Build Configuration Files for Your OpenVPN Clients

Download a Config File From Your Router, If You Are Using a Router VPN Server

If you are using a router as your VPN server,

  • Browse to your router
  • Navigate to the VPN page >> OpenVPN Servers tab >> and click on Export.
  • This will download a client config file. The config file has a place for you to paste a client certificate and a client key. Fetch them from your easy-rsa/keys_router folder, and use copy/paste to add their content to the downloaded .ovpn file.
  • Continue editing your downloaded .ovpn file and:
    • Edit the "remote x.x.x.x 1194" line and replace x.x.x.x with your external IP address or your external DNS name.
  • You've now got a fully usable client config file.
  • Don't forget to update your readme.txt in your easy-rsa/keys_router folder, where you track to whom you assigned each certificate.
  • If you are using a router as your VPN server, you're done with this page. Return to Surf Safe at Starbucks

Build Config Files If You Are Using a Pi VPN Server

Building a config file is hard. Here's a script to help build it.

On your key generation machine, put this in a file named ~/Packages/easy-rsa/build-client-config.sh (maybe just ~/easy-rsa for you). It is based on a script found here, written by Eric Jodoin. Be sure to edit EXTERNALIP.

#!/bin/bash
DEFAULT="Default.txt"
FILEEXT=".ovpn"
KEY=".key"
CA="ca.crt"
TA="ta.key"
NAME="${1%.*}"

# Substitute your external IP address or the DNS name for the external IP address of your VPN server.
# Consider registering a domain name specifically for this purpose.  If your IP address changes, you'll wish you had.
# TODO: CHANGEME - Your external IP or DNS name here
EXTERNALIP="vpn.example.com"

if [ -z "${NAME}" ]; then
    echo "Please enter an existing Client Name:"
    read NAME
fi

while [ ! -f $NAME.crt ] ; do
    echo "[ERROR]: Client Public Key Certificate not found: $NAME.crt"
    echo "Please enter an existing Client Name:"
    read NAME
done

if [ ! -f $NAME$KEY ]; then
    echo "[Error]: Client Private Key not found: $NAME$KEY."
    exit -1
fi

if [ ! -f $CA ]; then
    echo "[ERROR]: CA Public Key not found: $CA"
    exit -1
fi
echo "CA public Key found: $CA"

if [ ! -f $TA ]; then
    echo "[ERROR]: tls-auth Key not found: $TA"
    exit -1
fi

#Ready to make a new .opvn file - Start by populating with static content.
#Make sure that you get the EOF outdented all the way
cat <<-EOF > $NAME$FILEEXT
    client
    dev tun
    proto tcp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    mute-replay-warnings
    ns-cert-type server
    key-direction 1
    cipher AES-256-CBC
    auth SHA256
    comp-lzo no
    verb 1
    mute 20
EOF
echo "remote $EXTERNALIP 443" >> $NAME$FILEEXT

#append the CA Public Cert
echo "<ca>" >> $NAME$FILEEXT
cat $CA >> $NAME$FILEEXT
echo "</ca>" >> $NAME$FILEEXT

#append the client Public Cert
echo "<cert>" >> $NAME$FILEEXT
cat $NAME.crt | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $NAME$FILEEXT
echo "</cert>" >> $NAME$FILEEXT

#append the client Private Key
echo "<key>" >> $NAME$FILEEXT
cat $NAME$KEY >> $NAME$FILEEXT
echo "</key>" >> $NAME$FILEEXT

#append the TA Private Key
echo "<tls-auth>" >> $NAME$FILEEXT
cat $TA >> $NAME$FILEEXT
echo "</tls-auth>" >> $NAME$FILEEXT

echo "Done! $NAME$FILEEXT created."

Note: Setting "comp-lzo no" does not permanently disable comp-lzo. It merely makes no compression the default behavior for the client. You can override this by pushing comp-lzo from the server. Confusingly, if you specify nothing about comp-lzo, it is disabled and the server cannot override it with a push. i.e. In order to allow the server to enable comp-lzo, you must first disable it (or enable it) on the client!

Mark it executable:

chmod ugo+rx ~/easy-rsa/build-client-config.sh

Note: Before proceeding you must load the easy-rsa environment variables and set your working directory to /home/pi/easy-rsa-keys. If you defined an alias as suggested here, you can execute these bash statements (choosing keys_raspivpn, when asked):

easy-rsa
cd $KEY_DIR

You'll need to run build-client-config.sh script for each client key. Because all of your client keys are named user-something.key, you can run:

for f in user-*.key ; do ~/Packages/easy-rsa/build-client-config.sh $f ; done

When you're done, you'll have a collection of .ovpn files -- one for each client key. These files contain your keys, your certificates, and the settings necessary to access your VPN. Guard them. Keep them safe!

Create a readme.txt file in your ~/easy-rsa/keys directory to track who gets what .ovpn file. For example, you might put something similar to the following in your readme.txt:

  • Dad's Macbook = user-key1.ovpn
  • Dad's iPhone = user-key2.ovpn
  • Mom's Laptop = user-key3.ovpn
  • Billy's Android = user-key4.ovpn

Return to Surf Safe at Starbucks