I am on a Mac the Microsoft documentation covers Powershell, makecert and Linux instructions for creating Self-Signed certs for the OpenVPN P2S configuration.
However I prefer the familiar and I've used OpenVPN before on Linux and the bundled easyrsa utility included in Debian/Ubuntu makes it easy to create and generate and manage the certs and keys.
So download https://github.com/OpenVPN/easy-rsa/releases and untar the latest EasyRSA
Check out the readme https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Readme.md
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | cd /to/place/where/you/untarred/easyrsacp vars.sample vars# edit vars# un comment and modify the following varsset_var EASYRSA_OPENSSL "/usr/local/Cellar/openssl@1.1/1.1.1c/bin/openssl"set_var EASYRSA_REQ_COUNTRY "AU"set_var EASYRSA_REQ_PROVINCE "Victoria"set_var EASYRSA_REQ_CITY "Melbourne"set_var EASYRSA_REQ_ORG "Toggen"set_var EASYRSA_REQ_EMAIL "james@toggen.com.au"set_var EASYRSA_REQ_OU "Azure Demo OpenVPN"./easyrsa init-pki# create a ca.crt./easyrsa build-ca# build a client cert/easyrsa build-client-full client2 nopassNote: using Easy-RSA configuration from: ./varsUsing SSL: /usr/local/Cellar/openssl@1.1/1.1.1c/bin/openssl OpenSSL 1.1.1c 28 May 2019Generating a RSA private key.....+++++......................+++++writing new private key to '/Users/jmcd/Downloads/easy-rsa/EasyRSA-v3.0.6/pki/private/client2.key.DYOAXJrtRM'-----Using configuration from /Users/jmcd/Downloads/easy-rsa/EasyRSA-v3.0.6/pki/safessl-easyrsa.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName :ASN.1 12:'client2'Certificate is to be certified until Aug 19 14:51:06 2022 GMT (1080 days)Write out database with 1 new entriesData Base Updated |
In the Azure portal you add the contents of ca.crt to the Root certificates. NAME is arbitrary and PUBLIC CERTIFICATE DATA is the contents of ca.crt without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- sections
When you click the Download VPN client button and download the zip containing the ovpn file the certificate copied into the PUBLIC CERTIFICATE DATA field will be in the <ca></ca> section.
This is a copy of the OpenVPN\openvpn.ovpn file that you download when you click the "Download VPN client" button from the azure portal. Everything is standard except for removing the log statement which Tunnelblick doesn't like, and adding the ca.crt, and client.crt and client.key.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 | clientremote azuregateway-15460063-9c68-4296-8656-84328f96ead2-08086fb9383b.vpn.azure.com 443verify-x509-name '15460063-9c68-4296-8656-84328f96ead2.vpn.azure.com' nameremote-cert-tls serverdev tunproto tcpresolv-retry infinitenobindauth SHA256cipher AES-256-GCMpersist-keypersist-tuntls-timeout 30tls-version-min 1.2key-direction 1#log openvpn.logverb 3# P2S CA root certificate<ca>-----BEGIN