Josh: Major update - troubleshooting guide: OpenVPN User Management (58 sections)

2026-01-01T13:44:54Z

Major update - troubleshooting guide: OpenVPN User Management (58 sections)

Josh: Content removed - troubleshooting guide: OpenVPN User Management (12 sections)

2026-01-01T13:28:37Z

Content removed - troubleshooting guide: OpenVPN User Management (12 sections)

← Older revision		Revision as of 13:28, 1 January 2026
Line 6:		Line 6:

	OpenVPN uses certificate-based authentication. Each user (client) requires:		OpenVPN uses certificate-based authentication. Each user (client) requires:
	'' A unique client certificate		* A unique client certificate
	'' A client configuration file (<code>.ovpn</code>)
	'' Optionally, a static IP assignment via CCD file		* A client configuration file (<code>.ovpn</code>)

			* Optionally, a static IP assignment via CCD file

	== Current Users ==		== Current Users ==

	Client configuration files are stored in <code>/root/</code>:		Client configuration files are stored in <code>/root/</code>:
	'' <code>josh.ovpn</code>		* <code>josh.ovpn</code>
	'' <code>Work_MacBook_Air.ovpn</code>
	'' <code>StrawberryNAS.ovpn</code> (Synology NAS with static IP 10.8.0.2)		* <code>Work_MacBook_Air.ovpn</code>

			* <code>StrawberryNAS.ovpn</code> (Synology NAS with static IP 10.8.0.2)

	== Adding a New User ==		== Adding a New User ==
Line 56:		Line 60:

	You'll need to create a <code>.ovpn</code> file that combines:		You'll need to create a <code>.ovpn</code> file that combines:
	'' Client certificate		* Client certificate
	'' Client private key
	'' CA certificate		* Client private key
	'' TLS-Crypt key
	'' Connection settings		* CA certificate

			* TLS-Crypt key

			* Connection settings


	Use an existing <code>.ovpn</code> file as a template:		Use an existing <code>.ovpn</code> file as a template:
Line 274:		Line 283:
	tar -czf openvpn-users-backup-$(date +%Y%m%d).tar.gz \		tar -czf openvpn-users-backup-$(date +%Y%m%d).tar.gz \
	/etc/openvpn/server/easy-rsa/pki/ \		/etc/openvpn/server/easy-rsa/pki/ \
	/root/''.ovpn \		/root/*.ovpn \
	/etc/openvpn/ccd/		/etc/openvpn/ccd/
	</pre>		</pre>
Line 280:		Line 289:
	== Related Documentation ==		== Related Documentation ==

	'' [Server Configuration](server-configuration.md) - Server setup		* [Server Configuration](server-configuration.md) - Server setup
	'' [Client Configuration](client-configuration.md) - Client setup
	'' [Certificate Management](certificate-management.md) - Certificate details		* [Client Configuration](client-configuration.md) - Client setup
	'' [[Documentation:Index\|Troubleshooting]] - User management troubleshooting
			* [Certificate Management](certificate-management.md) - Certificate details

			* [[Documentation:Index\|Troubleshooting]] - User management troubleshooting

	[[Category:Documentation]]		[[Category:Documentation]]
	[[Category:Documentation/OpenVPN]]		[[Category:Documentation/OpenVPN]]

Josh: Added troubleshooting guide: OpenVPN User Management

2026-01-01T13:16:18Z

Added troubleshooting guide: OpenVPN User Management

New page

= OpenVPN User Management =

This document covers managing OpenVPN users (clients) including adding, removing, and managing client certificates.

== Overview ==

OpenVPN uses certificate-based authentication. Each user (client) requires:
'' A unique client certificate
'' A client configuration file (<code>.ovpn</code>)
'' Optionally, a static IP assignment via CCD file

== Current Users ==

Client configuration files are stored in <code>/root/</code>:
'' <code>josh.ovpn</code>
'' <code>Work_MacBook_Air.ovpn</code>
'' <code>StrawberryNAS.ovpn</code> (Synology NAS with static IP 10.8.0.2)

== Adding a New User ==

=== Method 1: Using the OpenVPN Install Script (Recommended) ===

If you have the <code>openvpn-install.sh</code> script available:

