Info |
---|
System: CentOS 7 openvpn: 2.4.10-1.el8 easy-rsa: 3.0.8-1.el8 |
Info |
---|
Make sure to perform the following operations as the root. |
Table of Contents |
---|
1 Installation and preparation
Code Block |
---|
yum install -y epel-release
yum install -y openvpn
yum install -y easy-rsa
mkdir /etc/openvpn/easy-rsa
cp -R /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa/
cp -p /usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf /etc/openvpn/
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars |
For now, the contents of the two directories are shown in the figure:
Modify the below lines of the file - vars
Code Block |
---|
set_var EASYRSA "$PWD" set_var EASYRSA_PKI "$EASYRSA/pki" set_var EASYRSA_DN "cn_only" set_var EASYRSA_REQ_COUNTRY"CN" set_var EASYRSA_REQ_PROVINCE "SJ" set_var EASYRSA_REQ_CITY "NJ" set_var EASYRSA_REQ_ORG "HTEK" set_var EASYRSA_REQ_EMAIL "support@htek.com" set_var EASYRSA_REQ_OU "HTEK Support" set_var EASYRSA_KEY_SIZE 2048 set_var EASYRSA_ALGO rsa set_var EASYRSA_CA_EXPIRE 7000 set_var EASYRSA_CERT_EXPIRE 3650 set_var EASYRSA_NS_SUPPORT "no" set_var EASYRSA_NS_COMMENT "Hanlong" set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" set_var EASYRSA_DIGEST "sha256" |
Next, we will start to create the OpenVPN server.
2 Generate Certification files
2.1 Initialize Certificate
Code Block | ||
---|---|---|
| ||
[root@localhost openvpn]# cd /etc/openvpn/easy-rsa/ [root@localhost easy-rsa]# ./easyrsa init-pki |
You will get the below notice
Code Block |
---|
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki |
2.2 Generate a CA certificate
Code Block |
---|
[root@localhost easy-rsa]# ./easyrsa build-ca |
You will be prompt to enter New CA Key Passphrase, please remember it, you will use them later.
Code Block |
---|
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Enter New CA Key Passphrase: Re-Enter New CA Key Passphrase: Generating RSA private key, 2048 bit long modulus ......................+++ ..+++ e is 65537 (0x10001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Htek CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/pki/ca.crt |
2.3 Generate a server certificate
Code Block |
---|
[root@localhost easy-rsa]# ./easyrsa gen-req server nopass Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key ............+++ ..............+++ writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-12489.hN5NM9/tmp.EPD3Vi' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/server.req key: /etc/openvpn/easy-rsa/pki/private/server.key |
2.4 Sign the server certificate
Code Block |
---|
[root@localhost easy-rsa]# ./easyrsa sign server server |
When signing the server certificate, you need to enter the passphrase of the CA (you have set it in 2.2).
Code Block |
---|
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 825 days: subject= commonName = server Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-12735.ljcLtB/tmp.pO6V2f Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'server' Certificate is to be certified until Jun 5 11:40:39 2023 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt |
2.5 Generate Diffie-Hellman key
Code Block |
---|
[root@localhost easy-rsa]# ./easyrsa gen-dh Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time .................................................................................+.....................+..........................+......................................................................................+...........+........................+.....................................................................................................................................................................................................................+......+.+.......+...............................................................+.............+.........................................+..........................................................................................................................................................................................................+....................................+............+...................................................................++*++*++*++* DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem |
2.6 Generate a client certificate
Code Block |
---|
[root@localhost easy-rsa]# ./easyrsa gen-req client nopass Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key .......................................................+++ ..............+++ writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-15549.IGSWyv/tmp.prgjs5' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [client]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/client.req key: /etc/openvpn/easy-rsa/pki/private/client.key |
2.7 Sign the client certificate
Code Block |
---|
[root@localhost 3.0.8]# ./easyrsa sign client client |
Like sign the server certificate, you need the passphrase of the CA to sign the client certificate.
Code Block |
---|
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 825 days: subject= commonName = client Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-16082.Oox3nT/tmp.7oMIBX Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'client' Certificate is to be certified until Jun 5 11:49:34 2023 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt |
3 Configure the server
3.1 Configure IP route and firewall rules
Code Block |
---|
vim /etc/sysctl.conf |
Add the below line to this file
Code Block |
---|
net.ipv4.ip_forward = 1 |
After editing the file, you can run the following command to make the changes take effect right away.
Code Block |
---|
sysctl -p |
Now start the firewall service and add rules for the OpenVPN service
Code Block |
---|
[root@localhost easy-rsa]# systemctl start firewalld.service |
Check the status of the firewall
Code Block |
---|
[root@localhost easy-rsa]# firewall-cmd --state running [root@localhost easy-rsa]# firewall-cmd --zone=public --list-all public (active) target: default icmp-block-inversion: no interfaces: ens33 sources: services: dhcpv6-client ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: |
Add rules for the firewall and then reload it.
Code Block |
---|
[root@localhost easy-rsa]# firewall-cmd --add-service=openvpn --permanent success [root@localhost easy-rsa]# firewall-cmd --add-port=1194/udp --permanent success [root@localhost easy-rsa]# firewall-cmd --add-port=22/tcp --permanent success [root@localhost easy-rsa]# firewall-cmd --add-source=10.8.0.0 --permanent success [root@localhost easy-rsa]# firewall-cmd --query-source=10.8.0.0 --permanent yes [root@localhost easy-rsa]# firewall-cmd --add-masquerade --permanent success [root@localhost easy-rsa]# firewall-cmd --query-masquerade --permanent yes [root@localhost easy-rsa]# firewall-cmd --reload success |
Check the status of the firewall again
Code Block |
---|
[root@localhost easy-rsa]# firewall-cmd --zone=public --list-all public (active) target: default icmp-block-inversion: no interfaces: ens33 sources: 10.8.0.0 services: dhcpv6-client openvpn ssh ports: 1194/udp 22/tcp protocols: masquerade: yes forward-ports: source-ports: icmp-blocks: rich rules: |
3.2 server.conf
Code Block |
---|
port 1194 proto udp dev tun ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/server.crt key /etc/openvpn/easy-rsa/pki/private/server.key dh /etc/openvpn/easy-rsa/pki/dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 192.168.0.0 255.255.252.0" push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 192.168.0.230" push "dhcp-option DNS 114.114.114.114" client-to-client keepalive 10 120 cipher AES-256-CBC comp-lzo max-clients 100 persist-key persist-tun status openvpn-status.log log-append openvpn.log verb 3 mute 20 explicit-exit-notify 1 |
3.3 Start openvpn@server.service
Code Block |
---|
[root@localhost easy-rsa]# systemctl start openvpn@server |
You can check the status by below command:
Code Block |
---|
[root@localhost easy-rsa]# systemctl status openvpn@server ● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled) Active: active (running) since Tue 2021-03-02 20:16:44 CST; 5s ago Main PID: 26175 (openvpn) Status: "Initialization Sequence Completed" CGroup: /system.slice/system-openvpn.slice/openvpn@server.service └─26175 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf Mar 02 20:16:44 localhost.localdomain systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server... Mar 02 20:16:44 localhost.localdomain systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server. |
4 Using openvpn on the Htek phone
4.1 Create client.ovpn
Code Block |
---|
[root@localhost easy-rsa]# vim /etc/openvpn/client/client.ovpn |
Add the below lines to this file:
Code Block |
---|
client dev tun proto udp remote 223.68.137.166 1194 resolv-retry infinite nobind persist-key persist-tun ca /hlfs/vpn/ca.crt cert /hlfs/vpn/client.crt key /hlfs/vpn/client.key remote-cert-tls server cipher AES-256-CBC verb 3 comp-lzo mute 20 |
Note
If there is no M or D in the DSP info of your phone, please change the file path to /hlcfg/vpn/xxx, such as /hlcfg/vpn/client.crt
(no M or D, path should be /hlcfg/vpn/client.crt)
(has M, path should be /hlfs/vpn/client.crt)
4.2 Creating the tar file for the phone (client)
The phone as an OpenVPN client needs at least ca.crt, client.crt, client.key, client.ovpn, and these files should be packaged in tar format.
