
Embedding Certificates into OpenVPN Config

I came across a very useful OpenVPN configuration trick while reading up on OpenVPN encryption key sizes.

In the middle of the thread, one of the users, “300000”, posted his/her configuration settings.
The part that caught my eye was the chunk of PEM-encoded (Base64) certificates sitting right inside the config.

I never knew you could embed the certs directly into the config file!

All this while I’ve been using the respective directives (“ca”, “cert”, “key”) to point at the individual cert files. This has made distributing the configuration to each user quite a pain: in addition to the config file, I have to send them the cert and key files and instruct them where to put each one.

Now I can just pass them a single .ovpn file, tell them where to place it, and they are good to go. No more additional steps like telling them to download the cert files and place them in a specific directory.

To embed the certs, place the PEM text of each file (including the BEGIN and END lines) inside the respective <ca></ca>, <cert></cert> and <key></key> tags in your .ovpn config file, and comment out (or remove) the “ca”, “cert” and “key” directives that pointed at the files. Inline files have been supported since OpenVPN 2.1, so any reasonably recent client accepts this. One caveat: the .ovpn file now carries the client’s private key, so treat it as a secret (restrictive file permissions, a secure channel for distribution, and preferably a passphrase-encrypted key).

client
remote my-server 1194
proto udp
dev tun
persist-key
persist-tun
resolv-retry infinite
nobind
# The file-based directives are no longer needed; the material is inline below.
#ca ca.crt
#cert client.crt
#key client.key
# comp-lzo is deprecated in current OpenVPN releases (compression oracle attacks such as VORACLE);
# omit it on new deployments unless the server insists on it.
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
***Paste CA Cert Text Here***
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
***Paste Your Cert Text Here***
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***Paste Your Cert Private Key Here***
-----END PRIVATE KEY-----
</key>

There, simple.
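The copy-and-paste above can be done mechanically. The script below is an added example for this article, not code from the original post or from the OpenVPN project: it reads a directive-based client config, pulls in each referenced ca/cert/key file (plus a tls-auth or tls-crypt key, moving the direction argument into a key-direction line, and a dh file for a server config), refuses any file that does not carry PEM armor, and writes out the unified profile. The file names, the placeholder key material and the remote-cert-tls line in the demo are constructed assumptions; real material comes from your CA.

```python
"""Assemble a single-file OpenVPN profile by inlining the files a
directive-based config references (added example; not code from the post).
Assumption: referenced files live next to the config; paths may be quoted."""
import re
import shlex
import tempfile
from pathlib import Path

# Directives whose file argument OpenVPN also accepts as an inline
# <tag>...</tag> block.  tls-auth may carry a direction (0/1), which has to
# move into a separate key-direction line once the key is inline.
INLINE_DIRECTIVES = {"ca", "cert", "key", "tls-auth", "tls-crypt", "dh"}

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\n.+?\n-----END (?P=label)-----", re.S
)
BLOCK_RE = re.compile(
    r"^<(?P<tag>[\w-]+)>\n(?P<body>.*?)\n^</(?P=tag)>$", re.S | re.M
)


def read_pem(path: Path) -> str:
    """Return the armored text in *path*; refuse anything without a matching
    BEGIN/END pair so a truncated or DER (binary) file is caught here rather
    than at connect time."""
    text = path.read_text().replace("\r\n", "\n").strip()
    if not PEM_RE.search(text):
        raise ValueError(f"{path}: no PEM-style BEGIN/END block found")
    return text


def inline_config(config_text: str, base_dir) -> str:
    """Rewrite a directive-based config as a unified profile.  Existing inline
    blocks, comments and unrelated directives pass through unchanged, so
    running this on its own output is a no-op."""
    out, in_block = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if in_block:                      # inside an existing <tag> block
            out.append(raw)
            in_block = not line.startswith("</")
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_block = True
            out.append(raw)
            continue
        if not line or line[0] in "#;":
            out.append(raw)
            continue
        tokens = shlex.split(line)
        directive = tokens[0]
        if directive not in INLINE_DIRECTIVES or len(tokens) < 2:
            out.append(raw)
            continue
        pem = read_pem(Path(base_dir) / tokens[1])
        out.append(f"# {raw}  (inlined below)")   # keep the old directive as a comment
        if directive == "tls-auth" and len(tokens) >= 3:
            out.append(f"key-direction {tokens[2]}")
        out.extend([f"<{directive}>", pem, f"</{directive}>"])
    return "\n".join(out) + "\n"


def inline_blocks(profile_text: str) -> dict:
    """Map each inline <tag> in a profile to its armored body."""
    return {m["tag"]: m["body"] for m in BLOCK_RE.finditer(profile_text)}


def missing_client_material(profile_text: str) -> list:
    """Inline blocks a certificate-authenticated client profile still lacks.
    A <cert> with no <key> is exactly the case OpenVPN rejects with
    'You must define private key file (--key) or PKCS#12 file (--pkcs12)'.
    (Profiles that authenticate with auth-user-pass only need <ca>.)"""
    blocks = inline_blocks(profile_text)
    return [tag for tag in ("ca", "cert", "key") if tag not in blocks]


def demo() -> str:
    """Write constructed placeholder files to a temp dir, inline a client
    config that references them and return the resulting unified profile."""
    # Constructed stand-ins: real armor, fake bodies.  Real material comes
    # from your CA (e.g. easy-rsa) and `openvpn --genkey --secret ta.key`.
    files = {
        "ca.crt": "-----BEGIN CERTIFICATE-----\nQ0EgcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----\n",
        "client.crt": "-----BEGIN CERTIFICATE-----\nQ2xpZW50IHBsYWNlaG9sZGVy\n-----END CERTIFICATE-----\n",
        "client.key": "-----BEGIN PRIVATE KEY-----\nS2V5IHBsYWNlaG9sZGVy\n-----END PRIVATE KEY-----\n",
        "ta.key": "-----BEGIN OpenVPN Static key V1-----\n0123456789abcdef\n-----END OpenVPN Static key V1-----\n",
    }
    config = "\n".join([
        "client", "remote my-server 1194", "proto udp", "dev tun",
        "remote-cert-tls server",   # only accept a peer cert issued for server use
        "ca ca.crt", "cert client.crt", "key client.key",
        "tls-auth ta.key 1", "verb 3", "",
    ])
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for name, body in files.items():
            (base / name).write_text(body)
        return inline_config(config, base)


if __name__ == "__main__":
    print(demo())
```

On a real setup, call `inline_config(Path("client.conf").read_text(), ".")` from the directory holding the files. The script only checks for armor, not that the certificate and key belong together; `openssl x509 -noout -pubkey -in client.crt` and `openssl pkey -pubout -in client.key` should print the same public key. Because the unified profile now holds the private key, give it 0600 permissions and hand it over an authenticated channel rather than plain e-mail.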

Kee Wee

Kee Wee is an IT Specialist specialising in High Availability and Messaging solutions. He is a curious person who likes to build things and figure out how stuff works. This is where he shares his thoughts with the world.

24 Comments

  1. Worked like a charm! Thanks a lot. I think this is a must if you want to use the profile in the OpenVPN iPhone app. Thanks a lot for sharing! 🙂

  2. Thanks for writing this awesome article. I’m a long-time reader but I’ve never been compelled to leave a comment. I subscribed to your blog and shared this on my Facebook. Thanks again for a great post!

    • Hi John,

      Yes! This works for tls-auth too.

      Just include:
      <tls-auth>
      ...
      Server TLS Key
      ...
      </tls-auth>

      Remember to include the key-direction directive too:
      key-direction 1

  3. Any idea how I’d add the contents of a ‘dh2048.pem’ cert/file into an OVPN config file?

    Thanks 🙂

    • Setting the DH key is a server-side setting.
      Just include the dh parameter in your server.conf file and restart OpenVPN:
      dh /etc/openvpn/keys/dh2048.pem

  4. Thanks for your reply, Kee Wee.

    Server side for me, is my VPN provider.

    First off, I only have a basic understanding of VPNs and OVPN so apologies for my ignorance in what follows…

    I own an Asus DSL-AC68U that has server and client capability. I’m trying to set up the client capability. I’m hoping to be able to set my router as a VPN client to my VPN service provider.

    Only problem is, the Asus’s interface is a little spartan. I’m not sure there are enough fields available to put all the info in that’s required by my provider?

    I can import an .ovpn config
    I can manually paste the CA, Cert and Key into fields.
    It also offers a username and password field.

    But every time I try to connect to my VPN service provider from the router, it fails.

    I’m not entirely sure what’s going wrong. But I suspect the router is either incapable of providing ‘enough’ credentials due to the limited GUI interface or I’m doing something wrong.

    For what it’s worth, connecting using exactly the same .ovpn file and certs is fine from a laptop so I know I’m using the correct details.

    My VPN provider’s .ovpn file references four files/certs; the dh2048.pem, plus the CA, Cert and Key, plus it contains all the other parameters like host name, compression etc.

    Perhaps I’m barking up the wrong tree with the dh2048.pem thing. I was hoping that if I could include all the certs actually in the .ovpn config file, I could import that to the router and I’d be in business. Just can’t get anything to work though 🙁

    Could it be the encrypted ‘.key’? On a laptop, I get the option to enter a password for it. Not so in the Asus interface. Well, not outside the username and password fields that I suspect are unrelated.

    Hmmm. Got the feeling I might be trying to push water uphill here 🙂

  5. Hi, I have an Ivacy VPN ovpn file. But the cert and key are separate files.
    Would you be able to help me compile it into a single file?
    I can send you the ovpn and the rest of the files. Can you email me: [email protected]
    Thank you

    • Hi Fenz,
      Do keep your key file stored securely and do not transmit it to anyone else 😉

      You can simply open the cert file and key file with Notepad, copy out the entire “-----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----” and “-----BEGIN PRIVATE KEY-----/-----END PRIVATE KEY-----” text and paste them into the respective tags.

  6. Hi Kee Wee.
    I tried to follow your code but it didn’t work. The Ivacy config is different.
    Can you put up the code for this config so I can paste the CRT and key into it?

    Here is the Ivacy ovpn file config:

    client
    dev tun
    proto tcp
    remote au1-ovpn-tcp.ivacy.net 80
    persist-key
    persist-tun
    ca ca.crt
    tls-auth Wdc.key 1
    cipher AES-256-CBC
    comp-lzo
    verb 1
    mute 20
    route-method exe
    route-delay 2
    route 0.0.0.0 0.0.0.0
    float
    auth-user-pass
    auth-retry interact
    ifconfig-nowarn

  7. I cannot get this to work.
    I am using OpenVPN 2.3.2 and testing the unified import with the client ovpn config. The error I am getting is: Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
    I added the --tls-client as suggested by the error message and now I get this error:
    Options error: You must define private key file (--key) or PKCS#12 file (--pkcs12)

  8. I cannot get this to work.
    The first error is:
    Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
    I added the --tls-client directive as suggested by the error message.
    The new error after that is:
    Options error: You must define private key file (--key) or PKCS#12 file (--pkcs12)

    • Hey, sorry for the delayed response.

      You will need to include your private key in the config file:

      -----BEGIN PRIVATE KEY-----
      ***Paste Your Cert Private Key Here***
      -----END PRIVATE KEY-----

  9. Hi Kee Wee,

    First of all, nice post, thank you!
    I have a short question about this thread.

    I can’t determine what the advantage of this “all in one” client config is over using a single config (.ovpn) file with an encrypted PKCS#12 (.p12)?
    Thanks,
    letix

    • Hi letix,

      The main advantage is portability and ease of configuration. You can simply plug this config file into any OpenVPN client and it will immediately work. No need to edit the config file to point to the individual cert files.
      Hope this helps!

  10. Thank you for your quick response!
    From a security standpoint there is no difference between the two methods, right?

    • Hi letix,
      If you encrypt the private key, then yes, there is no difference between the two methods in terms of security.
