OpenVPN:User Management
This document covers managing OpenVPN users (clients), including adding and removing clients and managing client certificates.

== Overview ==

OpenVPN uses certificate-based authentication. Each user (client) requires:
* A unique client certificate
* A client configuration file (<code>.ovpn</code>)
* Optionally, a static IP assignment via a CCD file

== Current Users ==

Client configuration files are stored in <code>/root/</code>:
* <code>josh.ovpn</code>
* <code>Work_MacBook_Air.ovpn</code>
* <code>StrawberryNAS.ovpn</code> (Synology NAS with static IP 10.8.0.2)

== Adding a New User ==

=== Method 1: Using the OpenVPN Install Script (Recommended) ===

If you have the <code>openvpn-install.sh</code> script available:

<pre class="lang-bash">
# Run the installer script
bash /root/openvpn-install.sh

# Select the option to add a new client
# Follow the prompts to enter the client name
# The script will automatically:
#  - Generate the client certificate
#  - Create the .ovpn configuration file
#  - Place it in /root/
</pre>

=== Method 2: Manual Certificate Creation with Easy-RSA ===

For manual certificate creation:

# '''Navigate to the Easy-RSA directory''':
<pre class="lang-bash">
cd /etc/openvpn/server/easy-rsa/
</pre>
# '''Generate the client certificate and key''':
<pre class="lang-bash">
./easyrsa build-client-full clientname nopass
</pre>
Replace <code>clientname</code> with the desired client name (e.g., <code>newuser</code>, <code>laptop-john</code>). The <code>nopass</code> option creates the private key without a passphrase; remove it if you want the key passphrase-protected.
# '''Create the client configuration file''':
You'll need to create a <code>.ovpn</code> file that combines:
* Client certificate
* Client private key
* CA certificate
* TLS-Crypt key
* Connection settings

Use an existing <code>.ovpn</code> file as a template:
<pre class="lang-bash">
cp /root/josh.ovpn /root/newclient.ovpn
</pre>
Then print the new client's certificate and key and replace the corresponding sections in the copied file:
<pre class="lang-bash">
# Extract the client certificate from Easy-RSA
cat /etc/openvpn/server/easy-rsa/pki/issued/clientname.crt

# Extract the client key
cat /etc/openvpn/server/easy-rsa/pki/private/clientname.key

# Replace the <cert> and <key> sections in the .ovpn file with this output
</pre>
# '''Verify the configuration''':
<pre class="lang-bash">
# Test the .ovpn file syntax
openvpn --config /root/newclient.ovpn --test-crypto
</pre>

=== Method 3: Using an Easy-RSA Helper Script ===

Create a helper script to automate the process:

<pre class="lang-bash">
#!/bin/bash
# /root/create-openvpn-client.sh
# Stop on the first failing command (e.g. easyrsa refusing a duplicate name)
set -e

CLIENT_NAME=$1
if [ -z "$CLIENT_NAME" ]; then
    echo "Usage: $0 <client-name>"
    exit 1
fi

cd /etc/openvpn/server/easy-rsa/

# Generate the client certificate
./easyrsa build-client-full "$CLIENT_NAME" nopass

# Create the .ovpn file
CLIENT_DIR="/root"
OVPN_FILE="$CLIENT_DIR/$CLIENT_NAME.ovpn"

# Start with the common client configuration
cat > "$OVPN_FILE" << EOF
client
dev tun
proto udp
remote 87.106.61.62 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
ignore-unknown-option block-outside-dns
verb 3
EOF

# Add the CA certificate
echo "<ca>" >> "$OVPN_FILE"
cat /etc/openvpn/server/ca.crt >> "$OVPN_FILE"
echo "</ca>" >> "$OVPN_FILE"

# Add the client certificate
echo "<cert>" >> "$OVPN_FILE"
cat "/etc/openvpn/server/easy-rsa/pki/issued/$CLIENT_NAME.crt" >> "$OVPN_FILE"
echo "</cert>" >> "$OVPN_FILE"

# Add the client key
echo "<key>" >> "$OVPN_FILE"
cat "/etc/openvpn/server/easy-rsa/pki/private/$CLIENT_NAME.key" >> "$OVPN_FILE"
echo "</key>" >> "$OVPN_FILE"

# Add the TLS-Crypt key
echo "<tls-crypt>" >> "$OVPN_FILE"
cat /etc/openvpn/server/tc.key >> "$OVPN_FILE"
echo "</tls-crypt>" >> "$OVPN_FILE"

# The profile embeds a private key: keep it readable by root only
chmod 600 "$OVPN_FILE"

echo "Client configuration created: $OVPN_FILE"
echo "Send this file securely to the client."
</pre>

Make it executable:
<pre class="lang-bash">
chmod +x /root/create-openvpn-client.sh
</pre>

Usage:
<pre class="lang-bash">
/root/create-openvpn-client.sh newclientname
</pre>

== Assigning Static IP Addresses ==

To assign a static IP address to a client:

# '''Create a CCD file''' in <code>/etc/openvpn/ccd/</code>, named after the client's certificate common name:
<pre class="lang-bash">
sudo nano /etc/openvpn/ccd/clientname
</pre>
# '''Add the IP assignment''':
<pre>
ifconfig-push 10.8.0.X 255.255.255.0
</pre>
Replace <code>X</code> with the desired host address (e.g., <code>10.8.0.10</code>).
# '''Set proper permissions''':
<pre class="lang-bash">
sudo chown nobody:nogroup /etc/openvpn/ccd/clientname
sudo chmod 600 /etc/openvpn/ccd/clientname
</pre>
# '''Restart OpenVPN''' (if needed):
<pre class="lang-bash">
sudo systemctl restart openvpn
</pre>

'''Example''': The Synology NAS has a CCD file at <code>/etc/openvpn/ccd/StrawberryNAS</code> containing:
<pre>
ifconfig-push 10.8.0.2 255.255.255.0
</pre>

== Listing Active Users ==

To see which users are currently connected:

<pre class="lang-bash">
# View the IP persistence file (shows the last assigned IPs)
cat /etc/openvpn/server/ipp.txt

# Check connections via the system logs
journalctl -u openvpn | grep "Peer Connection Initiated"

# Or check the VPN interface
ip addr show tun0
</pre>

== Revoking a User Certificate ==

When a user should no longer have access:

# '''Navigate to the Easy-RSA directory''':
<pre class="lang-bash">
cd /etc/openvpn/server/easy-rsa/
</pre>
# '''Revoke the certificate''':
<pre class="lang-bash">
./easyrsa revoke clientname
</pre>
You'll be prompted to confirm. Type <code>yes</code>.
# '''Update the Certificate Revocation List (CRL)''':
<pre class="lang-bash">
./easyrsa gen-crl
</pre>
# '''Copy the updated CRL to the server directory''':
<pre class="lang-bash">
cp pki/crl.pem /etc/openvpn/server/crl.pem
</pre>
# '''Restart OpenVPN''' to apply the revocation:
<pre class="lang-bash">
systemctl restart openvpn
</pre>
# '''Remove the client files''' (optional but recommended):
<pre class="lang-bash">
# Remove the .ovpn file
rm /root/clientname.ovpn

# Remove the CCD file if it exists
rm -f /etc/openvpn/ccd/clientname
</pre>

'''Note''': After the restart the revoked certificate is rejected immediately: the user will not be able to connect even if they still have the <code>.ovpn</code> file.

== Security Best Practices ==

# '''Use descriptive client names''': Use names that identify the device and user (e.g., <code>laptop-john</code>, <code>phone-mary</code>, <code>nas-synology</code>)
# '''Regular certificate rotation''': Renew certificates before they expire (typically annually)
# '''Revoke unused certificates''': Remove access for users who no longer need the VPN
# '''Secure .ovpn file distribution''': Each <code>.ovpn</code> file embeds the client's private key, so send it only over secure channels (encrypted email, secure file transfer)
# '''Limit static IP assignments''': Only assign static IPs when necessary (e.g., for services like the Synology NAS)
# '''Monitor active connections''': Regularly check who is connected and verify that it is expected
# '''Keep Easy-RSA secure''': The Easy-RSA directory contains the CA and client private keys; restrict access:
<pre class="lang-bash">
chmod 700 /etc/openvpn/server/easy-rsa/
</pre>

== Backup User Certificates ==

Before making changes, back up the user certificates:

<pre class="lang-bash">
# Back up all certificates, keys, client profiles and CCD files
tar -czf openvpn-users-backup-$(date +%Y%m%d).tar.gz \
    /etc/openvpn/server/easy-rsa/pki/ \
    /root/*.ovpn \
    /etc/openvpn/ccd/
</pre>

== Related Documentation ==

* [Server Configuration](server-configuration.md) - Server setup
* [Client Configuration](client-configuration.md) - Client setup
* [Certificate Management](certificate-management.md) - Certificate details
* [[Documentation:Index|Troubleshooting]] - User management troubleshooting

[[Category:Documentation]]
[[Category:Documentation/OpenVPN]]
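As an added example that is not part of this wiki page, the following Python script automates the "Monitor active connections" check from the Listing Active Users and Security Best Practices sections: it reconciles <code>ipp.txt</code>, the "Peer Connection Initiated" journal lines, the issued <code>.ovpn</code> profiles and the CCD directory, flagging any CN that connected without an issued profile and any CCD static IP that collides with an address the pool already handed to another client. All input data is constructed inline; the exact journal line layout and the <code>nas-backup</code> CCD entry are assumptions.

```python
"""Audit OpenVPN client records: CNs that connected without an issued profile,
and CCD static IPs that collide with pool-persisted addresses. Example code,
not from the wiki; all sample data below is constructed."""
import re

# ipp.txt, written by --ifconfig-pool-persist: one "CN,IPv4" line per client
IPP_SAMPLE = "josh,10.8.0.3\nWork_MacBook_Air,10.8.0.4\nStrawberryNAS,10.8.0.2\n"
# Constructed lines in the shape OpenVPN logs when a client handshake completes
JOURNAL_SAMPLE = """\
Jan 05 10:01:12 vpn openvpn[812]: 203.0.113.7:51820 [josh] Peer Connection Initiated with [AF_INET]203.0.113.7:51820
Jan 05 10:02:44 vpn openvpn[812]: 198.51.100.9:1194 [StrawberryNAS] Peer Connection Initiated with [AF_INET]198.51.100.9:1194
Jan 05 10:05:01 vpn openvpn[812]: 192.0.2.55:40000 [old-laptop] Peer Connection Initiated with [AF_INET]192.0.2.55:40000
Jan 05 10:06:30 vpn openvpn[812]: TLS: Initial packet from [AF_INET]192.0.2.99:33000
"""
OVPN_FILES = ["josh.ovpn", "Work_MacBook_Air.ovpn", "StrawberryNAS.ovpn"]
# CCD file contents keyed by file name; "nas-backup" is a deliberate mistake
CCD_SAMPLE = {"StrawberryNAS": "ifconfig-push 10.8.0.2 255.255.255.0\n",
              "nas-backup": "ifconfig-push 10.8.0.4 255.255.255.0\n"}

PEER_RE = re.compile(r"\[([^\]]+)\] Peer Connection Initiated with \[AF_INET6?\](\S+)")
PUSH_RE = re.compile(r"^\s*ifconfig-push\s+(\S+)", re.MULTILINE)

def parse_ipp(text):
    """Map CN -> the IPv4 address the pool last handed out to it."""
    rows = (line.strip().split(",") for line in text.splitlines())
    return {r[0]: r[1] for r in rows if len(r) >= 2 and r[0]}

def parse_peer_events(text):
    """(CN, source ip:port) for every completed handshake in the log."""
    return [(m.group(1), m.group(2)) for m in PEER_RE.finditer(text)]

def issued_clients(ovpn_files):
    """CNs that have a client profile (file name minus .ovpn)."""
    return {f[:-5] for f in ovpn_files if f.endswith(".ovpn")}

def static_ips(ccd):
    """CN -> address its CCD file pushes (first ifconfig-push wins)."""
    return {cn: m.group(1) for cn, body in ccd.items() if (m := PUSH_RE.search(body))}

def audit(ipp, journal, ovpn_files, ccd):
    """CNs seen connecting with no issued profile, plus CCD static IPs that
    collide with an address the pool already gave to a different CN."""
    seen = {cn for cn, _ in parse_peer_events(journal)}
    unknown = sorted(seen - issued_clients(ovpn_files))
    by_ip = {ip: cn for cn, ip in parse_ipp(ipp).items()}
    collisions = sorted((cn, ip, by_ip[ip]) for cn, ip in static_ips(ccd).items()
                        if ip in by_ip and by_ip[ip] != cn)
    return {"unknown_cns": unknown, "ip_collisions": collisions}
```

On the server, feed <code>audit()</code> the contents of <code>/etc/openvpn/server/ipp.txt</code>, the output of <code>journalctl -u openvpn</code>, the names in <code>/root/*.ovpn</code> and the files under <code>/etc/openvpn/ccd/</code>; a CN in <code>unknown_cns</code> is a certificate you did not issue through this procedure and should be checked against the CA before it is allowed to stay.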