<pre class="lang-bash">
= Run the installer script =
bash /root/openvpn-install.sh

= Select option to add a new client =
= Follow the prompts to enter the client name =
= The script will automatically: =
= - Generate the client certificate =
= - Create the .ovpn configuration file =
= - Place it in /root/ =
</pre>

=== Method 2: Manual Certificate Creation with Easy-RSA ===

For manual certificate creation:

= '''Navigate to Easy-RSA directory''': =
<pre class="lang-bash">
cd /etc/openvpn/server/easy-rsa/
</pre>

= '''Generate client certificate and key''': =
<pre class="lang-bash">
./easyrsa build-client-full clientname nopass
</pre>

Replace <code>clientname</code> with the desired client name (e.g., <code>newuser</code>, <code>laptop-john</code>).

The <code>nopass</code> option creates a certificate without a password. Remove it if you want password protection.

= '''Create client configuration file''': =

You'll need to create a <code>.ovpn</code> file that combines:
'' Client certificate
'' Client private key
'' CA certificate
'' TLS-Crypt key
'' Connection settings

Use an existing <code>.ovpn</code> file as a template:
<pre class="lang-bash">
cp /root/josh.ovpn /root/newclient.ovpn
</pre>

Then extract and replace the certificate sections:
<pre class="lang-bash">
# Extract client certificate from Easy-RSA
cat /etc/openvpn/server/easy-rsa/pki/issued/clientname.crt

# Extract client key
cat /etc/openvpn/server/easy-rsa/pki/private/clientname.key

# Replace the <cert> and <key> sections in the .ovpn file
</pre>

= '''Verify the configuration''': =
<pre class="lang-bash">
# Test the .ovpn file syntax
openvpn --config /root/newclient.ovpn --test-crypto
</pre>

=== Method 3: Using Easy-RSA Helper Script ===

Create a helper script to automate the process:

<pre class="lang-bash">
#!/bin/bash
= /root/create-openvpn-client.sh =

CLIENT_NAME=$1

if [ -z "$CLIENT_NAME" ]; then
echo "Usage: $0 <client-name>"
exit 1
fi

cd /etc/openvpn/server/easy-rsa/

= Generate client certificate =
./easyrsa build-client-full "$CLIENT_NAME" nopass

= Create .ovpn file =
CLIENT_DIR="/root"
OVPN_FILE="$CLIENT_DIR/$CLIENT_NAME.ovpn"

= Start with common client configuration =
cat > "$OVPN_FILE" << EOF
client
dev tun
proto udp
remote 87.106.61.62 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
ignore-unknown-option block-outside-dns
verb 3
EOF

= Add CA certificate =
echo "<ca>" >> "$OVPN_FILE"
cat /etc/openvpn/server/ca.crt >> "$OVPN_FILE"
echo "</ca>" >> "$OVPN_FILE"

= Add client certificate =
echo "<cert>" >> "$OVPN_FILE"
cat "/etc/openvpn/server/easy-rsa/pki/issued/$CLIENT_NAME.crt" >> "$OVPN_FILE"
echo "</cert>" >> "$OVPN_FILE"

= Add client key =
echo "<key>" >> "$OVPN_FILE"
cat "/etc/openvpn/server/easy-rsa/pki/private/$CLIENT_NAME.key" >> "$OVPN_FILE"
echo "</key>" >> "$OVPN_FILE"

= Add TLS-Crypt key =
echo "<tls-crypt>" >> "$OVPN_FILE"
cat /etc/openvpn/server/tc.key >> "$OVPN_FILE"
echo "</tls-crypt>" >> "$OVPN_FILE"

echo "Client configuration created: $OVPN_FILE"
echo "Send this file securely to the client."
</pre>

Make it executable:
<pre class="lang-bash">
chmod +x /root/create-openvpn-client.sh
</pre>

Usage:
<pre class="lang-bash">
/root/create-openvpn-client.sh newclientname
</pre>

== Assigning Static IP Addresses ==

To assign a static IP address to a client:

= '''Create a CCD file''' in <code>/etc/openvpn/ccd/</code>: =
<pre class="lang-bash">
sudo nano /etc/openvpn/ccd/clientname
</pre>

= '''Add IP assignment''': =
<pre>
ifconfig-push 10.8.0.X 255.255.255.0
</pre>

Replace <code>X</code> with the desired IP (e.g., <code>10.8.0.10</code>).

