https://halfface.se/wiki/index.php?action=history&feed=atom&title=OpenVPNOpenVPN - Revision history2026-04-19T07:26:47ZRevision history for this page on the wikiMediaWiki 1.43.1https://halfface.se/wiki/index.php?title=OpenVPN&diff=11067&oldid=prevEkaanbj: /* Generate certificates & keys for client */2010-09-05T04:24:13Z<p><span class="autocomment">Generate certificates & keys for client</span></p>
<p><b>New page</b></p><div>==Generate the master Certificate Authority (CA) certificate & key==<br />
<br />
sudo rsync -a /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/easy-rsa/<br />
<br />
/etc/openvpn/easy-rsa/vars<br />
set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. <br />
. ./vars<br />
./clean-all<br />
./build-ca<br />
<br />
Answer yes on everything exept:<br />
<br />
==Generate certificate & key for server==<br />
<br />
When the Common Name is queried, enter "server"<br />
./build-key-server server<br />
<br />
Generate Diffie Hellman parameters<br />
./build-dh<br />
<br />
HMAC firewall<br />
cd /etc/openvpn/easy-rsa/keys && openvpn --genkey --secret ta.key<br />
<br />
==Generate certificates & keys for client==<br />
Howto create a new client config.<br />
cd /etc/openvpn/easy-rsa/<br />
. vars<br />
./build-key rollewrt<br />
cp keys/rollewrt.* /etc/openvpn/blt/<br />
cd /etc/openvpn/blt<br />
cp blt_olle.ovpn blt_rollewrt.ovpn<br />
vim blt_rollewrt.ovpn<br />
for i in rollewrt ;do echo $i ;tar czf /tmp/openvpn-client-$i-blt.homeip.net.tar.gz $i.* ca.crt ta.key blt_$i.ovpn;done<br />
<br />
for i in bob ;do echo $i ;tar czf /tmp/openvpn-client-$i-www.halfface.se.tar.gz $i.* ca.crt ta.key halfface_$i.ovpn;done<br />
<br />
==Key Files==<br />
<br />
Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:<br />
Filename Needed By Purpose Secret<br />
ca.crt server + all clients Root CA certificate NO<br />
ca.key key signing machine only Root CA key YES<br />
dh{n}.pem server only Diffie Hellman parameters NO<br />
server.crt server only Server Certificate NO<br />
server.key server only Server Key YES<br />
client1.crt client1 only Client1 Certificate NO<br />
client1.key client1 only Client1 Key YES<br />
<br />
==setup server and client==<br />
===server===<br />
Copy example configuration files.<br />
mkdir /etc/openvpn/config; cp /usr/share/doc/openvpn-2.1/sample-config-files/{client,server}.conf /etc/openvpn/config<br />
Copy keys to location.<br />
cp -p ca.crt server.crt server.key dh1024.pem ta.key ../..<br />
Edit server.conf<br />
# change this value to the network behind the openvpn server<br />
push "route 192.168.0.0 255.255.255.0"<br />
# Enable clients to comunicate with each other.<br />
client-to-client<br />
# Enable hmac firewall.<br />
tls-auth ta.key 0 # This file is secret<br />
<br />
Copy server.conf to location:<br />
cp /etc/openvpn/config/server.conf /etc/openvpn<br />
<br />
Edit client.conf and save as /etc/openvpn/blt<br />
# Change to name of openvpn server.<br />
remote blt.homeip.net 1194<br />
# Change path to certificates.<br />
ca blt/ca.crt<br />
cert blt/bjorklun.crt<br />
key blt/bjorklun.key<br />
# Enable hmac firewall.<br />
tls-auth ta.key 1<br />
<br />
Copy certificates.<br />
cp -p /etc/openvpn/easy-rsa/keys/{ca.crt,bjorklun.*,ta.key} /etc/openvpn/blt/<br />
<br />
Create openvpn config to transfer to client.<br />
for i in rolle olle strate;do echo $i ;tar czf /install/program/windows/openvpn/openvpn-client-$i-blt.homeip.net.tar.gz $i.* ca.crt ta.key blt_$i.ovpn;done<br />
<br />
==Route a client network.==<br />
/etc/openvpn/server.conf:route 192.168.10.0 255.255.255.0<br />
/etc/openvpn/server.conf:push "route 192.168.10.0 255.255.255.0"<br />
/etc/openvpn/ccd/rollewrt:iroute 192.168.10.0 255.255.255.0<br />
<br />
[[Category:Applications]]<br />
[[Category:Unix]]<br />
[[Category:Vpn]]</div>Ekaanbj