OpenVPN configs with inline data

I’ve been issuing a lot of x.509 certs and OpenVPN user configurations lately, and I came across something that has reduced the complexity quite a bit. It seems that OpenVPN configuration files can now include data inline. So rather than generating and distributing the following for each user:

  • a configuration file
  • a chain of CA certs
  • a client certificate
  • a client key
  • a tls HMAC authentication file
  • the OpenVPN client

one may distribute to users just the following:

  • a configuration file with data inline
  • the OpenVPN client

This process and the process of creating new users/certificates is automated by the fine people who develop OpenVPN itself and the OpenVPN AS management software. It is good to know that if you are unable to use this service, the process is at least much less complicated these days.

One thing to keep in mind is that some platforms do not support all OpenVPN configuration file options. One in particular that has been giving me trouble is the dev and dev-type options. If your configuration file (.ovpn or .conf) is intended for use with Tunnelblick on OSX, be sure to set dev to either tun or tap, and be sure not to use the dev-type option. It seems that the tuntap code on OSX does not support arbitrary names for the devices; the device names must be generated by the kernel.

This entry was posted in CentOS, debian, Free Software, linux, Networking, OpenVPN, OSX, security, Software, tls, tuntap, ubuntu, Windows, work, x509. Bookmark the permalink.

2 Responses to OpenVPN configs with inline data

  1. mirabilos says:

    Eh, that’s funny about OSX, because on BSD (where the device names are also fixed – {tun,tap}N where N is an unsigned integer – but need not be sequential), you specify *only* dev-type and *not* dev…

Leave a Reply