Changes

From Amahi Wiki
The default [[OpenVPN ]] install for Amahi will work with the certificates provided on the wiki, however there are a couple of reasons you may not want to use these. One, you can only have one client connected to the VPN at a time with these certificates and two, security best practice advises against sharing the same certificate across all devices (a shared certificate cannot be revoked for one lost device without cutting off every other device). Follow the instructions below to reconfigure your OpenVPN instance for use with multiple certificates. Keep in mind that once new certificates are made for your Amahi server the default profile created by the OpenVPN app will no longer work. This process will give you the files and profiles that you need in the future.
All commands are issued from the [[Open_Terminal_as_root|CLI as the root user]] unless noted otherwise.
<h2>Getting Started</h2>Install Easy-RSA (recent OpenVPN packages do not include it):
<pre>dnf install easy-rsa</pre>
Create a directory for working with Easy-RSA in which you will store the server keys and certificate files.
<pre>mkdir /etc/openvpn/easy-rsa</pre>
Copy the key/certificate generation scripts installed by Easy-RSA from the default directory to the directory created above.
<pre>cp -air /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa</pre>
Change to the /etc/openvpn/easy-rsa directory and start a new PKI.
<pre>cd /etc/openvpn/easy-rsa
./easyrsa init-pki</pre>
Build the CA certificate. This will prompt you for the CA key passphrase and the CA common name.
Suggestions:<ul><li>Set the PEM passphrase and write it down. You will be asked to confirm it, and you will need it every time you sign a server or client certificate.</li><li>For the Common Name you can use "server," "Amahi" or the name you gave your HDA. Remember it. You will need it later.</li></ul>
<pre>./easyrsa build-ca</pre>
The CA certificate is stored at /etc/openvpn/easy-rsa/pki/ca.crt. The CA private key is stored at /etc/openvpn/easy-rsa/pki/private/ca.key; it must never leave the server and must never be copied into a client bundle, because anyone holding it can issue certificates your server will trust.
Generate the Diffie-Hellman parameters used during the TLS handshake with connecting clients. (Depending on the speed of your server, this may take a while.)
<pre>./easyrsa gen-dh</pre>
This generates the DH parameters and stores them as /etc/openvpn/easy-rsa/pki/dh.pem.
Generate a key and certificate for the server. We use the name "Amahi-Server-OpenVPN" in this command so that the names of the server files match the OpenVPN config file (amahi.conf) for Amahi. When the process begins you will be prompted for a Common Name; use the same common name you used when creating the CA certificate. You will then be asked for the CA passphrase to sign the certificate. The "nopass" option leaves the server's private key unencrypted so that the service can start without a passphrase; protect that key file with permissions (root-only) instead.
<pre>./easyrsa build-server-full Amahi-Server-OpenVPN nopass</pre>
<h2>Generating Client Keys</h2>You will repeat this process until you have created all of the client keys you wish to have on hand.
Generate a key and certificate for each client. In the commands below we assume that the client keys and certificates you wish to create follow the naming convention "client1, client2, client3," etc. You could name them anything you want as long as each name is unique. One certificate per device is the point of this exercise, so never share a client certificate between devices.
Command for creating a client key and cert:<pre>./easyrsa build-client-full client1 nopass</pre>
You will be prompted to enter the passphrase for the CA key you created earlier. Be sure to use that passphrase. (The "nopass" option leaves the client's private key unencrypted; see the "Client Key Encryption Option" section at the end of this page if you want to encrypt it.)
Run the command for creating the "client2" key and cert, substituting "client2" (without the quotes) in the command. The revised command would look like this:<pre>./easyrsa build-client-full client2 nopass</pre>
Repeat until all clients are created. The client certificates are stored under /etc/openvpn/easy-rsa/pki/issued/ and their private keys under /etc/openvpn/easy-rsa/pki/private/.
<h2>Continuing On</h2>In case you need to invalidate a previously signed certificate (for example, for a lost or retired device), revoke it and then generate a certificate revocation list (CRL). A certificate is only revoked once you have run "./easyrsa revoke" with that client's name and then regenerated the CRL with the command below.
<pre>./easyrsa gen-crl</pre>This command stores the CRL under /etc/openvpn/easy-rsa/pki/crl.pem. The server only enforces it if amahi.conf points to the CRL with a "crl-verify" directive; without that, a revoked client can still connect.
Generate the TLS authentication (tls-auth) pre-shared key. OpenVPN uses it to add an HMAC signature to every control-channel packet and drops packets that do not carry a valid one, so port scanners and anyone without the key cannot even start a TLS handshake with the server.
<pre>openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key</pre>
This stores the key at /etc/openvpn/easy-rsa/pki/ta.key. (The option starts with two hyphens back to back; copying and pasting from a web page sometimes turns them into a single dash.) To use it, amahi.conf needs a "tls-auth" directive pointing at this file and every client profile must carry the same key.
<h2>Putting the New Files In Place</h2>Back up the default files:<pre>mkdir /etc/openvpn/easy-rsa/amahi-backup</pre><pre>cp /etc/openvpn/amahi/* /etc/openvpn/easy-rsa/amahi-backup/</pre>
Copy the files to the appropriate places. When asked if you want to overwrite the destination file, answer "y" for yes.
<pre>cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/amahi/ca.crt
cp /etc/openvpn/easy-rsa/pki/issued/Amahi-Server-OpenVPN.crt /etc/openvpn/amahi/Amahi-Server-OpenVPN.crt
cp /etc/openvpn/easy-rsa/pki/private/Amahi-Server-OpenVPN.key /etc/openvpn/amahi/Amahi-Server-OpenVPN.key
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/amahi/dh.pem</pre>
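Before restarting the service it is worth confirming that the files you just copied actually belong together: that the server certificate was signed by the new CA and that the key file matches the certificate. The shell function below is an added example written for this page; it is not part of the Amahi wiki, Easy-RSA or OpenVPN. It assumes only the openssl command-line tool. The throwaway CA it builds under a temporary directory is constructed for the demonstration; in real use you point check_pair at the files in /etc/openvpn/amahi (or any client's .crt/.key pair) together with /etc/openvpn/easy-rsa/pki/ca.crt.

```sh
#!/bin/sh
# Added example (not part of the Amahi wiki, Easy-RSA or OpenVPN): verify that a
# certificate/key pair chains to the CA and that the key really belongs to the
# certificate before the files go live under /etc/openvpn/amahi.

# check_pair CERT KEY CA_CERT -> exit status 0 when both checks pass
check_pair() {
    cert=$1; key=$2; ca=$3
    # 1. The certificate must be signed by our CA. A stray cert left over from an
    #    older easy-rsa run, or the wiki's shared certificate, fails here.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not signed by $ca" >&2
        return 1
    fi
    # 2. The private key must match the certificate: compare the public key
    #    embedded in the cert with the public key derived from the key file.
    #    (A passphrase-protected key will prompt for its passphrase here.)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        return 1
    fi
    echo "OK: $cert and $key verify against $ca"
    return 0
}

# build_demo_pki DIR: constructs a throwaway CA, one client certificate signed by
# it, and one unrelated self-signed certificate under DIR. Demo data only; it does
# not touch a real Easy-RSA pki/ directory.
build_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=DemoCA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$d/client1.key" -out "$d/client1.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$d/client1.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/client1.crt" >/dev/null 2>&1 || return 1
    # Stands in for "a certificate issued by some other CA".
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=stranger" \
        -keyout "$d/stranger.key" -out "$d/stranger.crt" >/dev/null 2>&1
}

# Stand-alone run: one passing check and two failing ones.
demo_dir=$(mktemp -d)
if build_demo_pki "$demo_dir"; then
    check_pair "$demo_dir/client1.crt" "$demo_dir/client1.key" "$demo_dir/ca.crt"
    check_pair "$demo_dir/stranger.crt" "$demo_dir/stranger.key" "$demo_dir/ca.crt"  # wrong CA
    check_pair "$demo_dir/client1.crt" "$demo_dir/ca.key" "$demo_dir/ca.crt"          # wrong key
fi
rm -rf "$demo_dir"
```

Run it as root against the real files, for example check_pair /etc/openvpn/amahi/Amahi-Server-OpenVPN.crt /etc/openvpn/amahi/Amahi-Server-OpenVPN.key /etc/openvpn/amahi/ca.crt, before restarting OpenVPN; a failure here is the usual cause of a server that restarts but refuses every client.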
<h2>Create .ovpn files</h2>There are scripts for doing this out there, but the simplest way is to edit the following and save it as an .ovpn file. (Be sure that you save this file strictly as "client1.ovpn" (for example) and not "client1.ovpn.txt" or something like that. The easiest way I found was to use Notepad++ and, when finished editing the file, choose File > Save As and under "Save Type As" choose "All Types." Then name the file "client1.ovpn" (for example) and click save.)<pre>client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
auth-user-pass
route-method exe
route-delay 2</pre>
This template carries no "remote" line naming your server's public address and port; carry that line over from the profile the OpenVPN app generated, or add one, or the client has nowhere to connect to. Keep "comp-lzo" and "auth-user-pass" only if amahi.conf is actually configured for compression and for username/password authentication; a mismatch on either side makes the connection fail.
Be sure to create one .ovpn file for each client you create. In addition, the lines "cert client1.crt" and "key client1.key" refer to the client name you created. You need to change the .ovpn file to reflect the client which that .ovpn file references. (For example, if setting up client2, the lines would be "cert client2.crt" and "key client2.key" and the .ovpn file would be named "client2.ovpn". Make certain to spell the file names in the .ovpn exactly the same as the .crt and .key file names.)
Restart the OpenVPN service:<pre>systemctl restart openvpn@amahi.service</pre>
Confirm it came back up with "systemctl status openvpn@amahi.service" before handing out any profiles.
<h2>Files Clients Need</h2>Copy each client's files to an easy to access directory. Copy only the CA certificate and the client's own certificate and key. Do not copy the whole pki/private/ directory: it also holds the CA private key (ca.key) and the server key, and anyone who obtains ca.key can mint certificates that your server will trust.<pre>mkdir [CHOSEN_LOCATION]/ovpn-clients
cp /etc/openvpn/easy-rsa/pki/ca.crt [CHOSEN_LOCATION]/ovpn-clients/
cp /etc/openvpn/easy-rsa/pki/issued/client1.crt [CHOSEN_LOCATION]/ovpn-clients/
cp /etc/openvpn/easy-rsa/pki/private/client1.key [CHOSEN_LOCATION]/ovpn-clients/</pre>Repeat the last two commands for client2, client3 and so on, then add the client .ovpn files that you created to the "[CHOSEN_LOCATION]/ovpn-clients/" directory.
VERY IMPORTANT: Compress that "ovpn-clients" directory (into a .zip file, for example) and set a password on the archive, using an archiver that offers AES encryption (7-Zip does); the legacy ZipCrypto password protection is weak. This way, anyone wanting access to any keys or certificates will have to know that password. Once the archive is created, delete all of the files in the "[CHOSEN_LOCATION]/ovpn-clients/" directory except the archive. Give each person only their own client's files rather than an archive holding everyone's keys, and send the password over a different channel than the archive itself.
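Maintaining four separate files per client, and making sure the names inside the .ovpn match the .crt and .key names, is where most hand-built profiles go wrong. OpenVPN also accepts the CA certificate, client certificate, client key and tls-auth key inline inside the .ovpn, so each client can be handed one file. The script below is an added example written for this page; it is not part of the Amahi wiki or OpenVPN. It reads only the named client's files from an Easy-RSA pki/ tree (ca.key and the server key are never opened), strips the human-readable dump that Easy-RSA puts before the PEM block in issued/*.crt, and writes the profile owner-readable only. The server address vpn.example.home and port 1194 are assumptions passed in by the caller, since the page's template has no "remote" line; the refusal of names containing "Server" follows this page's server naming convention. It keeps the page template's core directives and adds "remote-cert-tls server" (the client rejects a peer presenting a client certificate) and "key-direction 1" for the inline tls-auth key; "comp-lzo", "auth-user-pass" and the Windows-only route options are left out and should be added only if amahi.conf requires them. The inline tls-auth block only works if amahi.conf uses the same ta.key with direction 0. The sample pki/ tree it builds for the demonstration holds constructed placeholder PEM bodies, not real keys.

```sh
#!/bin/sh
# Added example (not part of the Amahi wiki or OpenVPN): build one self-contained
# .ovpn profile per client with ca.crt, the client cert, the client key and ta.key
# embedded inline. Only the named client's files are read.

# pem_only FILE: print just the PEM block(s) of FILE, dropping Easy-RSA's text dump.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_ovpn PKI_DIR CLIENT REMOTE_HOST REMOTE_PORT OUT_DIR
# Prints the path of the written profile; returns 1 if CLIENT is not a client
# name or any required file is missing.
make_ovpn() {
    pki=$1; client=$2; host=$3; port=$4; out=$5
    case "$client" in
        ""|ca|*Server*) echo "refusing: '$client' is not a client name" >&2; return 1 ;;
    esac
    for f in "$pki/ca.crt" "$pki/issued/$client.crt" "$pki/private/$client.key" "$pki/ta.key"; do
        [ -s "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    mkdir -p "$out" || return 1
    profile="$out/$client.ovpn"
    # Subshell so the restrictive umask (profile holds a private key) does not
    # leak into the caller's shell.
    (
        umask 077
        {
            printf '%s\n' client "dev tun" "proto udp" "remote $host $port" \
                "resolv-retry infinite" nobind persist-key persist-tun \
                "remote-cert-tls server" "key-direction 1" "verb 3"
            echo "<ca>";       pem_only "$pki/ca.crt";              echo "</ca>"
            echo "<cert>";     pem_only "$pki/issued/$client.crt";  echo "</cert>"
            echo "<key>";      pem_only "$pki/private/$client.key"; echo "</key>"
            echo "<tls-auth>"; pem_only "$pki/ta.key";              echo "</tls-auth>"
        } > "$profile"
    ) || return 1
    echo "$profile"
}

# make_sample_pki DIR: constructed stand-in for an Easy-RSA pki/ tree with fake
# PEM bodies (not real keys) so the builder can be exercised anywhere.
make_sample_pki() {
    d=$1
    mkdir -p "$d/issued" "$d/private"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' CAFAKE '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' CAKEYFAKE '-----END PRIVATE KEY-----' > "$d/private/ca.key"
    printf '%s\n' 'Certificate:' '    Data:' '        Subject: CN=client1' \
        '-----BEGIN CERTIFICATE-----' CLIENT1FAKE '-----END CERTIFICATE-----' > "$d/issued/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' CLIENT1KEYFAKE '-----END PRIVATE KEY-----' > "$d/private/client1.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' TAFAKE '-----END OpenVPN Static key V1-----' > "$d/ta.key"
}

# Stand-alone run on the constructed tree: one profile written, two refused.
demo=$(mktemp -d)
make_sample_pki "$demo/pki"
make_ovpn "$demo/pki" client1 vpn.example.home 1194 "$demo/out" && cat "$demo/out/client1.ovpn"
make_ovpn "$demo/pki" ca vpn.example.home 1194 "$demo/out"       # refused: not a client
make_ovpn "$demo/pki" client9 vpn.example.home 1194 "$demo/out"  # refused: no such client
rm -rf "$demo"
```

On the server you would call make_ovpn /etc/openvpn/easy-rsa/pki client1 your.public.hostname 1194 /root/ovpn-clients for each client, then distribute only the resulting client1.ovpn (still password-protected, as above); the separate .crt/.key files described in the Windows section are no longer needed when the profile is inline.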
<h2>Setting Up Clients for Windows</h2>Each client that you set up to use the [http://dl.amahi.org/HDAConnect3.exe HDAConnect3] GUI will need one common file (ca.crt) and then its own unique set of files to make the connection work.
Be sure the HDAConnect GUI is not running.
Assuming we are setting up "client1":
In Windows, <ul><li>Go to the C:\Program Files (x86)\HDAConnect\config directory.</li><li>Delete everything contained in that config directory.</li><li>Paste the ca.crt file into C:\Program Files (x86)\HDAConnect\config.</li><li>Paste client1.ovpn, client1.key and client1.crt into C:\Program Files (x86)\HDAConnect\config.</li></ul>
Start the HDAConnect GUI and you should be ready to connect.
<h2>Client Key Encryption Option</h2>You can optionally encrypt the client private keys with a passphrase, so that a copied key file is useless to whoever copies it without that passphrase. This tutorial uses triple DES (3DES); with a current OpenSSL you should prefer AES by replacing "-des3" with "-aes256" in the command below, since 3DES is a legacy cipher. Whichever you choose, the client software must be able to prompt for the passphrase when it loads the key.
Create a new working directory to house all the files necessary for the process.
<pre>mkdir /etc/openvpn/easy-rsa/ovpn3des</pre>
Copy the client files into the new directory. Copy only the client certificates and keys plus ca.crt; ca.key, the server key and dh.pem are server-side files and must stay where they are.
<pre>cp /etc/openvpn/easy-rsa/pki/private/client*.key /etc/openvpn/easy-rsa/ovpn3des/
cp /etc/openvpn/easy-rsa/pki/issued/client*.crt /etc/openvpn/easy-rsa/ovpn3des/
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/ovpn3des/</pre>
Move to the working directory:
<pre>cd /etc/openvpn/easy-rsa/ovpn3des</pre>
This command writes an encrypted copy of the key; the original key is not modified. You will be asked for a passphrase; do not leave it blank.<pre>openssl rsa -in client1.key -des3 -out client1.3des.key</pre>Repeat this command for each key you created. Hand out the .3des.key file instead of the plaintext key, change the "key" line of that client's .ovpn to the new file name, and delete the plaintext copy from the working directory once the encrypted one is verified to load.
<h2>Citations</h2>
The following link was used as a primary source for the bulk of this tutorial:
[http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing Raspberry Pi VPN Tutorial]
 
The Easy-RSA 3 update to this wiki page follows these RavenHawk Tech posts:
[https://ravenhawktech.com/index.php/2020/12/18/openvpn-install-on-fedora-server/ OpenVPN install on Fedora Server]
[https://ravenhawktech.com/index.php/2021/01/27/openvpn-install-on-fedora-server-part-2/ OpenVPN install on Fedora Server, part 2]