Linux/OpenVPN/EasyRSA

From Wiki
< Linux‎ | OpenVPN

Required key files

Server:

  • ca.crt
  • dh.pem
  • server.crt
  • server.key
  • ta.key

Clients:

  • ca.crt
  • client1.crt
  • client1.key
  • ta.key

EasyRSA 3.x

Initial setup

  • Create new dir and add EasyRSA symlinks
make-cadir certificates
cd certificates
  • Initialize CA (Certificate Authority)
./easyrsa init-pki
./easyrsa build-ca
  • Create DH-key
./easyrsa gen-dh

Create server keys

./easyrsa build-server-full <SERVER_NAME> nopass

Create/Add client keys

./easyrsa build-client-full <CLIENT_NAME>

EasyRSA 2.x

Initial setup

make-cadir certificates && cd certificates
  • edit "vars":
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key

Create client keys

source vars
./build-key client1
./build-key --batch client1

Auto generate user config packages

  • create $vpnname-client.ovpn template with:
    • %usercrt
    • %userkey
    • %cacrt
    • %tlskey
  • /etc/openvpn/certificates/create_user.sh
#!/bin/bash

user="$1"
vpnname="myvpn"

source vars
./build-key --batch $user

mkdir -p temp/$vpnname
cp keys/$user.crt temp/$vpnname
cp keys/$user.key temp/$vpnname
cp keys/ca.crt temp/$vpnname
cp keys/ta.key temp/$vpnname
cp client.ovpn temp/$vpnname-client.ovpn

sed -i -e "s:%usercrt:$vpnname/$user.crt:g" temp/$vpnname-client.ovpn
sed -i -e "s:%userkey:$vpnname/$user.key:g" temp/$vpnname-client.ovpn
sed -i -e "s:%cacrt:$vpnname/ca.crt:g" temp/$vpnname-client.ovpn
sed -i -e "s:%tlskey:$vpnname/ta.key:g" temp/$vpnname-client.ovpn

cd temp
zip -r $vpnname-$user.zip *
cd ..

cp temp/$vpnname-$user.zip /srv/openvpn/userconfigs

rm -r temp