Setup Easy-RSA
You will need to download the OpenVPN source, unless you already have the easy-rsa scripts somewhere on your system. These scripts can be run from any system except Windows.
1. First, edit the file 'vars'. On Gentoo, the default directory for easy-rsa is /usr/share/openvpn/easy-rsa. I copied mine from /usr/share/openvpn/easy-rsa to /etc/openvpn/ so that my certificates wouldn't get nuked during subsequent upgrades/modifications:
| root@localhost:~# cd /usr/share/openvpn |
| root@localhost:/usr/share/openvpn# cp -r easy-rsa /etc/openvpn/ |
| root@localhost:/usr/share/openvpn# cd /etc/openvpn/easy-rsa/ |
| root@localhost:/etc/openvpn/easy-rsa/# vi vars |
2. Scroll to the bottom and fill out the five values (export KEY_{COUNTRY,PROVINCE,CITY,ORG,EMAIL}) so they're relevant for you. Save and exit the file.
Generate Certs with Easy-RSA
1. We need to source the vars file:
| root@localhost:/etc/openvpn/easy-rsa/# source ./vars |
2. Then we clean everything out:
| root@localhost:/etc/openvpn/easy-rsa/# ./clean-all |
3. Then we build the CA. Make sure to fill out your information appropriately.
| root@localhost:/etc/openvpn/easy-rsa/# ./build-ca |
4. Now we need to generate the certificate and private key for the server. Make sure to fill out your information appropriately. When it asks for the Common Name (CN), enter server.
| root@localhost:/etc/openvpn/easy-rsa/# ./build-key-server server |
5. Build the Diffie-Hellman parameters. Make sure to fill out your information appropriately:
| root@localhost:/etc/openvpn/easy-rsa/# ./build-dh |
6. Generate the certificates for your client(s). Note that each client must have its own unique certificate. Make sure to fill out your information appropriately; client1 and client2 below are just example names. Note: if you would like to password-protect your client keys, use the build-key-pass script instead of build-key:
| root@localhost:/etc/openvpn/easy-rsa/# ./build-key client1 |
| root@localhost:/etc/openvpn/easy-rsa/# ./build-key client2 |
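Before copying anything out of keys/, it is worth checking what the steps above actually produced: that every certificate chains to ca.crt, that each one has a matching private key that is not group/world readable, that no two certificates share a CN (one certificate per client, as step 6 requires) and that the server certificate's CN really is server. The script below is an added example and is not part of the original page or of Easy-RSA; it assumes only the openssl CLI and Easy-RSA 2's default file names (ca.crt, server.crt/server.key, client1.crt/client1.key, dh*.pem). The make_demo_keys function builds a constructed stand-in for the keys/ directory with plain openssl so the checker can be tried without running the build-* scripts; all function names here are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check the keys/
# directory that the Easy-RSA 2 scripts produce before copying anything
# to the server or clients. Assumes only the openssl CLI and Easy-RSA's
# default file names (ca.crt, server.crt/.key, <client>.crt/.key, dh*.pem).

# cert_cn FILE: print the Common Name of an X.509 certificate
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_keys DIR: return 0 when every certificate in DIR chains to ca.crt,
# has a matching private key that is not group/world readable, CNs are
# unique (one certificate per client) and the server cert's CN is "server".
check_keys() {
    dir=$1
    status=0
    for f in ca.crt server.crt server.key; do
        [ -f "$dir/$f" ] || { echo "FAIL: missing $dir/$f"; return 1; }
    done
    for crt in "$dir"/*.crt; do
        name=${crt##*/}
        [ "$name" = ca.crt ] && continue
        key=${crt%.crt}.key
        # Every issued certificate must verify against the CA
        openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 \
            || { echo "FAIL: $name does not verify against ca.crt"; status=1; }
        [ -f "$key" ] || { echo "FAIL: no private key for $name"; status=1; continue; }
        # Keys made with build-key-pass are encrypted; skip the match test for those
        if ! grep -q ENCRYPTED "$key"; then
            [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
              "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
                || { echo "FAIL: $key does not match $name"; status=1; }
        fi
        # A private key readable by group/others should never leave this box
        [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] \
            || { echo "FAIL: $key is group/world readable (chmod 600)"; status=1; }
    done
    # One certificate per client means no two certificates share a CN
    dups=$(for c in "$dir"/*.crt; do cert_cn "$c"; done | sort | uniq -d)
    [ -z "$dups" ] || { echo "FAIL: duplicate CN(s): $dups"; status=1; }
    [ "$(cert_cn "$dir/server.crt")" = server ] \
        || { echo "FAIL: server.crt CN is not 'server'"; status=1; }
    ls "$dir"/dh*.pem >/dev/null 2>&1 || echo "WARN: no DH parameters (run ./build-dh)"
    return $status
}

# make_demo_keys DIR: constructed stand-in for Easy-RSA's output, built with
# plain openssl (a throwaway CA plus server, client1 and client2), so this
# script can be tried without running the build-* scripts.
make_demo_keys() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
    for name in server client1 client2; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -days 30 \
            -out "$dir/$name.crt" 2>/dev/null
        rm -f "$dir/$name.csr"
        chmod 600 "$dir/$name.key"
    done
}

# Usage: ./check_keys.sh /etc/openvpn/easy-rsa/keys   (no argument runs the demo)
if [ -n "$1" ]; then
    check_keys "$1"
else
    demo=$(mktemp -d)
    make_demo_keys "$demo"
    check_keys "$demo" && echo "OK: $demo"
fi
```

Run it against the real directory as `sh check_keys.sh /etc/openvpn/easy-rsa/keys` after step 6; a non-zero exit means at least one FAIL line was printed. The key/certificate match test is skipped for encrypted keys (the build-key-pass case) because openssl would prompt for the passphrase, and the missing-DH check is only a warning since build-dh output is not needed on clients.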