This procedure does not apply to the Blue Light OpenVPN network.
This procedure assumes that the OpenVPN server has already been set up. Only the per-client server procedure is described here.
This procedure was developed and tested using:
- Server: Debian 6.0 (Squeeze) with OpenVPN 2.1.3
- Windows (XP, Vista and 7) with OpenVPN 2.2.0
- Linux (Slackware 13.1 and 13.37) with OpenVPN 2.1.3
What is the client's name? Typically the name of the user is chosen.
Is the user going to be required to enter a password when making the OpenVPN connection? This is a good choice when the client computer is a portable device or in a multi-user office (so unintended users are more likely to be using it).
Choose a password for the archive (.zip) to be generated on the server and used when configuring the client.
On the server – create client certificates and keys
The commands are customised by setting the name of the client, typically the user's name, for example
Once that is set, create the client's certificates and keys ...
cd /etc/openvpn/easy-rsa && . vars && ./build-key "$client"
[use Enter to take the default answer for all questions until ...]
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
... and create an archive (.zip) containing the certificates and keys required on the client:
dir=$(mktemp --directory /tmp/XXXX); \
server=$(hostname --short); \
[[ $dir =~ ^/tmp/ ]] \
&& cd "$dir" \
&& chmod 755 "$dir" \
&& cp /etc/openvpn/easy-rsa/keys/ca.crt $server.ca.crt \
&& cp /etc/openvpn/easy-rsa/keys/$client.crt $client.$server.crt \
&& cp /etc/openvpn/easy-rsa/keys/$client.key $client.$server.key \
&& zip "$zip" * --encrypt \
&& echo "ZIP is $dir/$zip
Temporary directory $dir best removed after ZIP copied"
Record the password used, copy the .zip ready for installing on the client
To be continued when JIRA AVE-35 is progressed.