How to configure OpenVPN for Android with certificate authentication and managed configurations in Knox Manage

Environment

  • Knox Manage (KM)
  • Android Enterprise

Prerequisites

Before following these instructions, you must have an OpenVPN server set up according to your enterprise's VPN security requirements.

Overview

This article guides you through the steps on how to set up OpenVPN for Android using Knox Manage (KM)'s certificate provisioning, and shows you how to automate the setup process using KM managed configurations.

Install the OpenVPN for Android client

  1. In your KM console, go to Application > Add > Public.
  2. In the search bar, enter "OpenVPN for Android" and click Search.
  3. Select the "OpenVPN for Android" application.
  4. On the OpenVPN for Android application page, click Approve.
  5. In the pop-up window that appears, click Approve.
  6. Click Done, then click Save.
  7. Go to Application.
  8. Under the OpenVPN application, click Assign.
  9. Under Target device, select Android Enterprise with the Automatic install type.
  10. Under Target section, select your group or organization, then click Assign.

Create a PKCS12 certificate and upload it to Android Keystore through Knox Manage

If you use OpenVPN configuration files with embedded certificates, you need to extract the certificates and private key and package them in PKCS12 format. The extraction process ensures that your private key is not stored in the configuration file. Instead, it is provisioned using KM and stored in your device's Android Keystore.

To extract the PKCS12 certificates:

  1. In a text editor, open your OpenVPN configuration file.
  2. In the file, locate the following sections of code:
    <ca>...</ca>
    <cert>...</cert>
    <key>...</key>
  3. Copy the text in the <ca> section into a new text file. Ensure the content matches the following format:
    -----BEGIN CERTIFICATE-----
    ... (certificate contents)
    -----END CERTIFICATE-----
  4. Save the new text file as "ca.crt".
  5. Repeat Step 3 for the <cert> section, saving it as "client.crt".
  6. Repeat Step 3 for the <key> section, saving it as "client.key".

After copying the certificate information out of the OpenVPN configuration, you should have three files named "ca.crt", "client.crt", and "client.key". You can now use OpenSSL to combine them:

  1. On your computer, install OpenSSL.
  2. In your file manager, navigate to the folder containing your "ca.crt", "client.crt", and "client.key" files.
  3. Open Command Prompt and enter the following OpenSSL command:
    openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name MyClient -out client.p12
  4. When prompted, enter a strong export password to protect the certificate and private key in the PKCS12 file.

You now have an OpenVPN-compatible "client.p12" certificate that you can upload to KM and push to your device's Android Keystore.

Add the PKCS12 certificate to Knox Manage

  1. In your KM console, go to Advanced > Certificate > External Certificate > Add.
  2. Upload your "client.p12" certificate and enter the information as shown below:
  3. Click Save.

To store the client certificate in your device's Android Keystore:

  1. In your KM console, go to Profile.
  2. Click on your device's profile > Modify Policy.
  3. Select Certificate, then enter the information as shown below:
  4. Click Save and Apply.

To install the client certificate on your device:

  1. In the KM client on your device, navigate to Download Configuration > Install.
  2. Tap OK.

To sync the OpenVPN configuration file (*.ovpn) with your device:

  1. In your KM console, under Content, upload the configuration file to KM.
  2. Enter the information as shown below:

Apply VPN managed configurations

When applying VPN managed configurations, you need to enter the following info:

  1. UUID - A unique UUID that identifies the profile (sample format: 0E910C15-9A85-4DD9-AE0D-E6862392E638). You can generate the UUID using uuidgen or similar tools.
  2. Name - A name for your VPN profile.
  3. Config - The content of your OpenVPN configuration file, typically with the extension .ovpn or .conf. In Command Prompt, convert this file to base64 using the command: openssl base64 -A -in

Your OpenVPN configuration file should be in the below format:

    client
    dev tun
    proto udp
    remote <your server name/IP>
    port 1194
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    remote-cert-tls server
    cipher AES-256-CBC
    auth SHA256
    verb 3

Your Base64 encoded string should be in the below format:

Y2xpZW50CmRldiB0dW4KcHJvdG8gdWRwCnJlbW90ZSB0ZXN0b3Zwbi5kZG5zLm5ldApwb3J0IDExOTQKcmVzb2x2LXJldHJ5IGluZmluaXRlCm5vYmluZAp1c2VyIG5vYm9keQpncm91cCBub2dyb3VwCnBlcnNpc3Qta2V5CnBlcnNpc3QtdHVuCnJlbW90ZS1jZXJ0LXRscyBzZXJ2ZXIKY2lwaGVyIEFFUy0yNTYtQ0JDCmF1dGggU0hBMjU2CnZlcmIgMw==
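As an added example (not part of the Knox article), the following Python script automates the two manual steps above: it splits the inline <ca>, <cert> and <key> blocks out of an .ovpn file into separate PEM strings (the files the article's openssl pkcs12 command then packages), rejecting a block that holds a file path instead of PEM text, and base64-encodes the stripped configuration for the Config field exactly as openssl base64 -A does. The sample .ovpn, its placeholder PEM bodies, and the UUID/Name/Config dictionary keys are constructed assumptions, not KM's schema.

```python
import base64
import re
import uuid

INLINE_TAGS = ("ca", "cert", "key")


def split_inline_blocks(ovpn_text):
    """Return (pem_blocks, stripped_config): the PEM text inside each inline
    <ca>/<cert>/<key> block, and the .ovpn text with those blocks removed so
    the private key is no longer embedded in the configuration."""
    blocks, remaining = {}, ovpn_text
    for tag in INLINE_TAGS:
        pattern = re.compile(r"<%s>\s*(.*?)\s*</%s>\n?" % (tag, tag), re.DOTALL)
        match = pattern.search(remaining)
        if match is None:
            continue  # directive may reference a file path instead of inline PEM
        pem_text = match.group(1).strip() + "\n"
        if not pem_text.startswith("-----BEGIN "):  # the article expects PEM here
            raise ValueError("<%s> block is not PEM formatted" % tag)
        blocks[tag] = pem_text
        remaining = remaining[:match.start()] + remaining[match.end():]
    return blocks, remaining.rstrip("\n")


def encode_config(config_text):
    """Single-line base64 of the stripped config, as `openssl base64 -A` emits."""
    return base64.b64encode(config_text.encode("utf-8")).decode("ascii")


def decode_config(b64_text):
    """Reverse of encode_config; use it to check what was pasted into KM."""
    return base64.b64decode(b64_text).decode("utf-8")


def build_managed_config(name, config_text, profile_uuid=None):
    """The three values the KM managed configuration asks for. Keys mirror the
    article's field labels (an assumption); uuid4 plays the role of uuidgen."""
    profile_uuid = profile_uuid or str(uuid.uuid4()).upper()
    return {"UUID": profile_uuid, "Name": name, "Config": encode_config(config_text)}


# Constructed sample .ovpn mirroring the article's profile; PEM bodies are placeholders.
CONFIG_LINES = ["client", "dev tun", "proto udp", "remote testovpn.ddns.net",
                "port 1194", "resolv-retry infinite", "nobind", "user nobody",
                "group nogroup", "persist-key", "persist-tun",
                "remote-cert-tls server", "cipher AES-256-CBC", "auth SHA256", "verb 3"]


def pem(kind, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (kind, body, kind)


SAMPLE_OVPN = "\n".join(CONFIG_LINES + [
    "<ca>", pem("CERTIFICATE", "PLACEHOLDER-CA"), "</ca>",
    "<cert>", pem("CERTIFICATE", "PLACEHOLDER-CLIENT-CERT"), "</cert>",
    "<key>", pem("PRIVATE KEY", "PLACEHOLDER-CLIENT-KEY"), "</key>"]) + "\n"
```

Running encode_config over the stripped sample reproduces the article's base64 string above, which is a quick way to confirm the value before pasting it into the Config field.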

After saving your configuration, launch the OpenVPN for Android application to see your new profile.

Select the Android Keystore certificate in the OpenVPN for Android app

After launching the OpenVPN for Android app:

  1. Tap the pen icon next to your profile.
  2. Next to Client Certificate, tap Select.
  3. In the pop-up that appears, select [636] Knox, then tap Select.

You have successfully imported the OpenVPN profile with your certificate. To complete the configuration, tap on your profile to establish the OpenVPN connection on your device.