Client Key Generation
OpenVPN Client Key Generation Guide for a TSE
This document is intended for a Technical Support Engineer (TSE) who needs to generate the keys and client certificates required by OpenVPN clients.
It does not cover the steps required to generate a CA certificate (ca.crt) or the other details of configuring the OpenVPN server. Make sure the OpenVPN GUI client is installed correctly on Windows XP/2000, and that the OpenVPN software is installed properly on Linux based systems. The configuration directory is generally /etc/openvpn on Linux and C:\Program Files\OpenVPN\config on Windows.
- Log in as root on the system running the OpenVPN server. If the contents of /etc/openvpn/easy-rsa are accessible to a non-root user, use that account to log in instead. The directory /etc/openvpn must be protected from unauthorized access: anyone who obtains its contents can compromise the security of the VPN server.
- Go to the directory /etc/openvpn/easy-rsa.
cd /etc/openvpn/easy-rsa
- Choose a common name for the VPN client machine. It must be unique and preferably should not contain any spaces. In this guide the client machine's common name is assumed to be vpn-client-1.
- Source the contents of the ./vars file.
. ./vars
- Generate and sign the client certificate.
./build-key-pass vpn-client-1
- You will be prompted for a number of values. Most of them have default answers taken from the ./vars file; if the contents of that file are correct, only the pass phrase and the common name (vpn-client-1 in this case) need to be supplied.
- This generates the key file and the corresponding signed certificate in /etc/openvpn/easy-rsa/keys (easy-rsa names them after the common name). Make a tar file of the following files from that directory:
- vpn-client-1.key
- vpn-client-1.crt
- ca.crt
- ta.key
tar -C /etc/openvpn/easy-rsa/keys -cvf /root/vpn-client-1.tar vpn-client-1.key vpn-client-1.crt ca.crt ta.key
This creates the tar file vpn-client-1.tar in the home directory of root (/root). If you logged in as a non-root user, store the tar file in the home directory of that account instead. Copy this file to the Windows or Linux system on which the OpenVPN client runs. As soon as the copy is done, delete the tar file from the server.
- Untar this file in /etc/openvpn on a Linux based client, or in C:\Program Files\OpenVPN\config on a Windows based client.
Make sure that following parameters are set correctly in the configuration file of OpenVPN (server.conf or client.conf).
- proto
- dev
- ca
- cert
- key
- server
- tls-auth
- tun-mtu
Generally proto is udp and dev is tun. The value of ca should be ca.crt, key should be vpn-client-1.key and cert should be vpn-client-1.crt. The value of server should be the IP address or host name of the OpenVPN server. The value of tls-auth should be ta.key, and tun-mtu should match the value set on the server side (generally 1500).
Now restart the OpenVPN software on client system. In case of Windows, use the GUI to connect to the server.
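The following helper script is an added example and is not part of the original guide or of easy-rsa. It carries out the server-side packaging steps above with the checks a TSE would want before shipping a bundle: a common-name check, a check that the key directory is not readable by group or others, a check that all four files exist before the tar file is created, and generation of a client.conf with the parameters listed above. It assumes easy-rsa is in /etc/openvpn/easy-rsa with its keys in the keys/ subdirectory (both paths can be overridden), and that the server listens on UDP port 1194; the host name vpn.example.com is a placeholder. Note that an OpenVPN client names the server with the remote directive (server is the corresponding server-side directive), so that is what the generated configuration uses.

```shell
#!/bin/sh
# Added example (not from the original guide or from easy-rsa): helper
# functions for packaging OpenVPN client keys on the server.
# Assumed layout: easy-rsa in /etc/openvpn/easy-rsa, keys in its keys/ dir.
EASY_RSA_DIR="${EASY_RSA_DIR:-/etc/openvpn/easy-rsa}"
KEYS_DIR="${KEYS_DIR:-$EASY_RSA_DIR/keys}"

# A common name must not be empty and must not contain spaces or other
# characters that would be awkward in file names. Returns 0 when acceptable.
valid_common_name() {
    case "$1" in
        "" | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 only when the directory's group and other permission bits are all
# clear, i.e. nobody but the owner (and root) can read the private keys.
keys_dir_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # Columns 5-10 of "ls -ld" are the group and other permission bits.
    mode=$(ls -ld "$dir" | cut -c5-10)
    case "$mode" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Bundle the four files the client needs into one tar file. Every file must
# exist before tar runs so that a partial bundle is never shipped; the
# resulting archive is owner-readable only.
package_client_files() {
    cn="$1"; out="$2"; dir="${3:-$KEYS_DIR}"
    valid_common_name "$cn" || { echo "bad common name: $cn" >&2; return 1; }
    for f in "$cn.key" "$cn.crt" ca.crt ta.key; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    tar -C "$dir" -cf "$out" "$cn.key" "$cn.crt" ca.crt ta.key &&
    chmod 600 "$out"
}

# Write a client.conf with the parameters the guide lists. The server address
# goes in the "remote" directive; "server" is the server-side directive.
# Port 1194 is OpenVPN's default and is an assumption here.
write_client_conf() {
    cn="$1"; server="$2"; out="$3"; mtu="${4:-1500}"
    cat > "$out" <<EOF
client
proto udp
dev tun
remote $server 1194
ca ca.crt
cert $cn.crt
key $cn.key
tls-auth ta.key 1
tun-mtu $mtu
EOF
}

# Full run on the server (needs easy-rsa, so left commented out):
#   keys_dir_is_private "$KEYS_DIR" || echo "WARNING: $KEYS_DIR is readable by others" >&2
#   cd "$EASY_RSA_DIR" && . ./vars && ./build-key-pass vpn-client-1
#   package_client_files vpn-client-1 /root/vpn-client-1.tar
#   write_client_conf vpn-client-1 vpn.example.com /root/client.conf 1500
#   # copy /root/vpn-client-1.tar to the client, then: rm /root/vpn-client-1.tar
```

The functions only package and validate; they never print key material, and the tar file is created with mode 600 so that a second account on the server cannot read it while it waits to be copied.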