.ovpn12 files #773
.ovpn12 files #773
Conversation
Added new step to create an .ovpn12 file that can be stored on iOS keychain This step is more secure method and does not require the end-user to keep entering passwords, or storing the client private cert where it can be easily tampered based on documentation located: https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/ Someone can improve upon this by adding a parameter (possibly -i|--iOS) and then generating the original .ovpn file to not contain the client private certificate.
|
Will let other most active users comment on this as I am not at all familiar with IOS devices. If their feedback is positive then ill gladly merge it. @orazioedoardo @devZer0 @Giraffe1966 any takes on this? |
|
Yeah, I see that this is more secure because the private parts of the config are not in the .ovpn file, though it's a bit less convenient since the user need to copy two files and perhaps we should instruct the user on how to use them. Also your script doesn't do the whole job:
By the way I wouldn't make this the default, I would add a one time dialog after the first client creation with some text like "TIP: If you have an iOS device you can pass -i|--iOS to [...]" |
|
No need to use expect for the password, you can use the |
added changes related to chown and chmod of .ovpn12 file. Also removed sudo.
Incorporated feedback on how to properly implement .ovpn12 files.
the makeOVPN.sh now generates .ovpn12 files in the /home/${INSTALL_USER}/ovpns/ directory.
The remove script was updated to remove both the .ovpn and .ovpn12 files
|
Updated. |
|
@orazioedoardo , @Giraffe1966 what is your take on this? is it good to be merged? thanks a lot for keeping the boat moving! =) |
| echo ":::" | ||
| echo "::: Commands:" | ||
| echo "::: [none] Interactive mode" | ||
| echo "::: nopass Create a client without a password" | ||
| echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)" | ||
| echo "::: -n,--name Name for the Client (default: '"$(hostname)"')" | ||
| echo "::: -p,--password Password for the Client (no default)" | ||
| echo "::: -i,--iOS Generate a certificate that leverages iOS keychain" |
There was a problem hiding this comment.
Perhaps include a link to https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/ so users know how to use the .ovpn12 file, and why this option increases security.
There was a problem hiding this comment.
wouldn't a link be too much of information there?
Maybe we should put the link in the FAQ or wiki or whatsoever and get a simple reference to it?
|
@IcedComputer please apply the changes and suggestions mentioned by @Giraffe1966 and ill merge your PR |
Co-Authored-By: Giraffe1966 <[email protected]>
Removed typo and changed -passin pass:$PASSWD to -passin env:$PASSWD
|
@4s3ti - I believe this is ready to go. |
|
Thanks @IcedComputer , Merging. |
Added new step to create an .ovpn12 file that can be stored on iOS keychain
This step is more secure method and does not require the end-user to keep entering passwords, or storing the client private cert where it can be easily tampered based on documentation located:
https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/
Someone can improve upon this by adding a parameter (possibly -i|--iOS) and then generating the original .ovpn file to not contain the client private certificate.