Table of Contents


OpenVPN server with client certificate and password authentication.



sudo -s
cd /root
apt update
apt upgrade
apt install openvpn easy-rsa
/etc/init.d/openvpn stop
update-rc.d openvpn disable

Certificate Store


Create the certificate folder and intialise it.

make-cadir easy-rsa
cd easy-rsa
./easyrsa init-pki hard-reset

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/ovpn/pki

Edit the `vars' file changing organisational data.


set_var EASYRSA_REQ_PROVINCE    "England"
set_var EASYRSA_REQ_CITY        "London"
set_var EASYRSA_REQ_ORG         "OVPN"
set_var EASYRSA_REQ_EMAIL       ""
set_var EASYRSA_REQ_OU          "CA"

The CA expiry date defaults to 10 years (3650 days) and certificates to 825 days. Change this to your preferred timespan.

set_var EASYRSA_CA_EXPIRE   3650
Create Certificate Authority

Create a CA for managing certificates. Choose a secret passphrase.

./easyrsa --vars=./vars build-ca
Enter New CA Key Passphrase:
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
Create Server Certificate

The server certificate will be utilised by the OpenVPN daemon, sign it with the CA passphrase.

./easyrsa --vars=./vars build-server-full server nopass
Enter pass phrase for /root/ovpn/pki/private/ca.key:
Create DH Certificate
./easyrsa --vars=./vars gen-dh
Create TA Certificate

Shared secret key.

openvpn --genkey secret pki/ta.key

Example configuration on server.

tls-auth ta.key 0

On the client, the shared secret may be inline in the connection profile.

Create Client Certificate
./easyrsa --vars=./vars build-client-full vpn nopass
Bundle Client Certificate
openssl pkcs12 -export -inkey vpn.key -in vpn.crt -certfile ca.crt -out vpn.p12 -passout pass:
Unbundle Client Certificate
openssl pkcs12 -in vpn.p12 -nocerts -out vpn.key -nodes -passin pass:
openssl pkcs12 -in vpn.p12 -nokeys -clcerts -out vpn.crt -passin pass:
openssl pkcs12 -in vpn.p12 -nokeys -cacerts -out ca.crt -passin pass:
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies