[SOLVED] OpenVPN: Add clients without rebuilding all keys?

I’ve followed this video:

and after a lot of reading, brainstorming and testing with a friend I got myself a working OpenVPN setup.

Here is the server config:

cat /etc/openvpn/server.andrzejl.eu.conf

dev tun
port 40404
proto tcp
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
ca server.andrzejl.eu.crt
cert client.andrzejl.eu.crt
key client.andrzejl.eu.key
dh server.andrzejl.eu.dh8192.pem
push "redirect-gateway def1 bypass-dhcp"
client-to-client
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
#push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
script-security 3 system
client-connect /etc/openvpn/Client_Connected.sh
keepalive 10 60
user nobody
group nobody

Here is the script that sends me an e-mail each time somebody connects. (Note that a client-connect script only needs script-security 2; level 3 additionally lets OpenVPN hand passwords to scripts through the environment, and the "system" execution method is deprecated in favour of "execve".)

cat /etc/openvpn/Client_Connected.sh

#!/bin/bash
# Send an e-mail when a client connects, with today's time and date.
# OpenVPN runs this as the client-connect script (as user nobody, see the
# server config) with the session's details in the environment:
#   $common_name  - CN of the client's certificate
#   $trusted_ip   - the peer's real address, set only after the TLS handshake
#   $trusted_port - the peer's real source port
#   $tun_mtu      - MTU of the tunnel
NOW="$(date +"%H:%M:%S - %d-%m-%Y")"
# The blank line after the SUBJECT header separates the headers from the
# body; the lone "." ends the message for sendmail (the EOF would do so too).
sendmail openvpn@andrzejl.eu <<EOF
FROM: openvpn@andrzejl.eu
TO: andrzejl@andrzejl.eu
SUBJECT: $NOW: Client connected to the AndrzejL.eu OpenVPN server: $common_name

At $NOW, $common_name connected to the AndrzejL.eu OpenVPN server.
Client's IP: $trusted_ip
Client's PORT: $trusted_port
Client's MTU: $tun_mtu
.
EOF
# A non-zero exit status from a client-connect script makes OpenVPN reject
# the connection, so always return 0 here.
exit 0

Here is an example of the message the script sends:

Subject:

09:14:09 - 02-02-2015: Client connected to the AndrzejL.eu OpenVPN server: andrzejl

Body:

At 09:14:09 - 02-02-2015, andrzejl connected to the AndrzejL.eu OpenVPN server.
Client's IP: 86.44.168.4
Client's PORT: 59213
Client's MTU: 1500

Here is the list of the server files with permissions:

ls --full-time /etc/openvpn/

total 44
-r-------- 1 root root 13749 2014-08-24 10:45:55.412850235 +0100 client.andrzejl.eu.crt
-r-------- 1 root root 6388 2014-08-24 10:45:55.429517125 +0100 client.andrzejl.eu.key
-r-x------ 1 nobody nobody 448 2015-01-31 19:30:05.772365139 +0000 Client_Connected.sh
drw------- 3 root root 4096 2014-08-22 00:27:38.010289003 +0100 easy-rsa
-r-------- 1 root root 500 2015-01-31 19:07:28.741675880 +0000 server.andrzejl.eu.conf
-r-------- 1 root root 3857 2014-08-24 10:45:55.442850636 +0100 server.andrzejl.eu.crt
-r-------- 1 root root 1464 2014-08-24 10:45:55.449517392 +0100 server.andrzejl.eu.dh8192.pem

The server was enabled and started.

systemctl enable openvpn@server.andrzejl.eu

systemctl start openvpn@server.andrzejl.eu

And here is a bit about the client…

cat /etc/modules-load.d/openvpn.conf

tun

Here is the client config:

cat /etc/openvpn/andrzejl.eu.conf

client
dev tun
proto tcp
remote andrzejl.eu 40404
resolv-retry infinite
nobind
persist-key
persist-tun
ca server.andrzejl.eu.crt
cert client.andrzejl.eu.crt
key client.andrzejl.eu.key
remote-cert-tls server
cipher AES-256-CBC
verb 3

Here is the list of the client side files with permissions:

ls --full-time /etc/openvpn/

total 52
-r-------- 1 root root 214 2015-01-31 17:50:39.000000000 +0000 andrzejl.eu.conf
-r-------- 1 andrzejl andrzejl 13624 2014-08-24 17:37:11.000000000 +0100 client.andrzejl.eu.crt
-r-------- 1 andrzejl andrzejl 6392 2014-08-24 17:37:07.000000000 +0100 client.andrzejl.eu.key
-r-------- 1 root root 3857 2014-08-24 12:26:47.000000000 +0100 server.andrzejl.eu.crt

The client can be enabled at boot with:

systemctl enable openvpn@andrzejl.eu

or started manually with

systemctl start openvpn@andrzejl.eu

If you do not use a systemd-based distro, you can start the OpenVPN client with this set of commands:

su

modprobe tun

cd /etc/openvpn/

openvpn ./andrzejl.eu.conf

It will work fine too.

So I had the OpenVPN server up and running… However, then I ran into a little snag… I rebooted the server and went about my business, just to realize that I had no idea how to generate keys for new clients. It turns out it's not just a matter of entering the directory and running ./build-key newclient…

[easy-rsa]# ./build-key newclient
Please edit the vars script to reflect your configuration,
then source it with “source ./vars”.
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run “./clean-all”.
Finally, you can run this tool (pkitool) to build certificates/keys.
[easy-rsa]# ls keys/

cd /etc/openvpn/easy-rsa/
. ./vars
./build-key newclient

This, however… works ;). The important part is sourcing ./vars first, and NOT running ./clean-all as the message suggests: that deletes the existing CA and every certificate it has issued, which is exactly the "rebuilding all keys" the question is about.
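As an added example (not part of the original post, and not easy-rsa's own code): a small wrapper around the procedure above. It refuses to run if the CA is gone (the situation ./clean-all creates) or if a valid certificate with that CN has already been issued, then sources ./vars, runs ./build-key and checks the new certificate against the CA with openssl. It assumes the stock easy-rsa 2 layout (keys/ca.crt, keys/ca.key and keys/index.txt under /etc/openvpn/easy-rsa); the path, the function names, and the index.txt subject format with a /CN= component are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: guarded "add a client" for
# easy-rsa 2.x.  Assumed layout: $EASY_RSA/vars, $EASY_RSA/build-key and
# $EASY_RSA/keys/{ca.crt,ca.key,index.txt}.  Usage: add_client newclient
set -u

EASY_RSA="${EASY_RSA:-/etc/openvpn/easy-rsa}"   # assumed location

# pki_ready DIR NAME -> 0 if DIR/keys holds a usable CA and NAME is free.
# Returns 1 when the CA is missing (somebody ran ./clean-all, or the PKI
# lives elsewhere) and 2 when a valid cert for CN=NAME already exists:
# openssl ca (which build-key calls) refuses duplicate subjects among valid
# entries, or, with unique_subject = no, silently issues a second one.
pki_ready() {
    local dir="$1" name="$2" keys="$1/keys"
    if [ ! -s "$keys/ca.key" ] || [ ! -s "$keys/ca.crt" ]; then
        echo "no CA in $keys - do NOT run ./clean-all, it wipes the CA" >&2
        return 1
    fi
    # index.txt is tab separated: status (V/R/E), expiry, revocation date,
    # serial, file, subject.  Only valid ("V") entries block a new cert.
    if [ -f "$keys/index.txt" ] &&
       grep -Eq "^V[[:space:]].*/CN=${name}(/|[[:space:]]|$)" "$keys/index.txt"; then
        echo "a valid certificate for CN=$name is already issued" >&2
        return 2
    fi
    return 0
}

# verify_client_cert CA CERT -> 0 if CERT chains to CA and is usable as a
# TLS client cert (build-key issues clientAuth certs; the server cert from
# build-key-server would fail the sslclient purpose check).
verify_client_cert() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null || return 1
    openssl x509 -in "$2" -noout -subject
}

# add_client NAME: run the checks, source vars (sets KEY_DIR, KEY_SIZE and
# the subject defaults), build the cert and key, and verify the result.
# Runs in a subshell so that cd and the vars environment do not leak.
add_client() {
    local name="$1"
    pki_ready "$EASY_RSA" "$name" || return $?
    (
        cd "$EASY_RSA" || exit 1
        # shellcheck disable=SC1091
        . ./vars
        ./build-key "$name" || exit 1
        verify_client_cert "keys/ca.crt" "keys/$name.crt"
    )
}
```

After a successful run, keys/newclient.crt and keys/newclient.key are what go into the client's /etc/openvpn/ together with the CA certificate; the server needs nothing new, since it trusts the CA rather than individual clients.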

Source: http://serverfault.com/questions/229116/openvpn-add-clients-without-rebuilding-all-keys

Cheers.

Andrzej

P.S. Replace the word newclient with the nickname / name of the person you are generating the key for.


One Comment:

  1. Thanks :) As always, it works :)