Code Block |
---|
[root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/ [root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/issued/client.crt /etc/openvpn/client/ [root@localhost easy-rsa]# cp /etc/openvpn/easy-rsa/pki/private/client.key /etc/openvpn/client/ |
Now the files in /etc/openvpn/client should be:
Anchor | ||||
---|---|---|---|---|
|
Code Block |
---|
[root@localhost client]# tar -cvpf openvpn.tar * ca.crt client.crt client.key client.ovpn |
Now you get the openvpn.tar file, then you should put it into a folder that you could import the file into the phone.
4.3 Import tar file into Htek phone
Import openvpn.tar file into the phone.
Choose Yes and then click the SaveSet button on the bottom of the webpage, the phone will reboot to apply the new configuration.
Upon the phone boot up, you can check the VPN address.
LCD GUI: Menu -> Status -> Network -> 5.VPN
4.4 Download VPN configuration file
Click the "Download" button to download the OpenVPN configuration file that the phone is currently using.
5 Option: Authenticate with Username/Password
If you want to use username/password along with the certificate to verify the client, you could do as follows.
5.1 Prepare a script to check username/password
Code Block |
---|
[root@localhost openvpn]# vim /etc/openvpn/checkpsw.sh |
The content is:
Code Block | ||
---|---|---|
| ||
#!/bin/bash ########################################################### # checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se> # # This script will authenticate OpenVPN users against # a plain text file. The passfile should simply contain # one row per user with the username first followed by # one or more space(s) or tab(s) and then the password. PASSFILE="/etc/openvpn/auth_file" LOG_FILE="/var/log/openvpn-password.log" TIME_STAMP=`date "+%Y-%m-%d %T"` ########################################################### if [ ! -r "${PASSFILE}" ]; then echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE} exit 1 fi CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}` if [ "${CORRECT_PASSWORD}" = "" ]; then echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE} exit 1 fi if [ "${password}" = "${CORRECT_PASSWORD}" ]; then echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE} exit 0 fi echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE} exit 1 |
After you have done this, exit and give the executable permissions to it by
Code Block |
---|
[root@localhost openvpn]# chmod +x checkpsw.sh |
5.2 Create username/password record file
In the file - checkpsw.sh - we have defined a PASSFILE
, that is used to store username and password pairs.
Code Block |
---|
[root@localhost openvpn]# vim /etc/openvpn/auth_file |
In this file, we record the username and password line by line like following
( each line contains a pair of username and password )
Code Block |
---|
htek 123456
client 456789 |
5.3 Modify server.conf
Code Block |
---|
[root@localhost openvpn]# vim /etc/openvpn/server.conf |
Add these three lines:
Code Block |
---|
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env username-as-common-name script-security 3 |
So the server.conf now looks like this:
Code Block |
---|
port 1194 proto udp dev tun auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env username-as-common-name script-security 3 ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/server.crt key /etc/openvpn/easy-rsa/pki/private/server.key dh /etc/openvpn/easy-rsa/pki/dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 192.168.0.0 255.255.252.0" push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 192.168.0.230" push "dhcp-option DNS 114.114.114.114" client-to-client keepalive 10 120 cipher AES-256-CBC comp-lzo max-clients 100 persist-key persist-tun status openvpn-status.log log-append openvpn.log verb 3 mute 20 explicit-exit-notify 1 |
Info |
---|
After you have done this, you should restart openvpn server to make it effective. |
Code Block |
---|
[root@localhost openvpn]# systemctl restart openvpn@server |
5.4 Modify the client.conf
Add this line to the client.conf
Code Block |
---|
auth-user-pass /hlfs/vpn/auth.txt |
And now the whole file is like this:
Code Block |
---|
client dev tun proto udp remote 223.68.137.166 1194 resolv-retry infinite nobind persist-key persist-tun auth-user-pass /hlfs/vpn/auth.txt ca /hlfs/vpn/ca.crt cert /hlfs/vpn/client.crt key /hlfs/vpn/client.key remote-cert-tls server cipher AES-256-CBC verb 3 comp-lzo mute 20 |
5.5 Create a username/password file for client
Code Block |
---|
[root@localhost client]# vim auth.txt |
Type in the username and password, like
Code Block | ||
---|---|---|
| ||
htek
123456 |
Different with the auth record file ( in this example, the filename is auth_file ) in server, the format of the auth file used by the client needs two lines to store the username and password. The first line is username, the second line is password.
