Using OpenVPN Connect on iPhone and Android

OpenVPN is enjoying increasing popularity. The OPNsense firewall offers an excellently integrated OpenVPN server with numerous features, but other open source solutions also use OpenVPN, as do Synology NAS devices, where OpenVPN is part of the VPN Server package available in the DSM Package Center. The popular open source VPN solution is available for all common operating systems, from Linux and Windows to macOS and mobile devices with iOS and Android.

This tutorial shows how to set up OpenVPN Connect and use VPN connections on iOS and Android.

How to use OpenVPN Connect on iPhone and Android

First, the OpenVPN Connect app is loaded onto the device. This is available free of charge in the Apple App Store and Google Play.


The configuration of the clients is done by importing the ovpn profile, which contains all the necessary settings.

  1. Launch the OpenVPN Connect app
  2. Tap Upload File
  3. Tap BROWSE
  4. Choose the My Documents folder – select Downloads
  5. Select the OpenVPN configuration file (.ovpn)
  6. Tap Done
  7. Import .ovpn profile? OK
  8. Enter your username and select CONNECT
  9. For 2FA, enter the OTP and the password together: OTP token + password

  Import more OpenVPN profiles by tapping on the + symbol.

Screenshot gallery of OpenVPN Import Profile for Android.

  The first time you connect after tapping the slide switch, the app asks for permission to add the VPN configuration. If everything has completed successfully, the client establishes a VPN tunnel to the server, which the app indicates with the status CONNECTED.

How to transfer OpenVPN profile?

The easiest way to get the configuration file (.ovpn) onto an iOS or Android device is to transfer it from the PC to the smartphone or tablet via Bluetooth. First, both devices have to be paired via Bluetooth; then, on the PC, right-click the OVPN file and choose Send to – Bluetooth device from the context menu.


After confirming with OK, the OVPN file should now be found on the mobile device under “My Documents” in the “Downloads” folder.

Alternatively, you can send the OVPN file by email to your email address and then save it to your smartphone or tablet, or via cloud storage, and if available, via local synchronization such as Synology Drive.

Conclusion

OpenVPN as an open source solution is available for all clients of the common platforms, such as iOS and Android.

The corresponding app can be obtained from the respective store and the configuration is done via a file that contains all the settings and that you download from the OpenVPN server.

The OPNsense firewall is particularly recommended as an OpenVPN server. Numerous options can be configured, such as client and server certificates and 2FA, with the integration of LDAP for Active Directory and Google Authenticator TOTP for multi-factor authentication.

Sources:

The following related post may also be helpful: How To OPNsense 2FA TOTP with Google Authenticator, which shows the provisioning.

Name Resolution via VPN with Split Horizon DNS

When using name resolution over VPN connections, clients often cannot resolve the network resources of the network to which they are connected.

This is especially problematic with Active Directory, because the clients cannot reach the domain controllers to log on. The login then takes place only via the local cache; as a result, group policies and login scripts fail to run.

Customize Interface Metric

To control the Windows interface metric and favor the DNS server reached through the VPN after dialing the connection, the VPN interface can be assigned a higher priority, i.e. a lower metric, via the TCP/IP settings of the network adapter: press the Windows+R keys and enter ncpa.cpl.

Open the properties of the corresponding network adapter with a double-click, select Internet Protocol Version 4 (TCP/IPv4), and then, via the Advanced button, you will find the field for the value of the interface metric.


Here, “Automatic metric” should not be enabled for the VPN interface; instead a low value can be entered. After the next initialization of the connection, name resolution should take place over the VPN network.

Disable multicast name resolution

Windows 10 and 11 introduced Smart Multi-Homed Name Resolution (SMHNR), which sends DNS requests to multiple DNS servers simultaneously to speed up name resolution.

This has an undesirable side effect: requests for internal name resolution are also sent to external DNS servers (“DNS leakage”). Their operators can thus obtain a detailed overview of the organisation’s IT resources.


The setting is Turn off smart multi-homed name resolution under Computer Configuration => Administrative Templates => Network => DNS Client.

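As an added example (not from the original article), the same policy can be audited and enforced from an elevated PowerShell session; the registry path is the one the Group Policy setting above writes to, and the listing of DNS servers shows where internal names can leak to while the feature is still on.

```powershell
# Added example (not part of the original article): audit and enforce the
# "Turn off smart multi-homed name resolution" policy from PowerShell.
# Assumes an elevated session; this is the registry value the GPO sets.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$ValueName = 'DisableSmartNameResolution'

function Get-SmhnrState {
    # Returns 'Disabled' when the policy is enforced (value 1), otherwise 'Enabled'.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Smhnr {
    # Creates the policy key if needed and sets the DWORD. The DNS client
    # picks the setting up after a reboot (or a restart of the Dnscache service).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
}

# Show which DNS servers each interface would be queried through, i.e. every
# server that can receive an internal name while SMHNR is still enabled.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

"Smart multi-homed name resolution: $(Get-SmhnrState)"
if ((Get-SmhnrState) -eq 'Enabled') {
    Disable-Smhnr
    "Policy set; state is now: $(Get-SmhnrState)"
}
```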

Customize interface metrics in PowerShell

The interface metrics of the different network connections can be displayed sorted in PowerShell with the following command.

PS C:\> Get-NetIPInterface | Sort-Object Interfacemetric

PowerShell now shows all interface metrics.


Alternatively, the metrics can be output with the netsh.exe utility, although not as detailed as in PowerShell.

C:\> netsh int ip show interfaces

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          75  4294967295  connected     Loopback Pseudo-Interface 1
 10           5       65535  disconnected  OpenVPN Wintun
 12          40        1500  connected     WLAN
 15           5        1500  disconnected  Ethernet
  8          25        1500  disconnected  OpenVPN TAP-Windows6
 11          65        1500  disconnected  Bluetooth-Netzwerkverbindung
 17          25        1500  disconnected  OpenVPN Data Channel Offload
 16          25        1500  disconnected  LAN-Verbindung* 3
 22          25        1500  disconnected  LAN-Verbindung* 12
  4          35        1500  connected     VMware Network Adapter VMnet1
  6          35        1500  connected     VMware Network Adapter VMnet8

The interface metric is changed in PowerShell as follows.

PS C:\> Set-NetIPInterface -InterfaceIndex <ifIndex value> -InterfaceMetric <metric>

The network adapter is identified by the -InterfaceIndex parameter, whose value is obtained from the ifIndex column when querying with the Get-NetIPInterface cmdlet.
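The following script, added here as an example and not taken from the original article, puts the steps above together: it lists the metrics, pins the OpenVPN adapter below every other connected interface (the PowerShell equivalent of the ncpa.cpl dialog), and then checks that an internal name is answered by the DNS server behind the tunnel. The alias pattern, the test name dc01.corp.example and the server 10.8.0.1 are assumptions to adjust for your environment; run it in an elevated session with the tunnel established.

```powershell
# Added example (not part of the original article): prefer the OpenVPN adapter
# for name resolution by giving it the lowest interface metric, then verify.
# Assumes an elevated session and that the VPN adapter alias contains
# "OpenVPN" (as in the netsh listing above); the test name and DNS server
# are hypothetical placeholders for an internal host and the VPN-side resolver.
param(
    [string]$VpnAliasPattern = 'OpenVPN',
    [int]$VpnMetric = 5,
    [string]$TestName = 'dc01.corp.example',   # hypothetical internal name
    [string]$VpnDnsServer = '10.8.0.1'         # hypothetical DNS server behind the VPN
)

function Get-MetricTable {
    # Current IPv4 interface metrics, lowest (most preferred) first.
    Get-NetIPInterface -AddressFamily IPv4 |
        Sort-Object InterfaceMetric |
        Select-Object ifIndex, InterfaceAlias, InterfaceMetric, ConnectionState
}

function Set-VpnMetric {
    # Turn off the automatic metric and pin the VPN adapter below every other
    # connected interface, so its DNS server is tried first.
    $vpn = Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -like "*$VpnAliasPattern*" }
    if (-not $vpn) { throw "No interface alias matching '$VpnAliasPattern' found" }
    # Lowest metric among the other connected interfaces, e.g. WLAN or Ethernet.
    $lowestOther = (Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' -and $_.ifIndex -notin $vpn.ifIndex } |
        Measure-Object -Property InterfaceMetric -Minimum).Minimum
    if ($VpnMetric -ge $lowestOther) { $VpnMetric = [Math]::Max(1, $lowestOther - 1) }
    foreach ($i in $vpn) {
        Set-NetIPInterface -InterfaceIndex $i.ifIndex -AutomaticMetric Disabled -InterfaceMetric $VpnMetric
    }
}

"Before:"; Get-MetricTable | Format-Table -AutoSize
Set-VpnMetric
"After:";  Get-MetricTable | Format-Table -AutoSize

# Confirm the internal name is answered by the VPN-side DNS server
# (requires an established tunnel; fails loudly if the server is unreachable).
Resolve-DnsName -Name $TestName -Server $VpnDnsServer -ErrorAction Stop | Format-Table -AutoSize
```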

Conclusion

In this tutorial we have shown how name resolution for VPN clients is enabled over the tunneled VPN connection.

Network resources are resolved and the domain controllers can be reached for authentication. Login can then be handled by the Local Security Authority Subsystem Service (LSASS), and Group Policy and login scripts run as expected.

What is Split-Horizon DNS

When split-horizon DNS is deployed by a network, certain domains are only resolvable by querying the network-designated DNS server rather than a public DNS server.

DNS clients which use DNS servers not provided by the network need to route those DNS domain queries to the network-designated DNS server.

This document informs DNS clients of split-horizon DNS and the DNS domains it applies to, and is compatible with encrypted DNS.