The first file, or .ovpn12 file, includes:

  • ovpn info (tls-client, client, nobind, dev tun, proto udp, tun-mtu, etc.)
  • Root Certificate (cacert) or <ca>
  • TLS Authentification Key or <tls-auth>

The second file, or .ovpn file, includes:

  • Client Certificate or <cert>
  • Private Key or <key>

Includes the five sections in the Manual Method all in an easy to run script.

Installation on IPFire

There is no web interface for this script. To run the script open the client console or terminal and access the IPFire box via SSH.

Once connected via SSH, create a directory for creating .ovpn files with this script. Example:

mkdir /root/ios
cd /root/ios

Locate the the <ovpn_file>.ovpn file obtained from the Download Client Package (zip) and copy the file to the /root/ios directory on the IPFire box.

Copy the code below to a file named create_ovpn12.sh into the same directory:

#!/bin/bash
set -e

# OpenVPN keychain script
#   started from openvpncmd_v28.sh (version = v28)
#
# Launch via:
#   create_ovpn12 ovpn_file password(PKCS12 File Password)
#
#   $1 param = YourNewOpenVPNfile.ovpn
#   $2 param = PKCS12 File Password
#
#   create_ovpn version 5a
#

if (( $# < 2 )); then
    echo "Usage: create_ovpn12 <ovpn_file> <PKCS12 File Password>"
    exit 1
fi

if grep -q "BEGIN CERTIFICATE" "$1"; then
    echo "Error: wrong .ovpn file"
    echo "Usage: create_ovpn12 <ovpn_file> <PKCS12 File Password>"
    exit 1
fi


cp "$1" tmp.ovpn
PKCS12_PW="$2"              #   PKCS12 File Password

#   Convert windows file to linux file (drop Carriage Returns)
sed -i 's/\r$//g' tmp.ovpn

#   get key & value from input ovpn file <ovpn_file>
while IFS=" " read -r key value remainder
do
    #echo "key=$key" ; echo "value=$value" ; echo "remainder=$remainder" ; echo
    case "$key" in
        verify-x509-name ) 
            RedIPaddr="$value" 
            ;;

        *pkcs12 )
            pkcs12File="$value" 
            ;;
    esac
done < tmp.ovpn

#   Comment out the "tls-auth ta.key" line and the "pkcs12 *.p12" line
sed -i -E -e 's/^tls-auth /#tls-auth /' -e 's/^pkcs12 /#pkcs12 /' tmp.ovpn

p12File=/var/ipfire/ovpn/certs/"$pkcs12File"

ovpnBasename=${pkcs12File%%.*}          # remove extension
ovpnFile="$ovpnBasename.ovpn"           # add new extension
ovpn12File="Install_first.$ovpnBasename.ovpn12"

printf "\nUsing $1 to create $ovpnFile and ${ovpnBasename}.ovpn12\n\n"

cp tmp.ovpn "$ovpnFile"
echo "key-direction bidirectional" >> $ovpnFile

# get Root Certificate (cacert) <ca>
echo "<ca>" >> $ovpnFile
cat /var/ipfire/ovpn/ca/cacert.pem | sed '/^-----BEGIN CERTIFICATE-----/,$!d' >> $ovpnFile
echo "</ca>" >> $ovpnFile
printf "created Root Certificate\n"


# get TLS-Authentification-Key <tls-auth>
echo "<tls-auth>" >> $ovpnFile
cat /var/ipfire/ovpn/certs/ta.key | sed '/^-----BEGIN OpenVPN Static key V1-----/,$!d' >> $ovpnFile
echo "</tls-auth>" >> $ovpnFile
printf "created TLS Authentification Key\n"
printf "created $ovpnFile\n\n"


# Output only client certificates to pem key file format (base64 / ASCII)
openssl pkcs12 -in $p12File -passin pass:$PKCS12_PW -clcerts -nokeys -out tmp.pem
printf "created Client Certificate\n"

# Output without certificates to pem key file format (base64 / ASCII)
openssl pkcs12 -nocerts -in $p12File -passin pass:$PKCS12_PW -passout pass:$PKCS12_PW -out key.pem

# Output ovpn12 file (binary / gibberish)
openssl pkcs12 -export -in tmp.pem -passin pass:$PKCS12_PW -passout pass:$PKCS12_PW -inkey key.pem -certfile /var/ipfire/ovpn/ca/cacert.pem -name $ovpnBasename -out $ovpn12File
printf "created ${ovpnBasename}.ovpn12\n\n"


# cleanup
rm tmp.ovpn
rm tmp.pem
rm key.pem
printf "clean-up files\n\n"

#echo "ovpn file = "
#cat $ovpnFile; echo
exit


Once copied and saved, enter:

chmod +x create_ovpn12.sh

and to run the command enter:

./create_ovpn12.sh <ovpn_file>.ovpn <PKCS12 File Password>

Copy the newly created ovpn12 and .ovpn files from the IPFire to the client computer. And now install the those files on the device via Files app.