Is there any documentation or resource describing how to generate and host a profile for an OpenVPN client to import? Ideally I would like my users to not have to separately fetch a .zip file of the .ovpn + certs, extract it to the proper directory, tweak their .ovpn, etc.
4 Answers
Apparently since OpenVPN 2.1 an inline configuration has been supported, allowing you to locate your certs and keys all in a single configuration file. But the documentation about how to create this configuration file was not added until the recent release of 2.3. See the INLINE FILE SUPPORT section of the OpenVPN man page for more info.
```
client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
# insert base64 blob from ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
# insert base64 blob from client1.crt
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
# insert base64 blob from client1.key
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
# insert ta.key
-----END OpenVPN Static key V1-----
</tls-auth>
```
The docs for the config file are the same as the docs for the commandline options:
OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.
- Couldn't get it to work with the Windows Connect Client (http://openvpn.net/?option=com_content&id=357), it complains about something like `Could not read file C:\\...\[inline]` so it seems that the client does not know about inline certificates (yet). – Patrick Oscity Jun 01 '13 at 19:39
- Don't know if it helps, but I just left the ca, cert, key and tls-auth config values out and it works. – Ikke Sep 26 '13 at 20:00
- You should remove the lines with [inline]. Instead of tls-auth [inline] 1 you should use tls-direction 1 – plaisthos Sep 30 '13 at 13:43
- @plaisthos can you point me at some reference for this new tls-direction option? Like inline certificates it doesn't appear to be documented anywhere. I really wish someone would get the [man pages](http://openvpn.net/man.html) updated to describe the correct syntax. – Zoredache Sep 30 '13 at 17:01
- Sorry, it is key-direction 1. Got that mixed up. My patch to the man page has already been integrated. See the 2.3 man page under INLINE FILES: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage. I copied it to its own answer to make it more readable and accessible. – plaisthos Oct 01 '13 at 15:19
- @Zoredache sorry for any inconvenience, but is there any way to do this automatically? – QuyNguyen2013 Sep 09 '16 at 20:34
- @QuyNguyen2013 yes, I have the same question. I cannot imagine doing that manually. – Strubbl Oct 04 '16 at 18:34
- @Strubbl I believe the non-free version of OpenVPN can do this for you. AFAIK, with the FOSS release you are on your own for writing a script that generates keys and embeds them in a script. Perhaps someone has written something to do this and released source somewhere, but I personally don't really use this feature, so I never have had a reason to look for it, or write something myself. – Zoredache Oct 04 '16 at 18:40
- @Strubbl: see Steps 10 and 11 of this link https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04#step-11-generate-client-configurations – Sai Ramachandran May 15 '17 at 01:01
- @SaiRamachandran thanks for the link. Nice script to use there. – Strubbl May 17 '17 at 11:39
From the OpenVPN 2.3 man page (it has been supported since 2.1rc-something):

OpenVPN allows including files in the main configuration for the --ca, --cert, --dh, --extra-certs, --key, --pkcs12, --secret and --tls-auth options. Each inline file started by the line `<option>` and ended by the line `</option>`. Here is an example of an inline file usage:

```
<cert>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</cert>
```

When using the inline file feature with --pkcs12 the inline file has to be base64 encoded. Encoding of a .p12 file into base64 can be done for example with OpenSSL by running `openssl base64 -in input.p12`.

Also note the key-direction option:

--key-direction: Alternative way of specifying the optional direction parameter for the --tls-auth and --secret options. Useful when using inline files (See section on inline files).
This has been tested with OpenVPN 2.3.4 on a Debian 8.9 server with Win7 clients.

Step 1. Create a file containing your defaults (I call it inline_client.conf); all settings must match your server.conf values.
```
client
dev tun
proto udp
remote yourserver.xyz 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
;mute 20
ca [inline]
cert [inline]
key [inline]
tls-auth [inline] 1
```
Step 2. Create the following script, adjust paths as required and `chmod ug+x MakeInline.sh`:
```bash
#!/bin/bash
# Default Variable Declarations
DEFAULT="inline_client.conf"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".key"
CA="ca.crt"
TA="ta.key"
kPath="./keys/"
# The output file embeds the client's private key: create it owner-readable only
umask 077
# Ask for a Client name
echo "Please enter an existing Client Name:"
read -r NAME
echo "Please enter a Name for the output file"
read -r ovpnName
OUT="$ovpnName$FILEEXT"
# 1st Verify that client's Public Key Exists
if [ ! -f "$kPath$NAME$CRT" ]; then
    echo "[ERROR]: Client Public Key Certificate not found: $kPath$NAME$CRT"
    exit 1
fi
echo "Client's cert found: $kPath$NAME$CRT"
# Then, verify that there is a private key for that client
if [ ! -f "$kPath$NAME$KEY" ]; then
    echo "[ERROR]: Client 3des Private Key not found: $kPath$NAME$KEY"
    exit 1
fi
echo "Client's Private Key found: $kPath$NAME$KEY"
# Confirm the CA public key exists
if [ ! -f "$kPath$CA" ]; then
    echo "[ERROR]: CA Public Key not found: $kPath$CA"
    exit 1
fi
echo "CA public Key found: $kPath$CA"
# Confirm the tls-auth ta key file exists
if [ ! -f "$kPath$TA" ]; then
    echo "[ERROR]: tls-auth Key not found: $kPath$TA"
    exit 1
fi
echo "tls-auth Private Key found: $kPath$TA"
# Ready to make a new .ovpn file - Start by populating it with the defaults
cat "$DEFAULT" > "$OUT"
# Now, append the CA Public Cert (only the PEM block: easy-rsa .crt files also
# carry a human-readable dump before it, which must not end up inline)
echo "<ca>" >> "$OUT"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$kPath$CA" >> "$OUT"
echo "</ca>" >> "$OUT"
# Next append the client Public Cert
echo "<cert>" >> "$OUT"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$kPath$NAME$CRT" >> "$OUT"
echo "</cert>" >> "$OUT"
# Then, append the client Private Key
echo "<key>" >> "$OUT"
cat "$kPath$NAME$KEY" >> "$OUT"
echo "</key>" >> "$OUT"
# Finally, append the TA Private Key
echo "<tls-auth>" >> "$OUT"
cat "$kPath$TA" >> "$OUT"
echo "</tls-auth>" >> "$OUT"
echo "Done! $OUT Successfully Created."
# Script written by Eric Jodoin
# Update by Eric Maasdorp 2017-12-16
```
Step 3. Execute MakeInline.sh. It will ask for the name of a client, which you need to have already created with build-key or build-key-pass. It will ask for a name for the ovpn file. My standard is ServerToConnectTo.ClientName, which will produce ServerToConnectTo.ClientName.ovpn.

Note: if you used build-key instead of build-key-pass, then anyone that gets hold of the *.ovpn will have access to your server without a password!
- What's the 1 for after tls-auth in your template? Also, isn't tls-crypt more secure? – FalcoGer Feb 03 '20 at 17:17
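An added example, not code from any of the answers above: the same assembly MakeInline.sh does, in Python, followed by a parse of the result that checks every inline block is closed and not nested, which is worth doing before handing profiles out. The template is an assumed cut-down version of the answer's defaults with the `[inline]` lines dropped and `key-direction 1` used instead, as the comment thread on the first answer suggests; the PEM strings are constructed placeholders.

```python
import re

# Added example (not from the answers above): build an inline .ovpn the way
# MakeInline.sh does, then parse it back to check every block is balanced.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Za-z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)
OPEN_TAG = re.compile(r"^<([a-z-]+)>$")
CLOSE_TAG = re.compile(r"^</([a-z-]+)>$")
# Assumed template: the answer's defaults minus the "[inline]" lines, using
# key-direction 1 instead of "tls-auth [inline] 1" (see the comment thread).
TEMPLATE = "client\ndev tun\nproto udp\nremote yourserver.xyz 1194\nkey-direction 1\n"
# Constructed placeholder credentials, not real keys. FAKE_CA carries the kind
# of text preamble easy-rsa writes before the PEM, which extract_pem() strips.
FAKE_CA = "Certificate:\n    Data: ...\n-----BEGIN CERTIFICATE-----\nQ0EK\n-----END CERTIFICATE-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nQ0xJRU5UCg==\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nS0VZCg==\n-----END PRIVATE KEY-----\n"
FAKE_TA = "-----BEGIN OpenVPN Static key V1-----\n00ff\n-----END OpenVPN Static key V1-----\n"

def extract_pem(text):
    """Keep only the first PEM block, as the sed range in MakeInline.sh does."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(0)

def build_profile(template, ca, cert, key, ta):
    """Append one <tag>...</tag> block per credential to the option template."""
    parts = [template.rstrip("\n")]
    for tag, pem in zip(INLINE_TAGS, (ca, cert, key, ta)):
        parts.append(f"<{tag}>\n{extract_pem(pem)}\n</{tag}>")
    return "\n".join(parts) + "\n"

def parse_profile(profile):
    """Return (option_lines, {tag: body}); reject unbalanced or nested tags."""
    options, sections, current, buf = [], {}, None, []
    for line in profile.splitlines():
        m_open, m_close = OPEN_TAG.match(line), CLOSE_TAG.match(line)
        if current is None:
            if m_open:
                current = m_open.group(1)
            elif line.strip():
                options.append(line)
        elif m_close and m_close.group(1) == current:
            sections[current], current, buf = "\n".join(buf), None, []
        elif m_open or m_close:
            raise ValueError(f"bad tag {line!r} inside <{current}>")
        else:
            buf.append(line)
    if current is not None:
        raise ValueError(f"unterminated <{current}> section")
    return options, sections
```

Running `build_profile` over real files means reading each PEM from disk and writing the result with restrictive permissions, since the output embeds the private key.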
This Python script can be run on the server to generate the client keys and a profile. I'd inline it but it is not my creation and is long and may be updated periodically, and there are forks of it so odds are it will be searchable on the web for future web travelers. If the link doesn't work try searching "openvpn_gen.py".