After that, add the username and password equals to into the record in file /etc/openvpn/auth_file
, such as:
Code Block |
---|
htek 123456 |
5.6 Creating the tar file for the phone (client)
In the previous steps, we have prepared some files for the phone.
Now there is a new file, so in /etc/openvpn/client :
Code Block |
---|
[root@localhost client]# tar -cvpf openvpn.tar * auth.txt ca.crt client.crt client.key client.ovpn |
Now, put the new openvpn.tar file into a folder and import it into the phone.
5.7 If you don’t want to verify by a certificate
In the server.conf, add this line
Code Block | ||
---|---|---|
| ||
client-cert-not-required |
So the whole server.conf will be
Code Block |
---|
port 1194 proto udp dev tun client-cert-not-required auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env username-as-common-name script-security 3 ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/server.crt key /etc/openvpn/easy-rsa/pki/private/server.key dh /etc/openvpn/easy-rsa/pki/dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 192.168.0.0 255.255.252.0" push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 192.168.0.230" push "dhcp-option DNS 114.114.114.114" client-to-client keepalive 10 120 cipher AES-256-CBC comp-lzo max-clients 100 persist-key persist-tun status openvpn-status.log log-append openvpn.log verb 3 mute 20 explicit-exit-notify 1 |
In the client.conf, comment out these two lines
Code Block |
---|
;cert /hlfs/vpn/client.crt ;key /hlfs/vpn/client.key |
So the whole client.conf will be
Code Block |
---|
client dev tun proto udp remote 223.68.137.166 1194 resolv-retry infinite nobind persist-key persist-tun auth-user-pass /hlfs/vpn/auth.txt ca /hlfs/vpn/ca.crt ;cert /hlfs/vpn/client.crt ;key /hlfs/vpn/client.key remote-cert-tls server cipher AES-256-CBC verb 3 comp-lzo mute 20 |
6 Option: Use one file - client.ovpn
In some purpose, you may would like to contain all the files to one, that is possible.
Let’s continue with the above example in section 4. We now have at least 4 files, they are
Code Block | ||
---|---|---|
| ||
client.ovpn
ca.crt
client.crt
client.key |
We could attach ca.crt
, client.crt
and clinet.key
into the corresponding angle brackets in client.ovpn
to merge them into one file.
Below is an completly example.
