I've just managed to set up OpenVPN properly on my server and tested it to be working properly with client computers, and I came to wonder how OpenVPN keys can be generated as clients come and go.
Is it necessary to rebuild the Diffie-Hellman .dh file and recreate all previous client keys when I just need to add or remove a client?
Thanks
As Ency says, provided you've created your own CA, you simply create another key for the new user. Before any more gets typed, when you set up OpenVPN you did create your own CA, as recommended, didn't you?
Edit: OK, then
I also have some notes somewhere about making a CRL, which allows you to revoke old certificates, and pointing OpenVPN at the CRL, but I can't immediately find them.
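The workflow this answer and Ency's describe (own CA, one new certificate per joining client, a CRL for leaving clients that the server's crl-verify directive reads), as an added example with plain openssl, not code from the thread. It assumes openssl is on PATH; CA_DIR, the client names and every other value are constructed for the demo.

```shell
# Added example, not from the thread: own CA with plain openssl. Assumes openssl on PATH; all names/paths constructed.
set -e
CA_DIR="${CA_DIR:-$(mktemp -d)}"
ca_init() {
    mkdir -p "$CA_DIR/newcerts"; : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -config "$CA_DIR/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo CA" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    # Publish an empty CRL from day one so the server's crl-verify always has a file to load
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -crldays 30 -out "$CA_DIR/crl.pem" 2>/dev/null
}
# A joining client only needs its own CSR signed; the DH file and existing client certs are untouched
client_issue() {
    openssl req -config "$CA_DIR/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
    openssl ca -batch -config "$CA_DIR/ca.cnf" -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}
# A leaving client is revoked in the CA database and the CRL regenerated (server side: crl-verify crl.pem)
client_revoke() {
    openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/$1.crt" 2>/dev/null
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -crldays 30 -out "$CA_DIR/crl.pem" 2>/dev/null
}
# Exit 0 when the cert chains to the CA and is not listed in the CRL, which is what crl-verify checks
client_is_valid() {
    openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/crl.pem" "$CA_DIR/$1.crt" >/dev/null 2>&1
}
ca_init; client_issue alice; client_issue bob; client_revoke bob
```

After the run, alice's certificate still verifies while bob's is rejected, without touching the DH parameters or alice's key.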
My solution is:
I have got my own Certificate Authority and any time I need a new client I just create another certificate. It is simple and I am pretty sure you can do the same thing even with easyRSA delivered with OpenVPN. It is also more universal, because you can easily manage certificates for other services such as Apache, etc.
Use the duplicate-cn option and one key for all clients, or use easy-rsa to create user certificates.
You can also tie the CN (that houses the user login name) of the user cert to a login that you can administer, for example, with FreeRADIUS. I wrote a small integration script a couple of years ago. This way you can simply block user access by removing them from the FreeRADIUS user list. The idea is that the certificate will protect the VPN from anyone else, and the FreeRADIUS login from the user itself (should the user's login need to be revoked). You can find the script and additional detail here.
Tested on OpenVPN 2.4.7 on Windows 7. I followed these steps:
vars.bat
.\clean-all.bat
.\build-key A_New_Client
It is assumed that vars.bat hasn't been changed since the last time, especially the key size part, and that openssl-1.0.0.cnf is kept default.