OpenVPN custom certificates

From Amahi Wiki
Jump to: navigation, search

The default OpenVPN install for Amahi will work with the certificates provided on the wiki, however there are a couple of reasons you may not want to use these. One, you can only have one client connected to the VPN at a time with these certificates and two, security best practices would advise against allowing the same certificate for all devices. Follow the instructions below to reconfigure your OpenVPN instance for use with multiple certificates. Keep in mind that when new certificates are made for your Amahi server the default profile created by the OpenVPN app will no longer work. This process will give you the files and profiles that you need in the future.

All commands are issued from the CLI as the root user unless noted otherwise.

Getting Started

Install easyrsa (The latest installations of OpenVPN do not include it.)

dnf install easy-rsa

Create a directory for working with Easy-RSA in which you will store Server keys and Certificate files.

mkdir /etc/openvpn/easy-rsa

Copy the key/certificate generation scripts installed by Easy-RSA from the default directory to the directory created above.

cp -air /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa

Navigate to /etc/openvpn/easy-rsa directory and start new PKI.

cd /etc/openvpn/easy-rsa
./easyrsa init-pki

Build the CA certificate. This will prompt you for the encryption password and the server common name.


  • Set the PEM password and write it down. You will be asked to confirm it. You will need it later.
  • For the Common Name you can use "server," "Amahi" or the name you gave your HDA. Remember it. You will need it later.
./easyrsa build-ca

The CA certificate is stored at /etc/openvpn/easy-rsa/pki/ca.crt.

Generate Diffie-Hellman key file that can be used during the TLS handshake with connecting clients. (Depending on the speed of your server, this may take a while.)

./easyrsa gen-dh

This will generate the DH key and store as /etc/openvpn/easy-rsa/pki/dh.pem.

Generate a key and certificate file for the server. We use the name "Amahi-Server-OpenVPN" in this command so that the names for the server files match the OpenVPN config file (amahi.conf) for Amahi. When the process begins you will be prompted for a Common Name. Be sure to use the same common name you used when creating the CA certificate.

./easyrsa build-server-full Amahi-Server-OpenVPN nopass

Generating Client Keys

You will repeat this process until you have created all of the client keys you wish to have on hand.

Generate a key and certificate file for the client. In the code below, we are assuming that the client keys and certificates you wish to create follow the naming convention "client1, client2, client3," etc. You could name them anything you want as long as each name is unique.

Command for creating a client key and cert

./easyrsa build-client-full client1 nopass

You will be prompted to enter the pass phrase for the ca.cert you created earlier. Be sure to use that password.

Run the command for creating the "client2" key and cert, substituting "client2" (without the quotes) in the command. The revised command would look like this:

./easyrsa build-client-full client2 nopass

Repeat until all clients are created.

Continuing On

In case you need to invalidate a previously signed certificate, generate a revocation certificate.

./easyrsa gen-crl

This stores the revocation certificate under /etc/openvpn/easy-rsa/pki/crl.pem.

Generate TLS/SSL pre-shared authentication key

openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key

This stores the ta key under /etc/openvpn/easy-rsa/pki/ta.key

Putting the New Files In Place

Backup Default files

mkdir /etc/openvpn/easy-rsa/amahi-backup
cp /etc/openvpn/amahi/* /etc/openvpn/easy-rsa/amahi-backup/

Copy files to the appropriate places. When asked if you want to overwrite the destination file, choose "y" for yes.

cp /ect/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/amahi/ca.crt
cp /ect/openvpn/easy-rsa/pki/issued/Amahi-Server-OpenVPN.crt /etc/openvpn/amahi/Amahi-Server-OpenVPN.crt
cp /ect/openvpn/easy-rsa/pki/private/Amahi-Server-OpenVPN.key /etc/openvpn/amahi/Amahi-Server-OpenVPN.key
cp /ect/openvpn/easy-rsa/pki/ph.pem /etc/openvpn/amahi/dh.pem

Create .ovpn files

There are scripts for doing this out there but the simplest way is to edit the following and save it as an .ovpn file. (Be sure that you save this file strictly as "client1.ovpn" (for example) and not "client1.ovpn.txt" or something like that. The easiest way I found was to use Notepad++ and, when finished editing the file, choose File > Save As and under "Save Type As" choose "All Types." Then name the file "client1.ovpn" (for example) and click save.)

dev tun
proto udp
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
verb 3
route-method exe
route-delay 2

Be sure to create one .ovpn file for each client you create. In addition,the lines "cert client1.crt" and "key client1.key" refer to the key and client certificate for a client you created. You need to change the .ovpn file to reflect the client which that .ovpn file references. (For example, if setting up client2, the lines would be "cert client2.crt" and "key client2.key" and the .ovpn file would be named "client2.ovpn". Make certain to spell the file names in the .ovpn exactly the same as the .crt and .key file names.)

Restart OpenVPN service

systemctl restart openvpn@amahi.service

Files Clients Need

Copy needed client files to an easy to access directory

mkdir [CHOSEN_LOCATION]/ovpn-clients
cp /ect/openvpn/easy-rsa/pki/issued/* [CHOSEN_LOCATION]/ovpn-clients/
cp /ect/openvpn/easy-rsa/pki/private/* [CHOSEN_LOCATION]/ovpn-clients/
cp /ect/openvpn/easy-rsa/pki/ca.crt [CHOSEN_LOCATION]/ovpn-clients/

Add your client .ovpn files that you created to the "[CHOSEN_LOCATION]/ovpn-clients/" directory.

VERY IMPORTANT: Compress that "ovpn-clients" directory (into a .zip file, for example) and set a password for the compressed file. This way, anyone wanting access to any keys or certifications will have to know that password. Once the compressed file is created, delete all of the files in the "[CHOSEN_LOCATION]/ovpn-clients/" directory except the compressed file.

Setting Up Clients for Windows

Each client that you setup to use the HDAConnect3 GUI will need one common file (ca.crt) and then its own unique set of files to make the connection work.

Be sure the HDAConnect GUI is not running.

Assuming we are setting up "Client1"

In Windows,

  • Go to the C:\Program Files (x86)\HDAConnect\config directory
  • Delete everything contained in that config directory.
  • Paste the ca.cert file to C:\Program Files (x86)\HDAConnect\config
  • Paste client1.ovpn, client1.key and client1.crt to C:\Program Files (x86)\HDAConnect\config

Start HDAConnect GUI and you should be ready to connect.

Client Key Encryption Option

One could change the encryption method of the client keys to be used. We will be using triple des in this tutorial, but you can use other encryption methods if you wish.

Create a new working directory to house all the files necessary for the process.

mkdir /etc/openvpn/easy-rsa/ovpn3des

Copy all the files needed to the new directory

cp /etc/openvpn/easy-rsa/pki/private/* /etc/openvpn/easy-rsa/ovpn3des/
cp /etc/openvpn/easy-rsa/pki/issued/* /etc/openvpn/easy-rsa/ovpn3des/
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/ovpn3des/
cp /etc/openvpn/easy-rsa/pki/ph.pem /etc/openvpn/easy-rsa/ovpn3des/

Move to the working directory

cd /etc/openvpn/easy-rsa/ovpn3des

This command creates an encrypted key. Keep in mind the original key will not be impacted when doing this. You will be asked for a pass phrase.

openssl rsa -in client1.key -des3 -out client1.3des.key

Repeat this command on each key you created.


The following link was used as a primary source for the bulk of this tutorial:

Raspberry Pi VPN Tutorial

Update to this wiki taken from [1] [2]