I guess I'm not sure where to ask this, so I'll try here.

I've been provided an ovpn file and a separate pkcs12 (p12) file. The ovpn file contains:

    pkcs12 /path/to/my.p12

I am using Ubuntu 16.10 and I have network-manager-openvpn-gnome, network-manager-openvpn, and openvpn itself all installed (as well as openssl etc.)

If I add a new VPN by importing this ovpn configuration it works, so yay!

Next I need to distribute this file to a group of users and I'd like to simplify it somewhat. So, I have two questions:

First, is it possible to add a setting to the ovpn file that will cause networkmanager to automatically check the IPv4 (and IPv6) "Use this connection only for resources on its network" box, without requiring the user to do it? I'd really like to have the routing set up that way, by default, for the users.

Second, I really want to use an embedded certificate format in the ovpn for the pkcs12 file rather than shipping two separate files. I see that (from what I can tell) I should be able to replace the above line with this in my ovpn file:

    <pkcs12>
    -----BEGIN CERTIFICATE-----
    ...certificate...
    -----END CERTIFICATE-----
    </pkcs12>

And, I see that the certificate has to be base64 encoded; of course my .p12 file is not: it's just a binary file. So after reading some things I ran this:

    openssl base64 -in /path/to/my.p12 > my.p12.b64

Then I imported that my.p12.b64 into my ovpn file in between the BEGIN/END CERTIFICATE lines. This SEEMED to work in that networkmanager accepted the contents of that file without complaint, but when I attempt to connect it fails.

Looking at journalctl output I see the error is:

    nm-openvpn[31545]: OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016
    nm-openvpn[31545]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
    nm-openvpn[31545]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    nm-openvpn[31545]: OpenSSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    nm-openvpn[31545]: OpenSSL: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    nm-openvpn[31545]: Error reading PKCS#12 file /home/paul/.cert/nm-openvpn/my-pkcs12.pem
    nm-openvpn[31545]: Exiting due to fatal error
    NetworkManager[948]: nm-openvpn[31539] <warn> openvpn[31545] exited with error code 1

Looking at /home/paul/.cert/nm-openvpn/my-pkcs12.pem I can see that it's not the same as my original .p12 file, plus by the name it seems that a PEM file is expected here instead maybe?

All my attempts to work out what format things need to be in to make this work have failed.

Anyone have any help for either of these problems? Thanks!
