Project

General

Profile

Feature #2243

Multiple users and custom certificates with OpenVPN

Added by chayes874 over 2 years ago. Updated over 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
05/16/2017
Due date:
% Done:

0%


Description

This is to help those who might want to create OpenVPN custom certificates for supporting multiple users. I set up my system in 2016 under Amahi 8 using OpenVPN, but I had to piece together the information to make it work. I am currently supporting a team of 8 people who collaborate through a phpBB forum hosted on my Amahi server. Everyone connects using their own OpenVPN certificate and key which allows simultaneous access for multiple users.

The two main pages that helped me get it working were:
https://wiki.amahi.org/index.php/OpenVPN_custom_certificates
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

I could duplicate the whole procedure again and document it in detail, but that won't be anytime soon. As best I can recall, these were the steps:
  • Define users and passwords via Amahi dashboard
  • Install OpenVPN from Amahi app store
  • Copy /usr/share/doc/openvpn/easy-rsa to /etc/openvpn
  • Follow the instructions on the EasyRSA3-OpenVPN-Howto page
    • I only init-pki once
    • Build the ca
    • Build the server .crt and .key
    • Build multiple client .crt and .key
    • I believe you only need to "gen-req" and then "sign"
  • I created the ca.crt, server.crt, server.key and all client.crt/client.key on the Amahi server. Everything was created at /etc/openvpn/easy-rsa/easyrsa3/pki
  • Copy out created ca.crt, server.crt, server.key and dh.pem to /etc/openvpn/amahi
  • Modify etc/openvpn/amahi.conf to point to these files in the /etc/openvpn/amahi directory
  • Create .crt and .key for each user according to instructions on OpenVPN wiki page
  • In the pki directory, .crt files will be in the issued directory, .key files will be in the private directory
  • chmod 777 on .crt and .key files
  • Create ovpn config file that:
    • points to your Dynamic DNS (remote username.yourhda.com 1194)
    • points to ca.crt, client.crt, client.key
  • Package up ca.crt, client.crt, client.key and ovpn config file
  • Deliver these files to the end user
  • End-user installs an OpenVPN client and uses the files to connect

I recall there being an issue with Tunnelblick not loading the ovpn config file correctly. Like it didn't understand the file (created on Windows), but copying the text to a new text file created on the local Mac resolved the issue. This happened to two users. Other than that, it worked as expected. I also created documentation showing them how to load VPN clients under Windows, iOS and OS X, where to place the files they received and how to connect using the client.

Once everyone is connected via their chosen OpenVPN client, they can connect to the phpBB forum that the Amahi server is hosting.

I made plenty of mistakes generating the crts and keys, but eventually I made it work and in the end it really wasn't too difficult.

History

#1 Updated by chayes874 over 2 years ago

  • Tracker changed from Bug to Feature

Also available in: Atom