@pirafrank
Last active January 9, 2019 13:51
Generator of .ovpn files with hardened client config and embedded cert, key and ta.key.
client
dev tun
proto udp
remote <SERVER> <PORT>
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1 # <-- DO NOT change this! (server.conf must have: tls-auth ta.key 0)
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
remote-cert-tls server # https://openvpn.net/howto.html#mitm
compress lzo
verb 3
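#!/bin/bash
# Build <client_name>.ovpn from ovpn_generator.conf with the CA cert,
# client cert, client key and ta.key embedded inline.
if [ $# -ne 3 ]; then
    echo "Usage: ./ovpn_generator.sh [client_name] [server] [port]"
    exit 1
fi
client_name="$1"
filename="$client_name.ovpn"
server="$2"
port="$3"
# Assumption: the CA certificate is ca.crt in the current directory.
# The original script wrote an empty <ca> block.
ca_file="ca.crt"
# Reject values that would break the sed substitution below or inject
# extra directives into the generated config.
case "$server" in
    ''|*[!A-Za-z0-9.:-]*) echo "Error: invalid server: $server"; exit 1 ;;
esac
case "$port" in
    ''|*[!0-9]*) echo "Error: invalid port: $port"; exit 1 ;;
esac
if [ ! -f "$client_name.crt" ]; then
    echo "Error: $client_name.crt is missing. Have you generated the client cert and key?"
    exit 1
fi
if [ ! -f "$client_name.key" ]; then
    echo "Error: $client_name.key is missing. Have you generated the client cert and key?"
    exit 1
fi
if [ ! -f "$ca_file" ]; then
    echo "Error: $ca_file is missing."
    exit 1
fi
if [ ! -f ta.key ]; then
    echo "Error: ta.key is missing. Have you configured ta.key ?"
    echo "Check https://openvpn.net/howto.html#mitm for more information."
    exit 1
fi
# The output embeds the client's private key: create it owner-only.
umask 077
echo "Building $filename ..."
{
    # Substitute the placeholders in the template only, so sed never
    # touches the embedded certificate and key material.
    sed -e "s/<SERVER>/$server/g" -e "s/<PORT>/$port/g" ovpn_generator.conf
    echo "<ca>"
    cat "$ca_file"
    echo "</ca>"
    echo "<cert>"
    cat "$client_name.crt"
    echo "</cert>"
    echo "<key>"
    cat "$client_name.key"
    echo "</key>"
    echo "<tls-auth>"
    cat ta.key
    echo "</tls-auth>"
} > "$filename"
echo "Done!"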
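An added check, not part of the original gist, that a generated profile has all four inline blocks filled, no leftover `<SERVER>`/`<PORT>` placeholder, and still carries `remote-cert-tls server` and `key-direction 1`. The function names and the sample profile written by `write_sample` are constructed for illustration.

```bash
#!/bin/bash
# Added example: sanity-check a generated .ovpn profile. All names are illustrative.

# Print the number of non-blank lines between <tag> and </tag> in file $1.
block_lines() {
    awk -v start="<$2>" -v stop="</$2>" '
        $0 == stop   { inside = 0 }
        inside && NF { n++ }
        $0 == start  { inside = 1 }
        END { print n + 0 }' "$1"
}

# Print each problem found in profile $1; return 0 only if there are none.
check_ovpn() {
    rc=0
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 1; }
    for tag in ca cert key tls-auth; do
        if [ "$(block_lines "$1" "$tag")" -eq 0 ]; then
            echo "FAIL: <$tag> block is missing or empty"
            rc=1
        fi
    done
    if grep -Eq '<SERVER>|<PORT>' "$1"; then
        echo "FAIL: unreplaced <SERVER>/<PORT> placeholder"
        rc=1
    fi
    if ! grep -Eq '^remote-cert-tls[[:space:]]+server' "$1"; then
        echo "FAIL: remote-cert-tls server is not set"
        rc=1
    fi
    if ! grep -Eq '^key-direction[[:space:]]+1' "$1"; then
        echo "FAIL: key-direction 1 is not set"
        rc=1
    fi
    return "$rc"
}

# Constructed sample profile written to $1 (placeholder text stands in for PEM data).
# Pass "empty" as $2 to leave <ca> empty, the failure the check is meant to catch.
write_sample() {
    {
        printf 'client\nremote vpn.example.net 1194\n'
        printf 'remote-cert-tls server\nkey-direction 1\n<ca>\n'
        [ "${2:-}" = "empty" ] || printf 'PLACEHOLDER-CA-PEM\n'
        printf '</ca>\n<cert>\nPLACEHOLDER-CERT-PEM\n</cert>\n'
        printf '<key>\nPLACEHOLDER-KEY-PEM\n</key>\n'
        printf '<tls-auth>\nPLACEHOLDER-TA-KEY\n</tls-auth>\n'
    } > "$1"
}
```

Run `check_ovpn client1.ovpn` on the generator's output before distributing the profile; a non-zero exit status means at least one `FAIL:` line was printed.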