OpenVPN:User Management

From jb-vpn.uk Wiki
Revision as of 13:16, 1 January 2026 by Josh (talk | contribs) (Added troubleshooting guide: OpenVPN User Management)

OpenVPN User Management

This document covers managing OpenVPN users (clients) including adding, removing, and managing client certificates.

Overview

OpenVPN uses certificate-based authentication. Each user (client) requires:
- A unique client certificate
- A client configuration file (.ovpn)
- Optionally, a static IP assignment via a CCD file

Current Users

Client configuration files are stored in /root/:
- josh.ovpn
- Work_MacBook_Air.ovpn
- StrawberryNAS.ovpn (Synology NAS with static IP 10.8.0.2)

Adding a New User

Method 1: Using the OpenVPN Install Script (Recommended)

If you have the openvpn-install.sh script available:

# Run the installer script
bash /root/openvpn-install.sh

# Select the option to add a new client
# Follow the prompts to enter the client name
# The script will automatically:
#   - Generate the client certificate
#   - Create the .ovpn configuration file
#   - Place it in /root/

Method 2: Manual Certificate Creation with Easy-RSA

For manual certificate creation:

Navigate to Easy-RSA directory:

   cd /etc/openvpn/server/easy-rsa/

Generate client certificate and key:

   ./easyrsa build-client-full clientname nopass
  Replace clientname with the desired client name (e.g., newuser, laptop-john).
  
  The nopass option leaves the client's private key unencrypted (no passphrase). Omit it if you want the key protected by a passphrase, which the user is then prompted for when connecting.

Create client configuration file:

  You'll need to create a .ovpn file that combines:
  - Client certificate
  - Client private key
  - CA certificate
  - TLS-Crypt key
  - Connection settings
  
  Use an existing .ovpn file as a template:
   cp /root/josh.ovpn /root/newclient.ovpn
  Then extract and replace the certificate sections:
   # Extract client certificate from Easy-RSA
   cat /etc/openvpn/server/easy-rsa/pki/issued/clientname.crt
   
   # Extract client key
   cat /etc/openvpn/server/easy-rsa/pki/private/clientname.key
   
   # Replace the <cert> and <key> sections in the .ovpn file

Verify the configuration:

   # Test the .ovpn file syntax
   openvpn --config /root/newclient.ovpn --test-crypto

Method 3: Using Easy-RSA Helper Script

Create a helper script to automate the process:

#!/bin/bash
# /root/create-openvpn-client.sh
# Generates a client certificate with Easy-RSA and assembles a self-contained .ovpn file.

set -eu   # abort on any failed command or unset variable

CLIENT_NAME=${1:-}

if [ -z "$CLIENT_NAME" ]; then
    echo "Usage: $0 <client-name>"
    exit 1
fi

cd /etc/openvpn/server/easy-rsa/

# Generate client certificate (nopass: private key without a passphrase)
./easyrsa build-client-full "$CLIENT_NAME" nopass

# Create .ovpn file
CLIENT_DIR="/root"
OVPN_FILE="$CLIENT_DIR/$CLIENT_NAME.ovpn"

# Start with common client configuration
cat > "$OVPN_FILE" << EOF
client
dev tun
proto udp
remote 87.106.61.62 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
ignore-unknown-option block-outside-dns
verb 3
EOF

# Add CA certificate
echo "<ca>" >> "$OVPN_FILE"
cat /etc/openvpn/server/ca.crt >> "$OVPN_FILE"
echo "</ca>" >> "$OVPN_FILE"

# Add client certificate
echo "<cert>" >> "$OVPN_FILE"
cat "/etc/openvpn/server/easy-rsa/pki/issued/$CLIENT_NAME.crt" >> "$OVPN_FILE"
echo "</cert>" >> "$OVPN_FILE"

# Add client key
echo "<key>" >> "$OVPN_FILE"
cat "/etc/openvpn/server/easy-rsa/pki/private/$CLIENT_NAME.key" >> "$OVPN_FILE"
echo "</key>" >> "$OVPN_FILE"

# Add TLS-Crypt key
echo "<tls-crypt>" >> "$OVPN_FILE"
cat /etc/openvpn/server/tc.key >> "$OVPN_FILE"
echo "</tls-crypt>" >> "$OVPN_FILE"

# The .ovpn now embeds the client's private key: keep it readable by root only
chmod 600 "$OVPN_FILE"

echo "Client configuration created: $OVPN_FILE"
echo "Send this file securely to the client."

Make it executable:

chmod +x /root/create-openvpn-client.sh

Usage:

/root/create-openvpn-client.sh newclientname

Assigning Static IP Addresses

To assign a static IP address to a client:

Create a CCD file in /etc/openvpn/ccd/:

   sudo nano /etc/openvpn/ccd/clientname

Add IP assignment:

   ifconfig-push 10.8.0.X 255.255.255.0
  Replace X with the desired IP (e.g., 10.8.0.10).

Set proper permissions:

   sudo chown nobody:nogroup /etc/openvpn/ccd/clientname
   sudo chmod 600 /etc/openvpn/ccd/clientname

Restart OpenVPN (if needed):

   sudo systemctl restart openvpn

  CCD files are read each time the client connects, so a restart is only needed if client-config-dir was not already enabled in the server configuration.

Example: The Synology NAS has a CCD file at /etc/openvpn/ccd/StrawberryNAS with:

ifconfig-push 10.8.0.2 255.255.255.0

Listing Active Users

To see which users are currently connected (note that ipp.txt records the last IP handed to each client, not who is connected right now; if the server configuration has a status directive, that status file lists the currently connected clients):

# View IP persistence file (shows last assigned IPs)
cat /etc/openvpn/server/ipp.txt

# Check connection events via system logs
journalctl -u openvpn | grep "Peer Connection Initiated"

# Or check the VPN interface
ip addr show tun0

Revoking a User Certificate

When a user should no longer have access:

Navigate to Easy-RSA directory:

   cd /etc/openvpn/server/easy-rsa/

Revoke the certificate:

   ./easyrsa revoke clientname
  You'll be prompted to confirm. Type yes.

Update the Certificate Revocation List (CRL):

   ./easyrsa gen-crl

Copy the updated CRL to the server directory:

   cp pki/crl.pem /etc/openvpn/server/crl.pem

Restart OpenVPN to apply the revocation:

   systemctl restart openvpn

Remove client files (optional but recommended):

   # Remove .ovpn file
   rm /root/clientname.ovpn
   
   # Remove CCD file if it exists
   rm /etc/openvpn/ccd/clientname

Note: Once the updated CRL is in place and OpenVPN has been restarted, the revoked certificate is rejected at the TLS handshake, so the user cannot connect even though they still hold the .ovpn file. This relies on the server configuration containing a crl-verify directive that points at the copied crl.pem; the restart also drops any session the revoked client still had open.

Security Best Practices

Use descriptive client names: Use names that identify the device/user (e.g., laptop-john, phone-mary, nas-synology)

Regular certificate rotation: Renew certificates before expiration (typically annually). The CRL also has a lifetime of its own, so regenerate it with ./easyrsa gen-crl and copy it into place before it expires; an expired CRL causes OpenVPN to reject every client, not just revoked ones.

Revoke unused certificates: Remove access for users who no longer need VPN access

Secure .ovpn file distribution: Use secure channels (encrypted email, secure file transfer) when sending .ovpn files to clients

Limit static IP assignments: Only assign static IPs when necessary (e.g., for services like the Synology NAS)

Monitor active connections: Regularly check who is connected and verify it's expected

Keep Easy-RSA secure: The Easy-RSA directory contains sensitive keys - restrict access:

   chmod 700 /etc/openvpn/server/easy-rsa/
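The rotation and revocation practices above are easier to keep up with if the Easy-RSA certificate database is checked regularly. The following audit helper is an added example written for this page (not the wiki's own or Easy-RSA's code): it reads pki/index.txt and reports which client certificates are revoked, expired, or expiring within a warning window. It assumes the Easy-RSA 3 index format with cn_only distinguished names; the sample index it runs against is constructed.

```shell
#!/bin/bash
# Audit Easy-RSA's certificate database (pki/index.txt) for revoked, expired and
# soon-to-expire client certificates. Assumes the Easy-RSA 3 index format, one
# tab-separated line per certificate:
#   status(V/R/E)  expiry(YYMMDDHHMMSSZ)  revocation-time(if R)  serial  unknown  /CN=<client>

# audit_index INDEX NOW CUTOFF
#   NOW and CUTOFF use the index's own YYMMDDHHMMSSZ (UTC) format. The format is
#   fixed-width and zero-padded, so plain string comparison orders it in time.
#   Prints one "<state> <client> <timestamp>" line per entry, where state is
#   revoked, expired, expiring (expires on or before CUTOFF) or ok.
audit_index() {
  awk -F'\t' -v now="$2" -v cutoff="$3" '
    NF >= 6 {
      cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn)
      if ($1 == "R")                     print "revoked " cn " " $3
      else if ($1 == "E" || $2 <= now)   print "expired " cn " " $2
      else if ($2 <= cutoff)             print "expiring " cn " " $2
      else                               print "ok " cn " " $2
    }' "$1"
}

# Constructed sample index (serials, dates and the old-laptop / stale-phone
# entries are made up) so the example runs without touching a real PKI.
SAMPLE_INDEX=$(mktemp)
{
  printf 'V\t270115120000Z\t\t01\tunknown\t/CN=josh\n'
  printf 'V\t260120090000Z\t\t02\tunknown\t/CN=StrawberryNAS\n'
  printf 'R\t270301000000Z\t260101131600Z\t03\tunknown\t/CN=old-laptop\n'
  printf 'V\t251231235959Z\t\t04\tunknown\t/CN=stale-phone\n'
} > "$SAMPLE_INDEX"

# Sample checked as of 2026-01-01 with a 30-day warning window. Against this
# page's server you would instead run (GNU date):
#   audit_index /etc/openvpn/server/easy-rsa/pki/index.txt \
#     "$(date -u +%y%m%d%H%M%SZ)" "$(date -u -d '+30 days' +%y%m%d%H%M%SZ)"
audit_index "$SAMPLE_INDEX" 260101000000Z 260131000000Z
```

Every "expiring" line is a candidate for rotation and every "revoked" line should have no matching .ovpn or CCD file left on the server.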

Backup User Certificates

Before making changes, backup user certificates:

# Backup all certificates and keys
# The archive contains the CA and every client private key: store it encrypted
# and with restrictive permissions
tar -czf openvpn-users-backup-$(date +%Y%m%d).tar.gz \
  /etc/openvpn/server/easy-rsa/pki/ \
  /root/*.ovpn \
  /etc/openvpn/ccd/

- [Server Configuration](server-configuration.md) - Server setup
- [Client Configuration](client-configuration.md) - Client setup
- [Certificate Management](certificate-management.md) - Certificate details
- Troubleshooting - User management troubleshooting