openvpn: embedding pkcs12 into ovpn config
I guess I'm not sure where to ask this, so I'll try here.

I've been provided an ovpn file and a separate pkcs12 (p12) file.  The
ovpn file contains:

  pkcs12 /path/to/my.p12

I am using Ubuntu 16.10 and I have network-manager-openvpn-gnome,
network-manager-openvpn, and openvpn itself all installed (as well as
openssl etc.)  If I add a new VPN by importing this ovpn configuration
it works, so yay!

Next I need to distribute this file to a group of users and I'd like to
simplify it somewhat.  So, I have two questions:


First, is it possible to add a setting to the ovpn file that will cause
networkmanager to automatically check the IPv4 (and IPv6) "Use this
connection only for resources on its network" box, without requiring the
user to do it?  I'd really like to have the routing set up that way, by
default, for the users.


Second, I really want to use an embedded certificate format in the ovpn
for the pkcs12 file rather than shipping two separate files.  I see that
(from what I can tell) I should be able to replace the above line with
this in my ovpn file:

<pkcs12>
-----BEGIN CERTIFICATE-----
  ...certificate...
-----END CERTIFICATE-----
</pkcs12>

And, I see that the certificate has to be base64 encoded; of course my
.p12 file is not: it's just a binary file.

So after reading some things I ran this:

  openssl base64 -in /path/to/my.p12 > my.p12.b64

Then I imported that my.p12.b64 into my ovpn file in between the
BEGIN/END CERTIFICATE lines.  This SEEMED to work in that networkmanager
accepted the contents of that file without complaint, but when I attempt
to connect it fails.  Looking at journalctl output I see the error is:

nm-openvpn[31545]: OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016
nm-openvpn[31545]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
nm-openvpn[31545]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
nm-openvpn[31545]: OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
nm-openvpn[31545]: OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
nm-openvpn[31545]: Error reading PKCS#12 file /home/paul/.cert/nm-openvpn/my-pkcs12.pem
nm-openvpn[31545]: Exiting due to fatal error
NetworkManager[948]: nm-openvpn[31539] <warn>  openvpn[31545] exited with error code 1

Looking at /home/paul/.cert/nm-openvpn/my-pkcs12.pem I can see that it's
not the same as my original .p12 file, plus by the name it seems that a
PEM file is expected here instead maybe?

All my attempts to work out what format things need to be in to make
this work have failed.

Anyone have any help for either of these problems?

Thanks!

