The first file, the .ovpn12 file (the script names it Install_first.<name>.ovpn12 because it has to be installed first), is a PKCS#12 bundle and holds what a normal profile carries in <cert> and <key>:
- Client Certificate (<cert>)
- Private Key (<key>)
- Root Certificate (cacert), added as the chain certificate
The second file, the .ovpn file, holds:
- ovpn info (tls-client, client, nobind, dev tun, proto udp, tun-mtu, etc.)
- Root Certificate (cacert) as <ca>
- TLS Authentication Key as <tls-auth>
The script below combines the five sections of the Manual Method into one easy-to-run script.
Installation on IPFire
There is no web interface for this script. To run it, open a console or terminal on the client and log in to the IPFire box via SSH.
Once connected via SSH, create a working directory in which the script will write the .ovpn and .ovpn12 files. Example:
mkdir /root/ios
cd /root/ios
Locate the <ovpn_file>.ovpn
file obtained from the Download Client Package (zip) and copy it to the /root/ios
directory on the IPFire box.
Copy the code below into a file named create_ovpn12.sh
in the same directory:
#!/bin/bash
set -e
# OpenVPN keychain script
# started from openvpncmd_v28.sh (version = v28)
#
# Launch via:
# create_ovpn12 ovpn_file password(PKCS12 File Password)
#
# $1 param = YourNewOpenVPNfile.ovpn
# $2 param = PKCS12 File Password
#
# create_ovpn version 5a
#
if (( $# < 2 )); then
    echo "Usage: create_ovpn12 <ovpn_file> <PKCS12 File Password>"
    exit 1
fi
# The input is the plain .ovpn from the Download Client Package (zip), which references
# the .p12 by file name; an .ovpn that already carries inline certificates is the wrong one
if grep -q "BEGIN CERTIFICATE" "$1"; then
    echo "Error: wrong .ovpn file"
    echo "Usage: create_ovpn12 <ovpn_file> <PKCS12 File Password>"
    exit 1
fi
# Everything written here is secret material (ta.key, client private key): create the
# files owner-only, and remove the intermediates even if a later step fails under set -e
umask 077
trap 'rm -f tmp.ovpn tmp.pem key.pem' EXIT
cp "$1" tmp.ovpn
PKCS12_PW="$2" # PKCS12 File Password
# Convert windows file to linux file (drop Carriage Returns)
sed -i 's/\r$//g' tmp.ovpn
# get the .p12 file name from the "pkcs12 <name>.p12" line of the input ovpn file <ovpn_file>
pkcs12File=""
while IFS=" " read -r key value remainder
do
    #echo "key=$key" ; echo "value=$value" ; echo "remainder=$remainder" ; echo
    case "$key" in
        *pkcs12 )
            pkcs12File="$value"
            ;;
    esac
done < tmp.ovpn
if [ -z "$pkcs12File" ]; then
    echo "Error: no pkcs12 line found in $1"
    exit 1
fi
p12File=/var/ipfire/ovpn/certs/"$pkcs12File"
if [ ! -f "$p12File" ]; then
    echo "Error: $p12File not found"
    exit 1
fi
# Comment out the "tls-auth ta.key" line and the "pkcs12 *.p12" line; both are inlined below
sed -i -E -e 's/^tls-auth /#tls-auth /' -e 's/^pkcs12 /#pkcs12 /' tmp.ovpn
ovpnBasename=${pkcs12File%%.*} # remove extension
ovpnFile="$ovpnBasename.ovpn" # add new extension
ovpn12File="Install_first.$ovpnBasename.ovpn12"
printf "\nUsing %s to create %s and %s.ovpn12\n\n" "$1" "$ovpnFile" "$ovpnBasename"
cp tmp.ovpn "$ovpnFile"
# The commented-out tls-auth line carried no direction parameter, so the inline key
# is declared bidirectional as well
echo "key-direction bidirectional" >> "$ovpnFile"
# get Root Certificate (cacert) <ca>; cacert.pem starts with a text dump, keep from the PEM header on
echo "<ca>" >> "$ovpnFile"
sed '/^-----BEGIN CERTIFICATE-----/,$!d' /var/ipfire/ovpn/ca/cacert.pem >> "$ovpnFile"
echo "</ca>" >> "$ovpnFile"
printf "created Root Certificate\n"
# get TLS-Authentication-Key <tls-auth>; ta.key starts with comment lines, keep from the header on
echo "<tls-auth>" >> "$ovpnFile"
sed '/^-----BEGIN OpenVPN Static key V1-----/,$!d' /var/ipfire/ovpn/certs/ta.key >> "$ovpnFile"
echo "</tls-auth>" >> "$ovpnFile"
printf "created TLS Authentication Key\n"
printf "created %s\n\n" "$ovpnFile"
# Output only the client certificate to PEM (base64 / ASCII)
openssl pkcs12 -in "$p12File" -passin "pass:$PKCS12_PW" -clcerts -nokeys -out tmp.pem
printf "created Client Certificate\n"
# Output only the private key to PEM, kept encrypted with the same password while on disk
openssl pkcs12 -nocerts -in "$p12File" -passin "pass:$PKCS12_PW" -passout "pass:$PKCS12_PW" -out key.pem
# Re-bundle client certificate, private key and root certificate as the .ovpn12 (binary PKCS#12)
openssl pkcs12 -export -in tmp.pem -passin "pass:$PKCS12_PW" -passout "pass:$PKCS12_PW" -inkey key.pem -certfile /var/ipfire/ovpn/ca/cacert.pem -name "$ovpnBasename" -out "$ovpn12File"
printf "created %s.ovpn12\n\n" "$ovpnBasename"
# cleanup (the trap above also covers the error case)
rm -f tmp.ovpn tmp.pem key.pem
printf "clean-up files\n\n"
#echo "ovpn file = "
#cat "$ovpnFile"; echo
exit
Once copied and saved, make the script executable:
chmod +x create_ovpn12.sh
and run it with the .ovpn file and the PKCS12 password of the client:
./create_ovpn12.sh <ovpn_file>.ovpn <PKCS12 File Password>
The password is given on the command line, so it is visible in the shell history and in the process list while the script runs.
Copy the newly created .ovpn12
and .ovpn
files from the IPFire box to the client computer over a secure channel such as scp: the .ovpn12 holds the client's private key and the .ovpn holds the shared ta.key. Then install the files on the device via the Files app, the Install_first.<name>.ovpn12 file first and the .ovpn file second, and delete the copies left in /root/ios once they are on the device.
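Before the two files go to the device, it is worth checking that the .ovpn is self-contained (inline <ca> and <tls-auth>, no references to files that only exist on the IPFire box, no inline client cert or key) and that the .ovpn12 actually opens with the password and was issued by the CA the profile carries. The check script below is an added example and is not part of this page or of create_ovpn12.sh; its file name, function names and the sample inputs used to try it are assumptions, and it relies only on grep, sed and the openssl tool already used above.

```shell
#!/bin/bash
# Added example (not from the IPFire page or create_ovpn12.sh): sanity-check the
# .ovpn/.ovpn12 pair produced by the script before copying it to the device.
# Usage: ./check_ovpn_pair.sh <name>.ovpn Install_first.<name>.ovpn12 <PKCS12 password>
# Script name, function names and sample inputs are assumptions of this example.

# check_ovpn_profile <file.ovpn>
# Prints one line per finding and returns 1 if anything is wrong, 0 otherwise.
check_ovpn_profile() {
    local f="$1" rc=0 tag
    # create_ovpn12.sh comments out "tls-auth ta.key" and "pkcs12 <name>.p12";
    # any uncommented file reference would make the device look for a file it lacks
    if grep -Eq '^(tls-auth|pkcs12|ca|cert|key) ' "$f"; then
        echo "$f: still references an external certificate/key file"; rc=1
    fi
    # exactly one <ca> and one <tls-auth> block, each holding the expected PEM armour
    for tag in ca tls-auth; do
        if [ "$(grep -c "^<$tag>\$" "$f")" -ne 1 ] || [ "$(grep -c "^</$tag>\$" "$f")" -ne 1 ]; then
            echo "$f: missing or duplicated <$tag> block"; rc=1
        fi
    done
    if ! sed -n '/^<ca>$/,/^<\/ca>$/p' "$f" | grep -q '^-----BEGIN CERTIFICATE-----$'; then
        echo "$f: <ca> block holds no PEM certificate"; rc=1
    fi
    if ! sed -n '/^<tls-auth>$/,/^<\/tls-auth>$/p' "$f" | grep -q '^-----BEGIN OpenVPN Static key V1-----$'; then
        echo "$f: <tls-auth> block holds no OpenVPN static key"; rc=1
    fi
    # the client certificate and key travel in the .ovpn12, never inline in this profile
    if grep -Eq '^<(cert|key)>$' "$f"; then
        echo "$f: inline <cert>/<key> found; these belong in the .ovpn12"; rc=1
    fi
    # the tls-auth line that would carry a direction is commented out, so key-direction must exist
    if ! grep -q '^key-direction ' "$f"; then
        echo "$f: no key-direction line"; rc=1
    fi
    # a profile edited on Windows may still carry CR line endings
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: has CR line endings (Windows file)"; rc=1
    fi
    return $rc
}

# check_ovpn12 <file.ovpn12> <file.ovpn> <password>
# The bundle must open with the password, and the client certificate in it must
# verify against the CA inlined in the .ovpn; otherwise the two files do not belong
# together (or the password is wrong) and the server would reject the client.
check_ovpn12() {
    local p12="$1" ovpn="$2" pw="$3" tmp rc=0
    tmp=$(mktemp -d) || return 1
    # extract the <ca> block without its tag lines
    sed -n '/^<ca>$/,/^<\/ca>$/p' "$ovpn" | sed '1d;$d' > "$tmp/ca.pem"
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys \
            -out "$tmp/client.pem" 2>/dev/null; then
        echo "$p12: cannot be opened with the given PKCS12 password"; rc=1
    elif ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/client.pem" >/dev/null 2>&1; then
        echo "$p12: client certificate does not verify against the <ca> in $ovpn"; rc=1
    else
        # show whose certificate this is and when it expires
        openssl x509 -in "$tmp/client.pem" -noout -subject -enddate
    fi
    rm -rf "$tmp"
    return $rc
}

if [ $# -eq 3 ]; then
    check_ovpn_profile "$1" && check_ovpn12 "$2" "$1" "$3" && echo "OK: $1 and $2 are consistent"
fi
```

Run it on the IPFire box in /root/ios right after create_ovpn12.sh; a clean run prints the client certificate's subject and expiry followed by the OK line, and any finding names the file and the problem so it can be fixed before the profile is imported on the device.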