Table of Contents<\/h2>\n\n- What You Need?<\/a><\/li>\n
- Installing OpenVPN: Simple Steps<\/a><\/li>\n
- Steps to Create the Server Certificate, Key, and Encryption Files<\/a>\n
\n- On the OpenVPN Server<\/a><\/li>\n
- On the CA Server<\/a><\/li>\n<\/ul>\n<\/li>\n
- Steps to Generate a Client Certificate and Key Pair<\/a>\n
\n- On the OpenVPN Server<\/a><\/li>\n
- On the CA Server<\/a><\/li>\n
- Back on the VPN Server<\/a><\/li>\n<\/ul>\n<\/li>\n
- Steps to Configure the OpenVPN Service<\/a><\/li>\n
- Adjusting the Server Networking Configuration<\/a><\/li>\n
- Starting and Enabling the OpenVPN Service<\/a><\/li>\n
- Creating the Client Configuration Infrastructure<\/a><\/li>\n
- Generating Client Configurations<\/a><\/li>\n
- Installing the Client Configuration<\/a><\/li>\n
- Testing Your VPN Connection<\/a><\/li>\n
- Revoking Client Certificates<\/a><\/li>\n
- Conclusion<\/a><\/li>\n<\/ul>\n<\/div>\n
<\/strong><\/p>\nWhat You Need?<\/h2>\n
To follow this tutorial, you’ll need:<\/p>\n
– Two Debian 11 servers: One will host your OpenVPN server, and the other will act as your certificate authority (CA).<\/p>\n
– A non-root user with sudo access on both servers. Follow a Debian 11 setup guide to create a user with these permissions and set up a firewall.<\/p>\n
– Easy-RSA installed on both servers for managing VPN certificates.<\/p>\n
For security, keep your CA\u2019s private key on a separate server that is not connected to the internet. Since your OpenVPN server will likely stay online, it is more vulnerable to attacks. If an attacker gains access to the CA’s private key, they could create certificates to access your VPN. The official OpenVPN documentation recommends using a standalone server for your CA.<\/p>\n
Additionally, if you disable password authentication on these servers, transferring files between them later could be challenging. To fix this, you can either temporarily re-enable password authentication or create an SSH key pair for each server and share their public keys between them.
\n<\/strong>
\nOnce everything is ready, proceed to Step 1 of the tutorial to begin setting up your VPN.<\/p>\nInstalling OpenVPN: Simple Steps<\/h2>\n
Step 1:<\/b> Update Your Server Packages<\/p>\n
Run the command to update the package list:<\/p>\n
# apt update<\/b><\/code><\/pre>\n![\"Update](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-1.png\" "\\"Update")
<\/a><\/p>\nStep 2:<\/b> Install OpenVPN<\/p>\n
Use the following command to install OpenVPN:<\/p>\n
# apt install openvpn<\/b><\/code><\/pre>\n![\"Install](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-2.png\" "\\"Install")
<\/a><\/p>\nStep 3:<\/b> Next Step: Set Up the Server Certificate<\/p>\n
Since you already installed Easy-RSA and set up the Certificate Authority (CA), you can now generate the VPN server\u2019s certificate.<\/p>\n
Steps to Create the Server Certificate, Key, and Encryption Files<\/h2>\nOn the OpenVPN Server:<\/h3>\n
Step 1:<\/b> Install Easy-RSA<\/p>\n
Log in to your vpn Server:<\/b><\/p>\n
Use a non-root user with sudo privileges created during setup.<\/p>\n
Update the system package list:<\/b><\/p>\n
