OpenVPN – Creating OVPN configuration files

back to OpenVPN

OVPN File Format

So far, I copied a bundle of files from the server to the client so that TunnelBlick could connect. TunnelBlick then copies all these files to a directory that it manages and stores everything there. This works, but it's a little clunky, and it's cumbersome where mobile clients are concerned, because the underlying filesystem is normally hidden by the OS.

To recap, the files needed by a VPN client are

  • Certificate Authority Certificate
  • The Certificate for the Client Machine
  • The private key for the Client Machine
  • The TLS key for setting up the secure link
  • And finally, the actual configuration file for the client: the server IP, connection type, protocol, etc.

There is a way to merge all of these into a single file that can be passed to the client. This is especially useful when you are setting up mobile clients. For each file we need to include, we surround its contents with an appropriate XML-style tag.

In the client config file, change each property that supplies a file name so that the file's contents are embedded between the XML-style tags instead.

From the OpenVPN community man page found here:

OpenVPN allows including files in the main configuration for the --ca, --cert, --dh, --extra-certs, --key, --pkcs12, --secret, --crl-verify, --http-proxy-user-pass, --tls-auth and --tls-crypt options.
Each inline file started by the line <option> and ended by the line </option>

Here is an example of an inline file usage

<cert>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</cert>

When using the inline file feature with --pkcs12 the inline file has to be base64 encoded. Encoding of a .p12 file into base64 can be done for example with OpenSSL by running openssl base64 -in input.p12

Certificate Authority certificate file

Using the information above we can replace

ca ca.cert

with

<ca>
-----BEGIN CERTIFICATE-----
MIIDYzCCAkugAwIBAgIUMGU
... lots of characters ...
qn3Au7KxKg==
-----END CERTIFICATE-----
</ca>

Client Certificate and Key

we replace

cert client.crt

with

<cert>
-----BEGIN CERTIFICATE-----
MIIDZDCCAkygAwIBAgIRAK79p
...
1WVBRbsXq4Y=
-----END CERTIFICATE-----
</cert>

and key client.key is replaced with

<key>
-----BEGIN PRIVATE KEY-----
ABCDEFG ...
-----END PRIVATE KEY-----
</key>

TLS Key

and finally the "tls-auth ta.key 1" line becomes

# tls-auth ta.key 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXXX
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

Note:

There are two configuration options that need to be set here:

  • TLS key: the actual key used for the TLS handshake
  • The key direction parameter: either 0 or 1. It's easy to miss out on the key direction, and if you do (as I have done before!) the connection will fail.

At this point we have merged the five files into a single configuration file, which is far easier to load into client software.
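The whole merge described above, as an added example rather than anything from the original post: a small POSIX shell script that strips the four file-referencing lines from a client config, appends each file inside its <ca>, <cert>, <key> and <tls-auth> tags, and moves the direction argument of tls-auth to its own key-direction line. The file names, the base config and the PEM bodies are constructed placeholders (they are not real credentials), and the check function only verifies the layout of the result, not that OpenVPN accepts the key material.

```shell
#!/bin/sh
# Added example, not from the original post: assemble a single-file .ovpn by
# inlining the CA certificate, client certificate, client key and TLS key into
# the client config, as the section above describes step by step.
# File names, the base config and the PEM bodies are constructed placeholders.
set -eu

# make_inline_ovpn BASE_CONF CA CERT KEY TA OUT
# Copies BASE_CONF minus the file-referencing ca/cert/key/tls-auth lines, then
# appends each file wrapped in <option> ... </option> and a key-direction line
# carrying the direction argument that used to sit on the tls-auth line.
make_inline_ovpn() {
    base=$1; ca=$2; cert=$3; key=$4; ta=$5; out=$6
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base" > "$out"
    for pair in "ca:$ca" "cert:$cert" "key:$key" "tls-auth:$ta"; do
        tag=${pair%%:*}
        file=${pair#*:}
        printf '<%s>\n' "$tag" >> "$out"
        cat "$file" >> "$out"
        printf '</%s>\n' "$tag" >> "$out"
    done
    # "tls-auth ta.key 1" -> direction 1; default to 1 if the line had none
    dir=$(awk '$1 == "tls-auth" { print $3 }' "$base")
    printf 'key-direction %s\n' "${dir:-1}" >> "$out"
    # the file now carries the private key: restrict it to the owner
    chmod 600 "$out"
}

# check_inline_ovpn FILE
# Returns 0 when all four inline sections and key-direction are present and
# no file-based ca/cert/key/tls-auth option is left over (a leftover line is
# why a client may still look for separate files next to the .ovpn).
check_inline_ovpn() {
    f=$1
    for tag in ca cert key tls-auth; do
        grep -q "^<$tag>\$" "$f" || return 1
        grep -q "^</$tag>\$" "$f" || return 1
    done
    grep -q '^key-direction [01]$' "$f" || return 1
    ! grep -Eq '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$f"
}

# --- constructed sample input (placeholders, not real credentials) ---
work=$(mktemp -d)
cat > "$work/client.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
verb 3
EOF
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER_CA_BODY' '-----END CERTIFICATE-----' > "$work/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER_CLIENT_CERT_BODY' '-----END CERTIFICATE-----' > "$work/client.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER_CLIENT_KEY_BODY' '-----END PRIVATE KEY-----' > "$work/client.key"
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER_TA_KEY_BODY' '-----END OpenVPN Static key V1-----' > "$work/ta.key"

make_inline_ovpn "$work/client.conf" "$work/ca.crt" "$work/client.crt" \
                 "$work/client.key" "$work/ta.key" "$work/client.ovpn"
check_inline_ovpn "$work/client.ovpn" && echo "client.ovpn assembled in $work"
```

Because the merged .ovpn now contains the client's private key, treat it exactly as you would client.key: the script sets mode 600 on it, and it should travel to a mobile device over a protected channel rather than plain e-mail.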

OpenVPN Connect Client

If you take the time to create the .ovpn file then you will be able to use the official OpenVPN Connect client. You can simply drag and drop the .ovpn client file onto the application and that is it.

TunnelBlick Client

The TunnelBlick client also accepts .ovpn files, so you can simply drag and drop the file into the open TunnelBlick window.