Notice: Make sure you have openssl available.
Build CA and client certificate:
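# Build the CA, the server certificate and one client certificate with the
# easy-rsa scripts from the OpenVPN examples directory, then install the
# server's key material and a starting server config.
# Run as root in an interactive shell; several steps prompt for input.

# Work on a private copy so the packaged examples stay untouched.
cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/
# build-dh names its output after KEY_SIZE in vars; the dh1024.pem copied
# further down corresponds to KEY_SIZE=1024, which is below current
# recommendations. If KEY_SIZE is raised, adjust that file name and the
# `dh` line in openvpn.conf to match.
vim vars    # adjust as needed
source vars

# Every private key (including ca.key) is written below keys/, so keep the
# directory readable by root only.
mkdir keys
chmod 700 keys
touch keys/index.txt
echo "01" > keys/serial

./build-ca
./build-key-server server
./build-key client1    # set common name to a useful value!
./build-dh

# Shared HMAC key for the tls-auth directive (server and every client).
cd /etc/openvpn/easy-rsa/keys/ && openvpn --genkey --secret ta.key

# Install only what the server needs. ca.key stays behind in easy-rsa/keys:
# it signs new certificates and is not needed by the running server.
mkdir /etc/openvpn/keys/
chmod 700 /etc/openvpn/keys/
cp /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn/keys/
cd /etc/openvpn/easy-rsa/keys/ && cp ta.key ca.crt server.crt server.key /etc/openvpn/keys/
# server.key and ta.key are secrets; make sure the copies are not
# group- or world-readable regardless of the umask in effect.
chmod 600 /etc/openvpn/keys/server.key /etc/openvpn/keys/ta.key

# Start from the packaged sample server config and edit it by hand.
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/openvpn.conf
vim /etc/openvpn/openvpn.conf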
Reference: /etc/openvpn/openvpn.conf on server:
# Server side of the certificate-based (TLS) setup.
port 1194
proto udp
dev tun
# CA certificate plus this server's own certificate and private key.
# "something.*" are placeholder names; the build steps on this page produce
# server.crt and server.key.
ca keys/ca.crt
cert keys/something.crt
key keys/something.key
# NOTE(review): 1024-bit DH parameters are below current recommendations.
# The file name has to match what build-dh produced.
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# HMAC signature on the TLS control channel; direction 0 here pairs with
# direction 1 in the client config.
tls-auth keys/ta.key 0
# NOTE(review): compression inside a VPN can leak plaintext through
# compression-oracle attacks, and newer OpenVPN releases deprecate it.
# Both ends must use the same setting.
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
# Reject client certificates listed in the revocation list.
# NOTE(review): crl.pem is only produced by revoke-full; presumably the
# server cannot accept connections while the file is missing - confirm.
crl-verify crl.pem
# The management interface is unauthenticated unless a password file is
# given; if enabled, keep it bound to loopback as shown.
# management 127.0.0.1 1234
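# Copy the credentials for client1 to removable media for transfer.
# ${USBSTICK:?...} aborts the command when the variable is unset or empty,
# so the private key is never copied into "/" by accident; the quotes keep a
# mount point containing spaces intact.
# client1.key and ta.key are secrets: remove them from the stick once they
# are installed on the client.
cd /etc/openvpn/easy-rsa/keys \
  && cp -- ta.key ca.crt client1.crt client1.key "${USBSTICK:?set USBSTICK to the mount point of the stick}/"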
# Start openvpn
# On the client: start from the packaged sample client config, then edit it.
sample_conf=/usr/share/doc/openvpn/examples/sample-config-files/client.conf
client_conf=/etc/openvpn/openvpn.conf
cp "$sample_conf" "$client_conf"
vim "$client_conf"
… then set 'remote $IP 1194' to the server's address, enable 'tls-auth ta.key 1' and 'ns-cert-type server', and adjust the ca/cert/key paths.
Reference: /etc/openvpn/openvpn.conf on client:
# Client side of the certificate-based (TLS) setup.
client
dev tun
proto udp
remote 10.12.240.44 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# CA certificate plus this client's own certificate and private key.
ca keys/ca.crt
cert keys/somethingclient2.crt
key keys/somethingclient2.key
# Accept only a peer whose certificate is marked as a server certificate, so
# another client certificate issued by the same CA cannot pose as the server.
# NOTE(review): newer OpenVPN releases deprecate ns-cert-type in favour of
# "remote-cert-tls server" - confirm the server certificate carries the
# matching key usage before switching.
ns-cert-type server
# Direction 1 pairs with direction 0 in the server config.
tls-auth keys/ta.key 1
# Must match the server's compression setting.
comp-lzo
verb 3
# mssfix 1200
# fragment 1200
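# Static-key alternative: one pre-shared key instead of a CA and certificates.
# Whoever holds secret.key can read and forge tunnel traffic, and there is no
# forward secrecy, so the key must reach the peer over a secure channel only.
cd /etc/openvpn
openvpn --genkey --secret secret.key
# Make sure the key is readable by root only, whatever the umask was.
chmod 600 secret.key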
Reference: /etc/openvpn/openvpn.conf on server:
# Static-key setup, labelled on this page as the server side.
# NOTE(review): this listing matches the client one, including `remote`,
# `nobind` and key direction 1. The OpenVPN manual expects complementary
# directions for `secret` (0 on one peer and 1 on the other, or none on
# both) - confirm what the server actually runs.
# NOTE(review): no ifconfig line is shown; static-key tun setups normally
# assign the tunnel endpoint addresses explicitly - verify.
dev tun
proto udp
remote 10.12.240.44 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Must match the peer's compression setting.
comp-lzo
verb 3
# Pre-shared static key and its direction.
secret secret.key 1
Reference: /etc/openvpn/openvpn.conf on client:
# Static-key setup, client side.
dev tun
proto udp
remote 10.12.240.44 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Must match the peer's compression setting.
comp-lzo
verb 3
# Pre-shared static key and its direction.
# NOTE(review): the server listing on this page uses direction 1 as well;
# the two peers need complementary directions (0 and 1) or none - confirm.
secret secret.key 1
# mssfix 1200
# fragment 1200
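# Revoke the certificate issued to client2 and publish the updated CRL where
# the server's `crl-verify crl.pem` line expects it.
# revoke-full needs the easy-rsa environment, so source vars first when this
# runs in a fresh shell. An "error 23 ... certificate revoked" line in its
# output is the verification step confirming that the revocation took effect.
cd /etc/openvpn/easy-rsa && source vars && ./revoke-full client2
# crl.pem holds no secrets, but the OpenVPN process must be able to read it.
cp keys/crl.pem /etc/openvpn/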