
Sorry this might be a noob question, but I subscribed to a VPN provider which ships its own app on Windows. Now I thought I'd prefer to use the OpenVPN client app instead.

I create a profile by providing it with a .ovpn file, which contains a <ca> block and a <tls-auth> block as well.

Upon connecting, OpenVPN fails with "Connection Error. Missing external certificate".

All those different certificates are quite abstract to me, but I think it needs a "client certificate". Is it something created for my profile by the VPN provider when I registered? Or can I generate it myself? When trying to add a certificate in the Windows OpenVPN app, I am asked for .p12 files. Also, when hitting "continue" (without external certificate), the connection never establishes.

For comparison, when I put the .ovpn file into NetworkManager on Linux, it works out of the box.

What is the missing step or package? It's never made clear on the VPN provider help pages.

Esa Jokinen
PlasmaBinturong

4 Answers


Here's what worked for me:

In my case, I'm using SurfShark. I don't know what resources other VPN providers offer, but I was able to download a certificate from SurfShark's website and install it on my Windows 10 PC by double clicking the downloaded file.

The next step is to open the Windows certificate manager, where you should be able to navigate to the location of the certificate that was installed. In my case it was under "Trusted Root Certification Authorities", labeled "SurfShark Root CA".

Use the toolbar or right-click to copy the certificate, then navigate to the "OpenVPN Certificate Store" folder in the certificate manager and paste the certificate there.

At this point you should be able to launch the OpenVPN app on Windows, select one of your profiles, edit, and you should be able to see your certificate in a drop down list.

Hope this helps...

Bob G


On my setup I can select "Continue" and OpenVPN connects. Despite this, the issue is that you need to tell OpenVPN which client certificate it should use. You can do this by editing the profile in OpenVPN and selecting it from the "Certificate" drop-down. The catch is that you can't just browse to your certificate here; you need to add it to your PC/user store first:

  • Windows key -> type "Certificate" -> select "Manage user certificates" -> from the list of certificate stores select "OpenVPN Certificate Store" -> right-click -> "All Tasks" -> "Import" -> only now can you browse to your client certificate.

After this, edit the profile in OpenVPN once again and you will be able to select your client certificate from the drop-down list.

Regards, George

George


EDIT: I missed the line about being able to put the OVPN into Linux NetworkManager and it working. That makes it more likely that the provider actually uses OpenVPN, and stranger that it doesn't work on Windows. There might be a missing certificate authority, that is, Windows might not trust the certificate the server uses where NetworkManager either does or just doesn't complain, in which case you need to find the relevant CA certificate and install it as trusted in Windows, or else convince OpenSSL to trust the leaf certificate directly. Or there might actually be a missing client cert, which is indeed usually a .p12 file but might have some other extension like .PFX. It could even be a .PEM or .CER or similar, possibly with a separate file containing the private key.


There are many different ways to build a VPN connection, and they are not compatible! At a minimum, you need to use a VPN protocol that your provider supports, which is quite possibly not the one OpenVPN supports. OpenVPN security is based on TLS (same protocol used to secure HTTPS), and tunnels the traffic through its own protocol. Other VPN programs use different means of establishing and securing a tunnel, such as PPTP, L2TP, SSTP, etc.

There's also the question of authentication. While OpenVPN supports many forms of authentication, the way it presents its credentials to the server may be different from what the server expects. You say you think you need a "client certificate", but even if that's correct, and even if you got the correct certificate, OpenVPN might not present it to the server in the way the server expects. The OpenVPN client could also just be confusing the server's error response for something else.

Finally, there's the question of credentials. If the official client bundles a secret key of some sort (such as the private key corresponding to a client certificate), you'll never be able to make your own client work without obtaining that key. Creating your own certificate certainly won't work, any more than logging into somebody else's Gmail by making up your own password for them would work.


Your best bet at this point, if you don't want to use the official client, is to look for instructions on using your own client. They might use a protocol built into many operating systems (like L2TP/IPsec, which is supported out of the box on Windows and easily configurable on Linux; not sure about macOS). They might actually use OpenVPN, and have specific instructions for how to obtain the required certificate. They might use something weird for which there nonetheless exists a third-party (ideally open-source) implementation that you can use.

One option is of course to just search the internet for references to using that company's VPN service without the official client, or with a particular client. Another option is to look up the instructions for using the service on other platforms, such as Linux or iOS, and see what software they say to use; even if you're on Windows that software might exist for Windows or you might be able to simply follow the provided steps using Windows' built-in VPN support.

Since you didn't provide any information about the VPN provider or their official client, we can't really be more specific than that.

CBHacking


In your .ovpn file, between the reneg-sec and cipher lines, add the following line:

setenv CLIENT_CERT 0

schroeder
  • Can you expand on this answer to explain what this configuration line does and how it answers the question? Just as you should comment your code, you should also not post raw code or configuration lines without explanation. – schroeder Apr 29 '21 at 06:41
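The thread above boils down to one diagnostic question: does the profile carry client-certificate material at all? George's answer covers the case where a .p12 exists and must be imported into the "OpenVPN Certificate Store"; CBHacking's answer notes the certificate may instead come as PEM files with a separate key; the last answer's `setenv CLIENT_CERT 0` is for profiles that authenticate by username/password only and therefore have no certificate to import. The following is an added example, not code from the original page or from OpenVPN: it parses an .ovpn profile (inline `<tag>` blocks and plain directives), classifies which of those cases applies, and, for the password-only case, inserts `setenv CLIENT_CERT 0` after `auth-user-pass` rather than at a fixed position between two other lines. The sample profiles, the hostname vpn.example.net and the PEM bodies are constructed placeholders; the status names and the advice strings are this example's own.

```python
import re

# OpenVPN inline blocks look like <ca>...</ca>, <cert>...</cert>, <key>...</key>, <tls-auth>...</tls-auth>.
INLINE_BLOCK = re.compile(r"<(?P<tag>[a-z-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)

# Constructed sample profile (not a real provider file; the PEM bodies are placeholders, not real keys).
PASSWORD_ONLY = """client
dev tun
proto udp
remote vpn.example.net 1194
auth-user-pass
reneg-sec 0
cipher AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""
# Same profile, but referencing an external PEM cert and key instead of a password (constructed).
EXTERNAL_PEM = PASSWORD_ONLY.replace("auth-user-pass\n", "cert client.crt\nkey client.key\n")
# Same profile with the client cert and key embedded inline (constructed placeholders).
INLINE_CERT = PASSWORD_ONLY + "<cert>\nPLACEHOLDER-CERT\n</cert>\n<key>\nPLACEHOLDER-KEY\n</key>\n"

ADVICE = {
    "inline": "Client cert and key are embedded in the profile; nothing to import.",
    "external-p12": "Import the referenced .p12 into the 'OpenVPN Certificate Store' "
                    "(certmgr: All Tasks -> Import), then pick it in the profile's Certificate drop-down.",
    "external-pem": "Pack the PEM cert and key into a .p12 first, e.g. "
                    "openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -out client.p12, "
                    "then import that .p12 into the 'OpenVPN Certificate Store'.",
    "no-cert-declared": "Profile already declares that no client certificate is needed (setenv CLIENT_CERT 0).",
    "password-only": "No certificate material and auth-user-pass is set: add 'setenv CLIENT_CERT 0' "
                     "so the client stops asking for an external certificate.",
    "unknown": "Neither certificate material nor auth-user-pass found; ask the provider how this profile authenticates.",
}


def parse_profile(text):
    """Split an .ovpn profile into inline blocks {tag: body} and directives {name: [[args], ...]}."""
    inline = {}

    def grab(match):
        inline[match.group("tag")] = match.group("body")
        return ""  # remove the block so its body is not parsed as directives

    remaining = INLINE_BLOCK.sub(grab, text)
    directives = {}
    for raw in remaining.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # '#' and ';' start comments
        if not line:
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return {"inline": inline, "directives": directives}


def client_cert_status(profile):
    """Classify how (or whether) the profile supplies a client certificate."""
    inline, d = profile["inline"], profile["directives"]
    if "cert" in inline and "key" in inline:
        return "inline"
    if "pkcs12" in d:
        return "external-p12"
    if "cert" in d or "key" in d:
        return "external-pem"
    if ["CLIENT_CERT", "0"] in d.get("setenv", []):
        return "no-cert-declared"
    if "auth-user-pass" in d:
        return "password-only"
    return "unknown"


def fix_profile(text):
    """For a password-only profile, add 'setenv CLIENT_CERT 0' right after auth-user-pass; otherwise return unchanged."""
    if client_cert_status(parse_profile(text)) != "password-only":
        return text
    out = []
    for line in text.splitlines():
        out.append(line)
        if line.strip().split()[:1] == ["auth-user-pass"]:
            out.append("setenv CLIENT_CERT 0")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, prof in [("password-only", PASSWORD_ONLY), ("pem files", EXTERNAL_PEM), ("inline", INLINE_CERT)]:
        status = client_cert_status(parse_profile(prof))
        print(f"{name:14s} -> {status}: {ADVICE[status]}")
    print(fix_profile(PASSWORD_ONLY))
```

Run it against the real .ovpn from the provider (read the file instead of the constructed samples) to see which answer applies before touching the Windows certificate store; a profile that never references a certificate will not be helped by importing the provider's root CA, because that CA is not a client certificate.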