.ovpn to .apc Converter Revisited

The Astaro Security Gateway (ASG) is a great firewall and remote access solution. Its only flaw is that Astaro, too, tries to build a walled garden around its suite of products. One major drawback is that while the ASG has outstanding capabilities as a remote access server, there’s no easy way to use it as a client to connect to an OpenVPN SSL server. The main showstopper is that the ASG expects to get all its connection information from a .apc file, while OpenVPN at best provides a .ovpn file, which has a completely different structure.
Back in 2009 Patrick Schneider provided a simple bash script that would convert .ovpn files together with the needed certificates and key files into a .apc file the ASG could read. Unfortunately the script stopped working with newer ASG releases. Since I needed the functionality for a current project, I resurrected the code, polished and updated it a bit. The result can now be found on Gitorious: the new OVPN-to-APC converter script. Feel free to clone and enhance.

Update: Just pushed a new version to Gitorious that now handles the new .ovpn format provided by the OpenVPN Access Server as well.

63 thoughts on “.ovpn to .apc Converter Revisited”

  1. John

    Hi Stefan.
    I am using ASG 9.111-7, and when I am trying to connect to my remote OpenVPN server I get the same error as Dan Q on ASG 9.2: Options error: No closing quotation (“) in /etc/openvpn/client/REF_SslCliOpenvClien/config:9. I thought this problem is only on ASG version 9.2, not 9.1 too. Is there any solution to my problem?

    Thanks, John.

  2. Aaron

    Hi John –

    Did you see the reply I posted to Dan’s comment? I had the same issue, and at least in my case, was able to fix it by pulling out those extra characters.

    Aaron

  3. John

    Hi Aaron.
    I must say I didn’t notice your post (solution). I think I managed to solve that problem by editing the script in line 129:

    echo "tls-auth /etc/${tafile:2}" >> ${takey}

    But now, I’m getting this error in my log: [server] Inactivity timeout (--ping-restart), restarting. And I’m not sure what is the source of the problem here. Can you please tell me what exactly you changed in your edit of the script (pulling out extra characters), so I can try your way. Thanks.

  4. Aaron

    Hi John –

    If you scroll back, do you see any errors during execution? If so, that’s what tipped me off to look for the extra characters. I just edited the file in vi, and removed the extra non-readable characters at ~ line 125.

    That said, once I got past that, I still ran into a number of errors that I had to work through. I really recommend using the dummy.ovpn file, and customizing it. It was much easier to edit that file and get it working, rather than tailoring the vendor-supplied ovpn file.

    Good Luck!

  5. Stefan Rubner Post author

    Aaron,

    I’d still be interested in the vendor-supplied ovpn file so that I can see where the bash script went wrong and possibly catch those cases in the Python version. So if you could send me an edited version with all sensitive data removed, that would be great.

    -Stefan

  6. Aaron

    Stefan –

    Sure, I will reach out to you on G+ for contact info.

    Aaron

  7. Kristof

    Hi Stefan,

    I have the same issue in line 9,
    “No closing quotation (“) in /etc/openvpn/client/REF_SslCliGts/config:9”
    and
    ERR_MGMT_ITF

    on ASG 9.203-3

    Any idea?

    Thank you.

    Kristof

  8. Stefan Rubner Post author

    Depends on what the Astaro thinks is on line 9. Without that information it’s pretty hard to guess. Could be some additional quotation character on the input or a real fault of the converter.

    -Stefan
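
A pre-flight check for the failure discussed in the comments above (stray non-readable characters and an unterminated quote ending up in the generated config), as an added example that is not part of the converter script or of any commenter's code. The function names and the sample config are constructed for illustration, and the quoting rules are an approximation of OpenVPN's option parser.

```python
import re

# Inline blocks such as <ca>...</ca> carry PEM data, not quoted options.
INLINE_TAG = re.compile(rb"^\s*<(/?)([A-Za-z0-9_-]+)>\s*$")

def unclosed_quote(line: bytes):
    """Return the quote left open on an option line, or None (approximation
    of OpenVPN's quoting: backslash escapes, '#'/';' start a comment)."""
    state, escaped, prev = None, False, " "
    for ch in line.decode("latin-1"):
        if escaped:
            escaped = False
        elif ch == "\\" and state != "'":
            escaped = True
        elif state is None and ch in "#;" and prev.isspace():
            break
        elif state is None and ch in "\"'":
            state = ch
        elif ch == state:
            state = None
        prev = ch
    return state

def scan_config(data: bytes):
    """Return (line_number, problem) tuples for a client config."""
    findings, inline = [], None
    for no, line in enumerate(data.split(b"\n"), 1):
        bad = sorted({b for b in line if b != 9 and (b < 32 or b > 126)})
        if bad:
            codes = " ".join(f"0x{b:02x}" for b in bad)
            findings.append((no, "non-printable bytes: " + codes))
        tag = INLINE_TAG.match(line)
        if tag:
            inline = None if tag.group(1) else tag.group(2)
        elif inline is None:
            quote = unclosed_quote(line)
            if quote:
                findings.append((no, f"no closing {quote} quotation"))
    return findings

# Constructed sample: CRLF on line 1, unterminated quote on line 3,
# a non-breaking space (UTF-8 c2 a0) on line 8.
SAMPLE = (b"client\r\nremote vpn.example.org 1194\n"
          b"tls-auth \"/etc/ta.key 1\n"
          b"<ca>\n-----BEGIN CERTIFICATE-----\n(constructed)\n</ca>\n"
          b"remote-cert-tls\xc2\xa0server\n")

if __name__ == "__main__":
    for no, problem in scan_config(SAMPLE):
        print(f"line {no}: {problem}")
```

Running it against both the input .ovpn file and the config text the converter writes shows whether the offending bytes were already in the vendor file or were introduced during conversion.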

  9. xianx

    Hi Stefan,

    Is there a place with an example of how to run the script?

    Can you please provide me with instructions on how to convert an ovpn file to apc for use on Sophos UTM 9.3.

    Like an example which command I need to use to run the batch script in Windows or Linux (Ubuntu).

    For me also for using the privateinternetaccess

    Me very NooB at this point.

    Thanks

  10. Stefan Rubner Post author

    What’s the problem you’re having? Maybe I can sort it out without providing an inherently insecure web interface.
