OpenVPN client setup requires multiple files apart from the config: CA, client certificate, and client key, in case of certificate authentication. With login/password authentication it’s not just one file either, you still need a CA.
Having to deal with just one file is obviously more convenient for both the user and the admin. OpenVPN in fact can do that, even though it’s rarely mentioned in HOWTOs for some reason. You just need to include them in the config file enclosed in <ca>, <cert>, and <key> XML-like tags respectively.
Like this:
client
nobind
remote vpn.example.com 1194 udp
remote-cert-tls server
dev tun
dev-type tun
persist-key
persist-tun
verb 3<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca><cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert><key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
To simplify the task I made a simple script that takes the files in “config, CA, cert, key” order and writes the bundled config to stdout: ovpnbundle.pl. This is for the case of certificate auth, but I guess it’s trivial to adapt to only include a CA etc.