On the server

Generate a new key

On the VPN server:

sudo su ca
easyrsa build-client-full CLIENT_NAME nopass

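Send the client the files it needs

The client will need the files below. The key was generated with nopass, so it is not encrypted; send it over a secure channel: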

  • CA certificate: /home/ca/pki/ca.crt
  • Client certificate: /home/ca/pki/issued/CLIENT_NAME.crt
  • Client key: /home/ca/pki/private/CLIENT_NAME.key

On the client

Set up openvpn

sudo pacman -S openvpn

Client conf

Create a directory /etc/openvpn/client/peori; all the files for this client will be stored there.

Create /etc/openvpn/client/peori.conf:

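# Run as a TLS client and accept the options the server pushes
# (ca/cert/key are only accepted in TLS mode)
client
remote vpn.peori.space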

# Auth
ca   peori/ca.crt
cert peori/client.crt
key  peori/client.key

# Net
dev tun1

# Sending all the traffic through this interface
#route-method exe

# Technical details
proto udp
port 1194

auth SHA1       # Only for HMAC
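# Only accept a peer certificate issued for server use
# (replaces the deprecated "ns-cert-type server")
remote-cert-tls server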

log-append /var/log/openvpn.peori
verb 3
#verb 4 # Verbose logging

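Next, copy the files the client needs to /etc/openvpn/client/peori, saving the client certificate as client.crt and the client key as client.key to match the config above, and run: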

sudo systemctl start openvpn-client@peori
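
An added example, not part of the original page: a script to run as root before the systemctl step. It checks that the received certificate is signed by the CA and that the key belongs to it, then installs the files under the names peori.conf expects. The function names and the argument layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check the three files received from the CA, then install them
# under the names peori.conf expects. SRC is assumed to hold ca.crt,
# CLIENT_NAME.crt and CLIENT_NAME.key exactly as they were sent.

# check_pair CA CERT KEY: succeed only if CERT is signed by CA and KEY belongs to CERT.
check_pair() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || {
        echo "certificate $2 is not signed by $1" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) || {
        echo "cannot read private key $3" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] || {
        echo "private key $3 does not match $2" >&2; return 1; }
}

# install_client SRC CLIENT_NAME DEST: copy the files into DEST with tight permissions.
install_client() {
    src=$1 name=$2 dest=$3
    # Refuse to create a half-populated directory.
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    install -m 644 "$src/ca.crt"    "$dest/ca.crt"     || return 1
    install -m 644 "$src/$name.crt" "$dest/client.crt" || return 1
    # The key was built with nopass, so it is unencrypted: owner-only access.
    install -m 600 "$src/$name.key" "$dest/client.key" || return 1
}

# Usage: sh install-peori.sh SRC_DIR CLIENT_NAME [DEST_DIR]
if [ $# -ge 2 ]; then
    check_pair "$1/ca.crt" "$1/$2.crt" "$1/$2.key" &&
        install_client "$1" "$2" "${3:-/etc/openvpn/client/peori}"
fi
```
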

peoro's shortcut

create-client-certificate.sh CLIENT_NAME

All the needed files will be in ~/tmp/openvpn-key.CLIENT_NAME