Code Block |
---|
client
dev tun
proto udp
remote 223.68.137.166 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
comp-lzo
mute 20
<ca>
-----BEGIN CERTIFICATE-----
MIIDHjCCAgagAwIBAgIJAKV150fiYst9MA0GCSqGSIb3DQEBCwUAMA8xDTALBgNV
BAMMBEh0ZWswHhcNMjEwMjI3MDkwODMwWhcNNDAwNDI4MDkwODMwWjAPMQ0wCwYD
VQQDDARIdGVrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2R9KlUaT
wN2b6Y8L1bRqgKdHCj/vSFG6teETMtc2GQlLKZxnwlVxHXv82zNhs8e2YeroOU5w
YJU4fR6RJHz+xAntCiIGhrwGUTNyNOJXNeg8/gLemeG5L0LchzIToNWJjkgvzEpf
zZfAJ1Dk4Jqx4vnGc3CENfZYjDvQCVIMdgElbp/I+3eO81TK7V0B9UGAdq4V3beK
71uluMlvBvOLldQwO//H87zs9p6sD55jRrdey+i/VHOdrOqLo0Lee8ggbtjI1FEY
OpyghWoyilSyXF4xKTLOFGWW339V/G+xOcruoNzzavn1f//TNF9KLht40VwmcGZt
eU8ZgozxIoANfwIDAQABo30wezAdBgNVHQ4EFgQUMp7Ugzrxljpt05h5hALXekSg
BZUwPwYDVR0jBDgwNoAUMp7Ugzrxljpt05h5hALXekSgBZWhE6QRMA8xDTALBgNV
BAMMBEh0ZWuCCQCldedH4mLLfTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAN
BgkqhkiG9w0BAQsFAAOCAQEAjQ/Kyqe4WnbtmWy+/ibbrTff8+v9QRxqDRPSPmmX
iK0A/ESp+jeUqXDNX8NO14LUU2Uciz7dTtvKABsbpHK2Jtebzw4RIEHIHmpQSErg
pFUTzm7yama3SH4EWFR1QLcYitiTirTFl4H26/GCYZUtFYJKHH74JRgUjYtkfN2t
fWkgiVrtcYct/s2yPHXToh2AiiKqbGjx8iL0Of60lf7/fcuNqUs1TVvaQcKh6oOH
jCE4Z5JLF6l9ytDtyl9WyiuWhgZYyElpEmoEMHeGZdqYapDPhiOOSnm1I+wx17Pt
tawGNHIa9f7Yc/9GXj3gtMrb/b0KaJLPdnVrmfbDl6hx7Q==
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7c:81:36:da:37:04:09:ac:2a:9a:07:a2:d0:a6:19:be
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Htek
Validity
Not Before: Feb 27 09:09:46 2021 GMT
Not After : Feb 25 09:09:46 2031 GMT
Subject: CN=htekclient
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c9:3a:a5:7a:df:e9:52:fa:ea:b3:ab:60:55:16:
0a:f0:f3:f7:eb:6c:e1:83:a4:13:6e:54:df:be:b7:
42:df:b0:e0:bd:3d:3f:13:64:ab:1f:e3:bb:e5:81:
19:eb:4b:be:36:d7:b8:3e:5c:34:fb:97:18:2e:c3:
e0:2c:42:0e:76:aa:f8:9c:5a:83:8f:8d:06:80:2e:
03:41:d3:f5:60:99:ea:9a:68:24:45:f3:97:ea:63:
96:00:de:18:8c:7e:05:8f:30:0a:40:61:46:81:08:
08:30:5c:d8:e8:00:7d:ff:1f:a6:1c:b7:13:5f:fd:
87:aa:39:c8:7e:76:74:13:3d:ca:45:f2:c4:26:a3:
3c:e4:f4:03:18:48:41:af:cd:c9:f0:21:7e:2c:1a:
57:43:5b:19:5c:80:91:d0:e1:c2:8f:f9:93:30:9e:
43:73:5f:a0:3c:43:52:59:61:b1:3f:4a:76:ac:26:
1e:34:64:b6:cd:07:74:5a:5e:0c:22:86:a6:48:63:
d9:c9:9c:75:38:16:fe:c6:66:ad:08:46:5d:1b:6c:
