Question about content of my .ovpn file downloaded form access server

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
lv426hudson
OpenVpn Newbie
Posts: 3
Joined: Fri Sep 15, 2023 1:04 pm

Question about content of my .ovpn file downloaded form access server

Post by lv426hudson » Tue Sep 19, 2023 2:12 pm

Hi,

For my own understanding I would like to know what each key/certificate is inside the ".ovpn" file I have downloaded from my access server I have installed on Debian 10. Some of the keys are commented out and some are in-line. Apologies for noob question just trying to wrap my head around it all. I have deliberately shortened all the keys.

Cheers,
------------------------------------------------------------------------------------------------------------------------------------------------------
1) First item in the fie commented out i think i understand, this is the web server certificate and i can find this @ "/usr/local/openvpn_as/etc/web-ssl/ca.crt"

# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# MIIBwDCCAUWgAwIBAgIEZQQnETAKBggqhkjOPQQDAjA4MTYwNAYDVQQDDC1PcGVu
# -----END CERTIFICATE-----
------------------------------------------------------------------------------------------------------------------------------------------------
2) I can find mention of this key in "/usr/local/openvpn_as/etc/db/.certs.db". If this the public certificate of the CA?

<ca>
-----BEGIN CERTIFICATE-----
MIIBeTCB/6ADAgECAgRlBCcLMAoGCCqGSM49BAMCMBUxEzARBgNVBAMMCk9wZW5W
-----END CERTIFICATE-----
</ca>

------------------------------------------------------------------------------------------------------------------------------------------------
3) I can find mention of this key in "/usr/local/openvpn_as/etc/db/.certs.db". If this the public certificate of the vpn server?

<cert>
-----BEGIN CERTIFICATE-----
MIIBoDCCASWgAwIBAgIILwJxQOI4wgcwCgYIKoZIzj0EAwIwFTETMBEGA1UEAwwK
-----END CERTIFICATE-----
</cert>

------------------------------------------------------------------------------------------------------------------------------------------------
4) i'm not quite sure what this is and i cant find it on the access server. Is this a randomly assigned private key generates by the access server for the client to using as a private key?

<key>
-----BEGIN PRIVATE KEY-----
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBx/PBssPOq1G1aHEnQ
-----END PRIVATE KEY-----
</key>

------------------------------------------------------------------------------------------------------------------------------------------------
5) TLS crypt key is used for that encryption and decryption of the TLS handshake on both the server and client??? I can find this key on my access server in ""/usr/local/openvpn_as/etc/db/.certs.db"

<tls-crypt>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
15da800fe2ddb6ec18f9e3fc2ad346d4
</tls-crypt>

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1321
Joined: Tue Feb 16, 2021 10:41 am

Re: Question about content of my .ovpn file downloaded form access server

Post by openvpn_inc » Wed Sep 20, 2023 9:27 am

Hello,

1) Public web CA certificate, for some legacy purposes. The only remaining purpose is for server-locked profiles as a fallback trusted CA for verifying access to the web API to retrieve connection profiles in case it has no valid signed certificate.

2) Public VPN server CA certificate, for verifying the identity of the VPN server.

3) The public certificate for this particular VPN user, for verifying the identity of the VPN client (works as a pair with 4).

4) The private key for this particular VPN user, for verifying the identity of the VPN client (works as a pair with 3).

5) A kind of 'software firewall' that we call TLS-Crypt in OpenVPN. There's TLS-Auth, TLS-Crypt, and TLS-Cryptv2. You can look in the OpenVPN2 reference documentation what that means. Basically, anyone that doesn't have such a valid key cannot even start a handshake with this server. Packets are signed and verified with such a key. If packets fail such a validation they get dropped really early on in the processing of packets.

Hope that helped,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply