Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Debian 8 - Managing OpenVPN Clients

I've previously written about how to configure your OpenVPN server to give your client's individual static IPs. It can be a bit tedious to manually run all of those steps so here are some scripts for managing your clients/users.

Adding Clients

#!/bin/bash

# make sure the client has postfix and mutt for
# sending the encrypted login credentials via
# email
sudo apt-get install postfix mutt -y

USER=`whoami`

if [ "$USER" != "root" ]; then
        echo "You need to run me with sudo!"
        exit
fi

echo -n "Enter the desired ip (e.g. 10.8.0.2): "
read DESIRED_STATIC_IP

echo -n "Enter a one-word (hyphens allowed) name for the client (e.g. seafile): "
read CLIENT_NAME

echo "ifconfig-push $DESIRED_STATIC_IP 10.8.0.1" > /etc/openvpn/staticclients/$CLIENT_NAME
cd /etc/openvpn/easy-rsa
. vars
. build-key $CLIENT_NAME

mkdir /tmp/vpn.configs
cp /etc/openvpn/easy-rsa/keys/ca.crt \
/etc/openvpn/easy-rsa/keys/$CLIENT_NAME.crt \
/etc/openvpn/easy-rsa/keys/$CLIENT_NAME.key \
/tmp/vpn.configs

tar --create --gzip --file /tmp/vpn.configs.tar.gz /tmp/vpn.configs


gpg \
--cipher-algo AES256 \
--no-use-agent \
--symmetric \
/tmp/vpn.configs.tar.gz


echo -n "Enter the email address where I should send the login certificates: "
read EMAIL_ADDRESS

# email yourself the encrypted configs
mutt -a /tmp/vpn.configs.tar.gz.gpg -s "Your VPN configs for $CLIENT_NAME" -- $EMAIL_ADDRESS

# cleanup
sudo rm -rf /tmp/vpn.configs
sudo rm -rf /tmp/vpn.configs.tar.gz
sudo rm -rf /tmp/vpn.configs.tar.gz.gpg

If you configure postfix to send as an "Internet Site" rather than plugging in an smtp server, then your details will probably be in your spam folder. You will need to decrypt them with GPG before then uncompressing the tar.gz file.

When you have your config files on your client machine, add a file called client.conf. Use the following template, making sure to fill in the $CONFIG_FILE_PATH and the $VPN_SERVER_IP variables.

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote $VPN_SERVER_IP 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca $CONFIG_FILE_PATH/ca.crt
cert $CONFIG_FILE_PATH/$CLIENT_NAME.crt
key $CONFIG_FILE_PATH/$CLIENT_NAME.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

Now you have all the files on your client, create and run the following script from within the same folder to start the VPN connection.

#!/bin/bash
SCRIPT=$(readlink -f "$0")
DIR=$(dirname "$SCRIPT") 
sudo /usr/sbin/openvpn --config $DIR/client.conf --script-security 2

Removing Clients

Below is a script to remove a vpn client. Execute the script with sudo.

#!/bin/bash
USER=`whoami`

if [ "$USER" != "root" ]; then
        echo "You need to run me with sudo!"
        exit
fi

echo -n "Enter the client name: "
read CLIENT_NAME

# Remove the client from the database
cd /etc/openvpn/easy-rsa
source ./vars
./revoke-full $CLIENT_NAME

# remove the client keys
cd /etc/openvpn/easy-rsa/keys
rm $CLIENT_NAME.key
rm $CLIENT_NAME.csr
rm $CLIENT_NAME.crt

# remove the static clients file
rm /etc/openvpn/staticclients/$CLIENT_NAME
Last updated: 17th January 2021
First published: 16th August 2018