= '''Set proper permissions''': =
<pre class="lang-bash">
sudo chown nobody:nogroup /etc/openvpn/ccd/clientname
sudo chmod 600 /etc/openvpn/ccd/clientname
</pre>

= '''Restart OpenVPN''' (if needed): =
<pre class="lang-bash">
sudo systemctl restart openvpn
</pre>

'''Example''': The Synology NAS has a CCD file at <code>/etc/openvpn/ccd/StrawberryNAS</code> with:
<pre>
ifconfig-push 10.8.0.2 255.255.255.0
</pre>

== Listing Active Users ==

To see which users are currently connected:

<pre class="lang-bash">
= View IP persistence file (shows last assigned IPs) =
cat /etc/openvpn/server/ipp.txt

= Check active connections via system logs =
journalctl -u openvpn | grep "Peer Connection Initiated"

= Or check the VPN interface =
ip addr show tun0
</pre>

== Revoking a User Certificate ==

When a user should no longer have access:

= '''Navigate to Easy-RSA directory''': =
<pre class="lang-bash">
cd /etc/openvpn/server/easy-rsa/
</pre>

= '''Revoke the certificate''': =
<pre class="lang-bash">
./easyrsa revoke clientname
</pre>

You'll be prompted to confirm. Type <code>yes</code>.

= '''Update the Certificate Revocation List (CRL)''': =
<pre class="lang-bash">
./easyrsa gen-crl
</pre>

= '''Copy the updated CRL to the server directory''': =
<pre class="lang-bash">
cp pki/crl.pem /etc/openvpn/server/crl.pem
</pre>

= '''Restart OpenVPN''' to apply the revocation: =
<pre class="lang-bash">
systemctl restart openvpn
</pre>

= '''Remove client files''' (optional but recommended): =
<pre class="lang-bash">
# Remove .ovpn file
rm /root/clientname.ovpn

# Remove CCD file if it exists
rm /etc/openvpn/ccd/clientname
</pre>

'''Note''': The revoked certificate will be immediately rejected. The user will not be able to connect even if they still have the <code>.ovpn</code> file.

== Security Best Practices ==

= '''Use descriptive client names''': Use names that identify the device/user (e.g., <code>laptop-john</code>, <code>phone-mary</code>, <code>nas-synology</code>) =

= '''Regular certificate rotation''': Renew certificates before expiration (typically annually) =

= '''Revoke unused certificates''': Remove access for users who no longer need VPN access =

= '''Secure .ovpn file distribution''': Use secure channels (encrypted email, secure file transfer) when sending <code>.ovpn</code> files to clients =

= '''Limit static IP assignments''': Only assign static IPs when necessary (e.g., for services like the Synology NAS) =

= '''Monitor active connections''': Regularly check who is connected and verify it's expected =

= '''Keep Easy-RSA secure''': The Easy-RSA directory contains sensitive keys - restrict access: =
<pre class="lang-bash">
chmod 700 /etc/openvpn/server/easy-rsa/
</pre>

== Backup User Certificates ==

Before making changes, backup user certificates:

<pre class="lang-bash">
= Backup all certificates and keys =
tar -czf openvpn-users-backup-$(date +%Y%m%d).tar.gz \
/etc/openvpn/server/easy-rsa/pki/ \
/root/''.ovpn \
/etc/openvpn/ccd/
</pre>

== Related Documentation ==

'' [Server Configuration](server-configuration.md) - Server setup
'' [Client Configuration](client-configuration.md) - Client setup
'' [Certificate Management](certificate-management.md) - Certificate details
'' [[Documentation:Index|Troubleshooting]] - User management troubleshooting

[[Category:Documentation]]
[[Category:Documentation/OpenVPN]]

OpenVPN:User Management - Revision history

Josh: Major update - troubleshooting guide: OpenVPN User Management (58 sections)

Josh: Content removed - troubleshooting guide: OpenVPN User Management (12 sections)

Josh: Added troubleshooting guide: OpenVPN User Management