.ovpn to .apc Converter Revisited

The Astaro Security Gateway (ASG) is a great firewall and remote access solution. Its one flaw is that Astaro, too, tries to build a walled garden around its suite of products. One major drawback: while the ASG has outstanding capabilities as a remote access server, there is no easy way to use it as a client to connect to an OpenVPN SSL server. The main show stopper is that the ASG expects to get all of its connection information from a .apc file, while OpenVPN at best provides a .ovpn file, which has a completely different structure.
Back in 2009 Patrick Schneider provided a simple bash script that would convert .ovpn files, together with the certificate and key files they reference, into a .apc file the ASG could read. Unfortunately the script stopped working with newer ASG releases. Since I needed the functionality for a current project, I resurrected the code and polished and updated it a bit. The result can now be found on Gitorious: the new OVPN-to-APC converter script. Feel free to clone and enhance.

Update: I just pushed a new version to Gitorious that also handles the new .ovpn format produced by the OpenVPN Access Server.

63 thoughts on “.ovpn to .apc Converter Revisited”

  1. Alois

    Hello,

    Thank you so much for reviving this script. I am not good at Linux; can you please tell me how to use the script? Where do I place it and run it?

    Thank you

  2. Alois

    I managed to use the script but when I execute,
    sudo sh ovpn-to-apc.sh client.ovpn atsaro.apc [myusername [mypassword]]
    I always get
    cat: : No such file or directory
    0:0:1

  3. Stefan Rubner Post author

    Alois,
    there’s no need to run the script as superuser using ‘sudo’. It is intended to be run on a local Linux workstation. For a successful run you need to have a .ovpn file (if you don’t have one, you can create one from the dummy.ovpn provided on Gitorious) as well as the ca.crt file and the key and the certificate referenced in the .ovpn file.
    Then you just run

    ./ovpn-to-apc.sh your.ovpn your.apc

    The “myusername” and “mypassword” parameters are optional. Be aware, however, that with the recent 8.303/8.304 updates Astaro changed the way TLS auth is done. I’ll provide an updated script to cater for that soon.

  4. Alois

    Thank you for taking time to help out.
    When I run the command on my Linux server (Ubuntu 10.04) the result is

    cat: : No such file or directory
    0:0:1
    ./ovpn-to-apc.sh: line 135: printf: missing hex digit for \x

    I got the client.ovpn file as a download from my OpenVPN Access Server and I have no idea where to get the certificates and keys from.
    I have opened the client.ovpn file with a text editor and copied the keys and certificates into the dummy.ovpn, and when I run it, it executes and the result reads

    703:2BF:3

    However, on uploading the file to Astaro, it claims the file is corrupt. I am using Astaro 8.202.

    What could I be doing wrong?
    Again, thank you so much for the script and assistance

    Alois

  5. Stefan Rubner Post author

    I see. So you have a .ovpn file in the new XMLish format where the certificates and keys are part of the .ovpn file itself. Unfortunately I don’t have an Access Server available and thus I can’t provide a converter for that type of file. If you could send me the original .ovpn with the certs and keys (but only those, not the enclosing XML tags!) replaced with “XXXXXX” I’d be willing to see what I can do. Just drop me an email at stefan [at] whocares [dot] de.

  6. Stefan Rubner Post author

    Oops. Of course you can edit other sensitive information as well, as long as the general structure of the .ovpn file stays intact. So if you need to replace an IP address, replace it with 12.34.56.78 for example, or if it’s a URI use xxx.yyy.zzz.

  7. Alois

    Just sent you the files. I didn’t change a thing, they are from my dev server so no security risk.

    Thanks

  8. coewar

    What you stated about Astaro is dead on and something I’ve also been expressing in their forums. One of the biggest things that the router is fully capable of, but their GUI puts a screeching halt to, is certain standard IPsec VPN features.

    I have posted several feature requests and comments to existing ones regarding these things:
    http://feature.astaro.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/2506490-expand-ipsec-conf-control-to-webadmin
    http://feature.astaro.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/2479510-can-change-the-local-vpn-id-in-psk

    http://feature.astaro.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/2716772-networking-server-load-balancing-to-one-ip

  9. Pingback: Astaro ASG as OpenVPN Access Server client | WhoCares?

  10. Kinthamen

    So did you ever fix the error Alois had, and if so, how? I’m getting a very similar error.

    cat: : No such file or directory
    ./ovpn-to-apc.sh: line 308: printf: missing hex digit for \x

    I also don’t know if it matters but even though I leave the user and pass blank when i run the script it later prompts me for a password. I don’t really have a password unless I am missing it on the .ovpn file.

    Can you help?

    Kinthamen

  11. Stefan Rubner Post author

    No, I didn’t fix it for lack of time. Since your error is a bit different I suspect your problem is that the cert/key files aren’t in the path that is given in the .ovpn file. Check the locations there and fix the paths if needed.
    As for the user/password thing: although you may not have one set, the Astaro *requires* one to be present – even if it’s not needed later on. That’s why you’re being asked to provide some, which of course can be made up ;)

  12. Shaun Mccullagh

    Hi Stefan,

    Thank you for writing the converter, which executes perfectly on my Debian Squeeze machine.

    However when I load it into my Astaro, I get this error:

    2012:08:06-16:07:44 fw-1 openvpn[12364]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    2012:08:06-16:07:44 fw-1 openvpn[12364]: TLS Error: TLS object -> incoming plaintext read error
    2012:08:06-16:07:44 fw-1 openvpn[12364]: TLS Error: TLS handshake failed

    My Astaro is running 8.203

    My ovpn file look like this:

    client
    dev tun
    proto udp
    remote 7.18.16.1 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    ns-cert-type server
    cipher AES-128-CBC
    comp-lzo
    verb 3
    mute 10

    I created my ca, crt and key files using easy-rsa 2.0 distributed with OpenVPN v2.1.3

    Please could you tell me where I am going wrong?

    TIA

    Shaun

  13. Shaun Mccullagh

    Just checked my certificates as follows:

    openssl verify -CAfile ca.crt /opt/rsa/keys/server.crt
    /opt/rsa/keys/server.crt: OK

    openssl x509 -subject -issuer -noout -in client.crt
    subject= /C=NL/ST=NH/L=Amsterdam/O=ohpen.nl/CN=astaro-den-haag.foo.nl/emailAddress=shaun.mccullagh@blah.nl
    issuer= /C=NL/ST=NH/L=Amsterdam/O=ohpen.nl/CN=ap.rs.robeco.mgmt.foo.nl/emailAddress=shaun.mccullagh@blah.com

    openssl verify -CAfile ca.crt client.crt
    client.crt: OK

  14. Pingback: Computers behind OpenVPN Client cannot reach Clients behind Astaro - Astaro User Bulletin Board

  15. Kevin Morse

    I’m attempting to use this to convert a .ovpn to .apc for Sophos UTM 9.

    I have all of the files in the same directory as the shell script and it runs properly however the output file is “corrupt” according to UTM 9.

    When I created an .apc file on the UTM and downloaded it I noticed what I think is the problem. The .apc I downloaded had characters such as EOT BEL EOT whereas the output.apc from the shell script has \x04 \x06 \x04

    This appears to be some sort of encoding error. Do you have any suggestions as to why this is happening and how I could resolve it?

  16. Pingback: Requesting votes for OpenVPN Feature - Astaro User Bulletin Board

  17. Jared

    I’m having trouble getting a connection to convert that doesn’t use user certs. The contents of the ovpn file are below.

    I made some changes to the script to skip over the cert and key sections if they don’t exist but astaro say the config is corrupted. Any ideas? Does astaro require the connection to use user certs?

    client
    dev tun
    proto udp
    remote example.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    tls-client
    remote-cert-tls server
    auth-user-pass
    comp-lzo
    verb 1
    reneg-sec 0

  18. Stefan Rubner Post author

    Exactly, Astaro requires the use of certificates.

  19. Medric

    I don’t have access to Linux. Could you convert my file for me please, or give me the details needed to create my own from an ovpn to apc manually?

  20. Medric

    I got access to a CentOS 6.3 box and I get an error when I run ./ (I get permission denied even as root), and if I do sh ./ or sh .ovpn-to-apc.sh I get the error
    line 2 !DOCTYPE No such File or Directory
    line 3 syntax error near unexpected token `newline’
    and line 3 “http://www.w3.org/TR/html4/strict.dtd”>

  21. Stefan Rubner Post author

    That’s because you downloaded the HTML page instead of the actual file. Try to switch to the “raw” display and download that one.

  22. Medric

    I have downloaded the raw file and the dummy ovpn, edited it with my info and ran the script. The new apc file loaded into Astaro but still did not work?

  23. Johan

    I get the same problem as Kinthamen –

    cat: : No such file or directory
    ./ovpn-to-apc.sh: line 308: printf: missing hex digit for \x

    I have the ca.cert and tls.key in the same dir.

    The ovpn file looks like this:

    client
    dev tun
    proto udp
    xxx.xxx.com xxxx
    xxx.xxx.com xxxx
    remote-random
    resolv-retry infinite
    reneg-sec 0
    nobind
    persist-key
    persist-tun
    ca ca.crt
    ns-cert-type server
    tls-auth tls.key 1
    comp-lzo
    verb 3
    mute 10
    auth-user-pass
    explicit-exit-notify 2
    cipher aes-256-cbc

    Thanks for any help!

  24. Stefan Rubner Post author

    I just updated the Gitorious repo, could you please try with the new version from there?

    -Stefan

  25. johan

    sudo: ./ovpn-to-apc.sh: command not found

    not sure why i get command not found…

  26. Stefan Rubner Post author

    Johan,

    What operating system are you using? Just so I know where to test on ;)

    -Stefan

  27. Stefan Rubner Post author

    Ok, on closer inspection of your .ovpn file I noted some things:

    1) there’s no cert for the user specified. This will break the script, it expects to find a line of the form “cert <name of user cert file>”
    2) the script currently can’t deal with “remote-random”, it expects the remote side to be defined in one line like “remote <ip address or hostname> <port>”

    So it’d be nice if you could tell me on what version of OpenVPN you created the script and how you did it so I can generate and test a matching config on my box here.

    -Stefan

  28. Johan

    OSX gives me command not found

    KALI Linux gives me – line 323: printf: missing hex digit for \x

    I can send you the package with the files if you want…

  29. Stefan Rubner Post author

    No need to send me the files. I guess I’m going to rewrite the stuff in Python anyway ;) But the main problem with your setup seems to be what I outlined in my last post above: The Astaro can’t deal with remote-random anyway, so you’d have to select a host. And specify a user certificate file. If you could do that for a test and see whether it at least produces some output without error, that would be great.

    -Stefan

  30. Johan

    More info…

    Getting CA information: ca.crt
    Getting Key Information:
    Getting Cert information:

    I have a tls.key but I dont have a cert. However the script cant find the Key….hm…

    The line in the ovpn file is – tls-auth tls.key 1

    Any ideas?

  31. Stefan Rubner Post author

    Ok, my fault. The config is missing *both*, the user’s key file and the user’s certificate file. While not needed by OpenVPN since you can simply do a Username/Password authentication, both are required on the Astaro/Sophos side of the equation. So you need to set up the connection on the OpenVPN side to use a key/certificate pair that *may* additionally be secured by a Username/Password combination.

    -Stefan

  32. Johan

    Using input file : client.ovpn

    Getting CA information : ca.crt
    Getting Key information :
    Getting Cert information: ca.cert

    But why doesnt it find the key?

  33. Stefan Rubner Post author

    Contact me on Skype if possible, I sent you the information by email.

    -Stefan

  34. Dan Q

    The script isn’t pulling the remote port in to the apc. Any manual entry I’ve made leads to a corrupt file.
    Using standard character representation, the final lines look like this:

    ^@^K^@^@^@server_port
    ^\openvpn.host.com^N^@^@^@server_address

    Suggestions?

  35. Stefan Rubner Post author

    I’d be more interested in the original line(s) with the remote site and port specification ;) You can change the values there if you want, I just need to see the line(s) in the exact format as produced by whatever export function you were using.

    -Stefan

  36. Dan Q

    foo.ovpn:

    client
    remote foo.bar.com 9081
    dev tun
    proto udp
    auth-user-pass

    I figured out the issue, in the get_host_proto function my ovpn config isn’t meeting the isxml condition, yet my config should be handled the “old way”. The following edit to the function gets the job done.

    get_host_port_proto() {
            if [ -z "${isxml}" ]; then
                    # do it the old way: "remote <host> <port>" plus a "proto" line
                    RemHost=$(grep "^remote " "${OvpnFile}" | cut -d ' ' -f2 | tr -d '\r\n')
                    RemPort=$(grep "^remote " "${OvpnFile}" | cut -d ' ' -f3 | tr -d '\r\n')
                    RemProto=$(grep "^proto " "${OvpnFile}" | cut -d ' ' -f2 | tr -d '\r\n')
            else
                    # Check whether we have a protocol statement
                    RemLine=$(grep "^proto " "${OvpnFile}")
                    if [ -z "${RemLine}" ]; then
                            # Ok, looks like a load balancing setup
                            # So we just pick the first of the UDP lines since
                            # Access Server seems to like those better
                            RemHost=$(grep "^remote .*udp" "${OvpnFile}" | head -n1 | awk '{ print $2 }')
                            RemPort=$(grep "^remote .*udp" "${OvpnFile}" | head -n1 | awk '{ print $3 }')
                            RemProto="udp"
                    else
                            # Host and proto come from their own lines either way;
                            # the port comes from a "port" statement if there is one,
                            # otherwise we fall back to the third word of the remote line
                            # (anchored with a trailing space so "remote-cert-tls" and
                            # "port-share" lines are not picked up by mistake)
                            RemHost=$(grep "^remote " "${OvpnFile}" | cut -d ' ' -f2 | tr -d '\r\n')
                            RemProto=$(grep "^proto " "${OvpnFile}" | cut -d ' ' -f2 | tr -d '\r\n')
                            RemLine2=$(grep "^port " "${OvpnFile}")
                            if [ -z "${RemLine2}" ]; then
                                    RemPort=$(grep "^remote " "${OvpnFile}" | cut -d ' ' -f3 | tr -d '\r\n')
                            else
                                    RemPort=$(grep "^port " "${OvpnFile}" | cut -d ' ' -f2 | tr -d '\r\n')
                            fi
                    fi
            fi
    }

  37. Stefan Rubner Post author

    Great that it works for you. But what I’d be interested in is why it fails the first [ -z “${isxml}” ] condition, because that’s where your config should be handled. For some reason the script handles your .ovpn as if it were an XML file, which it clearly isn’t.

    -Stefan

  38. Dan Q

    The check for xml is based on the grep for . In my ovpn the ca, cert, and key elements are tagged.
    Here’s the anonymized ovpn.
    client
    remote foo.bar.com 9081
    dev tun
    proto udp
    auth-user-pass

    dhcp-renew
    dhcp-release

    resolv-retry infinite
    redirect-gateway def1
    persist-key
    persist-tun
    nobind
    cipher AES-256-CBC
    auth MD5
    ping 5
    ping-exit 60
    ping-timer-rem
    explicit-exit-notify 2
    script-security 2
    remote-cert-tls server
    route-delay 5
    tun-mtu 1500
    fragment 1300
    mssfix 1300
    verb 4
    comp-lzo

    -----BEGIN CERTIFICATE-----
    CUTCERTIFICATE
    -----END CERTIFICATE-----

    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CUT ISSUER
    Validity
    Not Before: Mar 6 02:36:02 2014 GMT
    Not After : Mar 3 02:36:02 2024 GMT
    Subject: CUT SUBJECT
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
    CUT MODULUS
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    X509v3 Subject Key Identifier:
    CUT ID
    X509v3 Authority Key Identifier:
    CUT ID

    X509v3 Subject Alternative Name:

    Signature Algorithm: sha1WithRSAEncryption
    CUT ALGORITHM
    -----BEGIN CERTIFICATE-----
    CUT CERTIFICATE
    -----END CERTIFICATE-----

    -----BEGIN PRIVATE KEY-----
    CUT KEY
    -----END PRIVATE KEY-----


  39. Stefan Rubner Post author

    Oh well, I admit that the “XML detection” is rather crude to begin with. So I guess I need to rewrite the whole thing to have better XML detection and fix some other things while I’m on it.

  40. Dan Q

    While you’re at it… ;). The new 9.2 ASG breaks the config. It musses up the tls-auth line and ovpn complains about no closing quote.

  41. Dan Q

    Sure. The applicable lines from the .apc

    MyPasswordpassword
    .tls-auth /etc/ta_foobar.key
    key-direction "1    server_dn

    Import to the ASG (9.2 Beta)
    It spits out the following config to /var/chroot-openvpn/etc/openvpn/client/REF_SslCliName/config

    remote 1111.222.111.222 9081
    tls-remote "tls-auth /etc/ta_foobar.key
    key-direction &quot;1"

    Note tls-remote is followed by a quote, then the tls-auth line.
    Also the key-direction now has the HTML-compliant &quot; rather than the quotation mark.
    This seems like the location where the ASG is being tricked in to adding a few extra lines…and they just aren’t coming out right in the new release.

  42. Stefan Rubner Post author

    Great, thanks a lot! Unfortunately I can’t currently afford to upgrade to 9.2 beta for I need the Astaro up and running but I’ll have a look on a VM if I find the time.

  43. Aaron

    Hi Dan –

    Check your script… I had the same issue, and found some extra hex characters that came down via copy/paste at around line 125/126, which when removed, pulls the beginning ” out of line 9.

    Now that I’ve gotten past that, I’m having issues with an empty key file, and Sophos choking on that. I’ve tried manually updating the key file, but so far, I haven’t had much luck. Anyone else seen that, or have an example of what a key file should look like (without providing any passwords, etc.. of course).

    Thanks,

    Aaron

  44. Aaron

    Looks like a lot of my issues have to do with the ovpn file(s) I have. They’re missing certain data that the script is looking for, and causing issues. I’ll keep researching, but if anyone has any thoughts or suggestions, or experience with HMA openvpn files, I’d appreciate any feedback.

    Thanks in advance.

  45. Stefan Rubner Post author

    I’m currently rewriting the whole thing in Python and I already found some bugs and inconsistencies that will get fixed. However, for the time being I suggest to use the dummy.ovpn as a general guideline for what is needed in the .ovpn file.
    The key file is the key that belongs to the user certificate and as such is a standard openssl key file.

    -Stefan
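A parser for the two .ovpn flavours that come up in this thread, added here as an example; it is not code from the ovpn-to-apc script, from its announced Python rewrite, or from Astaro/Sophos. It reads the classic profile (ca/cert/key lines pointing at files next to it, tls-auth with the key direction on the same line) and the Access Server export (inline <ca>, <cert>, <key> and <tls-auth> blocks, with the x509 text dump in front of the certificate as in the profile Dan Q posted) and enforces the gateway-side rules stated in the comments above: a CA, user certificate and user key are required even with auth-user-pass, a username/password is expected even if unused, remote-random is not supported, and of several remote lines the first UDP one is used, as the script does. The function names parse_ovpn and conversion_error, the read_file hook and the sample profiles and certificate stubs are mine, constructed for the example.

```python
import re

class OvpnError(ValueError):
    """The profile cannot become a single-server, certificate-based client config."""

# Inline blocks as Access Server exports write them (<ca>, <cert>, <key>, <tls-auth>).
_INLINE_RE = re.compile(r"<(ca|cert|key|tls-auth)>\s*(.*?)\s*</\1>", re.DOTALL)
# PEM armour only: an Access Server <cert> block also carries an 'openssl x509 -text'
# dump in front of the certificate, which must not end up in the gateway config.
_PEM_RE = re.compile(r"-----BEGIN [^-]+-----.*?-----END [^-]+-----", re.DOTALL)

def parse_ovpn(text, read_file=None):
    """Parse classic (file-referencing) or inline-style .ovpn text into a dict.
    read_file maps a referenced filename to its contents (default: current directory)."""
    read_file = read_file or (lambda name: open(name, encoding="utf-8").read())
    inline = {m.group(1): m.group(2) for m in _INLINE_RE.finditer(text)}
    opts = {}                                   # directive -> argument lists (may repeat)
    for raw in _INLINE_RE.sub("", text).splitlines():
        words = raw.strip().split()
        if words and words[0][0] not in "#;":
            opts.setdefault(words[0], []).append(words[1:])
    warnings = []

    # Remote endpoint: the gateway dials one server, so remote-random is out and of
    # several 'remote' lines the first UDP one is taken (the script does the same).
    if "remote-random" in opts:
        raise OvpnError("remote-random is not supported; keep a single 'remote' line")
    remotes = [r for r in opts.get("remote", []) if r]
    if not remotes:
        raise OvpnError("no 'remote <host> [port] [proto]' line found")
    default_proto = opts["proto"][0][0] if opts.get("proto") else "udp"
    proto_of = lambda r: (r[2] if len(r) > 2 else default_proto).lower()[:3]
    chosen = next((r for r in remotes if proto_of(r) == "udp"), remotes[0])
    if len(remotes) > 1:
        warnings.append(f"{len(remotes)} remote lines; using {' '.join(chosen)}")
    port = chosen[1] if len(chosen) > 1 else (opts["port"][0][0] if opts.get("port") else "1194")

    # Key material: an inline block wins, otherwise the referenced file is read.
    def material(name):
        blob = inline.get(name)
        if blob is None and opts.get(name) and opts[name][0]:
            blob = read_file(opts[name][0][0])
        if blob is None:
            return None
        pems = [m.group(0) for m in _PEM_RE.finditer(blob)]
        if not pems:
            raise OvpnError(f"{name}: no PEM data found")
        return "\n".join(pems)                  # a <ca> block may hold a chain

    prof = {"remote_host": chosen[0], "remote_port": int(port), "proto": proto_of(chosen),
            "ca": material("ca"), "cert": material("cert"), "key": material("key"),
            "tls_auth": material("tls-auth"), "auth_user_pass": "auth-user-pass" in opts,
            "key_direction": opts["key-direction"][0][0] if opts.get("key-direction") else None,
            "warnings": warnings}
    missing = [n for n in ("ca", "cert", "key") if prof[n] is None]
    if missing:   # the case the script only reports as 'cat: : No such file or directory'
        raise OvpnError("the gateway needs a CA, user cert and key even with "
                        "auth-user-pass; missing: " + ", ".join(missing))
    ta = opts.get("tls-auth", [[]])[0]          # 'tls-auth ta.key 1' carries the direction
    if prof["tls_auth"] and prof["key_direction"] is None and len(ta) > 1:
        prof["key_direction"] = ta[1]
    if not prof["auth_user_pass"]:
        warnings.append("no auth-user-pass: the gateway still wants a username/password")
    return prof

def conversion_error(text, read_file=None):
    """Return why a profile is unusable, or None when it parses."""
    try:
        parse_ovpn(text, read_file)
        return None
    except OvpnError as e:
        return str(e)

# Constructed sample input (not from the page): a classic profile plus the files it
# references, and an Access Server style export with inline blocks and two remotes.
PEM = lambda label, body: f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
CLASSIC_OVPN = ("client\ndev tun\nproto udp\nremote vpn.example.net 1194\nca ca.crt\n"
                "cert client.crt\nkey client.key\ntls-auth ta.key 1\nremote-cert-tls server\n")
FAKE_FILES = {"ca.crt": PEM("CERTIFICATE", "MIIBCA"), "client.crt": PEM("CERTIFICATE", "MIIBCLIENT"),
              "client.key": PEM("PRIVATE KEY", "MIIBKEY"), "ta.key": PEM("OpenVPN Static key V1", "deadbeef")}
INLINE_OVPN = ("client\nremote as.example.net 443 tcp\nremote as.example.net 1194 udp\nauth-user-pass\n"
               + "<ca>\n" + PEM("CERTIFICATE", "MIIBCA") + "</ca>\n"
               + "<cert>\nCertificate: (x509 text dump, as Access Server emits it)\n"
               + PEM("CERTIFICATE", "MIIBCLIENT") + "</cert>\n"
               + "<key>\n" + PEM("PRIVATE KEY", "MIIBKEY") + "</key>\n")

if __name__ == "__main__":
    for label, text, files in (("classic", CLASSIC_OVPN, FAKE_FILES.__getitem__),
                               ("inline", INLINE_OVPN, None)):
        p = parse_ovpn(text, files)
        print(label, p["remote_host"], p["remote_port"], p["proto"], p["warnings"])
    print(conversion_error(CLASSIC_OVPN.replace("cert client.crt\n", ""), FAKE_FILES.__getitem__))
```

Run the checks before anything is serialised: a profile that is missing the user cert or key is refused with the reason, instead of an empty filename reaching cat and the half-written output being reported as "corrupt" by the gateway. The read_file hook exists so the parser can be unit-tested against an in-memory file set; in real use the default reads the referenced files from the current directory, which is where the shell script expects them too.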

  46. Aaron

    Great, thanks for the guidance, as well as your efforts around this! Let me know if you would like any assistance in testing, or if I may be able to help at all.

    Aaron
