I found out a very cool configuration trick for OpenVPN while doing some read-up on OpenVPN encryption key size.
In the middle of the thread, one of the users, “300000”, posted his/her configuration settings.
The part that caught my eye was the chunk of Base64 encoded certs.
I never knew you could embed the certs directly into the config file!
All this while I’ve been using the respective keywords to define the path to the individual cert files. This has made distributing the configuration to each user quite a pain: in addition to the config file, I have to send them the cert and key files and also instruct them where to put each individual file.
Now, I can just pass them a single .ovpn file and tell them where to place it and they are good to go. No more additional steps like telling them to download the cert files and placing them in a specific directory.
To embed the certs, simply place the Base64 encoded cert text into the respective <ca> </ca>, <cert> </cert> and <key> </key> tags in your .ovpn config file and comment out the “ca”, “cert” and “key” keywords.
client
remote my-server 1194
proto udp
dev tun
persist-key
persist-tun
resolv-retry infinite
nobind
#ca ca.crt
#cert client.crt
#key client.key
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
***Paste CA Cert Text Here***
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
***Paste Your Cert Text Here***
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***Paste Your Cert Private Key Here***
-----END PRIVATE KEY-----
</key>
There, simple.
Worked like a charm! Thanks a lot. I think this is a must if you want to use the profile on the OpenVPN iPhone app. Thanks a lot for sharing!
Thanks for writing this awesome article. I’m a long time reader but I’ve never been compelled to leave a comment. I subscribed to your blog and shared this on my Facebook. Thanks again for a great post!
Does this work for tls-auth too?
…
key-direction 0
Hi John,
Yes! This works for tls-auth too.
Just include:
<tls-auth>
...
Server TLS Key
...
</tls-auth>
Remember to include the key-direction directive too:
key-direction 1
Any idea how I’d add the contents of a ‘dh2048.pem’ cert/file into an OVPN config file?
Thanks
Setting the DH key is a server side setting.
Just include the dh parameter in your server.conf file and restart OpenVPN:
dh /etc/openvpn/keys/dh2048.pem
Thanks for your reply, Kee Wee.
Server side for me, is my VPN provider.
First off, I only have a basic understanding of VPNs and OVPN so apologies for my ignorance in what follows…
I own an Asus DSL-AC68U that has server and client capability. I’m trying to setup the client capability. I’m hoping to be able to set my router as a VPN client to my VPN service provider.
Only problem is, the Asus’s interface is a little spartan. I’m not sure there are enough fields available to put all the info in that’s required by my provider?
I can import an .ovpn config
I can manually paste the CA, Cert and Key into fields.
It also offers a username and password field.
But every time I try to connect to my VPN service provider from the router, it fails.
I’m not entirely sure what’s going wrong. But I suspect the router is either incapable of providing ‘enough’ credentials due to the limited GUI interface or I’m doing something wrong.
For what it’s worth, connecting using exactly the same .ovpn file and certs is fine from a laptop so I know I’m using the correct details.
My VPN provider’s .ovpn file references four files/certs; the dh2048.pem, plus the CA, Cert and Key, plus it contains all the other parameters like host name, compression etc.
Perhaps I’m barking up the wrong tree with the dh2048.pem thing. I was hoping that if I could include all the certs actually in the .ovpn config file, I could import that to the router and I’d be in business. Just can’t get anything to work though.
Could it be the encrypted ‘.key’? On a laptop, I get the option to enter a password for it. Not so in the Asus interface. Well, not outside the username and password fields that I suspect are unrelated.
Hmmm. Got the feeling I might be trying to push water uphill here.
Hi Ben,
You say your .key file is encrypted (if you look at the text of your .key file, you should see “Proc-Type: 4,ENCRYPTED” somewhere in it)? That might be the case for your issue, as I believe the Asus router is not able to decrypt your private key automatically.
Do you have access to a Linux machine? You can try to decrypt your private key and import your key file into your router and try again.
https://techjourney.net/how-to-decrypt-an-enrypted-ssl-rsa-private-key-pem-key/
Hi, I have a ivacy vpn ovpn file. But the cert and key is a separate file.
Would you be able to help me compile it to a single file?
I can send you the ovpn and the rest of the files. Can you email me: [email protected]
Thank you
Hi Fenz,
Do keep your key file stored securely and do not transmit it to anyone else.
You can simply open the cert file and key file with Notepad, copy out the entire “-----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----” and “-----BEGIN PRIVATE KEY-----/-----END PRIVATE KEY-----” text and paste them into the respective tags.
Hi Kee Wee.
I tried to follow your code but it didn’t work. The Ivacy config is different.
Can you put the code for this config and I can paste the CRT and key in it?
Here is the Ivacy ovpn file config:
client
dev tun
proto tcp
remote au1-ovpn-tcp.ivacy.net 80
persist-key
persist-tun
ca ca.crt
tls-auth Wdc.key 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
route-method exe
route-delay 2
route 0.0.0.0 0.0.0.0
float
auth-user-pass
auth-retry interact
ifconfig-nowarn
I cannot get this to work.
I am using OpenVPN 2.3.2 and testing the unified import with the client ovpn config. The error I am getting is: Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
I added the --tls-client as suggested by the error message and now I get this error:
Options error: You must define private key file (--key) or PKCS#12 file (--pkcs12)
Hey, sorry for the delayed response.
You will need to include your private key in the config file:
-----BEGIN PRIVATE KEY-----
***Paste Your Cert Private Key Here***
-----END PRIVATE KEY-----
Hello i urgently need your help could u please reply?
Yup?
Hi Kee Wee,
First of all, nice post, thank you!
I have a short question about this thread.
I can’t determine what is the advantage of this “all in one” client config against using a single config (.ovpn) file with an encrypted pkcs (.p12) ?
Thanks,
letix
Hi letix,
The main advantage is portability and ease of configuration. You can simply plug this config file into any OpenVPN client and it will immediately work. No need to edit the config file to point to the individual cert files.
Hope this helps!
Thank you for your quick response!
In security aspect there is no difference between the two methods, right?
Hi letix,
If you encrypt the private key, then yes, there is no difference between the two methods in terms of security.
can we generate the config automatically? I mean no copy-pasting XD
Not that I know of, unless you do it programmatically via code or scripting.
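The copy-and-paste described in the post (the ca/cert/key tags) and the tls-auth/key-direction reply above can be scripted. The following is an added example, not the post's or a commenter's code, and it generalizes the post's three directives to tls-auth as well: it comments out each file directive, appends the matching inline block, and turns the direction argument of “tls-auth file 1” into a key-direction line. The config and PEM bodies are constructed placeholders.

```python
"""Build a single unified .ovpn: embed ca/cert/key/tls-auth files inline."""

# Directives whose file argument OpenVPN also accepts as an inline <tag> block.
INLINE_DIRECTIVES = ("ca", "cert", "key", "tls-auth")


def inline_ovpn(config_text, files):
    """Return the unified config. `files` maps each file name referenced in
    the config (e.g. 'ca.crt') to its PEM text. The original file directive is
    kept as a comment, and a tls-auth direction argument becomes key-direction."""
    out, blocks, key_direction = [], [], None
    for line in config_text.splitlines():
        parts = line.split()
        if parts and parts[0] in INLINE_DIRECTIVES:
            directive, fname = parts[0], parts[1]
            if fname not in files:
                raise KeyError(f"{directive}: no contents supplied for {fname}")
            if "-----BEGIN" not in files[fname]:
                raise ValueError(f"{fname}: not PEM text, refusing to embed")
            out.append("#" + line)  # keep the old directive, commented out
            blocks.append(f"<{directive}>\n{files[fname].strip()}\n</{directive}>")
            if directive == "tls-auth" and len(parts) > 2:
                key_direction = parts[2]  # 'tls-auth ta.key 1' -> key-direction 1
        else:
            out.append(line)
    if key_direction is not None and not any(l.startswith("key-direction") for l in out):
        out.append(f"key-direction {key_direction}")
    return "\n".join(out + blocks) + "\n"


# Constructed sample input (not a real key or cert): a client config that still
# points at files, plus placeholder PEM bodies.
SAMPLE_CONFIG = """client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
verb 3"""

SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nCERT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\nTA-PLACEHOLDER\n-----END OpenVPN Static key V1-----\n",
}


def build_example():
    return inline_ovpn(SAMPLE_CONFIG, SAMPLE_FILES)


if __name__ == "__main__":
    print(build_example())
```

Since the resulting file contains the private key, treat the unified .ovpn with the same care as the .key file itself when distributing it.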