Run the following command:<\/p>\n
# apt update<\/b><\/code><\/pre>\nInstall Easy-RSA:<\/b><\/p>\n
Install the package by typing:<\/p>\n
# apt install easy-rsa<\/b><\/code><\/pre>\n![\"Install](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-1-1.png\" "\\"Install")
<\/a><\/p>\nConfirm installation:<\/b><\/p>\n
When prompted, press y to proceed with the installation.<\/p>\n
At this point, Easy-RSA is installed and ready to use. Next, you’ll set up a Public Key Infrastructure (PKI) directory to start creating your Certificate Authority (CA).<\/p>\n
Step 2: <\/b>Set Up a Public Key Infrastructure Directory<\/p>\n
Create an Easy-RSA directory:<\/b><\/p>\n
Run this command to create a folder in your home directory:<\/p>\n
# mkdir ~\/easy-rsa<\/b><\/code><\/pre>\n![\"Create](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-2-1.png\" "\\"Create")
<\/a><\/p>\nLink Easy-RSA package files:<\/b><\/p>\n
Use symbolic links to connect your ~\/easy-rsa folder to the Easy-RSA package files:<\/p>\n
# ln -s \/usr\/share\/easy-rsa\/* ~\/easy-rsa\/<\/b><\/code><\/pre>\n![\"Link](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-2.1.png\" "\\"Link")
<\/a><\/p>\nNote:<\/b> This method allows automatic updates to Easy-RSA to reflect in your setup.<\/p>\n\t\t\n\t\t\t \n \n \n \n \n \n \t\t\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t <\/div>\n <\/div>\n <\/div>\n <\/section>\n \t\t<\/div>\n\t\t<\/div>\n<\/div>\nSecure the directory:<\/b><\/p>\n
Restrict access to the Easy-RSA folder so only you can use it:<\/p>\n
# chmod 700 ~\/easy-rsa<\/b><\/code><\/pre>\n![\"Secure](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-2.2.png\" "\\"Secure")
<\/a><\/p>\nInitialize the PKI:<\/b><\/p>\n
Navigate to your Easy-RSA directory and initialize the PKI:<\/p>\n
# cd ~\/easy-rsa<\/b><\/code><\/pre>\n# .\/easyrsa init-pki<\/b><\/code><\/pre>\n![\"Initialize](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-2.3.png\" "\\"Initialize")
<\/a><\/p>\nOutput:<\/b><\/p>\n
You will see a message like this:<\/p>\n
init-pki complete; you may now create a CA or requests.<\/b><\/p>\n
Your newly created PKI dir is: \/home\/username\/easy-rsa\/pki<\/b><\/p>\n
Your PKI directory is now set up. In the next step, you’ll create the private key and public certificate for your CA.<\/p>\n
Step 3: <\/b>Generate a Certificate Request<\/p>\n
Run the command below to create a certificate request with the name server (or another name of your choice). Use the nopass option to avoid password protection:<\/p>\n
# .\/easyrsa gen-req server nopass<\/b><\/code><\/pre>\n![\"Generate](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-3.png\" "\\"Generate")
<\/a><\/p>\nPress ENTER to accept the default name when prompted or enter a different one.<\/p>\n
This creates a private key and a request file (server.req).<\/p>\n
Step 4: <\/b>Copy the Server Key to OpenVPN Directory<\/p>\n# cp ~\/easy-rsa\/pki\/private\/server.key \/etc\/openvpn\/<\/b><\/code><\/pre>\n![\"Copy](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-4.png\" "\\"Copy")
<\/a><\/p>\nStep 5:<\/b> Transfer the Certificate Request to the CA Server<\/p>\n
Use scp to transfer the server.req file:<\/p>\n
# scp ~\/easy-rsa\/pki\/reqs\/server.req root@your_CA_ip:\/tmp<\/b><\/code><\/pre>\n<\/strong>
\n![\"Certificate](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-5.png\" "\\"Certificate")
<\/a><\/p>\nOn the CA Server:<\/h3>\n
Step 6:<\/b> Install Easy-RSA<\/p>\n
Log in to your other Server:<\/b><\/p>\n
Use a non-root user with sudo privileges.<\/p>\n
\t\t\n\t\t\t \n \n \n \n \n \n \t\t\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t <\/div>\n <\/div>\n <\/div>\n <\/section>\n \t\t<\/div>\n\t\t<\/div>\n<\/div>\nUpdate the package list:<\/b><\/p>\n
Run:<\/p>\n
# apt update<\/b><\/code><\/pre>\n![\"Update](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-6.png\" "\\"Update")
<\/a><\/p>\nInstall Easy-RSA:<\/b><\/p>\n
Install the package with:<\/p>\n
# apt install easy-rsa<\/b><\/code><\/pre>\n![\"Install](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-6.1.png\" "\\"Install")
<\/a><\/p>\nConfirm installation:<\/b><\/p>\n
When prompted, press y to confirm.<\/p>\n
Easy-RSA is now installed. Next, you will set up a Public Key Infrastructure (PKI) directory.<\/p>\n
Step 7: <\/b>Prepare the Public Key Infrastructure Directory<\/p>\n
Create an Easy-RSA directory:<\/b><\/p>\n
Run:<\/p>\n
# mkdir ~\/easy-rsa<\/b><\/code><\/pre>\n![\"Create](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-7.png\" "\\"Create")
<\/a><\/p>\nLink the package files:<\/b><\/p>\n
Use symbolic links to connect the package files:<\/p>\n
# ln -s \/usr\/share\/easy-rsa\/* ~\/easy-rsa\/<\/b><\/code><\/pre>\n![\"Link](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-7.1.png\" "\\"Link")
<\/a><\/p>\nNote:<\/b> This method ensures that any updates to Easy-RSA are reflected automatically.<\/p>\n
Secure the directory:<\/b><\/p>\n
Restrict access to the directory:<\/p>\n
# chmod 700 ~\/easy-rsa<\/b><\/code><\/pre>\n![\"Secure](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-7.2.png\" "\\"Secure")
<\/a><\/p>\nInitialize the PKI:<\/b><\/p>\n
Navigate to the Easy-RSA folder and initialize:<\/p>\n
# cd ~\/easy-rsa<\/b><\/code><\/pre>\n# .\/easyrsa init-pki<\/b><\/code><\/pre>\n![\"Initialize](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-7.3.png\" "\\"Initialize")
<\/a><\/p>\nOutput:<\/b><\/p>\n
You\u2019ll see a message like:<\/p>\n
init-pki complete; you may now create a CA or requests.<\/b><\/p>\n
Your newly created PKI dir is: \/home\/username\/easy-rsa\/pki<\/b><\/p>\n
Your PKI directory is now ready. Next, you will create a Certificate Authority (CA).<\/p>\n
\t\t\n\t\t\t \n \n \n \n \n \n \t\t\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t <\/div>\n <\/div>\n <\/div>\n <\/section>\n \t\t<\/div>\n\t\t<\/div>\n<\/div>\nStep 8: <\/b>Create a Certificate Authority (CA)<\/p>\n
Edit the configuration file:<\/b><\/p>\n
Navigate to the Easy-RSA directory and create a vars file:<\/p>\n
# nano vars<\/b><\/code><\/pre>\nAdd configuration details:<\/p>\n
Paste the following into the file and modify the values:<\/p>\n
set_var EASYRSA_REQ_COUNTRY \"US\"<\/b>\r\nset_var EASYRSA_REQ_PROVINCE \"New Jersy\"<\/b>\r\nset_var EASYRSA_REQ_CITY \"Old Tappan\"<\/b>\r\nset_var EASYRSA_REQ_ORG \"Accuwebhosting\"<\/b>\r\nset_var EASYRSA_REQ_EMAIL \"nick@accuwebhosting.com\"<\/b>\r\nset_var EASYRSA_REQ_OU \"Technical support\"<\/b>\r\nset_var EASYRSA_ALGO \"ec\"<\/b>\r\nset_var EASYRSA_DIGEST \"sha512\"<\/b><\/code><\/pre>\n![\"Create](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-8.png\" "\\"Create")
<\/a><\/p>\nSave and close the file:<\/b><\/p>\n
In nano, press CTRL+X, then Y, and ENTER.<\/p>\n
Build the CA:<\/b><\/p>\n
Create the private key and public certificate:<\/p>\n
# .\/easyrsa build-ca<\/b><\/code><\/pre>\n![\"Build](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-8.1.png\" "\\"Build")
<\/a><\/p>\nSet a passphrase:<\/b><\/p>\n
You\u2019ll be prompted to enter and confirm a passphrase. Use a strong passphrase and save it securely.<\/p>\n
Confirm the Common Name (CN):<\/b><\/p>\n
Press ENTER to accept the default name, or enter a custom name.<\/p>\n
Output:<\/b><\/p>\n
Enter New CA Key Passphrase:<\/p>\n
Re-Enter New CA Key Passphrase:<\/p>\n
…<\/p>\n
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:<\/p>\n
CA creation is complete and you may now import and sign cert requests.<\/p>\n
Your new CA certificate file for publishing is at:<\/p>\n
\/home\/username\/easy-rsa\/pki\/ca.crt<\/p>\n
You now have two key files:<\/p>\n
ca.crt:<\/b> The public certificate. Share this with users and servers.<\/p>\n
ca.key: <\/b>The private key. Keep this secure and never share it.<\/p>\n
Note: <\/b>If you don\u2019t want to enter a password every time, you can use:<\/p>\n# .\/easyrsa build-ca nopass<\/b><\/code><\/pre>\nYour Certificate Authority is now set up and ready to sign certificate requests or revoke certificates.<\/p>\n
Step 9:<\/b> Navigate to the Easy-RSA Directory<\/p>\n# cd ~\/easy-rsa<\/b><\/code><\/pre>\n![\"Navigate](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-9.png\" "\\"Navigate")
<\/a><\/p>\nStep 10:<\/b> Import the Certificate Request<\/p>\n
Replace server.req and server with the file name and common name you used earlier:<\/p>\n
# .\/easyrsa import-req \/tmp\/server.req server<\/b><\/code><\/pre>\n![\"Import](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-10.png\" "\\"Import")
<\/a><\/p>\nStep 11: <\/b>Sign the Certificate Request<\/p>\n
Use the server request type:<\/b><\/p>\n# .\/easyrsa sign-req server server<\/b><\/code><\/pre>\n– Type yes to confirm the request.<\/p>\n
– If your CA key is encrypted, you\u2019ll need to enter its passphrase.<\/p>\n
\t\t\n\t\t\t \n \n \n \n \n \n \t\t\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t <\/div>\n <\/div>\n <\/div>\n <\/section>\n \t\t<\/div>\n\t\t<\/div>\n<\/div>\nStep 12:<\/b> Transfer the Signed Certificate to the VPN Server<\/p>\n
Use scp to send back the signed certificate:<\/p>\n
# scp pki\/issued\/server.crt root@vpn_server_ip:\/tmp<\/b><\/code><\/pre>\n![\"Use](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-10-1.png\" "\\"Use")
<\/a><\/p>\nAlso, transfer the CA certificate (ca.crt):<\/p>\n
# scp pki\/ca.crt root@your_server_ip:\/tmp<\/b><\/code><\/pre>\n![\"Transfer](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-10.1.png\" "\\"Transfer")
<\/a><\/p>\nBack on the OpenVPN Server:<\/b><\/p>\n
