Build Configuration Files for Your OpenVPN Clients

Building a client config file by hand is tedious and error-prone: the CA certificate, the client certificate, the client private key and the tls-auth key all have to be pasted into the right inline blocks, and one stray line breaks the profile. Here's a script that builds it for you. On the machine where you built your keys, put this in a file named ~/easy-rsa/build-client.sh. It is based on a script found here, written by Eric Jodoin. Be sure to edit EXTERNALIP. Keep in mind that the resulting .ovpn file contains the client's private key, so treat it with the same care as the key itself.

#!/bin/bash
# Build a single-file .ovpn client profile with the CA cert, client cert,
# client key and tls-auth key embedded inline.
# Run it from your easy-rsa keys directory (where ca.crt and ta.key live).
set -u

FILEEXT=".ovpn"
KEY=".key"
CA="ca.crt"
TA="ta.key"
NAME="${1:-}"

# Substitute your external IP address or the DNS name for the external IP address of your VPN server.
# Consider registering a domain name specifically for this purpose.  If your IP address changes, you'll wish you had.
EXTERNALIP="vpn.example.com"

if [ -z "${NAME}" ]; then
    echo "Please enter an existing Client Name:"
    read -r NAME
fi

while [ ! -f "${NAME}.crt" ]; do
    echo "[ERROR]: Client Public Key Certificate not found: ${NAME}.crt"
    echo "Please enter an existing Client Name:"
    read -r NAME
done
echo "Client's cert found: ${NAME}.crt"

if [ ! -f "${NAME}${KEY}" ]; then
    echo "[ERROR]: Client Private Key not found: ${NAME}${KEY}"
    exit 1
fi
echo "Client's Private Key found: ${NAME}${KEY}"

# ca.crt and ta.key have fixed names, so there is nothing to re-prompt for:
# a missing file means we are in the wrong directory. Bail out instead of looping.
if [ ! -f "${CA}" ]; then
    echo "[ERROR]: CA Public Key not found: ${CA}"
    exit 1
fi
echo "CA public Key found: ${CA}"

if [ ! -f "${TA}" ]; then
    echo "[ERROR]: tls-auth Key not found: ${TA}"
    exit 1
fi
echo "tls-auth Private Key found: ${TA}"

OUT="${NAME}${FILEEXT}"

# The profile will hold the client's private key: create it readable by the owner only.
umask 077

# Ready to make a new .ovpn file - start by populating it with static content.
# proto, port, cipher, auth, compression and key-direction must match the
# server config (the server uses key-direction 0, every client uses 1).
cat <<EOF > "${OUT}"
client
dev tun
proto tcp
remote ${EXTERNALIP} 443
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
# Only accept a server certificate marked as a server certificate.
# ns-cert-type was deprecated in OpenVPN 2.4 and removed in 2.5;
# remote-cert-tls is its replacement and works with easy-rsa server certs.
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA256
# Compression is deprecated and leaks information about the tunnelled traffic;
# keep it only if the server still has comp-lzo enabled, and remove it from both ends when you can.
comp-lzo
verb 1
mute 20
EOF

{
    # Append the CA public cert.
    echo "<ca>"
    cat "${CA}"
    echo "</ca>"

    # Append the client public cert. easy-rsa writes a human-readable dump
    # above the PEM block in the .crt file; keep only the PEM part.
    echo "<cert>"
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${NAME}.crt"
    echo "</cert>"

    # Append the client private key.
    echo "<key>"
    cat "${NAME}${KEY}"
    echo "</key>"

    # Append the tls-auth key (a shared secret; the server holds the same file).
    echo "<tls-auth>"
    cat "${TA}"
    echo "</tls-auth>"
} >> "${OUT}"

echo "Done! ${OUT} created (mode 600). It contains a private key: deliver it to the client over a secure channel."

Mark it executable:

chmod ugo+rx ~/easy-rsa/build-client.sh

Note: Before proceeding you must load the easy-rsa environment variables and change into your easy-rsa keys directory, because the script looks for ca.crt, ta.key and the client .crt and .key files in the current directory. If you defined an alias as suggested here, you can execute these bash statements:

easy-rsa
cd keys

You'll need to run the build-client.sh script once for each client certificate. For example, if you created keys named user-key01.key, user-key02.key and user-key03.key, you'll run:

for i in 01 02 03; do ~/easy-rsa/build-client.sh user-key$i; done

Each resulting user-keyNN.ovpn embeds that client's private key, so hand it to exactly one device over a secure channel and delete any copies you no longer need.
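Before handing a profile to a user it is worth checking what the script actually produced: a leaked easy-rsa text dump inside <cert>, a missing closing tag, or a key that belongs to a different client will all fail only at connection time, on the user's machine. The following checker is an added example for this page, not part of Eric Jodoin's script or the page's own build-client.sh. ovpn_lint verifies the profile's structure with nothing beyond sed and grep (each of the four inline blocks present exactly once, each wrapping a PEM object with nothing before its BEGIN line, a remote line, warnings for deprecated directives and for loose file permissions); ovpn_check_keys uses openssl to confirm that the embedded client certificate chains to the embedded CA and carries the same public key as the embedded private key. The function names, the [FAIL]/[WARN] output format and the file names are mine.

```shell
#!/bin/bash
# ovpn-lint: sanity-check a generated .ovpn before handing it to a user.
# Added example for this page, not part of the original build-client.sh.
#   ovpn_lint       - structural checks, needs only sed/grep
#   ovpn_check_keys - cryptographic checks, needs openssl
# Findings print to stdout as [FAIL]/[WARN]; return 0 = usable, 1 = reject.

# Print the body of inline block <$2>...</$2> from profile $1 (empty if absent).
ovpn_block() {
    sed -n "/^<$2>\$/,/^<\/$2>\$/{ /^<$2>\$/d; /^<\/$2>\$/d; p; }" "$1"
}

ovpn_lint() {
    local profile="$1" rc=0 tag opens closes body mode
    [ -f "$profile" ] || { echo "[FAIL] no such file: $profile"; return 1; }

    # Each inline block must appear exactly once and wrap a PEM object.
    # easy-rsa's .crt files carry a text dump above the PEM; if it leaked
    # into <cert>, the body will not start with -----BEGIN.
    for tag in ca cert key tls-auth; do
        opens=$(grep -c "^<$tag>\$" "$profile" || true)
        closes=$(grep -c "^</$tag>\$" "$profile" || true)
        if [ "$opens" -ne 1 ] || [ "$closes" -ne 1 ]; then
            echo "[FAIL] <$tag> block must appear exactly once (found $opens open / $closes close)"
            rc=1
            continue
        fi
        # ta.key begins with '#' comment lines; ignore those before matching.
        body=$(ovpn_block "$profile" "$tag" | grep -v '^#' || true)
        case "$body" in
            -----BEGIN*-----END*-----) ;;
            *) echo "[FAIL] <$tag> body is not a clean PEM object"; rc=1 ;;
        esac
    done

    # The client needs somewhere to connect to.
    grep -Eq '^remote +[^ ]+ +[0-9]+' "$profile" \
        || { echo "[FAIL] no 'remote <host> <port>' line"; rc=1; }

    # Deprecated since OpenVPN 2.4 (ns-cert-type is gone in 2.5). Old clients
    # still load the profile, so warn rather than reject.
    grep -q '^ns-cert-type' "$profile" \
        && echo "[WARN] 'ns-cert-type' is deprecated; use 'remote-cert-tls server'"
    grep -q '^comp-lzo' "$profile" \
        && echo "[WARN] 'comp-lzo' is deprecated and compression leaks tunnelled data; disable it on both ends"

    # The file holds a private key; only its owner should be able to read it.
    mode=$(stat -c %a "$profile" 2>/dev/null || true)
    case "$mode" in
        ""|600|400) ;;
        *) echo "[WARN] $profile is mode $mode; chmod 600 it" ;;
    esac
    return $rc
}

# Cryptographic checks: <cert> chains to <ca>, and <key> is the private half
# of the public key inside <cert>. Requires openssl.
ovpn_check_keys() {
    local profile="$1" rc=0 tmp
    tmp=$(mktemp -d) || return 1
    ovpn_block "$profile" ca   > "$tmp/ca.crt"
    ovpn_block "$profile" cert > "$tmp/client.crt"
    ovpn_block "$profile" key  > "$tmp/client.key"
    openssl verify -CAfile "$tmp/ca.crt" "$tmp/client.crt" >/dev/null 2>&1 \
        || { echo "[FAIL] <cert> does not chain to <ca>"; rc=1; }
    # Compare the SubjectPublicKeyInfo derived from each side.
    if [ "$(openssl x509 -in "$tmp/client.crt" -noout -pubkey 2>/dev/null)" != \
         "$(openssl pkey -in "$tmp/client.key" -pubout 2>/dev/null)" ]; then
        echo "[FAIL] <key> does not match the public key in <cert>"
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: ./ovpn-lint.sh user-key01.ovpn
if [ $# -gt 0 ]; then
    ovpn_lint "$1" && ovpn_check_keys "$1"
fi
```

Run it over every profile the loop above produced (for f in user-key*.ovpn; do ./ovpn-lint.sh "$f"; done). The structural check is deliberately separate from the openssl check so it can run on a minimal machine; the key-match test is the one that catches the classic mistake of pairing one user's certificate with another user's key, which the server will reject with a TLS error that tells the user nothing useful.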

Return to Surf Safe at Starbucks