OpenVPN CA scripts
This repository provides some scripts that wrap cloudflare's cfssl tool to provide an alternative to openvpn's easy-rsa.
Usage
First, install cfssl and openvpn. On a mac with homebrew, you would run:
brew install cfssl openvpn
Optional: edit config/csr.json and change the country and org values for
your certificates. They can be safely left at the defaults however.
Run ./init.sh. This will generate the ca certificate, a server certificate,
and a tls-auth static key file inside certs/:
- ca.pem
- ca-key.pem
- server.pem
- server-key.pem
- ta.key
Copy these files (except for ca-key.pem) to your openvpn server and reference them in your openvpn config. For example:
ca ca.pem
cert server.pem
key server-key.pem
tls-auth ta.key 0
Creating a client
Run ./client.sh CLIENTNAME. This will create a client certificate and key
inside of certs/:
- clientname.pem
- clientname-key.pem
Copy these files, along with ca.pem and ta.key to your openvpn client and
reference them in your config:
ca ca.pem
cert clientname.pem
key clientname-key.pem
tls-auth ta.key 1
Note: you can include certificates directly in your client config. See https://community.openvpn.net/openvpn/wiki/IOSinline for an example of how to do this.