Step 13:<\/b> Copy Certificates to OpenVPN Directory<\/p>\n# cp \/tmp\/{server.crt,ca.crt} \/etc\/openvpn\/<\/b><\/code><\/pre>\n![\"Copy](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-11.png\" "\\"Copy")
<\/a><\/p>\nStep 14:<\/b> Navigate to Easy-RSA Directory<\/p>\n# cd ~\/easy-rsa<\/b><\/code><\/pre>\n![\"Navigate](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-12.png\" "\\"Navigate")
<\/a><\/p>\nStep 15:<\/b> Generate Diffie-Hellman Parameters<\/p>\n# .\/easyrsa gen-dh<\/b><\/code><\/pre>\n![\"Generate](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-13.png\" "\\"Generate")
<\/a><\/p>\nThis may take a few minutes.<\/p>\n
Step 16:<\/b> Create HMAC Signature<\/p>\n# openvpn --genkey secret ta.key<\/b><\/code><\/pre>\n![\"Create](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-14.png\" "\\"Create")
<\/a><\/p>\nStep 17:<\/b> Copy Files to OpenVPN Directory<\/p>\n# cp ~\/easy-rsa\/ta.key \/etc\/openvpn\/<\/b><\/code><\/pre>\n# cp ~\/easy-rsa\/pki\/dh.pem \/etc\/openvpn\/<\/b><\/code><\/pre>\n
- \n
- On the OpenVPN Server<\/a><\/li>\n
- On the CA Server<\/a><\/li>\n<\/ul>\n<\/li>\n
- Steps to Generate a Client Certificate and Key Pair<\/a>\n
- \n
- On the OpenVPN Server<\/a><\/li>\n
- On the CA Server<\/a><\/li>\n
- Back on the VPN Server<\/a><\/li>\n<\/ul>\n<\/li>\n
- Steps to Configure the OpenVPN Service<\/a><\/li>\n
- Adjusting the Server Networking Configuration<\/a><\/li>\n
- Starting and Enabling the OpenVPN Service<\/a><\/li>\n
- Creating the Client Configuration Infrastructure<\/a><\/li>\n
- Generating Client Configurations<\/a><\/li>\n
- Installing the Client Configuration<\/a><\/li>\n
- Testing Your VPN Connection<\/a><\/li>\n
- Revoking Client Certificates<\/a><\/li>\n
- Conclusion<\/a><\/li>\n<\/ul>\n<\/div>\n
<\/strong><\/p>\n
What You Need?<\/h2>\n
To follow this tutorial, you’ll need:<\/p>\n
– Two Debian 11 servers: One will host your OpenVPN server, and the other will act as your certificate authority (CA).<\/p>\n
– A non-root user with sudo access on both servers. Follow a Debian 11 setup guide to create a user with these permissions and set up a firewall.<\/p>\n
– Easy-RSA installed on both servers for managing VPN certificates.<\/p>\n
For security, keep your CA\u2019s private key on a separate server that is not connected to the internet. Since your OpenVPN server will likely stay online, it is more vulnerable to attacks. If an attacker gains access to the CA’s private key, they could create certificates to access your VPN. The official OpenVPN documentation recommends using a standalone server for your CA.<\/p>\n
Additionally, if you disable password authentication on these servers, transferring files between them later could be challenging. To fix this, you can either temporarily re-enable password authentication or create an SSH key pair for each server and share their public keys between them.
\n<\/strong>
\nOnce everything is ready, proceed to Step 1 of the tutorial to begin setting up your VPN.<\/p>\nInstalling OpenVPN: Simple Steps<\/h2>\n
Step 1:<\/b> Update Your Server Packages<\/p>\n
