OpenVPN Insecure Config gives 500 error

Hi,

I’m guessing the OpenVPN “insecure” config is the one that embeds <key><ca><cert><tls-auth> all into the one .ovpn file.

If I try to download it, however, I am just getting an internal server error.

Hi Ian,

The “insecure” config button should not be visible when you have specified a password. That is a bug that has been raised but not yet fixed.

https://bugzilla.ipfire.org/show_bug.cgi?id=11048

I am the assignee on that bug. The scope was expanded a little and that effectively also includes trying to get the certs embedded into the config file as in your other post, but that has some challenges when the cert is password protected, as you then have to embed the cert in an encrypted form. It also includes having all the different versions of cert/config combination provided in one file so that there is only one button that provides all the different options in one go.

That bug is pushing my capabilities but I have made some progress with it and will continue to work on it.

Of course if someone else more capable than me wants to pick it up I don’t have any problems with that at all.


Gotcha, I’ve got somewhat of a workaround by putting the <ca> tag and <tls-auth> into the client.local.conf so that it puts them in all .ovpn files by default. I had to extract the <key> from the .p12 using openssl pkcs12 -in certs/client.p12 -nocerts -passout pass: -out clientkey.pem and then openssl rsa -in clientkey.pem -outform pem -out decryptedclientkey.pem

I can then manually embed it in the .ovpn.

If I understand what you are doing correctly, you are decrypting the key and then embedding it in plaintext into the .ovpn.

That seems to negate the point of having defined a password in the first place.

That is where I am looking at having an embedded encrypted key in the .ovpn that then requires the password to be supplied, which can then be located in the macOS or iPhone key stores so they are protected. I have found some examples of how that is done, but the challenge is to get that coded into the OpenVPN cgi page.

Glad you have a workaround that is working for you.

Ah yep, I wasn’t sure if iOS could extract an encrypted key from the .ovpn.

I believe iOS can, because there have been people raising this in the past that they want a secure embedded .ovpn and IPFire doesn’t provide it.

Unfortunately I don’t have a Mac or an iPhone, so if I create a fix, I won’t be able to test it out.

Maybe I can ask you to help with testing “when” I have come up with a fix :slightly_smiling_face: :wink:

Yep, sure thing, I have both a Mac and an iPhone. Can we put an encrypted PEM key directly in the <key></key> tags?

Great, thanks very much. Now I have to make it work.

That is what I believe from what I have read, but it can’t just be the standard encrypted key; it has to be created in a certain way. I can’t remember the terminology now off the top of my head but I will have to find it again. I had several tabs on my browser with web pages I had found on the topic and one day SeaMonkey decided that it would no longer be able to recover all my tabs. I now have to hunt through my history to see if I can find them.


Ah man, I hate when that happens.

I get the same error.
What can I do? I have a completely new installation of IPFire but also get the error every time.

Thx for the help.

Hi,

Known bug as per this comment by Adolf above.

Have to use the secure one for now, rip out the directives specifying the ta.key and .p12 files, and add your own <tls-auth><cert><key> directives to essentially build your own insecure (all-in-one) config file.

It is easy to do, just modify the “secure” .ovpn file that you download.

See my comments above for extracting the key from the .p12 file to use in the <key> directive.
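As an added example (not code from this thread or from IPFire) covering both the openssl extraction steps above and the "build your own all-in-one config" advice in the previous post: a POSIX shell script that pulls the certificates out of the .p12, keeps the private key encrypted under a passphrase instead of writing it decrypted, and inlines everything into the downloaded "secure" .ovpn. The file names (client.p12, ta.key in the current directory), the key-direction handling and passing the passwords as arguments are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from IPFire. Assumes a downloaded
# "secure" client .ovpn that references client.p12 and ta.key, the matching
# client.p12 and ta.key files, and the passwords passed in as arguments.
set -eu

# Pull the CA cert, client cert and private key out of the .p12. The key is
# re-wrapped under key_pass (-passout) rather than stripped, so it is never
# written to disk in plaintext and the password IPFire asked for still matters.
extract_from_p12() {
  p12=$1; p12_pass=$2; key_pass=$3; out=$4
  openssl pkcs12 -in "$p12" -passin "pass:$p12_pass" -cacerts -nokeys -out "$out/ca.crt"
  openssl pkcs12 -in "$p12" -passin "pass:$p12_pass" -clcerts -nokeys -out "$out/client.crt"
  openssl pkcs12 -in "$p12" -passin "pass:$p12_pass" -nocerts \
    -passout "pass:$key_pass" -out "$out/client.key"
}

# Keep only the PEM body: openssl pkcs12 prefixes "Bag Attributes" lines and
# ta.key starts with comment lines, neither of which belongs in an inline block.
pem_body() { sed -n '/^-----BEGIN/,/^-----END/p' "$1"; }

# Rewrite the .ovpn: drop the pkcs12/tls-auth (and any ca/cert/key) file
# directives and append <ca>, <cert>, <key> and <tls-auth> inline blocks. A
# direction argument on the tls-auth line becomes key-direction, which is how
# OpenVPN takes the direction when tls-auth is inline.
build_inline_ovpn() {
  src=$1; dir=$2; dst=$3
  direction=$(awk '$1 == "tls-auth" && NF >= 3 { print $3 }' "$src")
  grep -Ev '^(pkcs12|tls-auth|ca|cert|key)[[:space:]]' "$src" > "$dst"
  if [ -n "$direction" ]; then printf 'key-direction %s\n' "$direction" >> "$dst"; fi
  for sect in ca cert key tls-auth; do
    case $sect in
      ca) f=$dir/ca.crt ;; cert) f=$dir/client.crt ;;
      key) f=$dir/client.key ;; tls-auth) f=$dir/ta.key ;;
    esac
    { printf '<%s>\n' "$sect"; pem_body "$f"; printf '</%s>\n' "$sect"; } >> "$dst"
  done
}

# Usage: ./inline-ovpn.sh client.p12 <p12 password> <key passphrase> secure.ovpn
if [ "$#" -eq 4 ]; then
  work=$(mktemp -d)
  cp ta.key "$work/"
  extract_from_p12 "$1" "$2" "$3" "$work"
  build_inline_ovpn "$4" "$work" client-inline.ovpn
  rm -rf "$work"
fi
```

Whether a particular client app can prompt for the passphrase of an inline encrypted key is exactly the open question in this thread; what the script guarantees is only that the key never sits on disk or in the .ovpn in plaintext.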

I tried a workaround and updated to the newest version from the unstable branch and it’s working fine! But it’s a little bit slow, but that is another topic.

Best, Peter