Error when importing .ovpn file to iphone OpenVPN app

I’m trying to set up a home VPN through Netgear, but when I download the configuration files and try to import them into the OpenVPN app on iPhone, I get this error. How do I fix it?

Also, side question: I don’t normally use a Netgear router. I normally use my Xfinity router that Comcast gave us, but the only problem with that is that I can’t set up a home VPN unless I go into bridge mode, and I don’t even know what that means or if it’s a good or a bad thing. So should I continue to do it on the Netgear router, or just do it through the Xfinity one since that’s the only one I use anyway?

I don’t know what the message actually states, but can it say that those files are missing? You mentioned that you download the files, in the plural, so I’m assuming that those files are in the same folder of the .ovpn file: are they?

Is there any chance that you downloaded all the files inside a compressed file, and tried to open the configuration file directly from inside the compressed file, without extracting them first to a folder? By the way: I don’t use iPhones, and only once I installed the OpenVPN client in my Android smartphone.

By the way: it is possible to embed the contents of the .crt and .key files inside the configuration file, if it will make things easier.

https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV

About the bridge thing: it means to make the ISP’s router, that now has a public IP address in its WAN interface (whether it has a WAN ethernet port or not), stop acting as a router, and instead your own router, connected properly to the ISP’s one, will act as the only router and have a public IP address in its WAN port. It’s a good thing, that can be easily done if you do some basic research.

Yes they are in the same folder. I’m on mac but when I downloaded the configuration files to my Mac the client.key, client3.ovpn, ca.crt, and client.crt were all in a folder. Does that mean I don’t have to extract anything?

And yeah I saw online somewhere that I needed to open the .ovpn file in a text editor and remove the words
Ca.crt
Client.key
Client.crt
And then re add them to the bottom of the text edit but I don’t think I’m doing that right :skull:

And as far as the bridge question, if I only use my ISP router alone, then it wouldn’t make sense to go into bridge mode right?

Yes they are in the same folder. I’m on mac but when I downloaded the configuration files to my Mac the client.key, client3.ovpn, ca.crt, and client.crt were all in a folder.

Did you try to make the VPN work on your Mac?

Does that mean I don’t have to extract anything?

I don’t know. I don’t know if you are looking at the contents of a compressed file as if it was a folder. I don’t know how you downloaded the files, and I’m not used to Apple stuff. How did you download the files?

And yeah I saw online somewhere that I needed to open the .ovpn file in a text editor and remove the words Ca.crt Client.key Client.crt And then re add them to the bottom of the text edit but I don’t think I’m doing that right

I don’t know if we are thinking of the same thing in this particular aspect, and I don’t know what instructions you are talking about. Is there a chance that this thing you read was, in fact, instructing you to make sure that the names of the certificate files declared inside the .ovpn file match the names of the actual files? Or maybe it was instructions on how to embed the certificates like I suggested: I can’t figure it out without more info.

And as far as the bridge question, if I only use my ISP router alone, then it wouldn’t make sense to go into bridge mode right?

The simplest answer to your question is: yes, it wouldn’t make sense.

Put content of all these files in one file.ovpn
Like this ca content etc

No. I don’t want it to work on my Mac I want it to work on my iphone. I just transferred that folder with all the configuration files onto my iphone and then tried to put it into OpenVPN and it didn’t work.

I downloaded the files from my netgear router settings client. That’s where I set up the vpn and then there are options to download the configuration files to your need. One being non windows, the other being iphone and iPad, and the other being android.

And yeah this is what I’m talking about https://www.reddit.com/r/OpenVPN/comments/8tumre/openvpn_connect_on_ios_missingbad_files/?utm_source=share&utm_medium=web2x&context=3

in this post I just linked, he has the same issue as me with the same error message. In the comments, he suggested removing the following three lines:
Ca.crt
Client.crt
Client.key

And then, he says that those three things are just placeholders, and what you’re actually supposed to add is supposed to go on the bottom but I don’t know how to add that information

No. I don’t want it to work on my Mac I want it to work on my iphone. I just transferred that folder with all the configuration files onto my iphone and then tried to put it into OpenVPN and it didn’t work.

I didn’t ask if you want to work on your Mac: I asked if you tried to make the VPN work on your Mac. The title of your post says “Error when importing .ovpn file to iphone OpenVPN app”, but we still don’t know if it should be “Error when importing .ovpn file to iphone OpenVPN app” instead.

I downloaded the files from my netgear router settings client. That’s where I set up the vpn and then there are options to download the configuration files to your need. One being non windows, the other being iphone and iPad, and the other being android.

I asked “I don’t know. I don’t know if you are looking at the contents of a compressed file as if it was a folder. I don’t know how you downloaded the files, and I’m not used to Apple stuff. How did you download the files?”, and you didn’t answer properly, and I’m also not used to OpenVPN in routers in general, let alone NetGear. Maybe the proper answer will help to pinpoint what exactly you were doing wrong or to rule out some possibilities.

in this post I just linked, he has the same issue as me with the same error message. In the comments, he suggested removing the following three lines: Ca.crt Client.crt Client.key

OK, now I know what you are talking about: it is really that thing that I mentioned (but didn’t really suggest) about embedding the certificates and then using one single file, the .ovpn file, for everything.

And then, he says that those three things are just placeholders, and what you’re actually supposed to add is supposed to go on the bottom but I don’t know how to add that information

I found this particular comment, it is the last one there right now, right? That person is wrong: ca ca.crt, cert client.crt and key client.key are not “placeholders for the new stuff you are supposed to add at the bottom”, on the contrary: those lines serve to declare the names and roles of the certificate files that are supposed to be in the same folder of the .ovpn file if you are following the usual approach, and if you are going to try the embedding approach (so you don’t have to use the extra files anymore) you need to delete those three lines. And there is something that you need to keep in mind: it is possible that those certificate files don’t have those exact names, and this can happen often with the client certificates and keys: we can create certificates for several users, with different file names, and then we need to edit the template .ovpn file to match them. Did you check if the names match (if you are not trying the embedding approach)?

Now let’s talk about the example they gave there, that follows the embedding approach:

<ca>
-----BEGIN CERT etc
</ca>
<cert>
-----BEGIN CERT etc
</cert>
<key>
-----BEGIN PRIVATE KEY etc
</key>

You understand that you need to write:

<ca>

</ca>
<cert>

</cert>
<key>

</key>

And then fill the blank lines with the contents of each matching certificate or key file, right? Open each .crt and .key file, copy the entire contents, and paste in the proper space.

An additional info: instead of deleting lines, I think it’s better to comment the lines (making them not being used by OpenVPN), so in the future you can have a clue of what you did in the past, and to comment you add a “#” or a semi-colon at the beginning, something like this:

# I commented the three lines below because I will embed the certificates inside this file here, like that awesome dude on Reddit suggested.
;ca ca.crt
;cert client.crt
;key client.key

Ahhh okay this actually helps a lot. I have a few questions though.

  1. you mentioned to open each .crt .key file and copy all of the contents and paste it in the proper place. But how do I open those files? When I try on my iphone it doesn’t work and same with my mac. Is there an app I need to download to allow me to open those files to then be able to get the content inside of them?

  2. when pasting the contents in the places they belong, do I do it like this:

————content here

Or

Content here

So basically what I’m trying to ask is if I need to add these “———“ into it or literally just type the content in between the and

  1. you mentioned to open each .crt .key file and copy all of the contents and paste it in the proper place. But how do I open those files? When I try on my iphone it doesn’t work and same with my mac. Is there an app I need to download to allow me to open those files to then be able to get the content inside of them?

Any simple text editor can open them. I believe macOS comes with TextEdit, isn’t that right? Open this program and use it to open those files, but since their extension is not .txt you will probably need to check, uncheck or select something that will allow you to choose files with any extension. And I just realized: if you are already editing the .ovpn file as text, you are already able to do it.

  1. when pasting the contents in the places they belong, do I do it like this:

It is going to be something like this:

<ca>
-----BEGIN CERTIFICATE-----
blablablablabla
blablablablabla
blablablablabla
blablablablabla
blablabla=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
blablablablabla
blablablablabla
blablablablabla
blablablablabla
blablabla==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
blablablablabla
blablablablabla
blablablablabla
blablablablabla
blablablabla
-----END PRIVATE KEY-----
</key>

But I have never done it like this, so now I have this doubt: there is more content inside client.crt than what appears here, so focus only on the part between “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” and see if it works.
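The embedding steps described in the replies above (comment out the `ca`, `cert` and `key` lines, then append `<ca>`, `<cert>` and `<key>` blocks holding only the BEGIN...END part of each file), as an added example that is not part of the original thread. The function names and the sample contents are made up for illustration, and it assumes file names without spaces or quotes.

```python
import re

DIRECTIVES = ("ca", "cert", "key")  # file directive -> same-named inline tag
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Keep only the BEGIN...END block(s); drop any extra text around them."""
    blocks = [m.group(0) for m in PEM_RE.finditer(text)]
    if not blocks:
        raise ValueError("no PEM block found")
    return "\n".join(blocks)


def embed(profile_text, files):
    """profile_text: contents of the .ovpn file.
    files: dict of file name (as declared in the profile) -> file contents.
    Returns one self-contained profile."""
    kept, inline = [], []
    for line in profile_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in DIRECTIVES:
            tag, name = parts
            if name not in files:
                # Declared name does not match any supplied file.
                raise FileNotFoundError(f"'{line.strip()}' names a missing file")
            kept.append(";" + line)  # comment out rather than delete
            inline.append(f"<{tag}>\n{pem_blocks(files[name])}\n</{tag}>")
        else:
            kept.append(line)
    return "\n".join(kept + inline) + "\n"


# Constructed sample input (placeholder base64, not real key material).
SAMPLE_PROFILE = "client\ndev tun\nca ca.crt\ncert client.crt\nkey client.key\n"
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nQ0E=\n-----END CERTIFICATE-----\n",
    "client.crt": "Certificate:\n    Data: ...\n"
                  "-----BEGIN CERTIFICATE-----\nQ1JU\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    print(embed(SAMPLE_PROFILE, SAMPLE_FILES))
```

The resulting single file contains the private key, so it needs the same care as client.key itself.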

Ah okay sounds good. Thanks for the help and being patient with me lmfao I’m at work but I’m gonna try later and see if I can get it to work

You’re welcome, it’s fun! Good luck!

Okay so I did it and this time I got no error messages. However when I turn the vpn on it just continuously loads and then eventually times out. How do I fix this?

I put the keys in the .ovpn document in this order. Ca.crt first, then client.crt, and lastly client.key was that the correct order?

Okay so I did it and this time I got no error messages. However when I turn the vpn on it just continuously loads and then eventually times out. How do I fix this?

First you need to find what is going wrong. Take a look at the beginning of this article to find out how to view the OpenVPN Connect client log:

You will need to take a look at it and try to figure out where possible error messages are.

I put the keys in the .ovpn document in this order. Ca.crt first, then client.crt, and lastly client.key was that the correct order?

I don’t know if the order matters, but since that’s the order we always see around, it’s OK.

It would help a lot to share your configuration file and the log… but it’s a terrible idea, because a lot of information would need to be redacted, particularly the line that begins with “remote” (followed by the server address and port) and the contents of the certificates, and we can’t expect that you do it safely. The same thing with the log. So, even if it sounds tempting, don’t do it with anyone you don’t trust personally.

But take a look at the log: export it like in the link above, find out if it goes up or down by the timestamps, and look for something that sounds like an error message. If you decide to publish it here, make sure your server address (whether it is a FQDN or an IP address) is redacted.

Oh, and about the contents of the client.crt file: what about trying differently, with the entire content of the file this time? What did you do, by the way: the entire content, or just that similar part?
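One way to do the redaction this reply asks for before sharing a profile or a log, as an added example that is not part of the original thread. The function names, the host `vpn.example.net`, the port and the log lines are constructed for illustration and do not reproduce the real OpenVPN Connect log format.

```python
import re

SECRET_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt")
BLOCK_RE = re.compile(r"<(%s)>.*?</\1>" % "|".join(SECRET_TAGS), re.DOTALL)
# [ \t] rather than \s so a match never spans lines; "remote-cert-tls" is not matched.
REMOTE_RE = re.compile(r"^[ \t]*remote[ \t]+(\S+)[^\n]*$", re.MULTILINE)


def remote_hosts(profile):
    """Server addresses (FQDN or IP) declared on 'remote' lines."""
    return {m.group(1) for m in REMOTE_RE.finditer(profile)}


def redact(text, hosts):
    """Scrub a profile or a log: inline key material, 'remote' lines,
    and every literal occurrence of a known server address."""
    text = BLOCK_RE.sub(
        lambda m: "<%s>\n[REDACTED]\n</%s>" % (m.group(1), m.group(1)), text)
    text = REMOTE_RE.sub("remote [REDACTED]", text)
    for host in sorted(hosts, key=len, reverse=True):  # longest first
        text = text.replace(host, "[REDACTED-SERVER]")
    return text


# Constructed sample input.
SAMPLE_PROFILE = (
    "client\n"
    "remote vpn.example.net 1194\n"
    "remote-cert-tls server\n"
    "<ca>\n-----BEGIN CERTIFICATE-----\nQ0E=\n-----END CERTIFICATE-----\n</ca>\n"
)
SAMPLE_LOG = (
    "12:00:01 Contacting vpn.example.net:1194 via UDP\n"
    "12:00:11 Connection timeout\n"
)

if __name__ == "__main__":
    hosts = remote_hosts(SAMPLE_PROFILE)
    print(redact(SAMPLE_PROFILE, hosts))
    print(redact(SAMPLE_LOG, hosts))
```

A log can also show the server's resolved IP address, which is only caught if that address is added to `hosts` as well.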

I removed the important stuff, but it’s not even giving any information as to why it’s happening. Can I dm it to u?

What do you mean by similar part? And yeah I just dm u

Yes, you can, if you feel safe to do so.

OK, let’s go to the other relevant stuff, but without assuming that the issues so far are cleared: maybe we will still need to get back to the certificates later.

Are you inside your house, with your smartphone connected to your home network? If that’s the case, then you need to disconnect your smartphone from your wireless network so your smartphone can be outside your house (from the point of view of the network) and access the router “from the Internet”. I assume the IP address or FQDN supplied in the “remote” line of the configuration file points to your house’s router’s public IP address, and that the port supplied in the same line is forwarded, inside the Xfinity router, pointing to the internal address of the Netgear router. That’s when your choices can make things difficult for you: if you had made the Xfinity router work in bridged mode, properly, you wouldn’t need to deal with port forwarding because the Netgear router would be directly connected to the Internet.

You need to take some time to tell us what you have done so far.