SupereasyRSA - the easiest way to get an OpenVPN configuration using easyrsa3
update: While this was "supereasy" a few years ago, Wireguard is now out and has replaced OpenVPN in all my setups.
I recently had to reinstall a VPN on the latest OpenBSD, using the latest easyRSA.
As I had to fiddle to things to get everything to work, please find my solution hereby.
I you just want to get things going, you can get my summary script at: supereasyrsa on github
git clone git://github.com/OpenVPN/easy-rsa
mv vars.examples vars
mkdir -p VPN_test/server VPN_test/clients
cp -R easy-rsa/easyrsa3/* VPN_test/clients
cp -R easy-rsa/easyrsa3/* VPN_test/server
cd VPN_test/clients
./easyrsa init-pki
./easyrsa gen-req Client_01
./easyrsa gen-req Client_02
./easyrsa gen-req Backup nopass
#You will be prompted to give a password for Client_01 and Client_02, while Backup is assumed to be another server that needs authentication without someone typing a passwordcd ../VPN_test/server
./easyrsa init-pki
./easyrsa build-ca
#set a STRONG passphrase for this PEM – it will be required to accept requests later./easyrsa gen-req MyServer nopass
./easyrsa sign-req server MyServer
openssl dhparam -out dh4096.pem 4096
/usr/sbin/openvpn –genkey –secret ta.key
for cliient in $(ls ../clients/pki/reqs/|sed -e ‘s/.req//g’); do
./easyrsa import-req ../clients/pki/reqs/$cliient.req $cliient
./easyrsa sign-req client $cliient
done
local 10.10.10.2
port 1194
proto udp
dev tun0
daemon
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/TR_Server.crt
key /etc/openvpn/keys/TR_Server.key
dh /etc/openvpn/keys/dh4096.pem
tls-auth /etc/openvpn/keys/ta.key 0 #0 for server
remote-cert-tls client #very important
server 10.5.2.0 255.255.255.0 #the range that will be given to vpn clients
ifconfig-pool-persist ipp.txt
push “route 192.168.1.0 255.255.255.0” #the internal network they will have access to
push “dhcp-options DNS 192.168.1.15” #the internal dns they will use
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 10
user _openvpn
group _openvpn
persist-key
persist-tun
status openvpn-status.log
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
verb 1
client-config-dir /etc/openvpn/ccd
ls keys/
MyServer.crt # from server/pki/issed/
MyServer.key # from server/pki/private/
ca.crt # from server/pki/
dh4096.pem # from server/
ta.key # from server/
#You can also push the routes through having a ccd dir with the right definitions:
cat ccd/client_01
iroute 10.5.2.0 255.255.255.0
cat client.conf
client
remote 1.2.3.4 1194
proto udp
dev tun0
keepalive 10 120
nobind
persist-key
persist-tun
cipher BF-CBC
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
dh keys/dh4096.pem
tls-auth keys/ta.key 1
remote-cert-tls server
comp-lzo
status openvpn-status.log
verb 1
log openvpn.log
ls keys/
ca.crt # from server/pki/
client.crt # the right one from server/pki/issued/
client.key # the right one from clients/pki/private/
dh4096.pem from server/
ta.key from server/
/usr/local/sbin/openvpn –config /etc/openvpn/server.conf >/dev/null 2>&1 # on the server
openvpn –config client.conf # on the client