OpenVPN Client Key Generation Guide for a TSE
This document should be used by a Technical Support Engineer (TSE) to
generate the required keys and client certificates for OpenVPN clients.
It does not cover the steps required to generate a CA certificate
(ca.crt) or the rest of the OpenVPN server configuration. Also make
sure that the OpenVPN GUI client is installed correctly on Windows
XP/2000; on a Linux based system, the OpenVPN software must be
installed properly. Its configuration directory is generally
/etc/openvpn on Linux and C:\Program Files\OpenVPN\config on Windows.
0. Log in as root on the system running the OpenVPN server. If the
contents of the directory /etc/openvpn/easy-rsa are accessible to a
non-root user, then log in with that account instead. It is necessary
to protect the directory /etc/openvpn from unauthorized access by
others: anyone who obtains the contents of this directory can
compromise the security of the VPN server.
1. Go to the directory /etc/openvpn/easy-rsa.
cd /etc/openvpn/easy-rsa
2. Choose a common name for the VPN client machine. It should be
unique and preferably should not contain any spaces. For this
discussion, we assume the client machine's common name to be
vpn-client-1.
3. Source the contents of ./vars file.
. ./vars
4. Generate and sign the client certificate.
./build-key-pass vpn-client-1
5. Several questions will be asked. Most of them offer default answers
taken from the values in the file ./vars. If the contents of that file
are correct, then nothing other than a pass phrase and the common name
(vpn-client-1 in this case) needs to be supplied.
6. This generates the key file and the corresponding signed
certificate in /etc/openvpn/easy-rsa/keys; both are named after the
common name given in step 4. Make a tar file of the following files
from that directory:
- vpn-client-1.key
- vpn-client-1.crt
- ca.crt
- ta.key
tar -C /etc/openvpn/easy-rsa/keys -cvf /root/vpn-client-1.tar vpn-client-1.key vpn-client-1.crt ca.crt ta.key
This creates the tar file vpn-client-1.tar in the home directory of
root (/root). If you logged in as a non-root user, then use the home
directory of that account to store this tar file. Copy this file to
the Windows or Linux system on which the OpenVPN client is running. As
soon as this is done, delete the copy of the tar file on the server.
7. Untar this file in /etc/openvpn on Linux based client or in
C:\Program Files\OpenVPN\config on Windows based client.
Make sure that the following parameters are set correctly in the
OpenVPN configuration file (server.conf or client.conf):
proto, dev, ca, cert, key, server, tls-auth, tun-mtu
Generally proto is udp and dev is tun. The value of ca should be
ca.crt, key should be vpn-client-1.key and cert should be
vpn-client-1.crt. The value of server should be the IP address or host
name of the OpenVPN server. The value of tls-auth should be ta.key, and
tun-mtu should match the value set on the server side (generally 1500).
Now restart the OpenVPN software on the client system. In the case of
Windows, use the GUI to connect to the server.
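As an added example that is not part of this guide, the following POSIX shell functions carry out the packaging of step 6 with the checks a TSE would want before handing a bundle to a client: they refuse to proceed if any of the four files is missing, never pick up the server's own key or ca.key, create the archive readable only by the current user, and (with openssl present) confirm that the signed certificate chains to ca.crt and carries the expected common name. The keys directory layout and file names are those used above; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide or from easy-rsa).
# Assumes the easy-rsa 2.x layout used above: all files live in one keys
# directory and the client key/cert are named after the common name.

# bundle_client_files KEYS_DIR COMMON_NAME OUT_TAR
# Packages exactly the four files a client needs. Returns non-zero if any
# is missing or unreadable, or if OUT_TAR already exists.
bundle_client_files() {
    keys_dir=$1; cn=$2; out_tar=$3
    # Only these four files belong in a client bundle; server.key and
    # ca.key from the same directory must never be included.
    for f in "$cn.key" "$cn.crt" ca.crt ta.key; do
        if [ ! -r "$keys_dir/$f" ]; then
            echo "missing or unreadable: $keys_dir/$f" >&2
            return 1
        fi
    done
    if [ -e "$out_tar" ]; then
        echo "refusing to overwrite existing bundle $out_tar" >&2
        return 1
    fi
    # umask 077 in a subshell: the archive holds a private key, so it is
    # created mode 0600 rather than relying on chmod afterwards.
    (umask 077 && tar -C "$keys_dir" -cf "$out_tar" \
        "$cn.key" "$cn.crt" ca.crt ta.key)
}

# bundle_file_list OUT_TAR
# Lists the members of a bundle so what was packaged can be confirmed.
bundle_file_list() {
    tar -tf "$1"
}

# verify_client_cert KEYS_DIR COMMON_NAME
# Checks that the certificate was signed by the CA in ca.crt and that its
# subject carries the expected CN, catching a mistyped name or a stale
# ca.crt before the bundle is shipped. Requires the openssl CLI.
verify_client_cert() {
    keys_dir=$1; cn=$2
    openssl verify -CAfile "$keys_dir/ca.crt" "$keys_dir/$cn.crt" \
        >/dev/null 2>&1 || return 1
    # RFC2253 formatting gives "CN=name,OU=...", stable across versions.
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 \
        -in "$keys_dir/$cn.crt")
    case "$subj" in
        *"CN=$cn,"*|*"CN=$cn") return 0 ;;
        *) echo "unexpected subject: $subj" >&2; return 1 ;;
    esac
}
```

A typical run on the server would be `verify_client_cert /etc/openvpn/easy-rsa/keys vpn-client-1 && bundle_client_files /etc/openvpn/easy-rsa/keys vpn-client-1 /root/vpn-client-1.tar`, followed by deleting the tar file once it has been copied to the client.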