ovpn-key

ovpn-key: key management for OpenVPN

This utility is designed as easy-rsa replacement suitable for one exact use case.

It's basically a wrapper around OpenSSL API to:

• create a self-signed CA
• create client and server certificates and pack them to ZIP files along with the OpenVPN config
• revoke the certificates
• create a DH keyfile

It supports encrypting .key files with a passphrase (there is an option to disable that).

It can be used with a non-self signed CA, just place your ca.key and ca.crt in the keys directory and skip the --ca step.

It can be used to manage a non-OpenVPN CA, in that case --zip and --static steps will be useless, but all others will work.

OpenVPN static keys are supported partially, as they should be used for tls-auth/tls-crypt only. Please note that they are not encrypted regardless of --nopass option.

For now this utility should be considered experimental and rather undocumented.
If you're brave, let me know, where the problems are.

Installation

• Get Ruby
• Run gem install ovpn-key

Usage

• ovpn-key --init
• edit ovpn-key.yml
• ovpn-key --ca --dh
• ovpn-key --server --nopass
• ovpn-key --client somebody [--nopass]
• ovpn-key --revoke somebody
• ovpn-key --static (generates ta.key)
• add a file with .ovpn extension to the directory
  it should contain every setting except for cert and key
• ovpn-key --zip somebody-else [--nopass]

Configuration

It's just a single simple YAML file named ovpn-key.yml.

ovpn-key also processes ~/.ovpn-key.yml file, for now it has only one possible setting:

cd: ~/some/path

This setting is used as a default directory if:

• current directory does not have ovpn-key.yml
• --init is not specified

If you specify the default directory, you don't need to travel to it every time you want to launch ovpn-key, i.e. you can use it from your home directory or any other, as long as requirements above are met.