09:42:90:01:d7:4b:06:fd:0e:a7:e9:45:13:f7:a8:
c9:32:80:84:db:68:4a:51:33:48:19:f1:a2:af:ae:
94:c0:4c:92:db:f1:13:e2:47:4c:9f:b8:6d:49:19:
1a:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
EC:B1:C9:8B:74:67:4F:2E:25:A5:94:A6:99:51:33:C4:FE:7F:BD:BE
X509v3 Authority Key Identifier:
keyid:32:9E:D4:83:3A:F1:96:3A:6D:D3:98:79:84:02:D7:7A:44:A0:05:95
DirName:/CN=Htek
serial:A5:75:E7:47:E2:62:CB:7D
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
7a:8d:2c:67:0e:21:01:c6:42:ef:5b:d1:87:77:20:69:b4:e5:
a8:7a:60:24:ee:67:d7:32:8b:22:5b:3f:f2:e0:d8:33:bf:a2:
d8:f6:53:7e:8f:1c:2a:87:e6:ec:a6:94:79:81:2d:f2:31:3a:
88:54:a4:81:f4:de:85:f8:dd:8e:27:9b:75:0f:67:68:ff:2b:
b3:76:65:3d:0f:5a:81:04:78:d3:26:84:1a:70:cb:a4:bb:30:
63:19:5b:a5:36:3b:d3:6f:0d:e2:9d:49:32:2a:8b:46:20:fc:
e7:60:9c:7a:f5:45:5f:27:80:51:93:49:a3:44:56:f8:dc:8e:
f7:34:6b:35:5a:48:3e:ff:3c:79:d3:ce:99:6a:2e:cd:4a:aa:
10:48:d8:f7:0c:f6:d0:cd:1d:43:86:20:7c:85:21:24:7d:44:
28:fa:cf:c2:2a:64:30:28:87:85:dc:cc:6f:1f:56:fc:cd:e6:
a7:81:99:ed:32:20:43:39:10:45:15:bb:24:47:a5:a5:7d:e6:
40:ba:46:bb:67:e5:d2:4c:d8:83:6d:cf:64:4a:65:ac:8f:c2:
0a:ec:20:4c:42:66:b5:42:1c:e9:fa:67:58:e3:87:6f:bd:98:
7c:98:99:91:39:fc:be:4b:ec:7b:5b:39:e8:ec:d0:a7:eb:2c:
d5:78:ad:75
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIQfIE22jcECawqmgei0KYZvjANBgkqhkiG9w0BAQsFADAP
MQ0wCwYDVQQDDARIdGVrMB4XDTIxMDIyNzA5MDk0NloXDTMxMDIyNTA5MDk0Nlow
FTETMBEGA1UEAwwKaHRla2NsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMk6pXrf6VL66rOrYFUWCvDz9+ts4YOkE25U3763Qt+w4L09PxNkqx/j
u+WBGetLvjbXuD5cNPuXGC7D4CxCDnaq+Jxag4+NBoAuA0HT9WCZ6ppoJEXzl+pj
lgDeGIx+BY8wCkBhRoEICDBc2OgAff8fphy3E1/9h6o5yH52dBM9ykXyxCajPOT0
AxhIQa/NyfAhfiwaV0NbGVyAkdDhwo/5kzCeQ3NfoDxDUllhsT9KdqwmHjRkts0H
dFpeDCKGpkhj2cmcdTgW/sZmrQhGXRtsCUKQAddLBv0Op+lFE/eoyTKAhNtoSlEz
SBnxoq+ulMBMktvxE+JHTJ+4bUkZGvsCAwEAAaOBkDCBjTAJBgNVHRMEAjAAMB0G
A1UdDgQWBBTsscmLdGdPLiWllKaZUTPE/n+9vjA/BgNVHSMEODA2gBQyntSDOvGW
Om3TmHmEAtd6RKAFlaETpBEwDzENMAsGA1UEAwwESHRla4IJAKV150fiYst9MBMG
A1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOC
AQEAeo0sZw4hAcZC71vRh3cgabTlqHpgJO5n1zKLIls/8uDYM7+i2PZTfo8cKofm
7KaUeYEt8jE6iFSkgfTehfjdjiebdQ9naP8rs3ZlPQ9agQR40yaEGnDLpLswYxlb
pTY7028N4p1JMiqLRiD852CcevVFXyeAUZNJo0RW+NyO9zRrNVpIPv88edPOmWou
