This step integrates the certificates and keys generated earlier into Access Server. The server's private key stays PKCS #11-backed in the CryptoHub, while Access Server reads the associated certificate and parameter files from its configuration database, which you populate with sacli below. You'll then configure a test user and connect with a server-locked profile.

Prepare the Access Server key directory

1. Connect to the Access Server console and get root privileges.
2. Create a directory for your external PKI files:
Shell
mkdir epki && cd epki
3. Copy the required files (the CA certificate, server certificate and server key generated earlier; the paths below are placeholders) into the directory:
Shell
cp /path/to/ca.crt ./
cp /path/to/server.crt ./
cp /path/to/server.key ./

Generate required OpenVPN keys and parameters

1. Generate a tls-auth key (written as ta.key):
Shell
/usr/local/openvpn_as/scripts/certool --tls_auth
2. Generate Diffie-Hellman parameters for the OpenVPN server; 2048 bits is the minimum size you should use:
Shell
openssl dhparam -out dh.pem 2048
3. Generate the auth-token key (written as auth_token.key); the file is imported in the next section:
Shell
/usr/local/openvpn_as/scripts/certool --auth_token
4. Require X.509 explicit and extended key usage checks on peer certificates, following the RFC 3280 TLS rules:
Shell
/usr/local/openvpn_as/scripts/sacli --key "external_pki.remote_cert_usage" --value eku ConfigPut
5. Use the X.509 "role" attribute to declare auto-login permission: a client certificate whose role attribute has the value AUTOLOGIN is treated as permitted to auto-login:
Shell
/usr/local/openvpn_as/scripts/sacli --key "external_pki.autologin_x509_spec" --value "role,,AUTOLOGIN" ConfigPut
6. Generate the tls-crypt-v2 server key (written as tls_crypt2.key):
Shell
/usr/local/openvpn_as/scripts/certool --tls_crypt2_server

Import certificates and keys into Access Server

1. Load the files into the Access Server configuration database:
Shell
/usr/local/openvpn_as/scripts/sacli --key "external_pki.ta_key" --value_file ta.key ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.ca_crt" --value_file ca.crt ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.server_crt" --value_file server.crt ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.server_key" --value_file server.key ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.dh_pem" --value_file dh.pem ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.auth_token_key" --value_file auth_token.key ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.tls_cryptv2_server" --value_file tls_crypt2.key ConfigPut
2. Restart Access Server so the new certificates, keys and parameters take effect:
Shell
systemctl restart openvpnas