OpenVPN server with several clients


I am trying set up OpenWrt as a VPN server. So I followed the steps from:

I was finally able to get the server up and running and also I can connect a client to the VPN. But:

A) how can I now create another ovpn file for another client?

B) And can I create another ovpn file with another passphrase, so that each connection (or each client) has its own passphrase?

Also I found that there is a package openvpn-easy-rsa. easyrsa seems to be able to generate diferent ovpn files. But this is different from the steps explained in the openwrt user guide mentioned above.

C) Would it be wiser to create all the certificates with this package instead?

Thank you very much for your help



When you are generating your client certs, you can make as many as you want -- each one should just be done with a different name and you'll have unique certs for each device/person, etc, and each one can have its own passphrase. You would want to do this with the same CA as you used to generate your initial keys. If that's not possible (i.e. you no longer have access to your original CA or you made incompatible changes to the CA server), you'll probably need to regenerate all keys/certs if you want to make new ones.

EasyRSA will work fine from a functionality perspective, but there are some warnings about using this package from a security perspective. Instead, it is recommended that you use OpenSSL. But the same thing should apply.

Alternatively, there is a directive in OpenVPN that allows the same client certs to be used on multiple client devices simultaneously. This is not recommended since it is considered dangerous from a security perspective, but if you don't mind the security risk, you can enable this feature.

Actually it's possible to update OpenVPN Basic guide to use Easy-RSA.
It should make PKI-management easier.
If there's no strong reason against, then it would be for the better.

Okay, that is what I also got from reading, that EasyRSA does the job easier but with a certain security risk.

And all the provided scripts from the OpenWRT user guide are using openssl. So let's try it with openssl... What I use is something like the following two lines:

# Generating Client Cert & Key
openssl req -batch -new -keyout "user-1.key" -out "user-1.csr" -subj "/CN=vpnclient" -config "$PKI_CONF"

# Signing Client Cert
openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "user-1.csr" -out "user-1.crt" -config "$PKI_CONF" -extensions "vpnclient"

do I need the parameters -subj -extensions ?

And after that just run again to create the config files.

Are those warnings still relevant?

Are you sure?
Official OpenVPN How-To uses Easy-RSA:

Full disclosure, I have been using certs generated by Easy-RSA. As such, I cannot speak to the OpenSSL process from any personal experience.

Regarding security, though, in this thread, @JW0914 was pretty emphatic that Easy-RSA should not be used.

So I created a new script, based on the which creates new users:


# Using openssl.cnf

# Show error message
if [ $# != 1 ]
    echo "Please provide a user name with this script:"
    echo "Example: ./ john"

# Creating new user
cd "$PKI_DIR"

# Generating Client Cert & Key
# PASSPHRASE MUST BE SET (4 chars minimum, 16+ chars recommended)
openssl req -batch -new -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" -config "$PKI_CONF"
# Signing Client Cert
openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "$1.csr" -out "$1.crt" -config "$PKI_CONF" -extensions

# Correcting Permissions
chmod 600 "$1.key"

# Copying Certs & Keys to $VPN_DIR
cp "$1.*" "$VPN_DIR"

# Returning to initial working directory
cd -

Just not quite sure if I am using -subj and -extensions parameter correctly here.

Yesterday I went through all the steps to set up a OpenVPN server with several clients using EasyRSA. I can share my steps and help to write this down if this is in general interest.

According to our last discussion on that topic we've come to agreement that security issues have already been resolved: