Whether you want to access the Internet safely and securely while connected on an untrusty public Wi-Fi network, bypass Geo-restricted content or allow your coworkers to connect securely to your company network when working remotely, using a VPN is the best solution.<\/p>\n
VPN allows you to connect to remote VPN servers, making your connection encrypted and secure and surf the web anonymously by keeping your traffic data private.<\/p>\n
There are many commercial VPN providers you can choose from, but you can never be truly sure that the provider is not logging your activity. The safest option is to set up your own VPN server.<\/p>\n
This tutorial will walk you through the process of setting up your own VPN server by installing and configuring OpenVPN. We will also show you how to generate clients certificates and create configuration files<\/p>\n
OpenVPN is a fully featured, open-source Secure Socket Layer (SSL) VPN solution. It implements OSI layer 2 or 3 secure network extension using the SSL\/TLS protocol.<\/p>\n
To complete this tutorial, you will need:<\/p>\n
This tutorial assumes that the CA is on a separate Ubuntu 18.04 machine. The same steps (with small modifications) will apply if you\u2019re using your server as a CA.<\/p>\n
The reason why we are using a separate CA machine, is to prevent attackers to infiltrate the server. If an attacker manages to access the CA private key they could use it to sign new certificates, which will give them access to the VPN server.<\/p>\n
When setting up a new OpenVPN server the first step is to build a Public Key Infrastructure (PKI<\/a>). To do so we\u2019ll need to create the following:<\/p>\n As mentioned in the prerequisites for security reasons, we\u2019ll build the CA on a standalone machine.<\/p>\n To create CA, certificates requests and sign certificates we will use a CLI utility named EasyRSA.<\/p>\n Perform the following steps on your CA machine.<\/p>\n cd && wget https:\/\/github.com\/OpenVPN\/easy-rsa\/releases\/download\/v3.0.5\/EasyRSA-nix-3.0.5.tgz<\/li>\n tar xzf EasyRSA-nix-3.0.5.tgz<\/li>\n cd ~\/EasyRSA-3.0.5\/ nano ~\/EasyRSA-3.0.5\/vars<\/p>\n ~\/EasyRSA-3.0.5\/vars<\/p>\n set_var EASYRSA_REQ_COUNTRY “US” init-pki complete; you may now create a CA or requests. If you don\u2019t want to be prompted for a password each time you sign your certificates, run the build-ca command using the nopass option: .\/easyrsa build-ca nopass.<\/p>\n … CA creation complete and you may now import and sign cert requests. You\u2019ll be asked to set a password for the CA key and enter a common name for your CA.<\/p>\n Once completed, the script will create two files \u2014 CA public certificate ca.crt and CA private key ca.key.<\/p>\n Now that the Certificate Authority (CA) is created, you can use it to sign certificate requests for one or multiple OpenVPN servers and clients.<\/li>\n<\/ol>\n Our next step is to install the OpenVPN package which is available in Ubuntu\u2019s repositories and download the latest version of EasyRSA.<\/p>\n The following steps are performed on the OpenVPN server.<\/p>\n sudo apt update cd && wget https:\/\/github.com\/OpenVPN\/easy-rsa\/releases\/download\/v3.0.5\/EasyRSA-nix-3.0.5.tgz<\/p>\n Once the download is completed type the following command to extract the archive:<\/p>\n tar xzf EasyRSA-nix-3.0.5.tgz<\/p>\n Although we have already initialized a PKI on the CA machine, we also need to create a new PKI on the OpenVPN server. To do so, use the same commands as before:<\/p>\n cd ~\/EasyRSA-3.0.5\/ If you still wonder why we need two EasyRSA installations, it is because we will use this EasyRSA instance to generate certificate requests which will be signed using the EasyRSA instance on the CA machine.<\/p>\n It may sound complicated, and little confusing but once you read the whole tutorial you\u2019ll see that it really isn\u2019t complicated.<\/li>\n<\/ol>\n In this section we will generate a strong Diffie-Hellman key which will be used during the key exchange and a HMAC signature file to add an additional layer of security to the connection.