OpenVPN:User Management

From jb-vpn.uk Wiki
Revision as of 13:44, 1 January 2026 by Josh (talk | contribs) (Major update - troubleshooting guide: OpenVPN User Management (58 sections))

This document covers managing OpenVPN users (clients) including adding, removing, and managing client certificates.

Overview

OpenVPN is set up here for certificate-based authentication: every client presents its own X.509 certificate, issued by the server's Easy-RSA CA, and shares the server's TLS-Crypt key. Each user (client) requires:

  • A unique client certificate
  • A client configuration file (.ovpn)
  • Optionally, a static IP assignment via CCD file

Current Users

Client configuration files are stored in /root/:

  • josh.ovpn
  • Work_MacBook_Air.ovpn
  • StrawberryNAS.ovpn (Synology NAS with static IP 10.8.0.2)

Adding a New User

Method 1: Using the OpenVPN Install Script (Recommended)

If you have the openvpn-install.sh script available:

   # Run the installer script
   bash /root/openvpn-install.sh

Select the option to add a new client and follow the prompts to enter the client name. The script will automatically:

  • Generate the client certificate
  • Create the .ovpn configuration file
  • Place it in /root/

Method 2: Manual Certificate Creation with Easy-RSA

For manual certificate creation:

   cd /etc/openvpn/server/easy-rsa/

Generate client certificate and key:

   ./easyrsa build-client-full clientname nopass
  Replace clientname with the desired client name (e.g., newuser, laptop-john).
  
  The nopass option leaves the private key unencrypted, which is what a headless device such as the NAS needs. Omit it to be prompted for a passphrase; the client will then have to supply that passphrase on every connection.

Create client configuration file:

  You'll need to create a .ovpn file that combines:
  * Client certificate
  * Client private key
  * CA certificate
  * TLS-Crypt key
  * Connection settings


  Use an existing .ovpn file as a template (the copy still contains the template user's private key until you replace it, so delete it if you abandon the process):
   cp /root/josh.ovpn /root/newclient.ovpn
  Then extract and replace the certificate sections. The <ca> and <tls-crypt> blocks are shared by every client and stay as they are; only <cert> and <key> change:
   # Extract client certificate from Easy-RSA
   cat /etc/openvpn/server/easy-rsa/pki/issued/clientname.crt

   # Extract client key
   cat /etc/openvpn/server/easy-rsa/pki/private/clientname.key

   # Replace the <cert> and <key> sections in the .ovpn file

Verify the configuration:

   # Let OpenVPN parse the profile without connecting
   openvpn --config /root/newclient.ovpn --test-crypto
  OpenVPN reads and validates the whole profile before it does anything else, so a mistyped directive or an unterminated inline block is reported here. The crypto self-test itself is documented for static-key (--secret) setups and says nothing about whether the client certificate matches the key or chains to the CA; the conclusive test is connecting from the client and watching the server log for the new common name.
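The replace-the-sections step above is easy to get wrong by hand (a stray line left inside a block, a block pasted twice). The script below is an added example, not part of this wiki or of the openvpn-install.sh tooling: it swaps one inline block of a profile for the contents of a PEM file with awk, then checks that the result has exactly one <ca>, <cert>, <key> and <tls-crypt> block and that PEM or static-key data sits inside them. The sample profile and certificate it builds are constructed placeholders, not real key material.

```sh
#!/bin/sh
# Added example (not from the wiki): swap an inline block in a .ovpn profile
# and sanity-check the result. The sample profile and certificate below are
# constructed placeholders, not real key material.
set -eu

# Replace the body of <tag>...</tag> in profile $1 with PEM file $3; all other
# lines pass through unchanged. Output goes to stdout.
ovpn_replace_block() {    # usage: ovpn_replace_block profile tag pemfile
    awk -v tag="$2" -v pem="$3" '
        $0 == "<" tag ">" {
            print
            while ((getline line < pem) > 0) print line
            close(pem)
            skip = 1
            next
        }
        $0 == "</" tag ">" { skip = 0 }
        !skip { print }
    ' "$1"
}

# Check profile $1 has each required block exactly once and that the blocks
# carry PEM / static-key data. Prints "ok", or the first problem and returns 1.
ovpn_check() {    # usage: ovpn_check profile
    f="$1"
    for tag in ca cert key tls-crypt; do
        nopen=$(grep -cxF -- "<$tag>" "$f" || true)
        nclose=$(grep -cxF -- "</$tag>" "$f" || true)
        if [ "$nopen" != 1 ] || [ "$nclose" != 1 ]; then
            echo "missing or duplicated <$tag> block"; return 1
        fi
    done
    ncert=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$ncert" -ge 2 ] || { echo "expected CA and client certificate PEM"; return 1; }
    grep -qE '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" \
        || { echo "no private key PEM"; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----' "$f" \
        || { echo "no tls-crypt key"; return 1; }
    echo ok
}

# Constructed sample profile with placeholder bodies (not real key material).
write_sample_profile() {    # usage: write_sample_profile file
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 87.106.61.62 1194
<ca>
-----BEGIN CERTIFICATE-----
CA-BODY-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
OLD-CLIENT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
OLD-CLIENT-KEY-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
TC-KEY-PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# Constructed replacement certificate (placeholder, not a real certificate).
write_sample_cert() {    # usage: write_sample_cert file
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
NEW-CLIENT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# Stand-alone demo: swap the cert block in the sample, then check the result.
tmpd=$(mktemp -d)
write_sample_profile "$tmpd/template.ovpn"
write_sample_cert "$tmpd/new.crt"
ovpn_replace_block "$tmpd/template.ovpn" cert "$tmpd/new.crt" > "$tmpd/newclient.ovpn"
ovpn_check "$tmpd/newclient.ovpn"
rm -rf "$tmpd"
```

Run ovpn_replace_block twice on a real copy of josh.ovpn (once for cert, once for key, each time reading the file Easy-RSA wrote under pki/), then ovpn_check on the result before handing it out.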

Method 3: Using Easy-RSA Helper Script

Create a helper script to automate the process:

#!/bin/bash
# /root/create-openvpn-client.sh
# Issue a client certificate with Easy-RSA and assemble a single-file .ovpn profile.

set -euo pipefail
umask 077   # the profile embeds a private key: create it readable by root only

CLIENT_NAME="${1:-}"

if [ -z "$CLIENT_NAME" ]; then
    echo "Usage: $0 <client-name>" >&2
    exit 1
fi

EASYRSA_DIR="/etc/openvpn/server/easy-rsa"
SERVER_DIR="/etc/openvpn/server"
CLIENT_DIR="/root"
OVPN_FILE="$CLIENT_DIR/$CLIENT_NAME.ovpn"

# Never overwrite an existing profile (and the key inside it) by accident
if [ -e "$OVPN_FILE" ]; then
    echo "$OVPN_FILE already exists; revoke or remove the old client first" >&2
    exit 1
fi

cd "$EASYRSA_DIR"

# Generate client certificate; Easy-RSA aborts if a request with this name already exists
./easyrsa build-client-full "$CLIENT_NAME" nopass

# Start with common client configuration
cat > "$OVPN_FILE" << EOF
client
dev tun
proto udp
remote 87.106.61.62 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
ignore-unknown-option block-outside-dns
verb 3
EOF

# Append the CA certificate, client certificate, client key and TLS-Crypt key
# as inline blocks (set -e stops the script if any of the files is missing)
{
    echo "<ca>";        cat "$SERVER_DIR/ca.crt";                        echo "</ca>"
    echo "<cert>";      cat "$EASYRSA_DIR/pki/issued/$CLIENT_NAME.crt";  echo "</cert>"
    echo "<key>";       cat "$EASYRSA_DIR/pki/private/$CLIENT_NAME.key"; echo "</key>"
    echo "<tls-crypt>"; cat "$SERVER_DIR/tc.key";                        echo "</tls-crypt>"
} >> "$OVPN_FILE"

echo "Client configuration created: $OVPN_FILE"
echo "Send this file securely to the client."

Make it executable:

chmod +x /root/create-openvpn-client.sh

Usage:

/root/create-openvpn-client.sh newclientname

Assigning Static IP Addresses

To assign a static IP address to a client, the server config must contain client-config-dir /etc/openvpn/ccd (this server's already does; see the StrawberryNAS example below). OpenVPN looks the CCD file up by the client certificate's common name, so the file name must match the CN exactly. Stick to letters, digits and - _ . @ in client names: OpenVPN replaces other characters with _ when it builds the CCD path, and the file would never be found.

Create a CCD file in /etc/openvpn/ccd/:

   sudo nano /etc/openvpn/ccd/clientname

Add IP assignment:

   ifconfig-push 10.8.0.X 255.255.255.0
  Replace X with the desired IP (e.g., 10.8.0.10). This address-plus-netmask form is the topology subnet form, the same one the StrawberryNAS entry below uses; pick an unused host address inside the server's 10.8.0.0/24 (10.8.0.1 is the server itself) that no other CCD file already pushes.

Set proper permissions:

   sudo chown nobody:nogroup /etc/openvpn/ccd/clientname
   sudo chmod 600 /etc/openvpn/ccd/clientname
  The file is read by the OpenVPN process after it has dropped privileges (user nobody / group nogroup, which the chown above assumes), so the only requirement is that that user can read it. The contents are not secret; root-owned with mode 644 works equally well.

Restart OpenVPN (if needed):

   sudo systemctl restart openvpn
  CCD files are read every time the client connects, so when client-config-dir is already configured no restart is needed: the client just has to reconnect. Restart only if you had to add client-config-dir to the server config, and use the unit that actually runs this server (on the /etc/openvpn/server/ layout it is usually openvpn-server@server rather than openvpn).

Example: The Synology NAS has a CCD file at /etc/openvpn/ccd/StrawberryNAS with:

ifconfig-push 10.8.0.2 255.255.255.0
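An added example (not from the wiki) that performs the CCD steps above with the checks a manual edit skips: that the client name is one OpenVPN will actually look up, that the address is a host address inside 10.8.0.0/24, that no other CCD file already pushes it, and that ipp.txt does not show it leased to a dynamic client. The directory layout and subnet follow this page; the CCD file and ipp.txt it writes for the demo are constructed.

```sh
#!/bin/sh
# Added example (not from the wiki): create a CCD static-address file only
# after checking the address is usable and not already taken. Assumes this
# page's layout: VPN 10.8.0.0/24 with topology subnet, CCD files in
# /etc/openvpn/ccd, leases in /etc/openvpn/server/ipp.txt.
set -eu

VPN_NET="${VPN_NET:-10.8.0}"   # first three octets of the VPN /24

# Is $1 free to hand out? $2 is the CCD directory, $3 (optional) ipp.txt.
# Prints "ok", or the reason and returns 1.
ccd_ip_free() {    # usage: ccd_ip_free ip ccd_dir [ipp.txt]
    ip="$1"; dir="$2"; ipp="${3:-}"
    case "$ip" in
        "$VPN_NET".*) ;;
        *) echo "$ip is not inside $VPN_NET.0/24"; return 1 ;;
    esac
    host="${ip##*.}"
    case "$host" in
        ''|*[!0-9]*) echo "$ip is not a valid address"; return 1 ;;
    esac
    # .0 is the network, .1 the server's own tunnel address, .255 broadcast
    if [ "$host" -le 1 ] || [ "$host" -ge 255 ]; then
        echo "$ip is reserved"; return 1
    fi
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots for grep -E
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -qE "^[[:space:]]*ifconfig-push[[:space:]]+$ip_re([[:space:]]|\$)" "$f"; then
            echo "$ip already assigned to $(basename "$f")"; return 1
        fi
    done
    # ipp.txt lines are "cn,10.8.0.3" (newer servers may append ",<ipv6>")
    if [ -n "$ipp" ] && [ -r "$ipp" ]; then
        owner=$(grep -E ",$ip_re(,|\$)" "$ipp" | cut -d, -f1 | head -n 1 || true)
        if [ -n "$owner" ]; then
            echo "$ip was last leased dynamically to $owner; pick another or clear ipp.txt"; return 1
        fi
    fi
    echo ok
}

# Write $dir/$cn with the ifconfig-push line (topology subnet form).
# Refuses names OpenVPN would not look up as-is: it maps characters other
# than letters, digits, - _ . @ to "_" when it builds the CCD path.
ccd_assign() {    # usage: ccd_assign cn ip ccd_dir [ipp.txt]
    cn="$1"; ip="$2"; dir="$3"; ipp="${4:-}"
    case "$cn" in
        ''|*[!A-Za-z0-9_.@-]*) echo "client name '$cn' has characters OpenVPN remaps; rename the client"; return 1 ;;
    esac
    if [ -e "$dir/$cn" ]; then
        echo "$dir/$cn already exists"; return 1
    fi
    reason=$(ccd_ip_free "$ip" "$dir" "$ipp") || { echo "$reason"; return 1; }
    printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$dir/$cn"
    chmod 644 "$dir/$cn"   # not secret; it only has to be readable by the OpenVPN runtime user
    echo "created $dir/$cn"
}

# Constructed sample state: the NAS's CCD file and a two-line ipp.txt.
write_sample_state() {    # usage: write_sample_state basedir (needs basedir/ccd and basedir/server)
    printf 'ifconfig-push 10.8.0.2 255.255.255.0\n' > "$1/ccd/StrawberryNAS"
    printf 'josh,10.8.0.3\nWork_MacBook_Air,10.8.0.4\n' > "$1/server/ipp.txt"
}

# Stand-alone demo on the sample: one good assignment, one collision.
tmpd=$(mktemp -d); mkdir "$tmpd/ccd" "$tmpd/server"
write_sample_state "$tmpd"
ccd_assign laptop-john 10.8.0.10 "$tmpd/ccd" "$tmpd/server/ipp.txt"
ccd_assign phone-mary  10.8.0.2  "$tmpd/ccd" "$tmpd/server/ipp.txt" || true
rm -rf "$tmpd"
```

On the real server run it as root with ccd_assign clientname 10.8.0.10 /etc/openvpn/ccd /etc/openvpn/server/ipp.txt; the ipp.txt check is informational (a dynamic lease does not block the assignment on its own) but tells you which client you would be colliding with.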

Listing Active Users

Nothing on the server keeps a list of connected users unless it is told to, so the usual sources show history rather than live state:

   # View IP persistence file (the address last leased to each common name, connected or not)
   cat /etc/openvpn/server/ipp.txt

   # Check connection events via the system log (each connect logs "Peer Connection Initiated" with the common name)
   journalctl -u openvpn | grep "Peer Connection Initiated"

   # The VPN interface confirms the server side is up but lists no clients
   ip addr show tun0

Use the journal unit that actually runs this server (on the /etc/openvpn/server/ layout it is usually openvpn-server@server). For a live list, add a status directive to the server config (for example status openvpn-status.log): OpenVPN then rewrites that file every 60 seconds with the common name, real address, virtual address and connection time of every client currently connected.
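Added example, not from the wiki: a parser for OpenVPN's status file, the one source that reflects live sessions. It assumes the server config carries a status directive in the default version 1 format (the path /var/log/openvpn/openvpn-status.log is an assumption; this page does not mention a status file at all), joins the client list with the routing table to show each client's tunnel address, and flags any connected common name that is not on an expected list. The status file it parses in the demo is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the wiki): read live sessions from OpenVPN's status
# file. Assumes a "status <file>" directive in the server config (version 1
# format, the default). The path is an assumption; set STATUS_FILE to yours.
set -eu

STATUS_FILE="${STATUS_FILE:-/var/log/openvpn/openvpn-status.log}"

# Print "cn virtual_ip real_address connected_since" for every connected client.
# The client list gives the real address and connect time; the routing table
# gives the tunnel address. iroute networks (a.b.c.d/nn) are skipped so each
# client's own address is the one shown.
status_clients() {    # usage: status_clients status_file
    awk -F, '
        /^OpenVPN CLIENT LIST/    { sec = "clients"; next }
        /^ROUTING TABLE/          { sec = "routes";  next }
        /^GLOBAL STATS/ || /^END/ { sec = "";        next }
        sec == "clients" && $1 != "Updated" && $1 != "Common Name" {
            n++; cn[n] = $1; real[n] = $2; since[n] = $5
        }
        sec == "routes" && $1 != "Virtual Address" && $1 !~ /\// && !($2 in vaddr) {
            vaddr[$2] = $1
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %s %s %s\n", cn[i], (cn[i] in vaddr) ? vaddr[cn[i]] : "-", real[i], since[i]
        }' "$1"
}

# Print connected common names missing from the expected list (space-separated).
# No output means everyone connected is someone you expect.
status_unexpected() {    # usage: status_unexpected status_file "cn1 cn2 ..."
    status_clients "$1" | awk -v want="$2" '
        BEGIN { m = split(want, w, " "); for (i = 1; i <= m; i++) ok[w[i]] = 1 }
        !($1 in ok) { print $1 }'
}

# Constructed sample (documentation address ranges, made-up times).
write_sample_status() {    # usage: write_sample_status file
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jan  1 13:44:00 2026
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
josh,203.0.113.7:51234,128000,5120000,Thu Jan  1 12:30:11 2026
StrawberryNAS,198.51.100.9:61001,9001,42,Wed Dec 31 08:00:00 2025
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.50.0/24,StrawberryNAS,198.51.100.9:61001,Thu Jan  1 13:43:58 2026
10.8.0.2,StrawberryNAS,198.51.100.9:61001,Thu Jan  1 13:43:58 2026
10.8.0.3,josh,203.0.113.7:51234,Thu Jan  1 13:43:59 2026
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Stand-alone run: the real status file if readable, otherwise the sample.
if [ -r "$STATUS_FILE" ]; then
    F="$STATUS_FILE"
else
    F=$(mktemp); write_sample_status "$F"
fi
status_clients "$F"
echo "unexpected: $(status_unexpected "$F" "josh StrawberryNAS Work_MacBook_Air")"
[ "$F" = "$STATUS_FILE" ] || rm -f "$F"
```

Feed status_unexpected the list of common names you issued (the three profiles in /root, for instance) from cron and alert on any output; that is the "verify it's expected" check from the best practices below, automated.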

Revoking a User Certificate

When a user should no longer have access:

   cd /etc/openvpn/server/easy-rsa/

Revoke the certificate:

   ./easyrsa revoke clientname
  You'll be prompted to confirm. Type yes.

Update the Certificate Revocation List (CRL):

   ./easyrsa gen-crl

Copy the updated CRL to the server directory:

   cp pki/crl.pem /etc/openvpn/server/crl.pem

The server config must reference it with crl-verify crl.pem for revocation to have any effect, and because OpenVPN re-reads the CRL after it has dropped privileges, the file must be readable by the runtime user (nobody).

Restart OpenVPN to apply the revocation:

   systemctl restart openvpn

OpenVPN 2.4 and later pick up the new CRL on their own when its modification time changes, but the CRL is only consulted during the TLS handshake, so a session the revoked client already has stays up until it renegotiates or the server restarts. Restart to drop it now, using the unit that runs this server (usually openvpn-server@server on the /etc/openvpn/server/ layout).

Remove client files (optional but recommended):

   # Remove .ovpn file
   rm /root/clientname.ovpn

   # Remove CCD file if it exists
   rm /etc/openvpn/ccd/clientname

Note: Once the CRL is in place, any new connection attempt with the revoked certificate is rejected at the TLS handshake, whether or not the user still has the .ovpn file. Revocation does not alter the file itself, so delete it here and ask the user to do the same.
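Added example, not from the wiki, serving both the Current Users list above and this revocation procedure: the authoritative inventory of users is the Easy-RSA database pki/index.txt, not whichever .ovpn files happen to sit in /root. The script lists every certificate with its status and expiry, names the common names that can still authenticate, and confirms that a revoked name is recorded as R before you regenerate the CRL. The PKI path matches this page's layout and is an assumption for other installs; the index.txt it parses when the real one is absent is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the wiki): read the Easy-RSA certificate database.
# PKI_DIR matches this page's layout; adjust it for other installs.
set -eu

PKI_DIR="${PKI_DIR:-/etc/openvpn/server/easy-rsa/pki}"

# index.txt is tab-separated: status (V valid, R revoked, E expired), expiry as
# YYMMDDHHMMSSZ, revocation time (empty unless revoked), serial, "unknown", and
# the subject DN (/CN=name). The server's own certificate is listed as well.
# Prints "status YYYY-MM-DD serial cn" for every entry (20xx years assumed).
list_certs() {    # usage: list_certs index.txt
    awk -F'\t' '
        $1 ~ /^[VRE]$/ {
            cn = $6
            sub(/^.*\/CN=/, "", cn)   # keep only the CN value
            sub(/\/.*$/, "", cn)      # drop any attribute after it
            printf "%s 20%s-%s-%s %s %s\n", $1, substr($2, 1, 2), substr($2, 3, 2), substr($2, 5, 2), $4, cn
        }' "$1"
}

# Common names that can still authenticate (status V), one per line.
valid_cns() {    # usage: valid_cns index.txt
    list_certs "$1" | awk '$1 == "V" { print $4 }'
}

# Succeeds only if the CN is recorded as revoked: run it straight after
# "easyrsa revoke" and before gen-crl to confirm the right name was hit.
is_revoked() {    # usage: is_revoked index.txt cn
    list_certs "$1" | awk -v cn="$2" '$1 == "R" && $4 == cn { found = 1 } END { exit !found }'
}

# Constructed sample index.txt (serials, dates and the old-laptop entry are made up).
write_sample_index() {    # usage: write_sample_index file
    {
        printf 'V\t280601120000Z\t\t01\tunknown\t/CN=server\n'
        printf 'V\t280601120100Z\t\t02\tunknown\t/CN=josh\n'
        printf 'V\t280601120200Z\t\t03\tunknown\t/CN=StrawberryNAS\n'
        printf 'R\t280601120300Z\t260101134400Z\t04\tunknown\t/CN=old-laptop\n'
    } > "$1"
}

# Stand-alone run: the real database when present, the sample otherwise.
if [ -r "$PKI_DIR/index.txt" ]; then
    INDEX="$PKI_DIR/index.txt"
else
    INDEX=$(mktemp); write_sample_index "$INDEX"
fi
echo "certificates:"
list_certs "$INDEX"
echo "still valid:"
valid_cns "$INDEX"
[ "$INDEX" = "$PKI_DIR/index.txt" ] || rm -f "$INDEX"
```

The expiry column is the date to watch for the rotation item in the best practices below; a CN that still shows V after you thought you revoked it means easyrsa revoke was given a different name.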

Security Best Practices

Use descriptive client names: Use names that identify the device/user (e.g., laptop-john, phone-mary, nas-synology)

Regular certificate rotation: Renew certificates before expiration. The lifetime depends on EASYRSA_CERT_EXPIRE at issue time (Easy-RSA's own default is 825 days, and the install script sets its own value), so check the real date in pki/index.txt rather than assuming a year. The CRL expires too (EASYRSA_CRL_DAYS, 180 days by Easy-RSA default), and with crl-verify in place an expired CRL makes the server reject every client, so re-run gen-crl and copy it into place well before then.

Revoke unused certificates: Remove access for users who no longer need VPN access

Secure .ovpn file distribution: Use secure channels (encrypted email, secure file transfer) when sending .ovpn files to clients

Limit static IP assignments: Only assign static IPs when necessary (e.g., for services like the Synology NAS)

Monitor active connections: Regularly check who is connected and verify it's expected

Keep Easy-RSA secure: The Easy-RSA directory holds the CA private key (pki/private/ca.key), which can mint certificates this server will trust, plus every client key - restrict access:

   chmod 700 /etc/openvpn/server/easy-rsa/

Backup User Certificates

Before making changes, back up user certificates:

   # Backup all certificates and keys
   tar -czf openvpn-users-backup-$(date +%Y%m%d).tar.gz \
     /etc/openvpn/server/easy-rsa/pki/ \
     /root/*.ovpn \
     /etc/openvpn/ccd/

The archive holds the CA private key and every client key, so treat it like the PKI itself: create it as root with restrictive permissions, encrypt it before it leaves the server, and store it somewhere a compromise of this host cannot reach. tar strips the leading / from member names, so restore from / to put the files back where they came from.

  • [Server Configuration](server-configuration.md) - Server setup
  • [Client Configuration](client-configuration.md) - Client setup
  • [Certificate Management](certificate-management.md) - Certificate details