Embedding Certificates into OpenVPN Config
I found a very cool configuration trick for OpenVPN while reading up on OpenVPN encryption key sizes.
In the middle of the thread, one of the users, “300000”, posted his/her configuration settings.
The part that caught my eye was the chunk of Base64-encoded certs.
I never knew you could embed the certs directly into the config file!
All this while I’ve been using the respective keywords to define the path to the individual cert files. This has made distributing the configuration to each user quite a pain, since in addition to the config file I have to send them the cert and key files and instruct them on where to put each one.
Now I can just pass them a single .ovpn file, tell them where to place it, and they are good to go. No more additional steps like telling them to download the cert files and place them in a specific directory.
To embed the certs, simply place the Base64-encoded cert text into the respective <ca> </ca>, <cert> </cert> and <key> </key> tags in your .ovpn config file and comment out the “ca”, “cert” and “key” keywords.
client
remote my-server 1194
proto udp
dev tun
persist-key
persist-tun
resolv-retry infinite
nobind
#ca ca.crt
#cert client.crt
#key client.key
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
***Paste CA Cert Text Here***
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
***Paste Your Cert Text Here***
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***Paste Your Cert Private Key Here***
-----END PRIVATE KEY-----
</key>
There, simple.
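As an added example (not from the original post), the conversion above done mechanically in Python: every `ca`, `cert` and `key` line is commented out and its file body appended as an inline block. It goes one step further than the post and also handles a `tls-auth <file> <direction>` line, moving the direction argument into a separate `key-direction` directive, and flags a passphrase-protected key, which only clients that can prompt for the passphrase will accept. The config text and PEM bodies are constructed placeholders.

```python
# File-backed directives the post inlines (ca/cert/key), plus tls-auth,
# which works the same way as long as key-direction is added.
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth")

# Constructed sample input: a client config in the post's style and
# placeholder PEM bodies standing in for real certificates and keys.
SAMPLE_CONFIG = """client
remote my-server 1194
proto udp
dev tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
verb 3"""

SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nCLIENT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\nTA-PLACEHOLDER\n-----END OpenVPN Static key V1-----\n",
}


def inline_ovpn(config_text, files):
    """Return (unified_config, warnings). Each `ca/cert/key/tls-auth <file>`
    line is commented out and replaced by an inline <tag>...</tag> block;
    `files` maps the referenced filename to that file's text."""
    lines, blocks, warnings = [], [], []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in FILE_DIRECTIVES:
            name, path = parts[0], parts[1].strip('"\'')
            if path not in files:
                raise FileNotFoundError(f"{name} references missing file {path}")
            body = files[path].strip()
            if "Proc-Type: 4,ENCRYPTED" in body:
                # Works for clients that prompt for the passphrase; GUIs
                # without a prompt (the router case in the comments) will fail.
                warnings.append(f"{path} is passphrase-protected")
            lines.append("#" + line)  # keep the old directive, commented out
            blocks.append(f"<{name}>\n{body}\n</{name}>")
            if name == "tls-auth" and len(parts) >= 3:
                # the direction argument becomes a standalone key-direction line
                lines.append(f"key-direction {parts[2]}")
        else:
            lines.append(line)
    return "\n".join(lines + blocks) + "\n", warnings


if __name__ == "__main__":
    unified, warns = inline_ovpn(SAMPLE_CONFIG, SAMPLE_FILES)
    print(unified)
```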
Kee Wee
Kee Wee is an IT Specialist specialising in High Availability and Messaging solutions. He is a curious person who likes to build things and figure out how stuff works. This is where he shares his thoughts with the world.
Leave a comment
[…] https://www.brainfart.sg/index.php/2012/05/embedding-certificate-into-openvpn-config/ […]
Setting up VPN on an iPhone with a Mikrotik RouterOS VPN server | @kentindell
October 15, 2015
Worked like a charm! Thanks a lot. I think this is a must if you want to use the profile in the OpenVPN iPhone app. Thanks a lot for sharing! 🙂
abhi
December 24, 2015
[…] used the following page at Brainfart on embedding the certificates right into the VPN configuration […]
IPFire Site-to-Site VPN (OpenVPN) with Edgerouter-X EdgeOS / Vyatta - David Biers
April 5, 2016
Thanks for writing this awesome article. I’m a long time reader but I’ve never been compelled to leave a comment. I subscribed to your blog and shared this on my Facebook. Thanks again for a great post!
www.9-blog.com
December 3, 2016
Does this work for tls-auth too?
…
key-direction 0
John
December 16, 2016
Hi John,
Yes! This works for tls-auth too
Just include:
<tls-auth>
...
Server TLS Key
...
</tls-auth>
Remember to include the key-direction directive too:
key-direction 1
Kee Wee
December 29, 2016
Any idea how I’d add the contents of a ‘dh2048.pem’ cert/file into an OVPN config file?
Thanks 🙂
Ben
February 4, 2017
Setting the DH key is a server side setting
Just include the dh parameter in your server.conf file and restart OpenVPN
dh /etc/openvpn/keys/dh2048.pem
Kee Wee
February 4, 2017
Thanks for your reply, Kee Wee.
Server side for me, is my VPN provider.
First off, I only have a basic understanding of VPNs and OVPN so apologies for my ignorance in what follows…
I own an Asus DSL-AC68U that has server and client capability. I’m trying to set up the client capability. I’m hoping to be able to set my router as a VPN client to my VPN service provider.
Only problem is, the Asus’s interface is a little spartan. I’m not sure there are enough fields available to put all the info in that’s required by my provider?
I can import an .ovpn config
I can manually paste the CA, Cert and Key into fields.
It also offers a username and password field.
But every time I try to connect to my VPN service provider from the router, it fails.
I’m not entirely sure what’s going wrong. But I suspect the router is either incapable of providing ‘enough’ credentials due to the limited GUI interface or I’m doing something wrong.
For what it’s worth, connecting using exactly the same .ovpn file and certs is fine from a laptop so I know I’m using the correct details.
My VPN provider’s .ovpn file references four files/certs; the dh2048.pem, plus the CA, Cert and Key, plus it contains all the other parameters like host name, compression etc.
Perhaps I’m barking up the wrong tree with the dh2048.pem thing. I was hoping that if I could include all the certs actually in the .ovpn config file, I could import that to the router and I’d be in business. Just can’t get anything to work though 🙁
Could it be the encrypted ‘.key’? On a laptop, I get the option to enter a password for it. Not so in the Asus interface. Well, not outside the username and password fields that I suspect are unrelated.
Hmmm. Got the feeling I might be trying to push water uphill here 🙂
Ben
February 4, 2017
Hi Ben,
You say your .key file is encrypted (if you look at the text of your .key file, you should see “Proc-Type: 4,ENCRYPTED” somewhere in it)? That might be the cause of your issue, as I believe the Asus router is not able to decrypt your private key automatically.
Do you have access to a Linux machine? You can try to decrypt your private key and import your key file into your router and try again.
https://techjourney.net/how-to-decrypt-an-enrypted-ssl-rsa-private-key-pem-key/
Kee Wee
March 6, 2017
Hi, I have a ivacy vpn ovpn file. But the cert and key is a separate file.
Would you be able to help me compile it to a single file?
I can send u the ovpn and the rest of the files. Can u email me: [email protected]
Thank you
Fenz
March 13, 2017
Hi Fenz,
Do keep your key file stored securely and do not transmit it to anyone else 😉
You can simply open the cert file and key file with Notepad, copy out the entire “-----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----” and “-----BEGIN PRIVATE KEY-----/-----END PRIVATE KEY-----” text and paste them into the respective tags.
Kee Wee
March 13, 2017
Hi Kee Wee.
I tried to follow your code but it didn’t work. The ivacy config is different.
Can you put the code for this config and I can paste the CRT and key in it?
Here is the Ivacy ovpn file config:
client
dev tun
proto tcp
remote au1-ovpn-tcp.ivacy.net 80
persist-key
persist-tun
ca ca.crt
tls-auth Wdc.key 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
route-method exe
route-delay 2
route 0.0.0.0 0.0.0.0
float
auth-user-pass
auth-retry interact
ifconfig-nowarn
Fenz
March 14, 2017
I cannot get this to work.
I am using OpenVPN 2.3.2 and testing the unified import with the client ovpn config. The error I am getting is: Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
I added the --tls-client as suggested by the error message and now I get this error:
Options error: You must define private key file (--key) or PKCS#12 file (--pkcs12)
carey
April 20, 2017
I cannot get this to work
first error
is
Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
I added the --tls-client directive as suggested by the error message.
new error after is
Options error: You must define private key file (--key) or PKCS#12 file (--pkcs12)
carey
April 20, 2017
Hey, sorry for the delayed response.
You will need to include your private key in the config file:
-----BEGIN PRIVATE KEY-----
***Paste Your Cert Private Key Here***
-----END PRIVATE KEY-----
Kee Wee
June 20, 2017
Hello, I urgently need your help. Could you please reply?
CZ1
June 14, 2017
Yup?
Kee Wee
June 20, 2017
Hi Kee Wee,
First of all, nice post, thank you!
I have a short question about this thread.
I can’t determine what the advantage of this “all in one” client config is over using a single config (.ovpn) file with an encrypted pkcs (.p12)?
Thanks,
letix
letix
August 1, 2017
Hi letix,
The main advantage is portability and ease of configuration. You can simply plug this config file into any OpenVPN client and it will immediately work. No need to edit the config file to point to the individual cert files.
Hope this helps!
Kee Wee
August 1, 2017
Thank you for your quick response!
From a security aspect, there is no difference between the two methods, right?
letix
August 2, 2017
Hi letix,
If you encrypt the private key, then yes, there is no difference between the two methods in terms of security.
Kee Wee
August 2, 2017