Run the command to update the package list:<\/p>\n
# apt update<\/b><\/code><\/pre>\n<\/a><\/p>\nStep 2:<\/b> Install OpenVPN<\/p>\n
Use the following command to install OpenVPN:<\/p>\n
# apt install openvpn<\/b><\/code><\/pre>\n<\/a><\/p>\nStep 3:<\/b> Next Step: Set Up the Server Certificate<\/p>\n
Since you already installed Easy-RSA and set up the Certificate Authority (CA), you can now generate the VPN server\u2019s certificate.<\/p>\n
Steps to Create the Server Certificate, Key, and Encryption Files<\/h2>\n
On the OpenVPN Server:<\/h3>\n
Step 1:<\/b> Install Easy-RSA<\/p>\n
Log in to your vpn Server:<\/b><\/p>\n
Use a non-root user with sudo privileges created during setup.<\/p>\n
Update the system package list:<\/b><\/p>\n
Run the following command:<\/p>\n
# apt update<\/b><\/code><\/pre>\nInstall Easy-RSA:<\/b><\/p>\n
Install the package by typing:<\/p>\n
# apt install easy-rsa<\/b><\/code><\/pre>\n<\/a><\/p>\nConfirm installation:<\/b><\/p>\n
When prompted, press y to proceed with the installation.<\/p>\n
At this point, Easy-RSA is installed and ready to use. Next, you’ll set up a Public Key Infrastructure (PKI) directory to start creating your Certificate Authority (CA).<\/p>\n
Step 2: <\/b>Set Up a Public Key Infrastructure Directory<\/p>\n
Create an Easy-RSA directory:<\/b><\/p>\n
Run this command to create a folder in your home directory:<\/p>\n
# mkdir ~\/easy-rsa<\/b><\/code><\/pre>\n<\/a><\/p>\nLink Easy-RSA package files:<\/b><\/p>\n
Use symbolic links to connect your ~\/easy-rsa folder to the Easy-RSA package files:<\/p>\n
# ln -s \/usr\/share\/easy-rsa\/* ~\/easy-rsa\/<\/b><\/code><\/pre>\n<\/a><\/p>\nNote:<\/b> This method allows automatic updates to Easy-RSA to reflect in your setup.<\/p>\n
\t\t\n\t\t\t\n \n \n\n\n \n \t\t\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t <\/div>\n <\/div>\n <\/div>\n <\/section>\n \t\t<\/div>\n\t\t<\/div>\n<\/div>\nSecure the directory:<\/b><\/p>\n
Restrict access to the Easy-RSA folder so only you can use it:<\/p>\n
# chmod 700 ~\/easy-rsa<\/b><\/code><\/pre>\n<\/a><\/p>\nInitialize the PKI:<\/b><\/p>\n
Navigate to your Easy-RSA directory and initialize the PKI:<\/p>\n
# cd ~\/easy-rsa<\/b><\/code><\/pre>\n# .\/easyrsa init-pki<\/b><\/code><\/pre>\n<\/a><\/p>\nOutput:<\/b><\/p>\n
You will see a message like this:<\/p>\n
init-pki complete; you may now create a CA or requests.<\/b><\/p>\n
Your newly created PKI dir is: \/home\/username\/easy-rsa\/pki<\/b><\/p>\n
Your PKI directory is now set up. In the next step, you’ll create the private key and public certificate for your CA.<\/p>\n
Step 3: <\/b>Generate a Certificate Request<\/p>\n
Run the command below to create a certificate request with the name server (or another name of your choice). Use the nopass option to avoid password protection:<\/p>\n
# .\/easyrsa gen-req server nopass<\/b><\/code><\/pre>\n<\/a><\/p>\nPress ENTER to accept the default name when prompted or enter a different one.<\/p>\n
This creates a private key and a request file (server.req).<\/p>\n
Step 4: <\/b>Copy the Server Key to OpenVPN Directory<\/p>\n