zUqqEEjY9wz20M0dQ4YgfIUhJH1EKPrPwipkMCiHhdzMbx9W/M3mp4GZ7TIgQzkQ
RRW7JEelpX3mQLpGu2fl0kzYg23PZEplrI/CCuwgTEJmtUIc6fpnWOOHb72YfJiZ
kTn8vkvse1s56OzQp+ss1XitdQ==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJOqV63+lS+uqz
q2BVFgrw8/frbOGDpBNuVN++t0LfsOC9PT8TZKsf47vlgRnrS74217g+XDT7lxgu
w+AsQg52qvicWoOPjQaALgNB0/VgmeqaaCRF85fqY5YA3hiMfgWPMApAYUaBCAgw
XNjoAH3/H6YctxNf/YeqOch+dnQTPcpF8sQmozzk9AMYSEGvzcnwIX4sGldDWxlc
gJHQ4cKP+ZMwnkNzX6A8Q1JZYbE/SnasJh40ZLbNB3RaXgwihqZIY9nJnHU4Fv7G
Zq0IRl0bbAlCkAHXSwb9DqfpRRP3qMkygITbaEpRM0gZ8aKvrpTATJLb8RPiR0yf
uG1JGRr7AgMBAAECggEBAL4MrY1HPE4qvM/D4894agz33gZzZum1ZMSnVEoDOx2Z
KCiSV6gxQ41ywFsZeylG9/dD9bavzzpukWBZjrc+C/r3rqW8ttQ1FRaqXlklnnIF
7BS4lsmaLrgoJdvb5sOJoiaB8KytMrFarKFAj3tOO7FgarpkDeByylZzDHCj3yzr
WQ10mblopXU7Ux1N2fyW496H8DkCkLKsvLqthR6h3sW31cH9GgoEDHPSIC/OIwWB
oH6j7/FQVOQeguuIaYsfFIhgr5Uyd/yQrWXMkbfXBr/Pzw6XyAdfrFFmYqa50x3Q
VyPEjhX5om0Cm5aji5hOViFhrDRZ8eZdv884tBdw98ECgYEA8v+WwW4s04xupdsf
PdpzyV0SQ3/LtRlZAwFMqiCyfYt80raIgWUEvUoFzD6CgSmHbXpqfD8yDTyU1di9
f0maN7p+FW1XPIdYyIbYyFvZ+tBTsc2RxCRuUYG0AGcDXwyxLMl0DDddstmGtrVn
FcUA2RRusYxESOfOM9XWu4GLgd8CgYEA0/7uwhu/xZH1Q/2HSPGSYcOM5tMkAmUM
HYnp0oco9egJoAsYyRMHPzqCh0FLLLHqt2Z03SFNgQNp41IIfa21V5f3u92aGmtJ
/+Qw2juO1Yr13m239+MSfo0+UH/8+c7chlLl0SxUvVvLGv/kTu1qvKHPERke8/CU
zIAxbBiY4mUCgYAvWUIk2rT9W6XLx5Ck2sYo/Gusn2AwH4pKnZw0oj5lXCKsZEjg
/bAYui27CIshY9gxquLI5v93uNA/gwYZoVvddAdRYYbYEn9oQ25GTC+DQcitIqM+
luKwGxfZ5Dix8qUrVu2326n0SZKIU3yMr2Bk7ChNjElZ82EolIhM7Qcj/QKBgE+i
5bf/SpQCV3taAvcQ4GdfWU/goxdPNDToePDAG0/9AZigcogeYMuMxDng+kdo8n5A
u8fR2daMHLvrNgtYNNYZ3VMyVNB120+IPh3M38QyNlh/KOuy3mCx2GXPHo4M+mRv
QavJFnAnym1zESXhJAaGVk3a/PiwOIV15prvxobNAoGBAJnomqvnSs9jCKznUJTT
WyH/HDeBW0dSiu6j8sUqT8aBgoMgv3E/tp4Oi/w9a6JPDOgxEI1tcGQDWUTOb7M4
M0jTWOz6QCMV5qOwbiwk0UV6A2BokCZuH5k4p2ZZzhtjOD4caZ3sN6lJpsa3vfBa
dxclHQ+uusQgrAXxPo6bBwPq
-----END PRIVATE KEY-----
</key> |
All done, now you could just import this client.ovpn
file into the phone, no need to pack the files to a .tar file.
Please note that if you use password authentication at the same time, the authenticate information file, e.g., auth.txt
cannot be attached to the client.ovpn
.
You still need to use a line in client.ovpn
to point to its path auth-user-pass /hlfs/vpn/auth.txt.
And you still need to pack the client.ovpn
and auth.txt
to a .tar file.