<\/p>\n The script will generate 2048-bit long DH parameters. This can take some time, especially on servers with little resources. Once completed the following message will be printed on your screen:<\/p>\n DH parameters of size 2048 created at \/home\/serveruser\/EasyRSA-3.0.5\/pki\/dh.pem<\/p>\n Copy the dh.pem file to the \/etc\/openvpn directory:<\/p>\n sudo cp ~\/EasyRSA-3.0.5\/pki\/dh.pem \/etc\/openvpn\/<\/li>\n sudo openvpn –genkey –secret ta.key<\/p>\n Once completed copy the ta.key file to the \/etc\/openvpn directory:<\/p>\n sudo cp ~\/EasyRSA-3.0.5\/ta.key \/etc\/openvpn\/<\/li>\n<\/ol>\n This section describes how to generate a private key and certificate request for the OpenVPN server.<\/p>\n cd ~\/EasyRSA-3.0.5\/ We are using the nopass argument because we want to start the OpenVPN server without a password input. Also in this example we are using server1 as a server name (entity) identifier. If you choose a different name for your server don\u2019t forget to adjust the instructions below where the server name is used.<\/p>\n The command will create two files, a private key (server1.key) and a certificate request file (server1.req).<\/p>\n —– Keypair and certificate request completed. Your files are: sudo cp ~\/EasyRSA-3.0.5\/pki\/private\/server1.key \/etc\/openvpn\/<\/li>\n In this example we are using scp<\/a> to transfer the file, you can also use rsync<\/a> over ssh or any other secure method.<\/li>\n cd ~\/EasyRSA-3.0.5 The first argument is the path to the certificate request file and the second one is the server short (entity) name. In our case the server name is server1.<\/p>\n The request has been successfully imported with a short name of: server1 This command just copies the request file into the pki\/reqs directory.<\/li>\n cd ~\/EasyRSA-3.0.5 The first argument can either be server or client and the second one is the server short (entity) name.<\/p>\n You\u2019ll be prompted to verify that the request comes from a trusted source. Type yes and press enter to confirm:<\/p>\n You are about to sign the following certificate. Request subject, to be signed as a server certificate for 1080 days:<\/p>\n subject= Type the word ‘yes’ to continue, or any other input to abort. If your CA key is password protected, you\u2019ll be prompted to enter the password. Once verified the script will generate the SSL certificate and print the full path to it.<\/p>\n … Write out database with 1 new entries Certificate created at: \/home\/causer\/EasyRSA-3.0.5\/pki\/issued\/server1.crt<\/li>\n sudo mv \/tmp\/.crt \/etc\/openvpn\/<\/li>\n<\/ol>\n Upon completing the steps outlined in this section, you should have the following new files on your OpenVPN server:<\/p>\n Now that you have the server certificate signed by your CA and transferred to your OpenVPN server, it\u2019s time to configure the OpenVNP service.<\/p>\n We will use the sample configuration file provided with OpenVNP installation package as a starting point and then add our own custom configuration options to it.<\/p>\n Start by extracting the configuration file to the \/etc\/openvpn\/ directory:<\/p>\n sudo sh -c “gunzip -c \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz > \/etc\/openvpn\/server1.conf”<\/p>\n Open the file with your favorite text editor<\/a>:<\/p>\n sudo nano \/etc\/openvpn\/server1.conf<\/p>\n \/etc\/openvpn\/server1.conf<\/p>\n cert server1.crt dh dh.pem<\/li>\n \/etc\/openvpn\/server1.conf<\/p>\n push “redirect-gateway def1 bypass-dhcp”<\/p>\n push “dhcp-option DNS 208.67.222.222” By default OpenDNS resolvers are used. You can change it and use CloudFlare, Google or any other DNS resolvers you want.<\/li>\n \/etc\/openvpn\/server1.conf<\/p>\n user nobody \/etc\/openvpn\/server1.conf<\/li>\n<\/ul>\n Once you are done, the server configuration file (excluding comments) should look something like this:<\/p>\n \/etc\/openvpn\/server1.conf<\/p>\n port 1194 In this tutorial we\u2019ve used server1.conf as a configuration file. To start the OpenVPN service with this configuration we need to specify the configuration file name after the systemd unit file name:<\/p>\n On your OpenVPN server run the following command to start the OpenVPN service:<\/p>\n Verify whether the service has started successfully by typing:<\/p>\n If the service is active and running, the output will look something like this:<\/p>\n \u25cf [email protected]<\/a> – OpenVPN connection to server1 Enable the service to automatically start on boot with:<\/p>\n If the OpenVPN service fails to s tart check the logs with sudo journalctl -u [email protected]<\/a><\/p>\n When starting, the OpenVPN Server creates a tun device tun0. To check if the device is available type:<\/p>\n The output should look something like this:<\/p>\n 4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq state UNKNOWN group default qlen 100 At this point, your OpenVPN server is configured and running properly.