diff --git a/src/config.c b/src/config.c
index 14349641cb03f2abf826585614e6c5b9b5431b54..f20af0a2718249ea865fde22d725d1f39b8ef947 100644
--- a/src/config.c
+++ b/src/config.c
@@ -84,7 +84,7 @@ static int strtob(const char* str)
  */
 int load_config(struct vpn_config *cfg, const char *filename)
 {
-	int ret = -1;
+	int ret = ERR_CFG_UNKNOWN;
 	FILE *file;
 	struct stat stat;
 	char *buffer, *line;
@@ -204,6 +204,13 @@ int load_config(struct vpn_config *cfg, const char *filename)
 			if (add_trusted_cert(cfg, val))
 				log_warn("Could not add certificate digest to "
 				         "whitelist.\n");
+
+		} else if (strcmp(key, "ca-file") == 0) {
+			cfg->ca_file = strdup(val);
+		} else if (strcmp(key, "user-cert") == 0) {
+			cfg->user_cert = strdup(val);
+		} else if (strcmp(key, "user-key") == 0) {
+			cfg->user_key = strdup(val);
 		} else {
 			log_warn("Bad key in config file: \"%s\".\n", key);
 			goto err_free;
diff --git a/src/config.h b/src/config.h
index 5e1295a8159cd37ec5f320c003a658f624658a1e..2d6fa4f10d0b7d6c65e9c801a8e16a152a6a8fba 100644
--- a/src/config.h
+++ b/src/config.h
@@ -22,9 +22,10 @@
 #include <netinet/in.h>
 #include <string.h>
 
-#define ERR_CFG_SEE_ERRNO	-1
-#define ERR_CFG_EMPTY_FILE	-2
-#define ERR_CFG_NO_MEM		-3
+#define ERR_CFG_UNKNOWN		-1
+#define ERR_CFG_SEE_ERRNO	-2
+#define ERR_CFG_EMPTY_FILE	-3
+#define ERR_CFG_NO_MEM		-4
 #define ERR_CFG_CANNOT_READ	-4
 
 static inline const char *err_cfg_str(int code)
@@ -94,7 +95,10 @@ struct vpn_config {
 		struct x509_digest *tmp = (cfg)->cert_whitelist->next; \
 		free((cfg)->cert_whitelist); \
 		(cfg)->cert_whitelist = tmp; \
-	}
+	} \
+	free((cfg)->ca_file); \
+	free((cfg)->user_cert); \
+	free((cfg)->user_key);
 
 int add_trusted_cert(struct vpn_config *cfg, const char *digest);
 
diff --git a/src/main.c b/src/main.c
index 88ea109d560833b6fc2359b6f1ee38314a8a2f94..f16e526ad31a5c2b8eb917fa6277e28921685c8b 100644
--- a/src/main.c
+++ b/src/main.c
@@ -169,17 +169,17 @@ int main(int argc, char **argv)
 			}
 			if (strcmp(long_options[option_index].name,
 			           "ca-file") == 0) {
-				cfg.ca_file = optarg;
+				cfg.ca_file = strdup(optarg);
 				break;
 			}
 			if (strcmp(long_options[option_index].name,
 			           "user-cert") == 0) {
-				cfg.user_cert = optarg;
+				cfg.user_cert = strdup(optarg);
 				break;
 			}
 			if (strcmp(long_options[option_index].name,
 			           "user-key") == 0) {
-				cfg.user_key = optarg;
+				cfg.user_key = strdup(optarg);
 				break;
 			}
 			if (strcmp(long_options[option_index].name,
diff --git a/src/tunnel.c b/src/tunnel.c
index 8968b1ca18ab82fb365dcd9e26abf5925e3116f1..8787e04620ca8cfc9a5cdf4650694dbd7103c321 100644
--- a/src/tunnel.c
+++ b/src/tunnel.c
@@ -179,7 +179,7 @@ static int get_gateway_host_ip(struct tunnel *tunnel)
 {
 	struct hostent *host = gethostbyname(tunnel->config->gateway_host);
 	if (host == NULL) {
-		log_error("gethostbyname: %s\n", strerror(h_errno));
+		log_error("gethostbyname: %s\n", hstrerror(h_errno));
 		return 1;
 	}