New client for openvpn server


I have openvpn server in use on my router. (WRT3200ACM / OpenWrt 21.02.1 r16325-88151b8303)

I followed this link and it works fine. But now I want to add extra clients (ovpn files) but I have no idea how.

When I do:

# Generate client keys and certificate
easyrsa build-client-full clientname nopass
openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \
--genkey tls-crypt-v2-client ${EASYRSA_PKI}/private/client.pem`

It claims:

root@OpenWrt:~# easyrsa build-client-full client nopass

Note: using Easy-RSA configuration from: /usr/lib/easy-rsa/vars

Easy-RSA error:

EASYRSA_PKI does not exist (perhaps you need to run init-pki)?
Expected to find the EASYRSA_PKI at: /root/pki
Run easyrsa without commands for usage and command help.

It says it does not exist, but I used It before to make a client ovpn file.

Or do I need to use this complete lines? (doesn't this overwrite my existing keys?

# Configuration parameters
export EASYRSA_REQ_CN="ovpnca"
export EASYRSA_BATCH="1"
# Remove and re-initialize PKI directory
easyrsa init-pki
# Generate DH parameters
easyrsa gen-dh
# Create a new CA
easyrsa build-ca nopass
# Generate server keys and certificate
easyrsa build-server-full server nopass
openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem
# Generate client keys and certificate
easyrsa build-client-full client nopass
openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \
--genkey tls-crypt-v2-client ${EASYRSA_PKI}/private/client.pem
1 Like

When did you do it last? Have you upgraded to 21.02.1 since the last time you generated the keys? If so, did you reinstall the necessary packages?

Side note: you can also create the keys on a regular computer. This is much much faster than doing it I. A resource constrained device like a consumer router.

No it was installed on 21.02.1 two days ago. And after all was working on my test pc, I wanted to create new user ovpn files for two clients.

Add more VPN clients like this:

Then generate the configs:

cat << EOF >
$(uclient-fetch -O - "${URL}/server?codeblock=0" | sed -e "/^opkg\s/s/^/#/")
$(uclient-fetch -O - "${URL}/server?codeblock=2")
$(uclient-fetch -O - "${URL}/server?codeblock=3")

To sign additional new client certificates into the existing deployed CA, you need the CA certificate and the CA private key. I'm not sure how easyrsa stores them but I'm guessing you need to point to a directory containing them. Do not remove that directory! Start from like the fourth step where you make client certificates. It's not necessary to do any server related stuff over again, including the time-consuming DH creation.

You can of course start over by generating a new CA chain, of course that will require replacing the CA and certificate on the server and all existing clients.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.