<\/p>\n In order to forward network packets properly we need to enable IP forwarding.<\/p>\n The following steps are performed on the OpenVPN server.<\/p>\n Open the \/etc\/sysctl.conf file and add or uncomment the line which reads net.ipv4.ip_forward = 0:<\/p>\n sudo nano \/etc\/sysctl.conf<\/p>\n \/etc\/sysctl.conf<\/p>\n # Uncomment the next line to enable packet forwarding for IPv4 Once you are finished, save and close the file.<\/p>\n Apply the new settings by running the following command:<\/p>\n If you followed the prerequisites, you should already have a UFW firewall<\/a> running on your server.<\/p>\n Now we need to add firewall rules to enable masquerading. This will allow traffic to leave the VPN, giving your VPN clients access to the Internet.<\/p>\n Before adding the rules you need to know the public network interface of your Ubuntu OpenVPN Server. You can easily find the interface by running the following command:<\/p>\n ip -o -4 route show to default | awk ”<\/p>\n In our case the interface is named ens3 as shown on the output bellow. Your interface will probably have a different name.<\/p>\n By default, when using UFW the forwarded packets are dropped. We\u2019ll need to change that and instruct our firewall to allow forwarded packets.<\/p>\n Open the UFW configuration file, locate the DEFAULT_FORWARD_POLICY key and change the value from DROP to ACCEPT:<\/p>\n sudo nano \/etc\/default\/ufw<\/p>\n \/etc\/default\/ufw<\/p>\n … Next, we need to set the default policy for the POSTROUTING chain in the nat table and set the masquerade rule.<\/p>\n To do so, open the \/etc\/ufw\/before.rules file and append the lines highlighted in yellow as shown below.<\/p>\n sudo nano \/etc\/ufw\/before.rules<\/p>\n Don\u2019t forget to replace ens3 in the -A POSTROUTING line to match the name of public network interface you found in the previous command. Paste the lines after the last line starting with COMMIT.<\/p>\n \/etc\/ufw\/before.rules<\/p>\n … #NAT table rules # Forward traffic through ens3 – Change to public network interface # don’t delete the ‘COMMIT’ line or these rules won’t be processed When you are done, save and close the file.<\/p>\n We also need to open UDP traffic on port 1194 which is the default OpenVPN port. To do so, run the following command:<\/p>\n In case you forgot to open the SSH port, to avoid being locked out run the following command to open the port:<\/p>\n Finally reload the UFW rules by disabling and re-enabling UFW:<\/p>\n sudo ufw disable To verify the changes run the following command to list the POSTROUTING rules:<\/p>\n sudo iptables -nvL POSTROUTING -t natChain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) In this tutorial we\u2019ll create a separate SSL certificate and generate a different configuration file for each VPN client.<\/p>\n The client private key and certificate request can be generated either on the client machine or on the server. For simplicity we will generate the certificate request on the server and then send it to the CA to be signed.<\/p>\n The whole process of generating the client certificate and configuration file is as follows:<\/p>\n Start by creating a set of directories to store the clients files:<\/p>\n mkdir -p ~\/openvpn-clients\/<\/p>\n Copy the ca.crt and ta.key files to the ~\/openvpn-clients\/base directory:<\/p>\n cp ~\/EasyRSA-3.0.5\/ta.key ~\/openvpn-clients\/base\/ Next copy the sample VPN client configuration file into the client-~\/openvpn-clients\/base directory. We will use this file as a base configuration:<\/p>\n cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/client.conf ~\/openvpn-clients\/base\/<\/p>\n Now we need to edit the file to match our server settings and configuration. Open the configuration file with your text editor:<\/p>\n nano ~\/openvpn-clients\/base.conf<\/p>\n ~\/openvpn-clients\/base.conf<\/p>\n # The hostname\/IP and port of the server. ~\/openvpn-clients\/base.conf<\/p>\n # SSL\/TLS parms. ~\/openvpn-clients\/base.conf<\/li>\n<\/ul>\n Once you are done, the server configuration file should look something like this:<\/p>\n ~\/openvpn-clients\/base.conf<\/p>\n client Next, create a simple bash script that will merge the base configuration and files with the client certificate and key, and store the generated configuration in the ~\/openvpn-clients\/configs directory.