CERTIFICATE-----MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBDQTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsBCSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7PT19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbRTLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUwDQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/EsrhMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJFPnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0lsYSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQkCAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=-----END CERTIFICATE-----</ca># Pre Shared Key<tls-auth>-----BEGIN OpenVPN Static key V1-----edaa9d2e7cd34a59a80a08d10b1173c0ed07f33ec56db66e5e8c564ccd895edd2d48dc5370e02f336772b465155fb1a14180dcedb0e1ab5c2f8b3066dff8f1018a8705e1397f22de66fd1a3c05afcdb247717e18a1a5e1b8e4c80413b2f858cae774b715b36231a503da49401b8822083198da18b44b823b268541d4705f7bd7ab9b62d93686de42a27dcb95bfc920a8464516f6d8bafe0b3b23924fb8ab9a7516fc71bda23984d23b79fb4681af0408db39b3aabd7d541ce99b42f871ecf25246fe8992e696ca047fe9573b42863185cce990efffbc6047c995dd9df00409418ebdb370548ac0e9ba0d8fbaf6eeeb5d94777e538fd1b738552fe49568ae0948-----END OpenVPN Static key V1-----</tls-auth># P2S client certificate# Please fill this field with a PEM formatted client certificate# Alternatively, configure 'cert PATH_TO_CLIENT_CERT' to use input from a PEM certificate file.<cert>-----BEGIN CERTIFICATE-----MIIDVDCCAjygAwIBAgIQM51UoKxWZcslb8aHjOFqyjANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0xOTA5MDQxMzA0NTRaFw0yMjA4MTkxMzA0NTRaMBExDzANBgNVBAMMBmNsaWVuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKJXkzd84Rh3xhtn/89ucNXM6zKVKTcdyhTsOaCqLRPB06xX2lGbzrBmM8U4wN9B6rw0nNBhHP10+2KqLcJMxTsT8fGLYjY3aleJ0gOtJQGi3vQhe2fNckix/h+b7CmSKZLOtSjD0ssGWSzdLl8oPhTbemHSpomBFeE7i3TDnp2NniTxjXo6gasr4M4v26oK9MgykxmXEqCDKNQe8ok7qlUghtMVA77c2RwIxC/HAqZAIDd4kO6KlDN/9Aru+hj4G1XSmQJOhZltf6ACFw4eaBn/RrO6UiX28cRcCS/2FzhQTh40DH0eRdxUhfD3QcWOdcxLnkjQj1QKnCJ47TNaRAcCAwEAAaOBojCBnzAJBgNVHRMEAjAAMB0GA1UdDgQWBBSi5fBtPM8A4deX1D660Kf4VC0+yDBRBgNVHSMESjBIgBQ4XPjOkVXivU/2smkn4xFsMI+SiaEapBgwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0GCFHRIWaaAK7491BtE/EKPzSwjxiINMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAPek25GelYy4K3W4mNmpGRhWVRi88ZGGzQrAPePmLPTg5rdRJC5ldUk450rHco33jeO9MgAnB0tsHsUeKZk3nd7pQl9+PNicHS3Za1kXafNFIvcyv6Ku2nth2Rk391mK5xTcLzil91dlgRLGEZztBHidJ2yMwJamn+JXzeJWozH9oi6DilC5RFlNGk+Ou4KEmrPAr//ZN97WNgeWf8dIQegyeGxAaOwOfFbS3yKivOyOMnl1UAC/tpFc/NzTHgdNQ17avSiescpceHBfhk5mFoaCGAx3HPE+awFQG5uB5RqZ6bg80Tw+X0aP25VX4ouu1ZOXBo8h/J7Bfp5O8FSTupg==-----END CERTIFICATE-----</cert># P2S client certificate private key# Please fill this field with a PEM formatted private key of the client certificate.# Alternatively, configure 'key PATH_TO_CLIENT_KEY' to use input from a PEM key file.