# cp ~\/easy-rsa\/pki\/private\/server.key \/etc\/openvpn\/<\/b><\/code><\/pre>\n<\/a><\/p>\nStep 5:<\/b> Transfer the Certificate Request to the CA Server<\/p>\n
Use scp to transfer the server.req file:<\/p>\n
# scp ~\/easy-rsa\/pki\/reqs\/server.req root@your_CA_ip:\/tmp<\/b><\/code><\/pre>\n<\/strong>
\n<\/a><\/p>\nOn the CA Server:<\/h3>\n
Step 6:<\/b> Install Easy-RSA<\/p>\n
Log in to your other Server:<\/b><\/p>\n
Use a non-root user with sudo privileges.<\/p>\n
\t\t\n\t\t\t\n \n \n\n\n \n \t\t\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t <\/div>\n <\/div>\n <\/div>\n <\/section>\n \t\t<\/div>\n\t\t<\/div>\n<\/div>\nUpdate the package list:<\/b><\/p>\n
Run:<\/p>\n
# apt update<\/b><\/code><\/pre>\n<\/a><\/p>\nInstall Easy-RSA:<\/b><\/p>\n
Install the package with:<\/p>\n
# apt install easy-rsa<\/b><\/code><\/pre>\n<\/a><\/p>\nConfirm installation:<\/b><\/p>\n
When prompted, press y to confirm.<\/p>\n
Easy-RSA is now installed. Next, you will set up a Public Key Infrastructure (PKI) directory.<\/p>\n
Step 7: <\/b>Prepare the Public Key Infrastructure Directory<\/p>\n
Create an Easy-RSA directory:<\/b><\/p>\n
Run:<\/p>\n
# mkdir ~\/easy-rsa<\/b><\/code><\/pre>\n<\/a><\/p>\nLink the package files:<\/b><\/p>\n
Use symbolic links to connect the package files:<\/p>\n
# ln -s \/usr\/share\/easy-rsa\/* ~\/easy-rsa\/<\/b><\/code><\/pre>\n<\/a><\/p>\nNote:<\/b> This method ensures that any updates to Easy-RSA are reflected automatically.<\/p>\n
Secure the directory:<\/b><\/p>\n
Restrict access to the directory:<\/p>\n
# chmod 700 ~\/easy-rsa<\/b><\/code><\/pre>\n<\/a><\/p>\nInitialize the PKI:<\/b><\/p>\n
Navigate to the Easy-RSA folder and initialize:<\/p>\n
# cd ~\/easy-rsa<\/b><\/code><\/pre>\n# .\/easyrsa init-pki<\/b><\/code><\/pre>\n<\/a><\/p>\nOutput:<\/b><\/p>\n
You\u2019ll see a message like:<\/p>\n
init-pki complete; you may now create a CA or requests.<\/b><\/p>\n
Your newly created PKI dir is: \/home\/username\/easy-rsa\/pki<\/b><\/p>\n
Your PKI directory is now ready. Next, you will create a Certificate Authority (CA).<\/p>\n
\t\t\n\t\t\t\n \n \n\n\n \n \t\t\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t <\/div>\n <\/div>\n <\/div>\n <\/section>\n \t\t<\/div>\n\t\t<\/div>\n<\/div>\nStep 8: <\/b>Create a Certificate Authority (CA)<\/p>\n
Edit the configuration file:<\/b><\/p>\n
Navigate to the Easy-RSA directory and create a vars file:<\/p>\n
# nano vars<\/b><\/code><\/pre>\nAdd configuration details:<\/p>\n
Paste the following into the file and modify the values:<\/p>\n
set_var EASYRSA_REQ_COUNTRY \"US\"<\/b>\r\nset_var EASYRSA_REQ_PROVINCE \"New Jersy\"<\/b>\r\nset_var EASYRSA_REQ_CITY \"Old Tappan\"<\/b>\r\nset_var EASYRSA_REQ_ORG \"Accuwebhosting\"<\/b>\r\nset_var EASYRSA_REQ_EMAIL \"nick@accuwebhosting.com\"<\/b>\r\nset_var EASYRSA_REQ_OU \"Technical support\"<\/b>\r\nset_var EASYRSA_ALGO \"ec\"<\/b>\r\nset_var EASYRSA_DIGEST \"sha512\"<\/b><\/code><\/pre>\n<\/a><\/p>\nSave and close the file:<\/b><\/p>\n
In nano, press CTRL+X, then Y, and ENTER.<\/p>\n
Build the CA:<\/b><\/p>\n
Create the private key and public certificate:<\/p>\n