<\/p>\n Open your text editor and create the following script:<\/p>\n nano ~\/openvpn-clients\/gen_config.sh<\/p>\n ~\/openvpn-clients\/gen_config.sh<\/p>\n #!\/bin\/bash<\/p>\n FILES_DIR=$HOME\/openvpn-clients\/files BASE_CONF=$\/client.conf CLIENT_CERT=$\/$.crt # Test for files if [[ ! -r $i ]]; then # Generate client config Save the file and make it executable by running:<\/p>\n chmod u+x ~\/openvpn-clients\/gen_config.sh<\/p>\n The process of generating a client private key and certificate request is same as we did when generating a server key and certificate request.<\/p>\n As we already mentioned in the previous section, we\u2019ll generate the client private key and certificate request on the OpenVPN server. In this example the name of or firs VPN client will be client1.<\/p>\n cd ~\/EasyRSA-3.0.5\/ The command will create two files, a private key (client1.key) and a certificate request file (client1.req).<\/p>\n Common Name (eg: your user, host, or server name) [client1]:<\/p>\n Keypair and certificate request completed. Your files are: cp ~\/EasyRSA-3.0.5\/pki\/private\/client1.key ~\/openvpn-clients\/files\/<\/li>\n In this example we are using scp<\/a> to transfer the file, you can also use rsync<\/a> over ssh or any other secure method.<\/li>\n cd ~\/EasyRSA-3.0.5 The first argument is the path to the certificate request file and the second one is the client name.<\/p>\n The request has been successfully imported with a short name of: client1 cd ~\/EasyRSA-3.0.5 You\u2019ll be prompted to verify that the request comes from a trusted source. Type yes and press enter to confirm:<\/p>\n If your CA key is password protected, you\u2019ll be prompted to enter the password. Once verified the script will generate the SSL certificate and print the full path to it.<\/p>\n … mv \/tmp\/client1.crt ~\/openvpn-clients\/files<\/li>\n cd ~\/openvpn-clients The script will create a file named client1.ovpn in the ~\/client-configs\/configs directory. You can check by listing the directory:<\/p>\n ls ~\/client-configs\/configs<\/li>\n<\/ol>\n At this point the client configuration is created. You can now transfer the configuration file to the device you intend to use as a client.<\/p>\n For example to transfer the configuration file to your local machine with scp you should run the following command:<\/p>\n sftp ~\/client-configs\/files\/client1.ovpn your_local_ip:\/<\/p>\n To add additional clients, just repeat the same steps.<\/p>\n Your distribution or desktop environment may provide a tool or graphic user interface to connect to OpenVPN servers. In this turtorial we will show you how to connect to the server using the openvpn tool.<\/p>\n sudo apt update sudo yum install epel-release Once the package is installed, to connect to the VPN server use the openvpn command and specify the client configuration file:<\/p>\n sudo openvpn –config client1.ovpn<\/p>\n Tunnelblick<\/a> is a free, open source graphic user interface for OpenVPN on OS X and macOS.<\/p>\n Download and install the latest build of OpenVPN application the OpenVPN\u2019s Downloads page<\/a>.<\/p>\n Copy the .ovpn file to to the OpenVPN config folder (Users<Name>OpenVPNConfig or Program FilesOpenVPNconfig).<\/p>\n Launch the OpenVPN application.<\/p>\n Right click on the OpenVPN system tray icon and the name of OpenVPN configiration file you copied will be listed on the menu. Click Connect.<\/p>\n A VPN application developed by OpenVPN is available for both Android and iOS. Install the application and import the client .ovp file.<\/p>\n Revoking a certificate means to invalidate a signed certificate so that it can no longer be used for accessing the OpenVPN server.<\/p>\n To revoke a client certificate follow the steps below:<\/p>\n You\u2019ll be prompted to verify that you wish to revoke the certificate. Type yes and press enter to confirm:<\/p>\n Please confirm you wish to revoke the certificate with the following subject:<\/p>\n subject= Type the word ‘yes’ to continue, or any other input to abort. If your CA key is password protected, you\u2019ll be prompted to enter the password. Once verified the script will revoke the certificate.<\/p>\n … An updated CRL has been created. sudo mv \/tmp\/crl.pem \/etc\/openvpn<\/li>\n sudo nano \/etc\/openvpn\/server1.conf<\/p>\n Paste the following line at the end of the file<\/p>\n ~\/openvpn-clients\/gen_config.sh<\/p>\n Save and close the file.<\/li>\n At this point the client should no longer be able to access the OpenVPN server using the revoked certificate.<\/li>\n<\/ol>\n If you need revoke additional client certificates just repeat the same steps.<\/p>\n In this tutorial you learned how to install and configure an OpenVPN server on an Ubuntu 18.04 machine.<\/p>\n\n
