How to Generate OpenVPN Client Configuration Files

A Virtual Private Network (VPN) lets you connect to a trusted network in a remote location and become part of it as if you were physically present there. VPNs have many use cases, but they are mostly used to traverse untrusted networks as if you were on a private network. A VPN gives you the freedom to access the internet safely and securely from your smartphone or laptop when connected to an untrusted network, like the WiFi at a hotel or coffee shop. More information: What is a virtual private network (VPN)?

OpenVPN is open-source commercial software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. More information about OpenVPN can be found on Wikipedia.

Prerequisites:

Procedures:

Creating the Client Configuration Base File

OpenVPN has no wizard to create user configuration files, and generating OpenVPN client configuration files for many users can be a tedious task. We will use a script to simplify the process. These procedures assume that you have followed our guide on How To Set Up and Configure an OpenVPN Server on CentOS and kept the file locations used in that guide.

1.1. Build a base file for the OpenVPN client configuration files. This file contains the common configuration shared by all the client files that the script generates.

Copy the sample client configuration file as a starting point and amend it as necessary. You may replace the "*" with the version number. Just make sure you are copying from the latest OpenVPN release directory on your system.

sudo cp /usr/share/doc/openvpn*/sample/sample-config-files/client.conf /home/vpn/easy-rsa/base.conf

1.2. Copy the tls-crypt pre-shared key you created earlier in the guide on How To Set Up and Configure an OpenVPN Server on CentOS to the "/home/vpn/easy-rsa" directory because it will be needed by the OpenVPN client configuration generator.

sudo cp /etc/openvpn/server/tlscrypt.key /home/vpn/easy-rsa/tlscrypt.key

1.3. To make sure that ownership and permission problems or security leaks do not occur, we need to set the ownership and permissions again. Secure the directory by changing its ownership to the non-root sudo user (greens247 in this example) and restrict access to the directory using chmod.

sudo chown -R greens247 /home/vpn/easy-rsa
sudo chmod -R 700 /home/vpn/easy-rsa

1.4 Open the base config file with the vi text editor. Change the following settings in the file to match those below; any line starting with ";" is disabled. Remember to press the insert button before you paste and the esc button once you complete.

vi /home/vpn/easy-rsa/base.conf

/home/vpn/easy-rsa/base.conf

;proto udp # Add ";" to disable this line. We will not use udp, we will be using tcp instead.
proto tcp # Change this to tcp, because port 443 is mostly open for tcp connections on firewalls and public internet.
remote 1.2.3.4 443 # Find the line "remote my-server-1 1194" and replace my-server-1 with your server ip and use port 443.
;ca ca.crt             # Add ";" to disable this line.
;cert client.crt      # Add ";" to disable this line.
;key client.key     # Add ";" to disable this line.
;tls-auth ta.key 1 # Add ";" to disable this line.
tls-version-min 1.2 # Add this line right below the above line. This makes the client require TLS 1.2 or later for more security.
;cipher AES-256-CBC # Add ";" to disable this line.
cipher AES-256-GCM # Add this line to use the most advanced cipher.
auth SHA512 # Add this line.
key-direction 1 # Add this line at the end of the configuration file.

Save the file by pressing "shift+;" or ":" then typing "wq" (write and quit) and hit enter.

Creating the Client Configuration Scripts

2.1 In this section, we will build a script that adds a new user and combines the base configuration file with the necessary certificates and keys. Create a file "useradd" with the vi text editor. Remember to press the insert button before you paste and the esc button once you complete.

vi /home/vpn/easy-rsa/useradd

/home/vpn/easy-rsa/useradd

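#!/bin/bash
# Usage: sudo ./useradd <username>  (run from /home/vpn/easy-rsa)

# The name becomes a Linux account, a certificate name and a file name,
# so reject an empty argument or one containing path or option characters
if [[ ! "${1:-}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then
    echo "Usage: $0 <username>" >&2
    exit 1
fi

# Path to client configuration files
CA_PATH=/home/vpn/easy-rsa/pki
CRT_PATH=/home/vpn/easy-rsa/pki/issued
KEY_PATH=/home/vpn/easy-rsa/pki/private
OUTPUT_DIR=/home/vpn
BASE_CONFIG=/home/vpn/easy-rsa/base.conf

# Adding a new user in linux
echo "Adding user ${1} to the linux system"
useradd "${1}"

# Create user certificates (nopass: the private key has no passphrase)
echo "Generating certificates for user ${1}"
./easyrsa build-client-full "${1}" nopass

# Append the CA certificate, client certificate, client key and tls-crypt key
# to the base config as inline blocks (tlscrypt.key is read from the current directory)
echo "Generating OpenVpn configuration file"
cat "${BASE_CONFIG}" \
<(echo -e '<ca>') \
"${CA_PATH}/ca.crt" \
<(echo -e '</ca>\n<cert>') \
"${CRT_PATH}/${1}.crt" \
<(echo -e '</cert>\n<key>') \
"${KEY_PATH}/${1}.key" \
<(echo -e '</key>\n<tls-crypt>') \
tlscrypt.key \
<(echo -e '</tls-crypt>') \
> "${OUTPUT_DIR}/${1}.ovpn"

echo "Configuration file generated successfully"
echo "${OUTPUT_DIR}/${1}.ovpn"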

Save the file by pressing "shift+;" or ":" then typing "wq" (write and quit) and hit enter.

2.2 In this section, we will build a script that deletes an existing user and revokes the user's existing certificates. Create a file "userdel" with the vi text editor. Remember to press the insert button before you paste and the esc button once you complete.

vi /home/vpn/easy-rsa/userdel

/home/vpn/easy-rsa/userdel

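#!/bin/bash
# Usage: sudo ./userdel <username>  (run from /home/vpn/easy-rsa)

# Reject an empty or unsafe name: with no argument the rm below would
# otherwise run against /home/ itself
if [[ ! "${1:-}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then
    echo "Usage: $0 <username>" >&2
    exit 1
fi

# Path to client configuration files
OUTPUT_DIR=/home/vpn

# Deleting an existing user from linux
echo "Deleting user ${1} from the linux system"
userdel "${1}"
rm -rf "/home/${1}"

# Revoke user certificates (the server only rejects the certificate once it
# checks a certificate revocation list generated after this step)
echo "Revoking certificates for user ${1}"
./easyrsa revoke "${1}"

echo "Deleting revoked certificates and configuration file"
rm "${OUTPUT_DIR}/${1}.ovpn"

echo "User ${1} deleted successfully"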

Save the file by pressing "shift+;" or ":" then typing "wq" (write and quit) and hit enter.

 

Creating OpenVPN user and the Client Configuration file

3.1. To create a VPN user and generate the configuration file using the script, run the command below as the non-root sudo user. The configuration file will be generated and saved in the "/home/vpn" directory. The command below will generate "mohamed.ovpn".

cd /home/vpn/easy-rsa/
sudo ./useradd mohamed
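
The generated file embeds the client's private key, so it is worth checking before it leaves the server. The following is an added example, not part of the original guide or of OpenVPN: a small linter that confirms the four inline blocks are present, the hardening settings from base.conf are active, and the file is not accessible to group or others. The function names and the sample profile are constructed for illustration.

```bash
#!/bin/bash
# Added example: lint_ovpn and write_sample are illustrative names, not OpenVPN tooling.
lint_ovpn() {   # prints findings; returns 0 if the profile passes, else 1
    local file="$1" tag want rc=0
    # Each inline block the useradd script writes must appear exactly once.
    for tag in ca cert key tls-crypt; do
        [ "$(grep -c "^<${tag}>\$" "$file")" = 1 ] &&
        [ "$(grep -c "^</${tag}>\$" "$file")" = 1 ] ||
            { echo "missing or duplicated <${tag}> block"; rc=1; }
    done
    # An empty <key> block means the key file was missing at build time.
    awk '/^<key>$/{f=1; next} /^<\/key>$/{f=0} f' "$file" |
        grep -q 'PRIVATE KEY' || { echo "no private key inside <key>"; rc=1; }
    # base.conf settings that must be active, not disabled with ";" or "#".
    for want in 'proto tcp' 'tls-version-min 1.2' 'cipher AES-256-GCM' 'auth SHA512'; do
        grep -Eq "^${want}([[:space:]]|\$)" "$file" ||
            { echo "directive not active: ${want}"; rc=1; }
    done
    # The file embeds a private key, so group and others get no access.
    [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
        { echo "profile is accessible to group or others"; rc=1; }
    return "$rc"
}

write_sample() {   # constructed profile; the PEM bodies are placeholders
    cat > "$1" <<'EOF'
proto tcp
remote 1.2.3.4 443
tls-version-min 1.2
cipher AES-256-GCM
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
</tls-crypt>
EOF
}

sample=$(mktemp) && write_sample "$sample"   # mktemp creates the file with mode 0600
lint_ovpn "$sample" && echo "sample profile passes"
rm -f "$sample"
```

Because the script above writes the profile with the default umask, run the check on the real file (for example /home/vpn/mohamed.ovpn) and tighten its mode with chmod if the last finding appears.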

 

Revoke OpenVPN user and delete the Client certificates and files

4.1. To revoke a VPN user's access and delete the files and certificates associated with the user account, run the command below as the non-root sudo user.

cd /home/vpn/easy-rsa/
sudo ./userdel mohamed
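
After a revoke, two things decide whether the user is really locked out: the CA database must list the certificate as revoked, and a certificate revocation list generated after that must exist for the server to check. The following is an added example, not part of the original guide or of easy-rsa, that tests both conditions. It assumes the server is configured to enforce a CRL (crl-verify), which this page does not show; the function names and the index.txt records are constructed.

```bash
#!/bin/bash
# Added example: was the revoke recorded, and has a CRL been issued since?
# Function names are illustrative; the index.txt records are constructed.

# index.txt is tab-separated: status, expiry, revocation date, serial, file,
# subject. Prints valid/revoked/expired for the newest record whose CN is
# exactly $2 (so "mohamed" never matches "mohamed2"), or "absent".
cert_status() {
    awk -F'\t' -v cn="$2" '
        BEGIN { m["V"] = "valid"; m["R"] = "revoked"; m["E"] = "expired" }
        { n = split($6, rdn, "/")
          for (i = 1; i <= n; i++) if (rdn[i] == "CN=" cn) st = $1 }
        END { print ((st in m) ? m[st] : "absent") }' "$1"
}

# A revoke reaches the server only through a CRL generated after it, so the
# CRL ($2) must exist and be newer than the index ($1).
crl_is_current() { [ -f "$2" ] && [ "$2" -nt "$1" ]; }

write_sample_index() {   # constructed records in the OpenSSL CA database layout
    printf 'V\t330101000000Z\t\t01\tunknown\t/CN=server\n'                > "$1"
    printf 'R\t330101000000Z\t250601120000Z\t02\tunknown\t/CN=mohamed\n' >> "$1"
    printf 'V\t330101000000Z\t\t03\tunknown\t/CN=mohamed2\n'             >> "$1"
}

pki=$(mktemp -d) && write_sample_index "$pki/index.txt"
for name in mohamed mohamed2 nobody; do
    echo "$name: $(cert_status "$pki/index.txt" "$name")"
done
crl_is_current "$pki/index.txt" "$pki/crl.pem" || echo "CRL missing or stale"
rm -rf "$pki"
```

On the real system, point the functions at /home/vpn/easy-rsa/pki/index.txt and at the CRL file the server reads; `./easyrsa gen-crl` writes a fresh pki/crl.pem.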

 

Download the OpenVPN Client Configuration Files

5.1. To download and import the generated client configuration files, you will need to use SFTP on Linux and macOS. If you are using Windows or prefer a graphical user interface, an SFTP client will be required. Refer to our guide on How to SFTP to a server with a private key.

Congratulations, you have successfully generated OpenVPN client configuration files. You can now proceed with importing them and enjoy your OpenVPN.

Last update: June 25th, 2020
