1. Official documentation (2.5)
INLINE FILE SUPPORT
OpenVPN allows including files in the main configuration for the --ca, --cert, --dh, --extra-certs, --key, --pkcs12, --secret, --crl-verify, --http-proxy-user-pass, --tls-auth, --auth-gen-token-secret, --tls-crypt and --tls-crypt-v2 options.
Each inline file started by the line <option> and ended by the line </option>
Here is an example of an inline file usage
<cert>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</cert>
When using the inline file feature with --pkcs12 the inline file has to be base64 encoded. Encoding of a .p12 file into base64 can be done for example with OpenSSL by running openssl base64 -in input.p12
2. Explanation of the rule
OpenVPN allows the contents of the files referenced by the following options to be placed directly in the main configuration file: ca, cert, dh, extra-certs, key, pkcs12, secret, crl-verify, http-proxy-user-pass, tls-auth, auth-gen-token-secret, tls-crypt, tls-crypt-v2.
The most commonly inlined ones are the CA certificate (ca.crt), the client certificate (client.crt), the client private key (client.key) and the tls-auth key (ta.key).
3. Example
File-reference form:
ca ca.crt
Equivalent inline form, which replaces that line:
<ca>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</ca>
File-reference form, with the direction argument 1:
tls-auth ta.key 1
The inline form has no place for that trailing direction argument, so it is given with key-direction instead. As the manual puts it, key-direction is an alternative way of specifying the optional direction parameter for the --tls-auth and --secret options, useful when using inline files. If the file-based line carried no direction argument, no key-direction line is needed. The key body must be what openvpn --genkey writes: 16 lines of 32 hex digits between the BEGIN and END lines. The key below has been altered and contains non-hex characters, so it is a placeholder only, not a usable key.
# inline file support: embed the tls-auth key in the configuration file
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
1ad48dd3c09f26ce5351a7017672f598
aef648396ed44d665eb4ad816e26d18r
0271dff4ae5ecb7745a4f418e9b4671t
45edc40ec9b166136af5484c6043f4c7
06415fabb8cb26b2d6693dfc81d2cb3p
2cd71cc177cd7630a06cba9bac0b8892
cf310ebb1b192f0cee2a3b6d40c45161
17e34f7e5d977555cb359fccebd946d4
9be734894a4a5233ec902135780fae25
dc350ccf3c807dc6370496ae3285917f
6941ce1f7a1d37b42f39307f0cd69c9e
933276f78f576681c82e97fc800c8b95
1e0b83957df504b328c37ef7e85afc6a
ecbb0fa9ec10f535906b95857dc43e12
e2a0ec2b1d89c68d9c81d2b604df9605
14bf4f35e5f8962469f41aac5ab567rt
-----END OpenVPN Static key V1-----
</tls-auth>
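The conversion described in sections 2 and 3 (replace `option path [direction]` with an `<option>` block, move the direction to key-direction, base64-encode pkcs12) and the checks a practitioner wants before shipping the bundled profile, as an added example that is not part of the original note and not OpenVPN's own code. The function names `inline_config` and `check_inline_blocks`, and the sample config and file contents, are all constructed here for illustration; the all-zero static key and the placeholder certificate are not real key material.

```python
"""Bundle OpenVPN file directives into inline <option> blocks and check them.
Added example for this note (not OpenVPN's own code). It works on config text
and a dict of already-read file contents, so it runs offline.
"""
import base64
import re

# Options OpenVPN 2.5 accepts as inline files (the list quoted from the manual).
INLINE_OPTIONS = {
    "ca", "cert", "dh", "extra-certs", "key", "pkcs12", "secret",
    "crl-verify", "http-proxy-user-pass", "tls-auth",
    "auth-gen-token-secret", "tls-crypt", "tls-crypt-v2",
}
# Their optional trailing direction argument moves to a key-direction line.
DIRECTION_OPTIONS = {"tls-auth", "secret"}
# --pkcs12 is binary DER, so its inline body must be base64.
BASE64_OPTIONS = {"pkcs12"}

TAG = re.compile(r"^<(/?)([a-z0-9-]+)>$")
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
KEY_END = "-----END OpenVPN Static key V1-----"


def inline_config(config: str, files: dict) -> str:
    """Rewrite `option path [direction]` lines as <option>...</option> blocks.
    `files` maps a path as written in the config to its content (str or bytes);
    non-inlineable options and paths missing from `files` pass through as-is."""
    out = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in INLINE_OPTIONS or parts[1] not in files:
            out.append(line)
            continue
        option, body = parts[0], files[parts[1]]
        if option in DIRECTION_OPTIONS and len(parts) > 2:
            out.append(f"key-direction {parts[2]}")  # from e.g. "tls-auth ta.key 1"
        if option in BASE64_OPTIONS:
            body = base64.encodebytes(body if isinstance(body, bytes) else body.encode()).decode()
        elif isinstance(body, bytes):
            body = body.decode()
        out.extend([f"<{option}>", body.strip("\n"), f"</{option}>"])
    return "\n".join(out) + "\n"


def _check_static_key(tag: str, body: list, problems: list) -> None:
    """A V1 static key is a BEGIN line, 16 lines of 32 hex digits, an END line."""
    lines = [ln for ln in body if ln and not ln.startswith("#")]  # skip --genkey comments
    if not lines or lines[0] != KEY_BEGIN or lines[-1] != KEY_END:
        problems.append(f"<{tag}>: missing static key BEGIN/END lines")
        return
    hex_lines = lines[1:-1]
    for ln in hex_lines:
        if not HEX32.match(ln):
            problems.append(f"<{tag}>: non-hex key line {ln!r}")
    if len(hex_lines) != 16:
        problems.append(f"<{tag}>: expected 16 key lines, found {len(hex_lines)}")


def check_inline_blocks(config: str) -> list:
    """Return problems with the inline blocks of `config`; [] means clean.
    Tags must come from INLINE_OPTIONS, nest correctly and be closed; a
    <tls-auth>/<secret> body must be a V1 static key; <pkcs12> must be base64."""
    problems, open_tag, body = [], None, []
    for n, line in enumerate(config.splitlines(), 1):
        m = TAG.match(line.strip())
        if not m:
            if open_tag is not None:
                body.append(line.strip())
            continue
        closing, name = m.group(1) == "/", m.group(2)
        if not closing:
            if open_tag is not None:
                problems.append(f"line {n}: <{name}> opened inside unclosed <{open_tag}>")
            if name not in INLINE_OPTIONS:
                problems.append(f"line {n}: option {name} cannot be given inline")
            open_tag, body = name, []
        elif name != open_tag:
            problems.append(f"line {n}: </{name}> does not close the open block <{open_tag}>")
        else:
            if name in DIRECTION_OPTIONS:
                _check_static_key(name, body, problems)
            elif name in BASE64_OPTIONS:
                try:
                    base64.b64decode("".join(body), validate=True)
                except ValueError:  # binascii.Error is a ValueError
                    problems.append(f"line {n}: <{name}> body is not valid base64")
            open_tag, body = None, []
    if open_tag is not None:
        problems.append(f"<{open_tag}> is never closed")
    return problems


# Constructed sample input: placeholder certificate text, an all-zero static
# key and four placeholder DER bytes. None of this is real key material.
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n",
    "ta.key": "\n".join([KEY_BEGIN] + ["00" * 16] * 16 + [KEY_END]) + "\n",
    "client.p12": bytes.fromhex("3082000a"),
}
SAMPLE_CONFIG = "client\ndev tun\nremote vpn.example.com 1194\nca ca.crt\ntls-auth ta.key 1\nverb 3\n"

if __name__ == "__main__":
    bundled = inline_config(SAMPLE_CONFIG, SAMPLE_FILES)
    print(bundled, "problems:", check_inline_blocks(bundled))
```

Run on the key shown in section 3, `check_inline_blocks` reports each line that contains a non-hex character, which is exactly why that key cannot be used as-is. Two caveats: OpenVPN's `<connection>` profile blocks use the same tag syntax but are not inline files, so add that tag to the whitelist if your config uses them; and once the private key and tls-auth key are inlined, the .ovpn file itself is secret material and needs the same restrictive permissions the key files had.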