\n
\ncp vars.example vars<\/li>\n
\nset_var EASYRSA_REQ_PROVINCE “Pennsylvania”
\nset_var EASYRSA_REQ_CITY “Pittsburgh”
\nset_var EASYRSA_REQ_ORG “Linuxize”
\nset_var EASYRSA_REQ_EMAIL “[email protected]<\/a>”
\nset_var EASYRSA_REQ_OU “Community”<\/li>\n
\nYour newly created PKI dir is: \/home\/causer\/EasyRSA-3.0.5\/pki<\/li>\n
\nEnter PEM pass phrase:
\nVerifying – Enter PEM pass phrase:
\n—–
\n…
\n—–
\nCommon Name (eg: your user, host, or server name) [Easy-RSA CA]:<\/p>\n
\nYour new CA certificate file for publishing is at:
\n\/home\/causer\/EasyRSA-3.0.5\/pki\/ca.crt<\/p>\nInstalling OpenVPN and EasyRSA<\/h2>\n
\n
\nsudo apt install openvpn<\/li>\n
\n.\/easyrsa init-pki<\/p>\nCreating Diffie-Hellman and HMAC keys<\/h2>\n
\n
Creating Server Certificate and Private Key<\/h2>\n
\n
\n.\/easyrsa gen-req server1 nopass<\/p>\n
\nCommon Name (eg: your user, host, or server name) [server1]:<\/p>\n
\nreq: \/home\/serveruser\/EasyRSA-3.0.5\/pki\/reqs\/server1.req
\nkey: \/home\/serveruser\/EasyRSA-3.0.5\/pki\/private\/server1.key<\/li>\n
\n.\/easyrsa import-req \/tmp\/server1.req server1<\/p>\n
\nYou may now use this name to perform signing operations on this request.<\/p>\n
\n.\/easyrsa sign-req server server1<\/p>\n
\nPlease check over the details shown below for accuracy. Note that this request
\nhas not been cryptographically verified. Please be sure it came from a trusted
\nsource or that you have verified the request checksum with the sender.<\/p>\n
\ncommonName = server1<\/p>\n
\nConfirm request details: yes
\n…<\/p>\n
\nCertificate is to be certified until Sep 17 10:54:48 2021 GMT (1080 days)<\/p>\n
\nData Base Updated<\/p>\n\n
Configuring the OpenVPN Service<\/h2>\n
\n
\nkey server1.key<\/p>\n
\npush “dhcp-option DNS 208.67.220.220”<\/p>\n
\ngroup nogroup<\/li>\n
\nproto udp
\ndev tun
\nca ca.crt
\ncert server1.crt
\nkey server1.key # This file should be kept secret
\ndh dh.pem
\nserver 10.8.0.0 255.255.255.0
\nifconfig-pool-persist \/var\/log\/openvpn\/ipp.txt
\npush “redirect-gateway def1 bypass-dhcp”
\npush “dhcp-option DNS 208.67.222.222”
\npush “dhcp-option DNS 208.67.220.220”
\nkeepalive 10 120
\ntls-auth ta.key 0 # This file is secret
\ncipher AES-256-CBC
\nuser nobody
\ngroup nogroup
\npersist-key
\npersist-tun
\nstatus \/var\/log\/openvpn\/openvpn-status.log
\nverb 3
\nexplicit-exit-notify 1
\nauth SHA256<\/p>\nStarting OpenVPN Service<\/h2>\n
\nLoaded: loaded (\/lib\/systemd\/system\/[email protected]<\/a>; disabled; vendor preset: enabled)
\nActive: active (running) since Mon 2018-10-08 20:11:57 UTC; 6min ago
\nDocs: man:openvpn(8)
\nhttps:\/\/community.openvpn.net\/openvpn\/wiki\/Openvpn24ManPage
\nhttps:\/\/community.openvpn.net\/openvpn\/wiki\/HOWTO
\nMain PID: 26739 (openvpn)
\nStatus: “Initialization Sequence Completed”<\/p>\n
\nlink\/none
\ninet 10.8.0.1 peer 10.8.0.2\/32 scope global tun0
\nvalid_lft forever preferred_lft forever
\ninet6 fe80::1627:9a20:bca8:e6a5\/64 scope link stable-privacy
\nvalid_lft forever preferred_lft forever<\/p>\nFirewall and Server Networking Configuration<\/h2>\n
\nnet.ipv4.ip_forward=1<\/p>\n
\n# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
\n# if you change this you will most likely want to adjust your rules
\nDEFAULT_FORWARD_POLICY=”ACCEPT”
\n…<\/p>\n
\n# don’t delete the ‘COMMIT’ line or these rules won’t be processed
\nCOMMIT<\/p>\n
\n*nat
\n:POSTROUTING ACCEPT [0:0]<\/p>\n
\n-A POSTROUTING -s 10.8.0.0\/16 -o ens3 -j MASQUERADE<\/p>\n
\nCOMMIT<\/p>\n
\nsudo ufw enable<\/p>\n
\npkts bytes target prot opt in out source destination
\n0 0 MASQUERADE all — * ens3 10.8.0.0\/16 0.0.0.0\/0<\/p>\nCreating the Client Configuration Infrastructure<\/h2>\n
\n
\n
\ncp \/etc\/openvpn\/ca.crt ~\/openvpn-clients\/base\/<\/p>\n\n
\n# You can have multiple remote entries
\n# to load balance between the servers.
