Forensic Analysis of OpenVPN on iOS

OpenVPN is an average VPN client app that allows a user to connect to other OpenVPN protocol compatible Server.
This is going to be a quick analysis of what I found in the few files that were backed up from OpenVPN.
Analysis Methodology
For this analysis I used an iPhone XS running iOS 13 Beta 1 with OpenVPN version 894. The acquisition was generated by performing an unencrypted iTunes Backup. The iTunes Backup was then restructured into a more human readable filesystem by using my iTunes_Backup_Analyzer tool. The following artifacts were examined:
- \AppDomainGroup-group.net.openvpn.connect\openvpn-current.ovpnlog
- \AppDomain-net.openvpn.connect.app\Library\unified\reduxPersist%3Alogs
- \AppDomain-net.openvpn.connect.app\Library\unified\reduxPersist%3AprivateTunnel
- \AppDomain-net.openvpn.connect.app\Library\unified\reduxPersist%3Astatus
Analysis
openvpn-current.ovpnlog & reduxPersist%3Alogs
These files are pretty standard log files for the application. We can see details such as:
- Connection start times
- Disconnect times
- Bytes in
- Bytes out
- Packets in
- Packets out
- IP address connecting to
- Host name connecting to
- IP routes
- CPU Usage
- Network bytes per CPU second
- Tunnel bytes per CPU second
- Peer hardware address in the form of an 128 bit UUID
This is what the logs actually look like:

It’s important to note that in these log files, the usernames and passwords are just “Username” and “Password”. Which is good, but there’s some bad news about how OpenVPN manages passwords, which we will get into later…
The data in these logs can actually be seen inside the application by pressing the the top right icon as seen below:

reduxPersist%3AprivateTunnel
There’s not too much relevant information in this log file, but what is in here is the following:
- Host names, ports, and IP addresses of OpenVPN
- Blank username and password fields

reduxPersist%3Astatus
This is where the fun artifacts come into play:
- Private keys
- Usernames
- Profile names
- PASSWORDS IN PLAINTEXT

Conclusion
There’s not a ton of artifacts, but the main point to take away is that OpenVPN stores usernames, passwords, and private keys unencrypted which can be easily accessible inside an unencrypted iTunes Backup and restructured using my iTunes_Backup_Analyzer tool (or any other iTunes Backup tool).
On a side note, this is definitely worrying to me as my college, Champlain College, uses this service!