
Embedding Certificates into OpenVPN Config

I found out a very cool configuration trick for OpenVPN while doing some read-up on OpenVPN encryption key size.

Partway through the thread, one of the users, “300000”, posted his/her configuration settings.
The part that caught my eye was the chunk of Base64-encoded certs.

I never knew you could embed the certs directly into the config file!

All this while I’ve been using the respective keywords to define the path to each individual cert file. This has made distributing the configuration to each user quite a pain: in addition to the config file, I have to send them the cert and key files and instruct them on where to put each one.

Now I can just pass them a single .ovpn file, tell them where to place it, and they are good to go. No more additional steps like telling them to download the cert files and place them in a specific directory.

To embed the certs, paste the PEM text of each file (the Base64 block together with its BEGIN and END lines) between the respective <ca></ca>, <cert></cert> and <key></key> tags in your .ovpn config file, and comment out the “ca”, “cert” and “key” keywords that pointed at the files.

client
remote my-server 1194
proto udp
dev tun
persist-key
persist-tun
resolv-retry infinite
nobind
#ca ca.crt
#cert client.crt
#key client.key
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
***Paste CA Cert Text Here***

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
***Paste Your Cert Text Here***

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***Paste Your Cert Private Key Here***

-----END PRIVATE KEY-----
</key>

There, simple.

Kee Wee

Kee Wee is an IT Specialist specialising in High Availability and Messaging solutions. He is a curious person who likes to build things and figure out how stuff works. This is where he shares his thoughts with the world.

  • Worked like a charm! Thanks a lot. I think this is a must if you want to use the profile on the OpenVPN iPhone app. Thanks a lot for sharing! 🙂

    abhi

    December 24, 2015

  • […] used the following page at Brainfart on embedding the certificates right into the VPN configuration […]

  • Thanks for writing this awesome article. I’m a long-time reader but I’ve never been compelled to leave a comment. I subscribed to your blog and shared this on my Facebook. Thanks again for a great post!

    www.9-blog.com

    December 3, 2016

  • Does this work for tls-auth too?

    key-direction 0

    John

    December 16, 2016

  • Hi John,

    Yes! This works for tls-auth too.

    Just include:
    <tls-auth>
    ...
    Server TLS Key
    ...
    </tls-auth>

    Remember to include the key-direction directive too:
    key-direction 1

    Kee Wee

    December 29, 2016
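The procedure in the post (comment out ca/cert/key, paste each PEM block between its tags) and the tls-auth/key-direction point in the reply above are easy to get wrong by hand, so here is a script that does the embedding from an existing client config. This is an added example, not code from the post or from the OpenVPN project; inline_ovpn and demo are my own names, and the PEM bodies in demo are constructed placeholders rather than real certificates or keys.

```python
import os
import re
import tempfile

# OpenVPN directives whose file argument can instead be an inline <name>...</name>
# block. tls-auth's optional direction argument must move to a key-direction line.
INLINE_DIRECTIVES = ("ca", "cert", "key", "tls-auth")
PEM_RE = re.compile(r"-----BEGIN [^-]+-----.*-----END [^-]+-----", re.S)


def inline_ovpn(config_text, base_dir):
    """Return config_text with the ca/cert/key/tls-auth files embedded.
    Each original directive is kept as a comment, matching the post's layout."""
    lines, blocks = [], []
    for line in config_text.splitlines():
        parts = line.split()
        if parts and parts[0] in INLINE_DIRECTIVES and len(parts) >= 2:
            name = parts[0]
            with open(os.path.join(base_dir, parts[1])) as f:
                pem = PEM_RE.search(f.read())
            if pem is None:  # refuse an empty or non-PEM file instead of embedding junk
                raise ValueError(f"{parts[1]} contains no PEM block")
            lines.append("#" + line)
            if name == "tls-auth" and len(parts) == 3:
                lines.append(f"key-direction {parts[2]}")
            blocks.append(f"<{name}>\n{pem.group(0)}\n</{name}>")
        else:
            lines.append(line)
    return "\n".join(lines + blocks) + "\n"


def demo():
    """Write a constructed client config and placeholder PEM files (not real
    keys) to a temp dir and return the single-file config produced from them."""
    pem = "-----BEGIN {0}-----\n{1}-PLACEHOLDER\n-----END {0}-----\n"
    files = {
        "ca.crt": pem.format("CERTIFICATE", "CA"),
        "client.crt": pem.format("CERTIFICATE", "CERT"),
        "client.key": pem.format("PRIVATE KEY", "KEY"),
        "ta.key": pem.format("OpenVPN Static key V1", "TA"),
    }
    config = ("client\nremote my-server 1194\nproto udp\ndev tun\npersist-key\n"
              "ca ca.crt\ncert client.crt\nkey client.key\ntls-auth ta.key 1\n")
    with tempfile.TemporaryDirectory() as d:
        for fname, body in files.items():
            with open(os.path.join(d, fname), "w") as f:
                f.write(body)
        result = inline_ovpn(config, d)
    # The merged .ovpn now holds the private key: when writing it to disk, give it
    # key-file permissions (e.g. os.chmod(path, 0o600)) before handing it out.
    return result
```

Because the single file now carries the private key, treat it exactly as you would the .key file: restrict its permissions and send it over a channel you would trust with the key itself.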

  • Any idea how I’d add the contents of a ‘dh2048.pem’ cert/file into an OVPN config file?

    Thanks 🙂

    Ben

    February 4, 2017

  • Setting the DH key is a server-side setting.
    Just include the dh parameter in your server.conf file and restart OpenVPN:
    dh /etc/openvpn/keys/dh2048.pem

    Kee Wee

    February 4, 2017

  • Thanks for your reply, Kee Wee.

    Server side for me, is my VPN provider.

    First off, I only have a basic understanding of VPNs and OVPN so apologies for my ignorance in what follows…

    I own an Asus DSL-AC68U that has server and client capability. I’m trying to set up the client capability. I’m hoping to be able to set my router as a VPN client to my VPN service provider.

    Only problem is, the Asus’s interface is a little spartan. I’m not sure there are enough fields available to put all the info in that’s required by my provider?

    I can import an .ovpn config
    I can manually paste the CA, Cert and Key into fields.
    It also offers a username and password field.

    But every time I try to connect to my VPN service provider from the router, it fails.

    I’m not entirely sure what’s going wrong. But I suspect the router is either incapable of providing ‘enough’ credentials due to the limited GUI interface or I’m doing something wrong.

    For what it’s worth, connecting using exactly the same .ovpn file and certs is fine from a laptop so I know I’m using the correct details.

    My VPN provider’s .ovpn file references four files/certs; the dh2048.pem, plus the CA, Cert and Key, plus it contains all the other parameters like host name, compression etc.

    Perhaps I’m barking up the wrong tree with the dh2048.pem thing. I was hoping that if I could include all the certs actually in the .ovpn config file, I could import that to the router and I’d be in business. Just can’t get anything to work though 🙁

    Could it be the encrypted ‘.key’? On a laptop, I get the option to enter a password for it. Not so in the Asus interface. Well, not outside the username and password fields that I suspect are unrelated.

    Hmmm. Got the feeling I might be trying to push water uphill here 🙂

    Ben

    February 4, 2017
