OpenVPN:User Management: Difference between revisions
Edit summaries: "Added troubleshooting guide: OpenVPN User Management"; "Content removed - troubleshooting guide: OpenVPN User Management (12 sections)"
Revision as of 13:28, 1 January 2026
OpenVPN User Management
This document covers managing OpenVPN users (clients) including adding, removing, and managing client certificates.
Overview
OpenVPN uses certificate-based authentication. Each user (client) requires:
- A unique client certificate
- A client configuration file (.ovpn)
- Optionally, a static IP assignment via CCD file
Current Users
Client configuration files are stored in /root/:
- josh.ovpn
- Work_MacBook_Air.ovpn
- StrawberryNAS.ovpn (Synology NAS with static IP 10.8.0.2)
Adding a New User
Method 1: Using the OpenVPN Install Script (Recommended)
If you have the openvpn-install.sh script available:
# Run the installer script
bash /root/openvpn-install.sh
# Select the option to add a new client
# Follow the prompts to enter the client name
# The script will automatically:
#   - Generate the client certificate
#   - Create the .ovpn configuration file
#   - Place it in /root/
Method 2: Manual Certificate Creation with Easy-RSA
For manual certificate creation:
Navigate to Easy-RSA directory:
cd /etc/openvpn/server/easy-rsa/
Generate client certificate and key:
./easyrsa build-client-full clientname nopass
Replace clientname with the desired client name (e.g., newuser, laptop-john). The nopass option creates a certificate whose private key has no passphrase. Remove it if you want the key to be passphrase-protected.
Create client configuration file:
You'll need to create a .ovpn file that combines:
* Client certificate
* Client private key
* CA certificate
* TLS-Crypt key
* Connection settings
Use an existing .ovpn file as a template:
cp /root/josh.ovpn /root/newclient.ovpn
Then extract and replace the certificate sections:
# Extract client certificate from Easy-RSA
cat /etc/openvpn/server/easy-rsa/pki/issued/clientname.crt
# Extract client key
cat /etc/openvpn/server/easy-rsa/pki/private/clientname.key
# Replace the <cert> and <key> sections in the .ovpn file
Verify the configuration:
# Test the .ovpn file syntax
openvpn --config /root/newclient.ovpn --test-crypto
Method 3: Using Easy-RSA Helper Script
Create a helper script to automate the process:
#!/bin/bash
# /root/create-openvpn-client.sh
set -e      # stop on the first failing command (e.g. Easy-RSA refusing a duplicate name)
umask 077   # the .ovpn embeds a private key: create it readable by root only
CLIENT_NAME=$1
if [ -z "$CLIENT_NAME" ]; then
    echo "Usage: $0 <client-name>"
    exit 1
fi
cd /etc/openvpn/server/easy-rsa/
# Generate client certificate
./easyrsa build-client-full "$CLIENT_NAME" nopass
# Create .ovpn file
CLIENT_DIR="/root"
OVPN_FILE="$CLIENT_DIR/$CLIENT_NAME.ovpn"
# Start with common client configuration
cat > "$OVPN_FILE" << EOF
client
dev tun
proto udp
remote 87.106.61.62 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
ignore-unknown-option block-outside-dns
verb 3
EOF
# Add CA certificate
echo "<ca>" >> "$OVPN_FILE"
cat /etc/openvpn/server/ca.crt >> "$OVPN_FILE"
echo "</ca>" >> "$OVPN_FILE"
# Add client certificate
echo "<cert>" >> "$OVPN_FILE"
cat "/etc/openvpn/server/easy-rsa/pki/issued/$CLIENT_NAME.crt" >> "$OVPN_FILE"
echo "</cert>" >> "$OVPN_FILE"
# Add client key
echo "<key>" >> "$OVPN_FILE"
cat "/etc/openvpn/server/easy-rsa/pki/private/$CLIENT_NAME.key" >> "$OVPN_FILE"
echo "</key>" >> "$OVPN_FILE"
# Add TLS-Crypt key
echo "<tls-crypt>" >> "$OVPN_FILE"
cat /etc/openvpn/server/tc.key >> "$OVPN_FILE"
echo "</tls-crypt>" >> "$OVPN_FILE"
echo "Client configuration created: $OVPN_FILE"
echo "Send this file securely to the client."
Make it executable:
chmod +x /root/create-openvpn-client.sh
Usage:
/root/create-openvpn-client.sh newclientname
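An added check, not part of this page's scripts, for a .ovpn file assembled by Method 2 or Method 3: it confirms that all four inline blocks and the essential directives are present, that each block actually carries key material, and that the file, which embeds a private key, is not readable by other users. The file paths are whatever you pass in; the PEM contents in any test file are constructed placeholders.

```shell
#!/bin/bash
# Validate an assembled client .ovpn: every inline block the create script
# writes must be present and non-empty, and the essential directives must be set.
# Prints each problem found; returns 0 only when the file is complete.
# Usage: check_ovpn /root/newclient.ovpn
check_ovpn() {
    local f=$1 problems=0 d
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    # The four inline blocks the server's scripts embed
    for d in ca cert key tls-crypt; do
        if ! grep -q "^<$d>" "$f" || ! grep -q "^</$d>" "$f"; then
            echo "missing or unterminated <$d> block"; problems=$((problems+1))
        fi
    done
    # Each block must carry PEM-style material, not just an empty pair of tags
    for d in ca cert key tls-crypt; do
        if ! sed -n "/^<$d>/,/^<\/$d>/p" "$f" | grep -q -- '-----BEGIN'; then
            echo "<$d> block contains no key material"; problems=$((problems+1))
        fi
    done
    # client mode, a server to dial, and server-certificate verification
    # (remote-cert-tls server stops a client cert from impersonating the server)
    for d in '^client$' '^remote ' '^remote-cert-tls server$'; do
        grep -Eq "$d" "$f" || { echo "missing directive matching '$d'"; problems=$((problems+1)); }
    done
    # The file holds a private key: it must not be group- or world-readable
    if [ -n "$(find "$f" -perm /077 2>/dev/null)" ]; then
        echo "$f is group/world readable (chmod 600 it)"; problems=$((problems+1))
    fi
    [ "$problems" -eq 0 ]
}
```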
Assigning Static IP Addresses
To assign a static IP address to a client:
Create a CCD file in /etc/openvpn/ccd/:
sudo nano /etc/openvpn/ccd/clientname
Add IP assignment:
ifconfig-push 10.8.0.X 255.255.255.0
Replace X with the desired host number (e.g., 10.8.0.10).
Set proper permissions:
sudo chown nobody:nogroup /etc/openvpn/ccd/clientname
sudo chmod 600 /etc/openvpn/ccd/clientname
Restart OpenVPN (if needed):
sudo systemctl restart openvpn
Example: The Synology NAS has a CCD file at /etc/openvpn/ccd/StrawberryNAS with:
ifconfig-push 10.8.0.2 255.255.255.0
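An added audit script, not part of this page, to run over the CCD directory before restarting OpenVPN: it flags two clients pushed the same static address, an address outside the VPN subnet, and the server's own address. It assumes the subnet layout this page's example uses (10.8.0.0/24 pushed with mask 255.255.255.0, with the server holding 10.8.0.1).

```shell
#!/bin/bash
# Audit CCD files for static IP conflicts. Prints one line per problem and
# returns 0 only when the directory is clean.
# Usage: ccd_audit /etc/openvpn/ccd 10.8.0   (second argument: the /24 prefix)
ccd_audit() {
    local dir=$1 prefix=$2 f name ip prev problems=0 seen=""
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # Take the address from the file's first "ifconfig-push <ip> <mask>" line
        ip=$(awk '$1=="ifconfig-push"{print $2; exit}' "$f")
        [ -n "$ip" ] || continue
        case "$ip" in
            "$prefix".*) ;;
            *) echo "$name: $ip is outside $prefix.0/24"; problems=$((problems+1)) ;;
        esac
        # .1 belongs to the server in this topology (assumption stated above)
        if [ "$ip" = "$prefix.1" ]; then
            echo "$name: $ip is the server's own address"; problems=$((problems+1))
        fi
        # Compare against every address seen so far (one "ip name" pair per line)
        prev=$(printf '%s\n' "$seen" | awk -v ip="$ip" '$1==ip{print $2; exit}')
        if [ -n "$prev" ]; then
            echo "$name: $ip already assigned to $prev"; problems=$((problems+1))
        fi
        seen="$seen
$ip $name"
    done
    [ "$problems" -eq 0 ]
}
```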
Listing Active Users
To see which users are currently connected:
# View IP persistence file (shows last assigned IPs)
cat /etc/openvpn/server/ipp.txt
# Check active connections via system logs
journalctl -u openvpn | grep "Peer Connection Initiated"
# Or check the VPN interface
ip addr show tun0
Revoking a User Certificate
When a user should no longer have access:
Navigate to Easy-RSA directory:
cd /etc/openvpn/server/easy-rsa/
Revoke the certificate:
./easyrsa revoke clientname
You'll be prompted to confirm. Type yes.
Update the Certificate Revocation List (CRL):
./easyrsa gen-crl
Copy the updated CRL to the server directory:
cp pki/crl.pem /etc/openvpn/server/crl.pem
Restart OpenVPN to apply the revocation:
systemctl restart openvpn
Remove client files (optional but recommended):
# Remove .ovpn file
rm /root/clientname.ovpn
# Remove CCD file if it exists
rm /etc/openvpn/ccd/clientname
Note: Once the server has been restarted with the updated CRL, the revoked certificate is rejected immediately. The user will not be able to connect even if they still have the .ovpn file.
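An added clean-up audit for the optional step above, not part of this page: it reads Easy-RSA's pki/index.txt (OpenSSL's CA database, tab-separated: status V/R/E, expiry, revocation date, serial, filename, DN) and reports .ovpn files and CCD entries whose certificate is revoked, expired, or was never issued. It assumes Easy-RSA's default DN form /CN=clientname and the directories this page uses for .ovpn and CCD files.

```shell
#!/bin/bash
# Find leftover client artifacts after revocations. Prints one line per
# leftover and returns 0 only when every .ovpn and CCD file belongs to a
# currently valid certificate.
# Usage: revoked_leftovers /etc/openvpn/server/easy-rsa/pki/index.txt /root /etc/openvpn/ccd
revoked_leftovers() {
    local index=$1 ovpn_dir=$2 ccd_dir=$3 f name status problems=0
    [ -r "$index" ] || { echo "cannot read $index"; return 1; }
    for f in "$ovpn_dir"/*.ovpn "$ccd_dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .ovpn)
        # Match on the DN field; a re-issued client has an R line followed by a
        # V line, so the last matching entry decides.
        status=$(awk -F'\t' -v cn="/CN=$name" '$6==cn{s=$1} END{print s}' "$index")
        case "$status" in
            V) ;;
            R)  echo "$f: certificate for $name is revoked"; problems=$((problems+1)) ;;
            E)  echo "$f: certificate for $name has expired"; problems=$((problems+1)) ;;
            "") echo "$f: no certificate issued for $name"; problems=$((problems+1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}
```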
Security Best Practices
Use descriptive client names: Use names that identify the device/user (e.g., laptop-john, phone-mary, nas-synology)
Regular certificate rotation: Renew certificates before expiration (typically annually)
Revoke unused certificates: Remove access for users who no longer need VPN access
Secure .ovpn file distribution: Use secure channels (encrypted email, secure file transfer) when sending .ovpn files to clients
Limit static IP assignments: Only assign static IPs when necessary (e.g., for services like the Synology NAS)
Monitor active connections: Regularly check who is connected and verify it's expected
Keep Easy-RSA secure: The Easy-RSA directory contains sensitive keys - restrict access:
chmod 700 /etc/openvpn/server/easy-rsa/
Backup User Certificates
Before making changes, backup user certificates:
# Backup all certificates and keys
tar -czf openvpn-users-backup-$(date +%Y%m%d).tar.gz \
  /etc/openvpn/server/easy-rsa/pki/ \
  /root/*.ovpn \
  /etc/openvpn/ccd/
Related Documentation
- [Server Configuration](server-configuration.md) - Server setup
- [Client Configuration](client-configuration.md) - Client setup
- [Certificate Management](certificate-management.md) - Certificate details
- Troubleshooting - User management troubleshooting