: Can I import an OpenVPN profile via an iOS .mobileconfig file?

A: Yes, OpenVPN profiles can be created using the iPhone Configuration utility and exported to a .mobileconfig file, which in turn can be imported onto one or more iOS devices. Unfortunately, the process is a bit cumbersome at the moment because the directives of the OpenVPN profile must be manually entered as key/value pairs into the iPhone Configuration utility UI.

To create a .mobileconfig-based profile, open the iPhone Configuration utility, go to the File menu, and select "New Configuration Profile" (note that these directions were tested with version 3.5 of the iPhone Configuration utility on a Mac tethered to an iPad Air running iOS 7.0.4).

Next, edit the newly created Configuration Profile. Click on General in the left pane and fill out the fields such as Name, Identifier, Organization, etc. Click on VPN in the left pane and a "Configure VPN" dialog box should appear in the main window. Click the "Configure" button. Fill out the VPN settings as described below:

 

  • Connection Name should be set to a name that will identify this profile on the device.
  • Connection Type should be set to Custom SSL.
  • Identifier should be set to "net.openvpn.connect.app".
  • Server must be set to "DEFAULT". The actual server hostname will be configured via OpenVPN remote directives in the Custom Data section.
  • User Authentication should be set to Password, and the password field should be left blank.

Parameters normally given in the OpenVPN client configuration file must be defined using key/value pairs in the Custom Data section:

  • Define each OpenVPN directive as a key, with arguments specified as the value. As in the OpenVPN configuration file, arguments are space-delimited and may be quoted.
  • Key/value pairs for remote, ca, cert, key, tls-auth, key-direction, auth-user-pass, comp-lzo, cipher, auth, ns-cert-type and remote-cert-tls must be defined if the server requires them.
  • If your server doesn't require clients to authenticate with a client certificate and private key, you can omit key/value pairs for ca and cert, but be sure to add the key/value pair "setenv" : "CLIENT_CERT 0".
  • The client certificate and private key can be separately imported onto the iOS device using a PKCS#12 file, in which case you can omit key/value pairs for ca and cert.
  • If you are attaching a private key to the configuration using the key directive, consider encrypting the key with a password to protect it while in transit to the target iOS device.
  • You must add a special key/value pair "vpn-on-demand" : "0" so that OpenVPN can distinguish this profile from an iOS VPN-On-Demand profile.
  • For OpenVPN directives with no arguments, use "NOARGS" as the value.
  • If multiple instances of the same directive are present, when entering the directive as a key, number the directives in the order they should be given to OpenVPN by appending .n to the directive, where n is an integer, such as remote.1 or remote.2
  • For multi-line directives such as ca, cert, key and tls-auth, where the argument is a multi-line file, an escaping model has been provided to allow the file content to be specified as a single-line value. The procedure is to convert the multi-line data to a single line by replacing line breaks with "\n" (without the quotes). Note that because of this escaping model, you must use "\\" to pass backslash itself.
  • For OpenVPN Access Server meta-directives such as "OVPN_ACCESS_SERVER_USERNAME", remove the OVPN_ACCESS_SERVER_ prefix, giving USERNAME as the directive.

Once the profile has been defined, you have two options for exporting it to an iOS device:

  • If your device is currently tethered, click on your device name in the left pane. Then in the main window, click on the Configuration Profiles tab. You should see the name of your Configuration Profile and a button to install it on the device.
  • You can also save the Configuration Profile as a .mobileconfig file, and make it available to iOS clients via email or the web. To do this, select your Configuration Profile, go to the File menu, and select "Export...". An Export Configuration Profile dialog box will appear. Select a Security option -- "Sign configuration profile" is a reasonable choice. Press the Export button and save the profile.

When an iOS device receives an OpenVPN .mobileconfig profile (via Mail attachment, Safari download, or pushed by the iPhone Configuration utility), it will raise a dialog box to facilitate import of the profile. After import, the profile will be visible in OpenVPN.
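The key/value, NOARGS, numbering and escaping rules in the answer above, implemented as an added Python example (not code from the FAQ or from OpenVPN) that converts a .ovpn client file into the Custom Data pairs and wraps them in the Custom SSL VPN payload. The form of the Access Server meta-directive comment lines ("# OVPN_ACCESS_SERVER_NAME=value"), the payload identifier scheme and the sample .ovpn (with a placeholder certificate body) are assumptions constructed for the example.

```python
"""Turn an OpenVPN .ovpn file into the Custom Data key/value pairs of an
OpenVPN Connect .mobileconfig payload (added example)."""
import uuid

# Assumption: Access Server meta-directives appear in the .ovpn as comment lines
# of the form "# OVPN_ACCESS_SERVER_NAME=value".
AS_PREFIX = "# OVPN_ACCESS_SERVER_"


def escape_multiline(text: str) -> str:
    """Single-line form from the FAQ: escape backslashes first, then line breaks,
    so a backslash-n already in the data is not mistaken for a line break."""
    return text.replace("\\", "\\\\").replace("\n", "\\n")


def parse_ovpn(text: str) -> list:
    """Ordered (directive, value) pairs; inline <tag> blocks become one escaped value."""
    pairs, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith(AS_PREFIX):                        # OVPN_ACCESS_SERVER_USERNAME -> USERNAME
            name, _, value = line[len(AS_PREFIX):].partition("=")
            pairs.append((name, value))
        elif not line or line[0] in "#;":                     # comment or blank line
            continue
        elif line.startswith("<") and line.endswith(">"):     # <ca> ... </ca> style block
            tag, body = line[1:-1], []
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                body.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated <{tag}> block")
            i += 1
            pairs.append((tag, escape_multiline("\n".join(body))))
        else:
            parts = line.split(None, 1)
            pairs.append((parts[0], parts[1] if len(parts) > 1 else "NOARGS"))
    return pairs


def ovpn_to_custom_data(text: str) -> dict:
    """Apply the FAQ rules: NOARGS, .n numbering of repeated directives,
    CLIENT_CERT 0 when no client identity is present, and the vpn-on-demand marker."""
    pairs = parse_ovpn(text)
    if not {"cert", "key", "pkcs12"} & {k for k, _ in pairs}:
        pairs.append(("setenv", "CLIENT_CERT 0"))
    pairs.append(("vpn-on-demand", "0"))
    counts = {}
    for k, _ in pairs:
        counts[k] = counts.get(k, 0) + 1
    seen, out = {}, {}
    for k, v in pairs:
        if counts[k] > 1:                                     # remote.1, remote.2, ... in file order
            seen[k] = seen.get(k, 0) + 1
            out[f"{k}.{seen[k]}"] = v
        else:
            out[k] = v
    return out


def custom_ssl_payload(name: str, custom_data: dict) -> dict:
    """The VPN payload Configurator writes for Connection Type 'Custom SSL';
    the Custom Data pairs end up in Apple's VendorConfig dictionary."""
    ident = f"net.openvpn.connect.app.profile.{name}"         # hypothetical identifier scheme
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)).upper(),
        "UserDefinedName": name,
        "VPNType": "VPN",
        "VPNSubType": "net.openvpn.connect.app",
        "VPN": {"RemoteAddress": "DEFAULT", "AuthenticationMethod": "Password"},
        "VendorConfig": custom_data,
    }


# Constructed sample client config; the certificate body is a placeholder, not a real certificate.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn1.example.net 1194
remote vpn2.example.net 443 tcp
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
comp-lzo
# OVPN_ACCESS_SERVER_USERNAME=alice
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""
```

Because the sample has no cert or key directive, the converter adds "setenv": "CLIENT_CERT 0" as the answer requires; if you do embed a key, encrypt it first, as the answer also advises, since the whole profile travels to the device as one file.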

 

 

 