<key>-----BEGIN PRIVATE KEY-----MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCiV5M3fOEYd8YbZ//PbnDVzOsylSk3HcoU7Dmgqi0TwdOsV9pRm86wZjPFOMDfQeq8NJzQYRz9dPtiqi3CTMU7E/Hxi2I2N2pXidIDrSUBot70IXtnzXJIsf4fm+wpkimSzrUow9LLBlks3S5fKD4U23ph0qaJgRXhO4t0w56djZ4k8Y16OoGrK+DOL9uqCvTIMpMZlxKggyjUHvKJO6pVIIbTFQO+3NkcCMQvxwKmQCA3eJDuipQzf/QK7voY+BtV0pkCToWZbX+gAhcOHmgZ/0azulIl9vHEXAkv9hc4UE4eNAx9HkXcVIXw90HFjnXMS55I0I9UCpwieO0zWkQHAgMBAAECggEAJonvsu58aViVuQ/ZVJ79PmQlOZ7bZ/A0dv8VNyTvCo+q9nDsrQ715D5+78TnVJjLZt5+k6FaRnks7GFF96hN8hZsC1FxgTlqj1lyd9j0vgyyLPZ920iUZtmKYGqdh8jhAa78pq7GLdhV9yaSyZg+FKl9xhdB3ca9MPj3xEJkNzZ0loTrKlbx3nNn2LBsKnEDP+27NNMDbN3wPKW6/cgWxG5SU5jDpJfhNXaZaiX9Ubb149RtZkZLDlvX9nGUlQExT8xa/eOLzL9yOrscujrwLdZZMW0+NWYvnLibl1qeXVAVj2SIhNfeC4As3aB4eUloJNA9jBAfk0Pb3Udt49OaQQKBgQDN673L2C4u8pLvUL+dbaChXPj7OrZyAZMcy09oP5ebhWqFJEo2YF0cL9EOQesni+tBdihX2ASaaTDsdk4MWgKzYqc7cG9PC1c+OVHOT+m7i/o+E/aihBvRAhNOXcP6oxvHLhASuPO09JLZlUNpE1JLeajFaVTxccjC20+w1EPKkQKBgQDJ0rLKbpOTfwS3PULhWi2+ySoTClBZigSY18bTQVR5foGaUQyRMF5FzXNksne44drZgnOlWPBhxbgzrI+icLRW62iH0jNND13Ip5ihpC4eTw5MDv1yk0VPHOmEwIUlXuXTuT8giyDgSuAK1/ICl/FOdBDB9pcq6NDBIwnarTCBFwKBgALEpYOE/3HwHtuKuVizbZJdvpcZ/fPgY4rijMm4+R/FFl5902WRvA6x8dyANFoOvnXd0cMEi2NMALVdDcWKvDiPHfJlm4lzfJPAj4H3fwvfYNjOyeT7Y6hWn83Q4t6OrMPrsZme1N/c3dCA+iwCb3vGQeeNd+/a+Ljt289juxmRAoGBAIxfx0lzdaO+UfpdWrpBLdYoNuJ9ZvuQOrhQRJNFOksyyVQbEWGewcNNLfiZBRqLxNtKl8MmxDNNAVy3pkO2nkhifhcSBeqQSIu6vjeXaRhdpjUSrAfYFPn8wxM5kKI4iiQkEZtCCcDXc1M3dbWGFymZItq199i5jBD5nO4DTdxLAoGBAKgiOhgRgyTk49D1zhc1AvJqv74BmJ1DXcZ9jaAmmipLNkRafCqVQfxOj/I7XYCa8dkBm9W2oyOlDQDCCpvxsUMru9prDQswwPZlJd43FkdzdE9VZ+PszejWc/2d/enHZQunpq2+ziGpOUMmMQn0VLvmVqQ38T217UyFfuMM3+5O-----END PRIVATE KEY-----</key> |
This is how the bottom section of the OpenVPN\vpnconfig.ovpn file looks before you replace the place holders with the proper cert and key values
1 2 3 4 5 6 7 8 9 10 11 12 13 | # P2S client certificate# Please fill this field with a PEM formatted client certificate# Alternatively, configure 'cert PATH_TO_CLIENT_CERT' to use input from a PEM certificate file.<cert>$CLIENTCERTIFICATE</cert># P2S client certificate private key# Please fill this field with a PEM formatted private key of the client certificate.# Alternatively, configure 'key PATH_TO_CLIENT_KEY' to use input from a PEM key file.<key>$PRIVATEKEY</key> |
By the time you read this post I will have deleted all of the above configuration from my Free Trial of Azure.
Hi James,
Thank you for this post, very helpful.
I'm struggling at the moment exporting the private key for the section:
# P2S client certificate private key
# Please fill this field with a PEM formatted private key of the client certificate.
# Alternatively, configure 'key PATH_TO_CLIENT_KEY' to use input from a PEM key file.
$PRIVATEKEY
I'm in the same scenario using a MAC (OpenVPN and Tunnelblick) but I'm not sure how to export the private key to insert in the section above.
Any ideas?
Kind Regards,
Humza