Lead Image © Orlando Rosu, 123rf.com

Manage OpenVPN keys with Easy-RSA

Key Cabinet

Article from ADMIN 53/2019

By Markus Feilner

The Easy-RSA tool that comes with OpenVPN provides trouble-free open source PKI management.

At OpenVPN seminars, participants arrive with their own wishes and ideas. Although they are satisfied with the OpenVPN support for bandwidth limitation, simple high availability, and flexible traffic management, for example, one topic remains unclear and concerns all VPNs: How does the admin create and manage a simple secure sockets layer (SSL) public key infrastructure (PKI) for many users without spending a large amount of cash on service providers or proprietary software? The ideal solution would be open source – free of licensing costs and similar complications and definitely not cloud- or web-service-based – in which the use of self-signed certificates is not a problem.

In-House Label

OpenVPN [1] traditionally relies on Easy-RSA [2], of which version 2 is widely used. Many, especially the Debian-based, distributions install it along with openvpn – one exception being Ubuntu, which only offers easy-rsa starting with Cosmic Cuttlefish (Ubuntu version 18.10) [3].

The successor, Easy-RSA 3.0 [4], has been available for years and simplifies a few things but is not that different from version 2, on which most solutions and setups are still based. Both versions have one thing in common: They come without a fancy GUI, but as plain vanilla command-line tools, which is a bit unusual for point-and-click GUI users and many admins.

Although Open CA, XCA, and TinyCA also are open source tools for making PKI administration easier, none of them has had any genuine success. The topic itself seems to be too complex and too prone to error, with a workflow that users and even admins just cannot comprehend.

OpenVPN founder James Yonan of OpenVPN

...

Use Express-Checkout link below to read the full article (PDF).