
Convert .conf to .ovpn

Open k3nsh1nta opened this issue 11 months ago • 19 comments

Hello comrade. I managed to use your script and generate a file. I'm trying to connect Riseup to my Mikrotik router, which supports uploading ovpn files. I tried to rename the .conf to .ovpn as others mentioned online, but the router returns an error. Any suggestions or instructions on how I could make it work?

k3nsh1nta avatar Apr 01 '25 02:04 k3nsh1nta

Hello!

Could you provide the error logs, please? I’ll look into it.

BarbossHack avatar Apr 01 '25 07:04 BarbossHack

This is the message

invalid protocol value '#'

Can I get something else on Mikrotik to help you?

k3nsh1nta avatar Apr 01 '25 12:04 k3nsh1nta

Could you try replacing

proto tcp

by

proto udp

in the .ovpn conf

BarbossHack avatar Apr 01 '25 14:04 BarbossHack

And also try to remove all comments starting by "#" in the generated .ovpn conf

BarbossHack avatar Apr 01 '25 14:04 BarbossHack

Thanks comrade for the reply. After doing what you told me and trying to import it, I received this

invalid protocol value 'vpn01-sea.riseup.net'

k3nsh1nta avatar Apr 01 '25 14:04 k3nsh1nta

Ok, please try with this conf (just rename it to .ovpn before)

riseup-ovpn.txt

BarbossHack avatar Apr 01 '25 15:04 BarbossHack

Thanks again, it took some time to load and then gave this

error importing cert, please make sure certificate is valid and is not already imported

k3nsh1nta avatar Apr 01 '25 16:04 k3nsh1nta

Ok, let's try with this one

riseup-ovpn.txt

BarbossHack avatar Apr 01 '25 17:04 BarbossHack

To explain a bit: It looks like MikroTik has its own OpenVPN implementation, so your router doesn’t support all the standard OpenVPN configuration parameters. That’s why we have to experiment a bit ^^

BarbossHack avatar Apr 01 '25 17:04 BarbossHack

No problem comrade, if you want me to read any guide or something, I'm willing to do so. Now it returns this

configuration error - missing client certificate

P.S. I'm copy-pasting the entire thing into the generated config because, if I rename the txt, it doesn't change into ovpn

k3nsh1nta avatar Apr 01 '25 18:04 k3nsh1nta

Okay, now I have no idea what to do next. You'll have to try modifying the config and experimenting on your own, I won’t be able to help you further with this one, sorry

But if you find a working config, I’d love to know 👍

BarbossHack avatar Apr 01 '25 18:04 BarbossHack

Do you have knowledge of Mikrotik to point me to any guides?

k3nsh1nta avatar Apr 01 '25 18:04 k3nsh1nta

Nope sorry I know nothing about Mikrotik 😬

BarbossHack avatar Apr 01 '25 18:04 BarbossHack

The key and cert fingerprints should be different, no?

k3nsh1nta avatar Apr 04 '25 04:04 k3nsh1nta

To simplify the script, I include both the certificate and the key within each <cert> and <key> block. So maybe Mikrotik doesn't understand it, let's try with this one:

riseup-ovpn.txt

BarbossHack avatar Apr 05 '25 07:04 BarbossHack

Yeah, this was better. This is what the log gave; at the import the info was that there is a warning, but no errors appeared. This time the certificates appeared automatically, but still there are two and not three. CA and CERT are loaded. I tried to create a .key file with the fingerprint you gave me, but still couldn't import it. Another thing is that it never picks a random IP, it's always the one at the end of the list; should I drop some parameter in there? Another thing is that, at least in Mikrotik, it needs auth to be sha1. I wonder, in terms of certificates, is there any way to combine those three into a single file? Because when you adjust the info in the setup that is provided after you import the .ovpn, the certificates section lists all the available ones and lets you pick only one; shouldn't it be all of them?

device added by (*14 = /interface ovpn-client add auth=null certificate=cert_ovpn-import1743842631 cipher=aes256-gcm connect-to=89.187.173.174 disabled=yes disconnect-notify=yes max-mtu=1500 mode=ip name=ovpn-import1743842631 port=1194 protocol=udp route-nopull=no tls-version=any use-peer-dns=yes user=ovpnuser verify-server-certificate=yes)

k3nsh1nta avatar Apr 05 '25 08:04 k3nsh1nta

In the user field, importing the .ovpn gives ovpnuser, is that correct? No password applicable

k3nsh1nta avatar Apr 05 '25 09:04 k3nsh1nta

Sorry, I don't have a MikroTik router to test all this or to fully understand what the real issue is... Maybe you could try asking ChatGPT — it might not give you a perfect answer, but it could still help. Here's a quote from its response:


✅ Requirements:

Make sure you already have the following:

  1. ca.crt – the Certificate Authority file.
  2. client.crt – the client certificate.
  3. client.key – the client's private key.
  4. An OpenVPN server that's configured to accept connections using certificates only (no auth-user-pass, no tls-auth or tls-crypt).

1. 📁 Upload the certificates to the MikroTik router

You can use Winbox, WebFig, or the terminal.

Method 1: Winbox / WebFig

  • Open Winbox.
  • Go to Files and drag & drop your .crt and .key files into the router.

Method 2: via SCP or FTP

scp ca.crt client.crt client.key [email protected]:/

2. 🔐 Import the certificates into MikroTik

Use the MikroTik terminal:

/certificate import file-name=ca.crt
/certificate import file-name=client.crt
/certificate import file-name=client.key

If the client.key is password-protected, MikroTik will prompt you for it. If it’s unencrypted, it will import directly.

Then verify the certificates:

/certificate print

Make sure the client cert has the flags KT (meaning it has a private key and is trusted/usable).


3. 🌐 Configure the OpenVPN client interface

Here’s an example configuration:

/interface ovpn-client add \
    name=ovpn-out1 \
    connect-to=your.server.ovpn.net \
    port=80 \
    mode=ip \
    user="" \
    password="" \
    certificate=client.crt_0 \
    auth=sha1 \
    cipher=aes256 \
    require-client-certificate=yes \
    ca=ca.crt_0 \
    disabled=no

⚠️ Important: Make sure the values for certificate= and ca= match the actual names shown in /certificate print.


4. 📡 Check if the connection is working

To view logs:

/log print where message~"ovpn"

To check the interface status:

/interface ovpn-client print

If everything is working, the interface should say “running” and you’ll have a tunnel IP.


🧪 Debug Tips:

If the connection fails:

  • Check the server logs.
  • The server must require client certificates (client-cert-not-required must be no).

BarbossHack avatar Apr 05 '25 23:04 BarbossHack
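The thread above mentions stripping "#" comments and a generated config whose <cert> and <key> blocks each hold both the certificate and the key, while the quoted steps import separate ca.crt, client.crt and client.key files. The following is an added example, not part of the thread and not the project's script: it splits such an inline config into those three files with one PEM type each and creates the private key owner-only. The sample config, PEM bodies and address are constructed placeholders, and the parser assumes each inline tag sits on its own line.

```python
import os
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----\n?", re.S)
BLOCK_RE = re.compile(r"<(ca|cert|key)>\n(.*?)</\1>\n?", re.S)
# inline tag -> (output file name, PEM label that belongs in that file)
WANTED = {"ca": ("ca.crt", "CERTIFICATE"),
          "cert": ("client.crt", "CERTIFICATE"),
          "key": ("client.key", "PRIVATE KEY")}

def split_inline_config(text):
    """Return (directives, files): comment-free directives and one PEM type per file."""
    files = {}
    for tag, body in BLOCK_RE.findall(text):
        name, label = WANTED[tag]
        pems = [m.group(0).strip() for m in PEM_RE.finditer(body)
                if m.group(1).endswith(label)]
        # a CA bundle may chain several certificates; cert and key must be unique
        if not pems or (tag != "ca" and len(pems) != 1):
            raise ValueError(f"<{tag}> must hold exactly one {label}")
        files[name] = "\n".join(pems) + "\n"
    directives = []
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.split("#", 1)[0].strip()   # drop '#' comments, whole-line or trailing
        if line and not line.startswith(";"):  # ';' also starts a comment line
            directives.append(line)
    return directives, files

def write_files(files, outdir):
    """Write the PEM files; the private key is created owner-only (0600)."""
    for name, data in files.items():
        mode = 0o600 if name.endswith(".key") else 0o644
        path = os.path.join(outdir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(data)

def pem(label, body):  # constructed placeholder bodies, not real key material
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

BOTH = pem("PRIVATE KEY", "S0VZ") + pem("CERTIFICATE", "Q0VSVA==")
SAMPLE = ("# constructed sample config\nclient\nproto udp # trailing comment\n"
          "remote 198.51.100.7 1194\n"
          f"<ca>\n{pem('CERTIFICATE', 'Q0E=')}</ca>\n"
          f"<cert>\n{BOTH}</cert>\n<key>\n{BOTH}</key>\n")

if __name__ == "__main__":
    directives, files = split_inline_config(SAMPLE)
    print(directives, sorted(files))
```

The split on "#" does not handle a "#" inside a quoted directive value, so check the directive list before reusing it.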

I'll see it. Thanks brother

On Sun, Apr 6, 2025, 2:36 AM BarbossHack @.***> wrote:

Sorry, I don't have a MikroTik router to test all this or to fully understand what the real issue is... Maybe you could try asking ChatGPT — it might not give you a perfect answer, but it could still help. Here's a quote from its response:

✅ Requirements:

Make sure you already have the following:

  1. ca.crt – the Certificate Authority file.
  2. client.crt – the client certificate.
  3. client.key – the client's private key.
  4. An OpenVPN server that's configured to accept connections using certificates only (no auth-user-pass, no tls-auth or tls-crypt).

1. 📁 Upload the certificates to the MikroTik router

You can use Winbox, WebFig, or the terminal.

Method 1: Winbox / WebFig

  • Open Winbox.
  • Go to Files and drag & drop your .crt and .key files into the router.

Method 2: via SCP or FTP

scp ca.crt client.crt client.key @.***:/


2. 🔐 Import the certificates into MikroTik

Use the MikroTik terminal:

/certificate import file-name=ca.crt
/certificate import file-name=client.crt
/certificate import file-name=client.key

If the client.key is password-protected, MikroTik will prompt you for it. If it’s unencrypted, it will import directly.

Then verify the certificates:

/certificate print

Make sure the client cert has the flags KT (meaning it has a private key and is trusted/usable).

3. 🌐 Configure the OpenVPN client interface

Here’s an example configuration:

/interface ovpn-client add \
    name=ovpn-out1 \
    connect-to=your.server.ovpn.net \
    port=1194 \
    mode=ip \
    user="" \
    password="" \
    certificate=client.crt_0 \
    auth=sha1 \
    cipher=aes256 \
    require-client-certificate=yes \
    ca=ca.crt_0 \
    disabled=no

⚠️ Important: Make sure the values for certificate= and ca= match the actual names shown in /certificate print.


4. 📡 Check if the connection is working

To view logs:

/log print where message~"ovpn"

To check the interface status:

/interface ovpn-client print

If everything is working, the interface should say “running” and you’ll have a tunnel IP.

🧪 Debug Tips:

If the connection fails:

  • Check the server logs.
  • The server must require client certificates ( client-cert-not-required must be no).
  • Make sure TCP port 1194 is open and reachable from the MikroTik.


k3nsh1nta avatar Apr 05 '25 23:04 k3nsh1nta