The Astaro Security Gateway (ASG) is a great firewall and remote access solution. Its one flaw is that Astaro, too, tries to build a walled garden around its suite of products. One major drawback is that while the ASG has outstanding capabilities as a remote access server, there is no easy way to use it as a client connecting to an OpenVPN SSL server. The main show stopper is that the ASG expects to get all of its connection information from a .apc file, while OpenVPN at best provides a .ovpn file, which has a completely different structure.
Back in 2009 Patrick Schneider provided a simple bash script that converted .ovpn files, together with the needed certificates and key files, into a .apc file the ASG could read. Unfortunately the script stopped working with newer ASG releases. Since I needed the functionality for a current project, I resurrected the code and polished and updated it a bit. The result can now be found on Gitorious: the new OVPN-to-APC converter script. Feel free to clone and enhance.
Update: Just pushed a new version to Gitorious that now handles the new .ovpn format provided by the OpenVPN Access Server as well.
Hello,
Thank you so much for reviving this script. I am not good at Linux; can you please tell me how to use the script? Where do I place it and run it?
Thank you
I managed to use the script but when I execute,
sudo sh ovpn-to-apc.sh client.ovpn atsaro.apc [myusername [mypassword]]
I always get
cat: : No such file or directory
0:0:1
Alois,
there’s no need to run the script as superuser using ‘sudo’. It is intended to be run on a local Linux workstation. For a successful run you need to have a .ovpn file (if you don’t have one, you can create one from the dummy.ovpn provided on Gitorious) as well as the ca.crt file and the key and the certificate referenced in the .ovpn file.
Then you just run
The “myusername” and “mypassword” parameters are optional. Be aware, however, that with the recent 8.303/8.304 updates Astaro changed the way TLS auth is done. I’ll provide an updated script to cater for that soon.
Thank you for taking time to help out.
When I run the command on my Linux server (Ubuntu 10.04) the result is
cat: : No such file or directory
0:0:1
./ovpn-to-apc.sh: line 135: printf: missing hex digit for \x
I got the client.ovpn file as a download from my OpenVPN Access Server and I have no idea where to get the certificates and keys from.
I have opened the client.ovpn file with a text editor and copied the keys and certificates into the dummy.ovpn and when I run, it executes and the result reads
703:2BF:3
However, on uploading the file to Astaro, it claims the file is corrupt. I am using Astaro 8.202.
What could I be doing wrong?
Again, thank you so much for the script and assistance
Alois
I see. So you have a .ovpn file in the new XMLish format where the certificates and keys are part of the .ovpn file itself. Unfortunately I don’t have an Access Server available and thus I can’t provide a converter for that type of file. If you could send me the original .ovpn with the certs and keys (but only those, not the enclosing XML tags!) replaced with “XXXXXX” I’d be willing to see what I can do. Just drop me an email at stefan [at] whocares [dot] de.
Oops. Of course you can edit other sensitive information as well, as long as the general structure of the .ovpn file stays intact. So if you need to replace an IP address, replace it with 12.34.56.78 for example, or if it’s a URI use xxx.yyy.zzz.
Just sent you the files. I didn’t change a thing, they are from my dev server so no security risk.
Thanks
What you stated about Astaro is dead on and something I’ve also been expressing in their forums. One of the biggest things the router is fully capable of, but that their GUI puts a screeching halt to, is certain standard IPsec VPN features.
I have posted several feature requests and comments to existing ones regarding these things:
http://feature.astaro.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/2506490-expand-ipsec-conf-control-to-webadmin
http://feature.astaro.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/2479510-can-change-the-local-vpn-id-in-psk
http://feature.astaro.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/2716772-networking-server-load-balancing-to-one-ip
Pingback: Astaro ASG as OpenVPN Access Server client | WhoCares?
So did you ever fix the error Alois had, and if so, how? I’m getting a very similar error.
cat: : No such file or directory
./ovpn-to-apc.sh: line 308: printf: missing hex digit for \x
I also don’t know if it matters, but even though I leave the user and pass blank when I run the script, it later prompts me for a password. I don’t really have a password unless I am missing it in the .ovpn file.
Can you help?
Kinthamen
No, I didn’t fix it for lack of time. Since your error is a bit different I suspect your problem is that the cert/key files aren’t in the path that is given in the .ovpn file. Check the locations there and fix the paths if needed.
As for the user/password thing: Although you may not have one set, the Astaro *requires* one to be present – even if it’s not needed later on. That’s why you’re being asked to provide some, which of course can be made up ;)
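As an added illustration (not part of the original post or the converter script) of the two profile shapes that come up in these comments, the following POSIX shell functions read a .ovpn and return the ca, cert or key material either from an inline <ca>/<cert>/<key> block, as the Access Server exports it, or from the file the directive names, resolved relative to the profile, and report which path is missing instead of letting a bare `cat` fail on an empty name. The sample profiles and the PEM body are constructed for the demo and are not real certificates.

```shell
#!/bin/sh
# Added example, not the converter script's code: pull ca/cert/key out of an
# OpenVPN client profile whether they are referenced as files ("ca ca.crt")
# or embedded inline ("<ca> ... </ca>", as the Access Server exports them),
# and fail with a clear message instead of a later "cat: : No such file".

# ovpn_directive FILE NAME -> arguments of the first "NAME ..." line, if any
ovpn_directive() {
  awk -v name="$2" '$1 == name { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# ovpn_inline FILE TAG -> body of the <TAG>...</TAG> block, empty if absent
ovpn_inline() {
  awk -v tag="$2" '
    $0 == ("<" tag ">")  { inside = 1; next }
    $0 == ("</" tag ">") { inside = 0; exit }
    inside               { print }
  ' "$1"
}

# ovpn_pem FILE TAG -> PEM for ca, cert or key: inline block first, otherwise
# the referenced file, resolved relative to the profile's own directory
ovpn_pem() {
  profile=$1; tag=$2
  pem=$(ovpn_inline "$profile" "$tag")
  if [ -n "$pem" ]; then
    printf '%s\n' "$pem"
    return 0
  fi
  ref=$(ovpn_directive "$profile" "$tag")
  if [ -z "$ref" ]; then
    echo "ovpn_pem: no <$tag> block and no '$tag' directive in $profile" >&2
    return 1
  fi
  case $ref in
    /*) path=$ref ;;
    *)  path=$(dirname "$profile")/$ref ;;
  esac
  if [ ! -r "$path" ]; then
    echo "ovpn_pem: '$tag $ref' points at '$path', which does not exist" >&2
    return 1
  fi
  cat "$path"
}

# make_sample_profiles -> writes two constructed profiles into a temp dir and
# prints its path. The PEM body is a placeholder, not a real certificate.
make_sample_profiles() {
  dir=$(mktemp -d)
  pem='-----BEGIN CERTIFICATE-----
MIIBplaceholderPLACEHOLDERplaceholder
-----END CERTIFICATE-----'
  # Access Server style: CA embedded inline
  printf 'client\ndev tun\nremote 12.34.56.78 1194\n<ca>\n%s\n</ca>\n' "$pem" > "$dir/inline.ovpn"
  # classic style: CA present as a file, client cert referenced but missing
  printf 'client\nca ca.crt\ncert client.crt\nkey client.key\n' > "$dir/files.ovpn"
  printf '%s\n' "$pem" > "$dir/ca.crt"
  echo "$dir"
}
```

Run `ovpn_pem profile.ovpn ca` (and likewise for `cert` and `key`) before building the .apc: an inline profile yields the embedded block, a classic profile yields the referenced file, and a dangling reference stops with the resolved path named rather than a bare `cat` error.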
Hi Stefan,
Thank you for writing the converter, which executes perfectly on my Debian Squeeze machine.
However when I load it into my Astaro, I get this error:
2012:08:06-16:07:44 fw-1 openvpn[12364]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012:08:06-16:07:44 fw-1 openvpn[12364]: TLS Error: TLS object -> incoming plaintext read error
2012:08:06-16:07:44 fw-1 openvpn[12364]: TLS Error: TLS handshake failed
My Astaro is running 8.203
My ovpn file look like this:
client
dev tun
proto udp
remote 7.18.16.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3
mute 10
I created my ca, crt and key files using easy-rsa 2.0 distributed with OpenVPN v2.1.3
Please could you tell me where I am going wrong?
TIA
Shaun
Just checked my certificates as follows:
openssl verify -CAfile ca.crt /opt/rsa/keys/server.crt
/opt/rsa/keys/server.crt: OK
openssl x509 -subject -issuer -noout -in client.crt
subject= /C=NL/ST=NH/L=Amsterdam/O=ohpen.nl/CN=astaro-den-haag.foo.nl/emailAddress=shaun.mccullagh@blah.nl
issuer= /C=NL/ST=NH/L=Amsterdam/O=ohpen.nl/CN=ap.rs.robeco.mgmt.foo.nl/emailAddress=shaun.mccullagh@blah.com
openssl verify -CAfile ca.crt client.crt
client.crt: OK
Pingback: Computers behind OpenVPN Client cannot reach Clients behind Astaro - Astaro User Bulletin Board
I’m attempting to use this to convert a .ovpn to .apc for Sophos UTM 9.
I have all of the files in the same directory as the shell script and it runs properly; however, the output file is “corrupt” according to UTM 9.
When I created an .apc file on the UTM and downloaded it I noticed what I think is the problem. The .apc I downloaded had characters such as EOT BEL EOT whereas the output.apc from the shell script has \x04 \x06 \x04
This appears to be some sort of encoding error. Do you have any suggestions as to why this is happening and how I could resolve it?
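An added note with example code, not from the original thread or the script: bash's built-in printf understands \xHH escapes, but dash, which is /bin/sh on Debian and Ubuntu, does not and prints the characters literally, so a script that writes .apc bytes that way produces a literal `\x04` in the output when started as `sh script.sh` rather than `bash script.sh`. The functions below detect whether the running shell's printf handles \x and emit bytes from a hex string using octal escapes, which every POSIX printf supports. The hex strings in the test are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the converter): why "\x04" can end up as a literal
# four-character string in a generated .apc, and how to emit raw bytes portably.

# printf_has_hex_escapes -> 0 if this shell's printf understands \xHH
# (bash does; dash, /bin/sh on Debian and Ubuntu, prints the escape literally)
printf_has_hex_escapes() {
  [ "$(printf '\x41')" = "A" ]
}

# hex_to_bytes HEX -> writes the bytes described by an even-length hex string.
# Each pair is converted to a number and emitted with an octal escape, which
# POSIX printf guarantees, so the result is the same under dash and bash.
hex_to_bytes() {
  hex=$1
  case ${#hex} in
    *[13579]) echo "hex_to_bytes: odd number of hex digits" >&2; return 1 ;;
  esac
  while [ -n "$hex" ]; do
    pair=${hex%"${hex#??}"}         # first two hex digits
    hex=${hex#??}                   # drop them from the remainder
    oct=$(printf '%03o' "0x$pair")  # numeric conversion, e.g. 04 -> 004
    printf "\\$oct"                 # format string becomes \004
  done
}

# byte_count HEX -> number of bytes hex_to_bytes emits, as a plain string
byte_count() {
  hex_to_bytes "$1" | wc -c | tr -d ' '
}

if printf_has_hex_escapes; then
  echo "printf: \\x escapes supported by this shell"
else
  echo "printf: no \\x support here, use octal escapes"
fi
```

Running the block under `bash` and under `dash` (or `sh` on Debian/Ubuntu) prints a different first line, while `hex_to_bytes 040604 | od -c` shows the same three control bytes under both; a converted .apc that contains the text `\x04` is the signature of the first problem, not of a corrupt input profile.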
Pingback: Requesting votes for OpenVPN Feature - Astaro User Bulletin Board
I’m having trouble getting a connection to convert that doesn’t use user certs. The contents of the ovpn file are below.
I made some changes to the script to skip over the cert and key sections if they don’t exist, but Astaro says the config is corrupted. Any ideas? Does Astaro require the connection to use user certs?
dev tun
proto udp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
Exactly, Astaro requires the use of certificates.
I don’t have access to Linux. Could you convert my file for me please, or give me the details needed to create my own from an ovpn to apc manually?
I got access to a CentOS 6.3 box and I get an error when I run ./; I get permission denied even as root, and if I do sh ./ or sh .ovpn-to-apc.sh I get the error
line 2 !DOCTYPE No such File or Directory
line 3 syntax error near unexpected token `newline’
and line 3 “http://www.w3.org/TR/html4/strict.dtd”>
That’s because you downloaded the HTML page instead of the actual file. Try to switch to the “raw” display and download that one.
I have downloaded the raw file and downloaded the dummy ovpn, edited it with my info and ran the script; the new apc file loaded into Astaro but still did not work?
I am running Astaro 9.1 and Astaro 9.0