ovpn-key: key management for OpenVPN 
This utility is designed as an easy-rsa replacement suitable for one exact use case.
It's basically a wrapper around OpenSSL API to:
- create a self-signed CA
- create client and server certificates and pack them to ZIP files along with the OpenVPN config
- revoke the certificates
- create a DH keyfile
It supports encrypting .key files with a passphrase (there is an option to disable that).
It can be used with a non-self-signed CA: just place your ca.key and ca.crt in the keys directory and skip the --ca step.
It can also be used to manage a non-OpenVPN CA; in that case the --zip and --static steps will be useless, but all others will work.
OpenVPN static keys are supported partially, as they should be used for tls-auth/tls-crypt only.
Please note that they are not encrypted regardless of the --nopass option.
For now this utility should be considered experimental and rather undocumented.
If you're brave, let me know where the problems are.
Installation
- Get Ruby
- Run
gem install ovpn-key
Usage
- ovpn-key --init
- edit ovpn-key.yml
- ovpn-key --ca --dh
- ovpn-key --server --nopass
- ovpn-key --client somebody [--nopass]
- ovpn-key --revoke somebody
- ovpn-key --static (generates ta.key)
- add a file with .ovpn extension to the directory
  it should contain every setting except for cert and key
- ovpn-key --zip somebody-else [--nopass]
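The kind of OpenSSL API work that creating a CA, issuing a client certificate with a passphrase-protected key, and revoking it involves, sketched with Ruby's standard openssl library. This is an added example, not ovpn-key's own code; the helper names (issue, make_crl, accepted?, demo), subject names, serial numbers and passphrase are constructed for illustration.

```ruby
require 'openssl'

# Issue a certificate for key; self-signed CA when issuer is nil.
def issue(cn, key, serial, issuer = nil, issuer_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', issuer ? 'digitalSignature' : 'keyCertSign,cRLSign', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# CRL signed by the CA that lists the revoked serial numbers.
def make_crl(ca, ca_key, serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # CRL v2
  crl.issuer = ca.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 86_400
  serials.each do |s|
    crl.add_revoked(OpenSSL::X509::Revoked.new.tap { |r| r.serial = s; r.time = Time.now })
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# True only if cert chains to the CA and its serial is not on the CRL.
def accepted?(cert, ca, crl)
  store = OpenSSL::X509::Store.new.add_cert(ca).add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  store.verify(cert)
end

# Constructed walk-through: CA, one client, encrypted key, revocation.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue('Example CA', ca_key, 1)
  key = OpenSSL::PKey::RSA.new(2048)
  client = issue('somebody', key, 2, ca, ca_key)
  pem = key.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), 'constructed-passphrase')
  { key_encrypted: pem.include?('ENCRYPTED'),
    before_revoke: accepted?(client, ca, make_crl(ca, ca_key, [])),
    after_revoke: accepted?(client, ca, make_crl(ca, ca_key, [client.serial])) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Revocation only takes effect on a verifier that loads the current CRL and enables CRL checking, which is what the store flag in accepted? does here.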
Configuration
Most of the configuration is done in the open-vpn.key and openssl.ini files in the directory.
ovpn-key also processes the ~/.ovpn-key.yml file; for now it has only one possible setting:
cd: ~/some/path
This setting is used as a default directory if:
- current directory does not have ovpn-key.yml
- --init is not specified
If you specify the default directory, you don't need to travel to it every time you want to launch ovpn-key, i.e. you can use it from your home directory or any other, as long as the requirements above are met.