[Solved] OpenVPN - Create OVPN file for the second user

Hi everyone,

I followed the OpenVPN guide, last edited by @vgaetera. This is the link to the documentation https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic. The OpenVPN server is running without an issue.
I have also followed the guide below to generate the key file for the second user (https://openwrt.org/docs/guide-user/services/vpn/openvpn/extra), but I have no idea how to export the ovpn file. Could you assist me with that?

Thank you!

1 Like

What do you mean by "export"?
Based on that documentation you would have created a key/cert for each user. You then would need to create an OVPN config file for the respective users and copy that conf and the key/cert to the client machine.

1 Like

The guide provided a script, but I have no idea how to separate it for my usage:


# Configuration parameters
OVPN_DH="$(cat ${OVPN_PKI}/dh.pem)"
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" ${OVPN_PKI}/tc.pem)"
OVPN_CA="$(openssl x509 -in ${OVPN_PKI}/ca.crt)"
NL=$'\n'
 
# Configure VPN server and generate client profiles
umask go=
ls ${OVPN_PKI}/issued \
| sed -e "s/\.\w*$//" \
| while read -r OVPN_ID
do
OVPN_KEY="$(cat ${OVPN_PKI}/private/${OVPN_ID}.key)"
OVPN_CERT="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt)"
OVPN_CERT_EXT="$(openssl x509 -in ${OVPN_PKI}/issued/${OVPN_ID}.crt -purpose)"
OVPN_CONF_SERVER="\
user nobody
group nogroup
dev ${OVPN_DEV}
port ${OVPN_PORT}
proto ${OVPN_PROTO}
server ${OVPN_POOL}
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push \"dhcp-option DNS ${OVPN_DNS}\"
push \"dhcp-option DOMAIN ${OVPN_DOMAIN}\"
push \"redirect-gateway def1\"
push \"persist-tun\"
push \"persist-key\"
<dh>${NL}${OVPN_DH}${NL}</dh>"
OVPN_CONF_CLIENT="\
dev ${OVPN_DEV%%[0-9]*}
nobind
client
remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO}
auth-nocache
remote-cert-tls server"
OVPN_CONF_COMMON="\
<tls-crypt>${NL}${OVPN_TC}${NL}</tls-crypt>
<key>${NL}${OVPN_KEY}${NL}</key>
<cert>${NL}${OVPN_CERT}${NL}</cert>
<ca>${NL}${OVPN_CA}${NL}</ca>"
case ${OVPN_CERT_EXT} in
(*"SSL server : Yes"*) cat << EOF > ${OVPN_DIR}/${OVPN_ID}.conf ;;
${OVPN_CONF_SERVER}
${OVPN_CONF_COMMON}
EOF
(*"SSL client : Yes"*) cat << EOF > ${OVPN_DIR}/${OVPN_ID}.ovpn ;;
${OVPN_CONF_CLIENT}
${OVPN_CONF_COMMON}
EOF
esac
done
/etc/init.d/openvpn restart
ls ${OVPN_DIR}/*.ovpn

This is the script for generating the server.conf and client.ovpn.

easyrsa build-client-full client2

This is the script to generate the certificate for the client 2. How about the client2.ovpn, how do I get it?

Looks like you would need to call the script after you created the certificates for client2, as it looks like that script creates a conf and ovpn file for every OVPN_ID that is listed in issued.
Those files would be in ${OVPN_DIR}/${OVPN_ID}.ovpn

2 Likes

Thanks a lot. It works.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

1 Like

The configs generated by the script include key/certs, so there's typically no need to manage them separately, as most clients support inline notation or can import key/certs from the config.

1 Like

Yeah, at first I had only looked at the second link he had sent. The script in his first link is truly comprehensive and creates a file with all the information.

1 Like
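
A single-client variant of the client half of the script quoted above, as an added example that is not part of the thread or of the OpenWrt guide: it builds the inline profile for one ID instead of looping over every issued certificate, and creates the file owner-only because it embeds the private key. The function name, its arguments, the `dev tun` line and the PEM extraction with sed (in place of `openssl x509`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper): write the .ovpn profile for ONE client.
# Client directives mirror OVPN_CONF_CLIENT from the script in the thread.
# usage: make_client_profile PKI_DIR OUT_DIR CLIENT_ID SERVER PORT PROTO
make_client_profile() {
    pki=$1 out=$2 id=$3 serv=$4 port=$5 proto=$6
    # The ID becomes part of file paths, so accept plain names only.
    case $id in
        ''|.*|*[!A-Za-z0-9_.-]*) echo "bad client id: $id" >&2; return 1 ;;
    esac
    crt=$pki/issued/$id.crt key=$pki/private/$id.key
    for f in "$crt" "$key" "$pki/ca.crt" "$pki/tc.pem"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # easy-rsa .crt files carry a text dump before the PEM body; keep the PEM only.
    pem='/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
    (
        umask 077                 # profile embeds the private key: owner-only
        rm -f "$out/$id.ovpn"     # an old file would keep its old permissions
        {
            # "dev tun" is an assumption (the guide derives it from OVPN_DEV).
            printf '%s\n' "dev tun" nobind client \
                "remote $serv $port $proto" auth-nocache "remote-cert-tls server"
            printf '<tls-crypt>\n'; sed -e '/^#/d' "$pki/tc.pem"; printf '</tls-crypt>\n'
            printf '<key>\n';  cat "$key";                 printf '</key>\n'
            printf '<cert>\n'; sed -n "$pem" "$crt";       printf '</cert>\n'
            printf '<ca>\n';   sed -n "$pem" "$pki/ca.crt"; printf '</ca>\n'
        } > "$out/$id.ovpn"
    ) || return 1
    printf '%s\n' "$out/$id.ovpn"   # path of the generated profile
}
```

Unlike the full script, this does not rewrite the server config or restart OpenVPN, so existing sessions are not interrupted when a user is added.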
