OpenVPN inline files: embedding the client certificates into the configuration file

Original post
2021/01/28 15:12
4.3K reads

1. Official documentation (2.5)

INLINE FILE SUPPORT
OpenVPN allows including files in the main configuration for the --ca, --cert, --dh, --extra-certs, --key, --pkcs12, --secret, --crl-verify, --http-proxy-user-pass, --tls-auth, --auth-gen-token-secret, --tls-crypt and --tls-crypt-v2 options.

Each inline file starts with the line <option> and ends with the line </option>

Here is an example of an inline file usage

<cert>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</cert>

When using the inline file feature with --pkcs12 the inline file has to be base64 encoded. Encoding of a .p12 file into base64 can be done for example with OpenSSL by running openssl base64 -in input.p12

2. Explanation of the rule

OpenVPN allows the contents of the files referenced by the following options to be placed directly in the main configuration file: ca, cert, extra-certs, key, pkcs12, secret, crl-verify, http-proxy-user-pass, tls-auth, auth-gen-token-secret, tls-crypt, tls-crypt-v2

The most commonly used ones are ca.crt, client.crt, client.key, ta.key (tls-auth)

3. Examples

ca ca.crt

<ca>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</ca>

tls-auth ta.key 1

In its inline form, tls-auth needs the key-direction parameter. key-direction is an alternative way of specifying the optional direction argument of the --tls-auth and --secret options (the trailing 1 in the file-based line above).

# Inline file support: lets the tls-auth key be embedded in the configuration file
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
1ad48dd3c09f26ce5351a7017672f598
aef648396ed44d665eb4ad816e26d18r
0271dff4ae5ecb7745a4f418e9b4671t
45edc40ec9b166136af5484c6043f4c7
06415fabb8cb26b2d6693dfc81d2cb3p
2cd71cc177cd7630a06cba9bac0b8892
cf310ebb1b192f0cee2a3b6d40c45161
17e34f7e5d977555cb359fccebd946d4
9be734894a4a5233ec902135780fae25
dc350ccf3c807dc6370496ae3285917f
6941ce1f7a1d37b42f39307f0cd69c9e
933276f78f576681c82e97fc800c8b95
1e0b83957df504b328c37ef7e85afc6a
ecbb0fa9ec10f535906b95857dc43e12
e2a0ec2b1d89c68d9c81d2b604df9605
14bf4f35e5f8962469f41aac5ab567rt
-----END OpenVPN Static key V1-----
</tls-auth>
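The conversion shown above (file reference on one line, the same material as an <option> block) can be done mechanically for a whole client config. The script below is an added example, not code from the original post or from the OpenVPN project; it implements the rules quoted from the manual: every option in the inline-capable list gets its file wrapped in <option>...</option>, a trailing direction argument on tls-auth or secret becomes a separate key-direction line, and a pkcs12 file is base64-encoded and wrapped at 64 columns like the output of openssl base64. The sample config and the file contents are constructed in memory; the placeholder PEM bodies are not real certificates, and unquoted file names without spaces are assumed.

```python
"""Turn an OpenVPN client config that references ca/cert/key/ta files
into one self-contained config built from <option> ... </option> blocks."""
import base64

# Options the OpenVPN 2.5 manual lists as accepting inline files.
INLINE_OPTIONS = {
    "ca", "cert", "dh", "extra-certs", "key", "pkcs12", "secret", "crl-verify",
    "http-proxy-user-pass", "tls-auth", "auth-gen-token-secret",
    "tls-crypt", "tls-crypt-v2",
}
# Options whose optional second argument is the key direction (0 or 1).
DIRECTION_OPTIONS = {"tls-auth", "secret"}


def inline_config(config_text, files):
    """Return config_text with each inline-capable file reference replaced
    by an inline block.

    files maps the file name exactly as written in the config to that file's
    bytes (here a dict built in memory rather than reads from disk).
    References to names missing from files are left untouched, so nothing
    is silently dropped from the config.
    """
    out = []
    for raw in config_text.splitlines():
        parts = raw.split()  # assumption: unquoted paths without spaces
        if not parts or parts[0].startswith(("#", ";")):
            out.append(raw)  # keep blank lines and comments as they are
            continue
        opt = parts[0]
        if opt not in INLINE_OPTIONS or len(parts) < 2 or parts[1] not in files:
            out.append(raw)
            continue
        data = files[parts[1]]
        # The inline block has no place for the trailing direction argument of
        # "tls-auth ta.key 1", so it becomes a separate key-direction line.
        if opt in DIRECTION_OPTIONS and len(parts) >= 3:
            out.append(f"key-direction {parts[2]}")
        if opt == "pkcs12":
            # A binary .p12 must be base64 inside the block; wrap at 64
            # columns, matching what `openssl base64 -in input.p12` prints.
            b64 = base64.b64encode(data).decode("ascii")
            body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        else:
            body = data.decode("ascii").strip()  # PEM or static-key text
        out.append(f"<{opt}>")
        out.append(body)
        out.append(f"</{opt}>")
    return "\n".join(out) + "\n"


def inline_block_body(config_text, option):
    """Return the text between <option> and </option>, or None if absent."""
    lines = config_text.splitlines()
    try:
        start = lines.index(f"<{option}>")
        end = lines.index(f"</{option}>", start)
    except ValueError:
        return None
    return "\n".join(lines[start + 1:end])


# Constructed sample input: a minimal client config plus the files it names.
# The PEM bodies are placeholders, not real key material.
SAMPLE_CONFIG = """client
dev tun
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
"""
SAMPLE_FILES = {
    "ca.crt": b"-----BEGIN CERTIFICATE-----\nCA-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.crt": b"-----BEGIN CERTIFICATE-----\nCLIENT-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.key": b"-----BEGIN PRIVATE KEY-----\nCLIENT-KEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "ta.key": b"-----BEGIN OpenVPN Static key V1-----\n00112233445566778899aabbccddeeff\n-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    print(inline_config(SAMPLE_CONFIG, SAMPLE_FILES), end="")
```

The resulting single file now carries the client private key and the tls-auth static key, so it deserves the same file permissions the separate client.key and ta.key had; the convenience of one file does not change what is secret in it.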