Inline certificates

To ease the deployment of OpenVPN configuration, and public and private key files, a new feature is available to include all of them in a single file. This is done by integrating the contents of the ca, cert, key, and optionally the tls-auth file into the client configuration file itself. In this recipe, we will set up such a configuration file and use it to connect to our standard OpenVPN server.

Getting ready

We will use the following network layout:

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks at hand, as well as the client configuration file, basic-udp-client.conf.

How to do it...

  1. First, start the server:
    [root@server]# openvpn --config basic-udp-server.conf
    
  2. Create the client configuration file:
            client 
            proto udp 
            remote openvpnserver.example.com 
            port 1194 
            dev tun 
            nobind 
     
            remote-cert-tls server 
            key-direction 1 
     
            <ca> 
            -----BEGIN CERTIFICATE----- 
            # insert base64 blob from ca.crt 
            -----END CERTIFICATE----- 
            </ca> 
     
            <cert> 
            -----BEGIN CERTIFICATE----- 
            # insert base64 blob from client1.crt 
            -----END CERTIFICATE----- 
            </cert> 
     
            <key> 
            -----BEGIN PRIVATE KEY----- 
            # insert base64 blob from client1.key 
            -----END PRIVATE KEY----- 
            </key> 
     
            <tls-auth> 
            -----BEGIN OpenVPN Static key V1----- 
            # insert ta.key 
            -----END OpenVPN Static key V1----- 
            </tls-auth> 
    

    Insert the contents of the ca.crt, client1.crt, client1.key, and ta.key files into the configuration. Save it as example10-3-client.conf.

  3. Then, connect the client:
    [root@client]# openvpn --config example10-3-client.conf
    

How it works...

When OpenVPN parses the configuration file, it scans for the directives ca, cert, key, and tls-auth (and dh for server configuration files), but also for XML-like blocks starting with <ca>, <cert>, <key>, <tls-auth>, and <dh> respectively. If such a block is found, its contents are read and treated in the same manner as if a file had been specified. When all the required configuration files or blocks are present, the connection is established.

Note that it is not required to treat all of the aforementioned directives in the same manner. It is also possible to specify an inline block only for the CA certificate and the tls-auth key, as these files tend to be static across all the clients, while the per-client certificate and key are still referenced as files.
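The following script is an added example, not part of the original recipe and not OpenVPN's own code. It automates step 2 above (turning a file-based client configuration into a single inline one) and mirrors the parsing rule just described: for each of ca, cert, key, and tls-auth it reports whether the value comes from a file directive, an inline block, or is missing. Two details worth seeing in code: the direction argument of the tls-auth directive has no place inside a <tls-auth> block, so it is re-emitted as the separate key-direction directive that the recipe's configuration uses; and because the finished file now carries the client's private key, it is written with mode 0600. The sample configuration and PEM bodies are constructed stand-ins, not real certificates or keys.

```python
import os
import re

# Directives that OpenVPN 2.x accepts either as a file path or as an
# inline <tag>...</tag> block in a client configuration.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth")


def inline_block(tag, pem_text):
    """Wrap the contents of a PEM or static-key file in an inline block.

    A truncated copy-paste (no BEGIN/END pair) is rejected here instead of
    surfacing later as an obscure TLS error at connect time.
    """
    if tag not in INLINE_TAGS:
        raise ValueError("unsupported inline tag: %s" % tag)
    lines = [ln.rstrip() for ln in pem_text.strip().splitlines()]
    if (not lines or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("%s: not a complete PEM/static-key file" % tag)
    return "<%s>\n%s\n</%s>\n" % (tag, "\n".join(lines), tag)


def build_inline_config(base_config, contents):
    """Return a single-file config built from a file-based one.

    base_config: text of a client config using 'ca', 'cert', 'key' and
                 'tls-auth <file> <direction>' directives.
    contents:    dict mapping a subset of INLINE_TAGS to the file contents.
    Directives named in 'contents' are dropped and replaced by inline
    blocks; any other directive is kept. The tls-auth direction argument
    cannot live inside the block, so it becomes 'key-direction N'.
    """
    kept = []
    key_direction = None
    for line in base_config.splitlines():
        parts = line.split()
        if parts and parts[0] in contents:
            if parts[0] == "tls-auth" and len(parts) >= 3:
                key_direction = parts[2]
            continue  # replaced by an inline block below
        kept.append(line.rstrip())
    out = "\n".join(kept).rstrip() + "\n"
    if ("tls-auth" in contents and key_direction is not None
            and not re.search(r"^key-direction\b", out, re.M)):
        out += "key-direction %s\n" % key_direction
    for tag in INLINE_TAGS:
        if tag in contents:
            out += "\n" + inline_block(tag, contents[tag])
    return out


def check_config(config_text):
    """Report how each required item is supplied: 'file', 'inline' or None.

    This is the rule OpenVPN applies while parsing: a plain directive names
    a file, an XML-like block carries the contents, and either satisfies it.
    """
    result = {tag: None for tag in INLINE_TAGS}
    for tag in INLINE_TAGS:
        esc = re.escape(tag)
        if re.search(r"^%s\s+\S" % esc, config_text, re.M):
            result[tag] = "file"
        elif re.search(r"^<%s>\n.*?^</%s>" % (esc, esc), config_text, re.M | re.S):
            result[tag] = "inline"
    return result


def write_config(path, config_text):
    """Write the config with mode 0600: it now embeds the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(config_text)


# Constructed sample inputs (not real keys): short bodies stand in for the
# base64 blobs that would come from ca.crt, client1.crt, client1.key, ta.key.
SAMPLE_BASE_CONFIG = """\
client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
"""

SAMPLE_FILES = {
    "ca": "-----BEGIN CERTIFICATE-----\nMIIBsampleCA==\n-----END CERTIFICATE-----\n",
    "cert": "-----BEGIN CERTIFICATE-----\nMIIBsampleClient==\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN PRIVATE KEY-----\nMIIEsampleKey==\n-----END PRIVATE KEY-----\n",
    "tls-auth": "-----BEGIN OpenVPN Static key V1-----\n0123abcd\n-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    cfg = build_inline_config(SAMPLE_BASE_CONFIG, SAMPLE_FILES)
    print(cfg)
    print(check_config(cfg))
```

Passing only the ca and tls-auth entries in the contents dict produces the partially inlined form mentioned above: those two become blocks while cert and key stay as file directives, and check_config reports exactly that mix.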

There's more...

As stated in the first version of the OpenVPN 2 Cookbook, it was also possible to specify an inline file using the [[inline]] tag. However, this tag was never properly documented and starting with OpenVPN 2.3 it is no longer functional.
