Embedding Certificates into OpenVPN Config

I found out a very cool configuration trick for OpenVPN while reading up on OpenVPN encryption key sizes.

In the middle of the thread, one of the users, “300000”, posted his/her configuration settings.
The part that caught my eye was the chunk of Base64 encoded certs sitting inside the config itself.

I never knew you could embed the certs directly into the config file!

All this while I’ve been using the respective keywords to define the path to the individual cert files. This has made the distribution of configuration to each user quite a pain, since in addition to the config file, I have to send them the cert and key files and also instruct them on where to put the individual files.

Now, I can just pass them a single .ovpn file and tell them where to place it and they are good to go. No more additional steps like telling them to download the cert files and placing them in a specific directory.

To embed the certs, simply place the PEM text of each file (the whole block from the BEGIN line to the END line) between the respective <ca> </ca>, <cert> </cert> and <key> </key> tags in your .ovpn config file, and comment out the “ca”, “cert” and “key” keywords so OpenVPN no longer looks for the separate files.

client
remote my-server 1194
proto udp
dev tun
persist-key
persist-tun
resolv-retry infinite
nobind
#ca ca.crt
#cert client.crt
#key client.key
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
***Paste CA Cert Text Here***

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
***Paste Your Cert Text Here***

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***Paste Your Cert Private Key Here***

-----END PRIVATE KEY-----
</key>

There, simple.
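
As an added example (not code from the original post), the following Python helper automates the conversion described above: it comments out the `ca`, `cert`, `key` and `tls-auth` lines, appends the matching inline blocks, moves the direction argument of `tls-auth` to a `key-direction` line, and flags a password-protected key, which a client that cannot prompt for a passphrase will fail to load. The sample config and PEM text are constructed placeholders, not real certificates or keys.

```python
# Directives whose file argument can instead be supplied as an inline block.
INLINE_DIRECTIVES = ("ca", "cert", "key", "tls-auth")


def is_encrypted_key(pem):
    """True if the private key PEM is passphrase protected: either the
    'Proc-Type: 4,ENCRYPTED' header of a traditional PEM key or a PKCS#8
    'ENCRYPTED PRIVATE KEY' block."""
    return "Proc-Type: 4,ENCRYPTED" in pem or "BEGIN ENCRYPTED PRIVATE KEY" in pem


def embed_inline(config_text, pems):
    """Return a unified .ovpn: every ca/cert/key/tls-auth line is commented out
    and the matching <tag>...</tag> block, filled from the PEM text in `pems`
    (directive name -> file contents), is appended at the end."""
    out, blocks, key_direction = [], [], None
    for line in config_text.splitlines():
        parts = line.split()
        if parts and parts[0] in INLINE_DIRECTIVES:
            name = parts[0]
            if name not in pems:
                raise ValueError(f"'{name}' references a file but no PEM text was supplied")
            # 'tls-auth ta.key 1' carries the key direction as a second argument;
            # an inline block cannot, so it has to move to a key-direction line.
            if name == "tls-auth" and len(parts) > 2:
                key_direction = parts[2]
            out.append("#" + line)
            blocks.append(f"<{name}>\n{pems[name].strip()}\n</{name}>")
        else:
            out.append(line)
    if key_direction and not any(l.split()[:1] == ["key-direction"] for l in out):
        out.append(f"key-direction {key_direction}")
    return "\n".join(out + blocks) + "\n"


# Constructed sample input (placeholder PEM bodies, not real keys).
SAMPLE_CONFIG = "client\ndev tun\nproto udp\nremote vpn.example.com 1194\n" \
                "ca ca.crt\ncert client.crt\nkey client.key\ntls-auth ta.key 1\n"
SAMPLE_PEMS = {
    "ca": "-----BEGIN CERTIFICATE-----\nMIIBsampleCA\n-----END CERTIFICATE-----\n",
    "cert": "-----BEGIN CERTIFICATE-----\nMIIBsampleClient\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN PRIVATE KEY-----\nMIIEsampleKey\n-----END PRIVATE KEY-----\n",
    "tls-auth": "-----BEGIN OpenVPN Static key V1-----\n00ff\n-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    if is_encrypted_key(SAMPLE_PEMS["key"]):
        print("warning: private key is passphrase protected")
    print(embed_inline(SAMPLE_CONFIG, SAMPLE_PEMS))
```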

Kee Wee

Kee Wee is an IT Specialist specialising in High Availability and Messaging solutions. He is a curious person who likes to build things and figure out how stuff works. This is where he shares his thoughts with the world.

  • Worked like a charm! Thanks a lot. I think this is a must if you want to use the profile on the OpenVPN iPhone app. Thanks a lot for sharing! 🙂

    abhi

    December 24, 2015

  • […] used the following page at Brainfart on embedding the certificates right into the VPN configuration […]

  • Thanks for writing this awesome article. I’m a long time reader
    but I’ve never been compelled to leave a comment. I subscribed to your blog and shared
    this on my Facebook. Thanks again for a great post!

    www.9-blog.com

    December 3, 2016

  • Does this work for tls-auth too?

    key-direction 0

    John

    December 16, 2016

  • Hi John,

    Yes! This works for tls-auth too.

    Just include:
    <tls-auth>
    ...
    Server TLS Key
    ...
    </tls-auth>

    Remember to include the key-direction directive too:
    key-direction 1

    Kee Wee

    December 29, 2016

  • Any idea how I’d add the contents of a ‘dh2048.pem’ cert/file into an OVPN config file?

    Thanks 🙂

    Ben

    February 4, 2017

  • Setting the DH key is a server side setting.
    Just include the dh parameter in your server.conf file and restart OpenVPN:
    dh /etc/openvpn/keys/dh2048.pem

    Kee Wee

    February 4, 2017

  • Thanks for your reply, Kee Wee.

    Server side for me, is my VPN provider.

    First off, I only have a basic understanding of VPNs and OVPN so apologies for my ignorance in what follows…

    I own an Asus DSL-AC68U that has server and client capability. I’m trying to setup the client capability. I’m hoping to be able to set my router as a VPN client to my VPN service provider.

    Only problem is, the Asus’s interface is a little spartan. I’m not sure there are enough fields available to put all the info in that’s required by my provider?

    I can import an .ovpn config
    I can manually paste the CA, Cert and Key into fields.
    It also offers a username and password field.

    But every time I try to connect to my VPN service provider from the router, it fails.

    I’m not entirely sure what’s going wrong. But I suspect the router is either incapable of providing ‘enough’ credentials due to the limited GUI interface or I’m doing something wrong.

    For what it’s worth, connecting using exactly the same .ovpn file and certs is fine from a laptop so I know I’m using the correct details.

    My VPN provider’s .ovpn file references four files/certs; the dh2048.pem, plus the CA, Cert and Key, plus it contains all the other parameters like host name, compression etc.

    Perhaps I’m barking up the wrong tree with the dh2048.pem thing. I was hoping that if I could include all the certs actually in the .ovpn config file, I could import that to the router and I’d be in business. Just can’t get anything to work though 🙁

    Could it be the encrypted ‘.key’? On a laptop, I get the option to enter a password for it. Not so in the Asus interface. Well, not outside the username and password fields that I suspect are unrelated.

    Hmmm. Got the feeling I might be trying to push water uphill here 🙂

    Ben

    February 4, 2017

  • Hi Ben,

    You say your .key file is encrypted (if you look at the text of your .key file, you should see “Proc-Type: 4,ENCRYPTED” somewhere in it)? That might be the case for your issue, as I believe the Asus router is not able to decrypt your private key automatically.
    Do you have access to a Linux machine? You can try to decrypt your private key and import your key file into your router and try again.
    https://techjourney.net/how-to-decrypt-an-enrypted-ssl-rsa-private-key-pem-key/

    Kee Wee

    March 6, 2017

  • Hi, I have an ivacy vpn ovpn file. But the cert and key are separate files.
    Would you be able to help me compile it into a single file?
    I can send you the ovpn and the rest of the files. Can you email me: [email protected]
    Thank you

    Fenz

    March 13, 2017

  • Hi Fenz,
    Do store your key file securely and do not transmit it to anyone else 😉

    You can simply open the cert file and key file with notepad, copy out the entire “-----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----” and “-----BEGIN PRIVATE KEY-----/-----END PRIVATE KEY-----” text and paste them into the respective tags.

    Kee Wee

    March 13, 2017

  • Hi Kee Wee.
    I tried to follow your code but it didn’t work. The ivacy config is different.
    Can you put the code for this config and I can paste the CRT and key in it?

    Here is the Ivacy ovpn file config:

    client
    dev tun
    proto tcp
    remote au1-ovpn-tcp.ivacy.net 80
    persist-key
    persist-tun
    ca ca.crt
    tls-auth Wdc.key 1
    cipher AES-256-CBC
    comp-lzo
    verb 1
    mute 20
    route-method exe
    route-delay 2
    route 0.0.0.0 0.0.0.0
    float
    auth-user-pass
    auth-retry interact
    ifconfig-nowarn

    Fenz

    March 14, 2017

  • I cannot get this to work.
    I am using OpenVPN 2.3.2 and testing the unified import with the client ovpn config. The error I am getting is: Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
    I added the --tls-client as suggested by the error message and now I get this error:
    Options error: You must define private key file (--key) or PKCS#12 file (--pkcs12)

    carey

    April 20, 2017

  • I cannot get this to work.
    The first error is:
    Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
    I added the --tls-client directive as suggested by the error message.
    The new error after that is:
    Options error: You must define private key file (--key) or PKCS#12 file (--pkcs12)

    carey

    April 20, 2017

  • Hey, sorry for the delayed response.

    You will need to include your private key in the config file:

    -----BEGIN PRIVATE KEY-----
    ***Paste Your Cert Private Key Here***

    -----END PRIVATE KEY-----

    Kee Wee

    June 20, 2017

  • Hello i urgently need your help could u please reply?

    CZ1

    June 14, 2017

  • Yup?

    Kee Wee

    June 20, 2017

  • Hi Kee Wee,

    First of all, nice post, thank you!
    I have a short question about this thread.

    I can’t determine what the advantage of this “all in one” client config is over using a single config (.ovpn) file with an encrypted pkcs (.p12)?
    Thanks,
    letix

    letix

    August 1, 2017

  • Hi letix,

    The main advantage is portability and ease of configuration. You can simply plug this config file into any OpenVPN client and it will immediately work. No need to edit the config file to point to the individual cert files.
    Hope this helps!

    Kee Wee

    August 1, 2017

  • Thank you for your quick response!
    From a security aspect there is no difference between the two methods, right?

    letix

    August 2, 2017

  • Hi letix,
    If you encrypt the private key, then yes, there is no difference between the two methods in terms of security.

    Kee Wee

    August 2, 2017
