How to Add/Remove Additional Users to OpenVPN

To continue on from the previous tutorial on setting up OpenVPN on Ubuntu we will now see what is required to add and remove users on our server.

Adding Users

A lot of the steps are the same as creating the initial installation so it should look pretty familiar.  Lets assume our new client is called home_pc.

The first step is to generate the key.

cd $HOME/clientside/easy-rsa/easyrsa3
./easyrsa gen-req home_pc nopass
cd $HOME/serverside/easy-rsa/easyrsa3
./easyrsa import-req $HOME/clientside/easy-rsa/easyrsa3/pki/reqs/home_pc.req home_pc
./easyrsa sign-req client home_pc

After the keys are created copy all the required files to the clientside directory.
cp $HOME/serverside/easy-rsa/easyrsa3/pki/issued/home_pc.crt $HOME/clientside/
cp $HOME/serverside/easy-rsa/easyrsa3/ta.key $HOME/clientside/
cp $HOME/serverside/easy-rsa/easyrsa3/pki/ca.crt $HOME/clientside/
cp $HOME/clientside/easy-rsa/easyrsa3/pki/private/home_pc.key $HOME/clientside/

Open the OpenVPN configuration file

nano $HOME/clientside/home_pc.ovpn

The same as before, paste the following.

dev tun
scramble obfuscate insert_SAME_password_here
proto udp
remote insert_server_address_here 443
resolv-retry infinite
ca ca.crt
cert home_pc.crt
key home_pc.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
verb 3
script-security 2

Edit the file to change the xclientx names to home_pc. Save the file.
cd $HOME/clientside/
nano $HOME/clientside/

Run the script.
Now there will be a single file in your $HOME/clientside/ directory called home_pc.ovpn. Use WinSCP to connect via SCP to this directory and copy the file to your PC. Thats it. Now you can use the ovpn file to connect.

Removing Users

To revoke a user is very simple. Lets assume we want to remove the home_pc user we just created.

Add the following to your server.conf file
nano /etc/openvpn/server.conf
crl-verify /root/serverside/easy-rsa/easyrsa3/pki/crl.pem

Revoke the certificate
cd $HOME/serverside/easy-rsa/easyrsa3
./easyrsa revoke home_pc
./easyrsa gen-crl

Restart OpenVPN.
sudo /etc/init.d/openvpn restart

To verify that the user is disabled open the following file.
nano /root/serverside/easy-rsa/easyrsa3/pki/index.txt
You should see an R in the first column beside the name. Indicating the certificate has been revoked.

One Reader Comment

Leave a Comment