# .\/easyrsa build-ca<\/b><\/code><\/pre>\n<\/a><\/p>\nSet a passphrase:<\/b><\/p>\n
You\u2019ll be prompted to enter and confirm a passphrase. Use a strong passphrase and save it securely.<\/p>\n
Confirm the Common Name (CN):<\/b><\/p>\n
Press ENTER to accept the default name, or enter a custom name.<\/p>\n
Output:<\/b><\/p>\n
Enter New CA Key Passphrase:<\/p>\n
Re-Enter New CA Key Passphrase:<\/p>\n
…<\/p>\n
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:<\/p>\n
CA creation is complete and you may now import and sign cert requests.<\/p>\n
Your new CA certificate file for publishing is at:<\/p>\n
\/home\/username\/easy-rsa\/pki\/ca.crt<\/p>\n
You now have two key files:<\/p>\n
ca.crt:<\/b> The public certificate. Share this with users and servers.<\/p>\n
ca.key: <\/b>The private key. Keep this secure and never share it.<\/p>\n
Note: <\/b>If you don\u2019t want to enter a password every time, you can use:<\/p>\n
# .\/easyrsa build-ca nopass<\/b><\/code><\/pre>\nYour Certificate Authority is now set up and ready to sign certificate requests or revoke certificates.<\/p>\n
Step 9:<\/b> Navigate to the Easy-RSA Directory<\/p>\n
# cd ~\/easy-rsa<\/b><\/code><\/pre>\n<\/a><\/p>\nStep 10:<\/b> Import the Certificate Request<\/p>\n
Replace server.req and server with the file name and common name you used earlier:<\/p>\n
# .\/easyrsa import-req \/tmp\/server.req server<\/b><\/code><\/pre>\n<\/a><\/p>\nStep 11: <\/b>Sign the Certificate Request<\/p>\n
Use the server request type:<\/b><\/p>\n
# .\/easyrsa sign-req server server<\/b><\/code><\/pre>\n– Type yes to confirm the request.<\/p>\n
– If your CA key is encrypted, you\u2019ll need to enter its passphrase.<\/p>\n
\t\t\n\t\t\t\n \n \n\n\n \n \t\t\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t <\/div>\n <\/div>\n <\/div>\n <\/section>\n \t\t<\/div>\n\t\t<\/div>\n<\/div>\nStep 12:<\/b> Transfer the Signed Certificate to the VPN Server<\/p>\n
Use scp to send back the signed certificate:<\/p>\n
# scp pki\/issued\/server.crt root@vpn_server_ip:\/tmp<\/b><\/code><\/pre>\n<\/a><\/p>\nAlso, transfer the CA certificate (ca.crt):<\/p>\n
# scp pki\/ca.crt root@your_server_ip:\/tmp<\/b><\/code><\/pre>\n<\/a><\/p>\nBack on the OpenVPN Server:<\/b><\/p>\n
Step 13:<\/b> Copy Certificates to OpenVPN Directory<\/p>\n
# cp \/tmp\/{server.crt,ca.crt} \/etc\/openvpn\/<\/b><\/code><\/pre>\n<\/a><\/p>\nStep 14:<\/b> Navigate to Easy-RSA Directory<\/p>\n
# cd ~\/easy-rsa<\/b><\/code><\/pre>\n<\/a><\/p>\nStep 15:<\/b> Generate Diffie-Hellman Parameters<\/p>\n
# .\/easyrsa gen-dh<\/b><\/code><\/pre>\n<\/a><\/p>\nThis may take a few minutes.<\/p>\n
Step 16:<\/b> Create HMAC Signature<\/p>\n
# openvpn --genkey secret ta.key<\/b><\/code><\/pre>\n<\/a><\/p>\nStep 17:<\/b> Copy Files to OpenVPN Directory<\/p>\n
# cp ~\/easy-rsa\/ta.key \/etc\/openvpn\/<\/b><\/code><\/pre>\n# cp ~\/easy-rsa\/pki\/dh.pem \/etc\/openvpn\/<\/b><\/code><\/pre>\n - On the CA Server<\/a><\/li>\n
- On the CA Server<\/a><\/li>\n<\/ul>\n<\/li>\n
![\"Copy](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-15.png\" "\\"Copy")
<\/a><\/p>\n![\"Set](\"https:\/\/accuweb.cloud\/resource\/wp-content\/uploads\/2025\/01\/Step-2-2.png\" "\\"Set")
<\/a><\/p>\n