\nremote 45.76.22.45 1194<\/li>\n
\n# See the server config file for more
\n# description. It’s best to use
\n# a separate .crt\/.key file pair
\n# for each client. A single ca
\n# file can be used for all clients.
\n# ca ca.crt
\n# cert client.crt
\n# key client.key<\/li>\n
\ndev tun
\nproto udp
\nremote 45.76.22.45 1194
\nresolv-retry infinite
\nnobind
\npersist-key
\npersist-tun
\nremote-cert-tls server
\ntls-auth ta.key 1
\ncipher AES-256-CBC
\nverb 3
\nauth SHA256
\nkey-direction 1<\/p>\n
\nBASE_DIR=$HOME\/openvpn-clients\/base
\nCONFIGS_DIR=$HOME\/openvpn-clients\/configs<\/p>\n
\nCA_FILE=$\/ca.crt
\nTA_FILE=$\/ta.key<\/p>\n
\nCLIENT_KEY=$\/$.key<\/p>\n
\nfor i in “$BASE_CONF” “$CA_FILE” “$TA_FILE” “$CLIENT_CERT” “$CLIENT_KEY”; do
\nif [[ ! -f $i ]]; then
\necho ” The file $i does not exist”
\nexit 1
\nfi<\/p>\n
\necho ” The file $i is not readable.”
\nexit 1
\nfi
\ndone<\/p>\n
\ncat > $\/$.ovpn <<EOF
\n$(cat $)
\n<key>
\n$(cat $)
\n<\/key>
\n<cert>
\n$(cat $)
\n<\/cert>
\n<ca>
\n$(cat $)
\n<\/ca>
\n<tls-auth>
\n$(cat $)
\n<\/tls-auth>
\nEOF<\/p>\nCreating Client Certificate Private Key and Configuration<\/h2>\n
\n
\n.\/easyrsa gen-req client1 nopass<\/p>\n
\nreq: \/home\/serveruser\/EasyRSA-3.0.5\/pki\/reqs\/client1.req
\nkey: \/home\/serveruser\/EasyRSA-3.0.5\/pki\/private\/client1.key<\/li>\n
\n.\/easyrsa import-req \/tmp\/client1.req client1<\/p>\n
\nYou may now use this name to perform signing operations on this request.<\/li>\n
\n.\/easyrsa sign-req client client1<\/p>\n
\nCertificate created at: \/home\/causer\/EasyRSA-3.0.5\/pki\/issued\/client1.crt<\/li>\n
\n.\/gen_config.sh client1<\/p>\nConnecting Clients<\/h2>\n
Linux<\/h3>\n
\n
\nsudo apt install openvpn<\/li>\n
\nsudo yum install openvpn<\/li>\n<\/ul>\nmacOS<\/h3>\n
Windows<\/h3>\n
Android & iOS<\/h3>\n
\n
Revoking Client Certificates<\/h2>\n
\n
\ncommonName = client1<\/p>\n
\nContinue with revocation: yes
\n…<\/p>\n
\nRevocation was successful. You must run gen-crl and upload a CRL to your
\ninfrastructure in order to prevent the revoked cert from being accepted.<\/li>\n
\nCRL file: \/home\/causer\/EasyRSA-3.0.5\/pki\/crl.pem<\/li>\nConclusion<\/h2>\n