Integration Steps
Configure OpenVPN Access Server and set up a test client
After the keys and certificates are prepared, this section covers integrating them with OpenVPN Access Server: the keys are stored in {{k3}} and referenced during server configuration. The integration supports strong cryptographic operations and helps align the deployment with enterprise security policies.

At a high level, these are the steps for your configuration:

1. Create the tls-auth key.
2. Generate Diffie-Hellman parameters.
3. Import the necessary certificate and key files into Access Server.
4. Configure the test client in the OpenVPN Access Server Admin UI.
5. Generate and download a server-locked profile for the client.
6. Install the profile and the .p12 file in OpenVPN Connect v3.

Configure OpenVPN Access Server

1. Switch to root and create a working directory:

    sudo su
    mkdir epki && cd epki

2. Place ca.crt, server.crt, and server.key in the epki directory:

    cp /path/to/ca.crt .
    cp /path/to/server.crt .
    cp /path/to/server.key .

3. Create a tls-auth key for the OpenVPN server (this writes ta.key):

    /usr/local/openvpn_as/scripts/certool --tls-auth

4. Generate Diffie-Hellman parameters for the OpenVPN server:

    openssl dhparam -out dh.pem 2048

5. For Access Server 2.7 and newer, you must also generate the auth-token key (auth_token.key) and load the generated file in step 9:

    /usr/local/openvpn_as/scripts/certool --auth-token

6. Configure X.509 explicit/extended key usage based on RFC 3280 TLS rules. With this setting the server certificate must carry the serverAuth extended key usage and client certificates must carry clientAuth; a certificate without the expected EKU is rejected during the TLS handshake:

    /usr/local/openvpn_as/scripts/sacli --key "external_pki.remote_cert_usage" --value "eku" ConfigPut

7. Configure the use of the X.509 "role" attribute for the declaration of auto-login permission:

    /usr/local/openvpn_as/scripts/sacli --key "external_pki.autologin_x509_spec" --value "role,,autologin" ConfigPut

8. Generate the tls-crypt v2 key (Access Server 2.9.0 and higher only):

    /usr/local/openvpn_as/scripts/certool --tls-crypt2-server

9. Load the newly generated files into the Access Server configuration database (omit the auth_token_key line on versions older than 2.7 and the tls_cryptv2_server line on versions older than 2.9.0):

    /usr/local/openvpn_as/scripts/sacli --key "external_pki.ta_key" --value_file ta.key ConfigPut
    /usr/local/openvpn_as/scripts/sacli --key "external_pki.ca_crt" --value_file ca.crt ConfigPut
    /usr/local/openvpn_as/scripts/sacli --key "external_pki.server_crt" --value_file server.crt ConfigPut
    /usr/local/openvpn_as/scripts/sacli --key "external_pki.server_key" --value_file server.key ConfigPut
    /usr/local/openvpn_as/scripts/sacli --key "external_pki.dh_pem" --value_file dh.pem ConfigPut
    /usr/local/openvpn_as/scripts/sacli --key "external_pki.auth_token_key" --value_file auth_token.key ConfigPut
    /usr/local/openvpn_as/scripts/sacli --key "external_pki.tls_cryptv2_server" --value_file tls_crypt2.key ConfigPut

    ConfigPut copies the file contents into the configuration database, so the plaintext copies in the epki directory (in particular server.key) are no longer needed once these commands succeed; restrict their permissions or delete them.

10. Restart the Access Server:

    systemctl restart openvpnas

Configure the test client in the Admin Web UI

1. Go to https://<Access Server IP>:943/admin/login and log in with the username openvpn and the password, which is usually found in the init log:

    sudo cat /usr/local/openvpn_as/init.log

2. Click Users > Add New User, create a new user, etest, and click Save.
3. Under User Settings, scroll down to Authentication and enter the preferred password for the test client.
4. Click Save in the top right corner, then click Restart at the top of the page.
5. In a terminal, generate a server-locked profile, etest.ovpn:

    /usr/local/openvpn_as/scripts/sacli GetGeneric > etest.ovpn

6. Copy the files etest.p12 and etest.ovpn to the client machine.

Install the profile in OpenVPN Connect v3

1. Launch OpenVPN Connect v3 on Windows or macOS.
2. In the app, click the three-bar icon in the top left corner and select My Profiles.
3. Click the + icon and upload the etest.ovpn file.
4. Click the three-bar icon in the top left corner and select Certificates & Tokens.
5. Under PKCS #12, click the + icon and upload the etest.p12 file. Enter the password that was configured in step 6 of Prepare Cryptographic Material for Access Server.
6. Click the three-bar icon in the top left corner and select My Profiles. Click the pencil icon next to the newly uploaded profile, scroll down to Certificates and click Select, then click the circular button next to etest and click Select.
7. Click Save Changes.