To ease the deployment of the OpenVPN configuration and the public and private key files, a feature is available to include all of them in a single file. This is done by integrating the contents of the ca, cert, key, and optionally the tls-auth file into the client configuration file itself. In this recipe, we will set up such a configuration file and use it to connect to our standard OpenVPN server.
We will use the following network layout:
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the configuration file basic-udp-server.conf from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks, at hand, as well as the client configuration file basic-udp-client.conf.
Start the server with the configuration file from Chapter 2:
[root@server]# openvpn --config basic-udp-server.conf
Next, create the client configuration file:
client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
remote-cert-tls server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
# insert base64 blob from ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
# insert base64 blob from client1.crt
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
# insert base64 blob from client1.key
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
# insert ta.key
-----END OpenVPN Static key V1-----
</tls-auth>
Insert the contents of the ca.crt, client1.crt, client1.key and ta.key files into the configuration, replacing the placeholder comment lines, and save it as example10-3-client.conf. Note the separate key-direction 1 directive: with a file-based setup the direction is the second argument of tls-auth ta.key 1, but an inline <tls-auth> block has nowhere to carry that argument, so it must be given with key-direction instead. Without it the tls-auth HMAC check fails and the server silently drops the client's packets.
Start the client using the single file:
[root@client]# openvpn --config example10-3-client.conf
When OpenVPN parses the configuration file, it scans for the directives ca, cert, key, and tls-auth (and dh for server configuration files), but also for XML-like blocks starting with <ca>, <cert>, <key>, <tls-auth> and <dh> respectively. If such a block is found, its contents are read and treated in the same manner as if a file had been specified. The same inline form is accepted for the other file-taking directives (for example secret, pkcs12 and crl-verify, and tls-crypt from OpenVPN 2.4 onwards). When all the required configuration files or blocks are present, the connection is established.
Note that it is not required to treat all of the aforementioned directives in the same manner. It is also possible to inline only the CA certificate and the tls-auth key, as these tend to be identical for all clients, while each client's own certificate and private key remain in separate files referenced by cert and key. Whichever mix is used, a configuration file that contains a <key> block now holds the client's private key and must be protected in the same way as client1.key itself (owner-readable only, and never checked into a shared repository or mailed in the clear).