Setting up a roadwarrior VPN with OpenVPN was a bit tricky for me. Therefore, I have put together some scripts which should make a sensible setup easier.
Feel free to let me know if you encouter any issues with this.
The configs generated by these scripts require OpenVPN version >=2.4.
On some machine which you trust with the PKI:
- Clone this git:
git clone https://github.com/cfra/roadwarrior-vpn.git - Create a
SETTINGSfile fromSETTINGS.example. - Initialize the CA:
./init_ca.sh - Create Server Config:
./new_endpoint.sh server <server-common-name> - Create Client Config:
./new_endpoint.sh client <client-common-name>
- Install OpenVPN on the server:
apt install openvpn - Edit the VPN config
- Put the generated config from the PKI system to the machine which should be
the VPN server:
scp servers/vpn.example.com.ovpn vpn.example.com:/etc/openvpn/roadwarrior.conf - On the server, enable and start the VPN service:
systemctl enable openvpn@roadwarrior.service systemctl start openvpn@roadwarrior.service
- Verify its status:
systemctl status openvpn@roadwarrior.service
- The generated config should just be usable as is
- Call the revocation script:
./revoke_endpoint.sh client <client-common-name> - Copy the generated CRL from
pki/ca/crl/current.pemto a place where OpenVPN can read it and reference it like this, updating the path accordingly:crl-verify crl/current.pem