Instantly share code, notes, and snippets.

@seebk /README.md
Last active Dec 7, 2018

Embed
What would you like to do?
Extract embedded certificates and keys from OpenVPN config files

This python script is intended to automate the extraction of embedded certificates and keys from OpenVPN config files.

Unfortunately the GNOME Network-Manager is not able to automatically import OpenVPN config files with embedded certificates and keys. A workaround is to manually extract these and store them in separate files (e.g. see https://naveensnayak.wordpress.com/2013/03/04/ubuntu-openvpn-with-ovpn-file/).

Instructions:

  • Make shure all the required packages are installed. For example on Ubuntu and Debian run:

    $ sudo apt-get install python3 network-manager-openvpn-gnome

  • Extract the certs and keys using the python script

    $ python3 extract_ovpn_cert.py path/to/VPNCONFIG.ovpn

  • Import the created file path/to/VPNCONFIG_nocert.ovpn with the GNOME network config tool


References:

#!/usr/bin/python3
#
# Extract certificates and keys from an OpenVPN config file (*.ovpn)
# The config file is rewritten to use the extracted certificates.
#
# Usage: >$ extract_ovpn_cert.py VPNCONFIG.ovpn
#
import os
import re
import sys
# open input ovpn config file
ovpn_file_path = os.path.dirname(os.path.abspath(sys.argv[1]))
ovpn_file = open(sys.argv[1], 'r')
ovpn_config = ovpn_file.read()
ovpn_file.close()
# open output config file
ovpn_file = open(os.path.splitext(sys.argv[1])[0]+"_nocert.ovpn", 'w')
# prepare regex
regex_tls = re.compile("<tls-auth>(.*)</tls-auth>", re.IGNORECASE|re.DOTALL)
regex_ca = re.compile("<ca>(.*)</ca>", re.IGNORECASE|re.DOTALL)
regex_cert = re.compile("<cert>(.*)</cert>", re.IGNORECASE|re.DOTALL)
regex_key = re.compile("<key>(.*)</key>", re.IGNORECASE|re.DOTALL)
# extract keys
match_string = regex_tls.search(ovpn_config)
if match_string is not None:
cert_file = open(os.path.join(ovpn_file_path, 'tls-auth.key'), 'w')
cert_file.write(match_string.group(1))
cert_file.close()
ovpn_config = regex_tls.sub("",ovpn_config)
# get key direction setting
regex_tls = re.compile("key-direction ([01])", re.IGNORECASE)
match_string = regex_tls.search(ovpn_config)
if match_string is not None:
key_direction = match_string.group(1)
else:
key_direction = ""
ovpn_file.write("tls-auth tls-auth.key " + key_direction + "\n")
match_string = regex_ca.search(ovpn_config)
if match_string is not None:
cert_file = open(os.path.join(ovpn_file_path, 'ca.crt'), 'w')
cert_file.write(match_string.group(1))
cert_file.close()
ovpn_config = regex_ca.sub("",ovpn_config)
ovpn_file.write("ca ca.crt\n")
match_string = regex_cert.search(ovpn_config)
if match_string is not None:
cert_file = open(os.path.join(ovpn_file_path, 'client.crt'), 'w')
cert_file.write(match_string.group(1))
cert_file.close()
ovpn_config = regex_cert.sub("",ovpn_config)
ovpn_file.write("cert client.crt\n")
match_string = regex_key.search(ovpn_config)
if match_string is not None:
cert_file = open(os.path.join(ovpn_file_path, 'client.key'), 'w')
cert_file.write(match_string.group(1))
cert_file.close()
ovpn_config = regex_key.sub("",ovpn_config)
ovpn_file.write("key client.key\n")
# copy and append previous config
ovpn_file.write(ovpn_config)
ovpn_file.close()
@mpathy

This comment has been minimized.

mpathy commented Sep 14, 2015

The files will get written in the / of the filesystem - please correct the paths..

@vdchuyen

This comment has been minimized.

vdchuyen commented Sep 16, 2015

remove os.path.sep in 3 cert_files.

@seebk

This comment has been minimized.

Owner

seebk commented Nov 16, 2015

Fixed it now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment