- OpenVPN-PKI-Manager
  - batch-pki-gen.sh: generate a batch of certificates and keys
  - ctemplate.ovpn: client configuration template
  - pki-gen.sh: generate certificates and keys
  - app.py: Flask web server for client file distribution
  - db_init.py: database initialization and management
  - manage_users.py: user management script
  - assign_files.py: file assignment script
  - generate_random_users.py: random user generator
  - config.py: configuration settings
  - start_server.sh: web server startup script
  - templates/: HTML templates for web interface
    - base.html: base template
    - index.html: homepage
    - login.html: login page
    - dashboard.html: user dashboard
Assume that the certificates and keys are generated on machine a, the client is installed on machine b, and the openvpn server is installed on machine c.
The following uses easy-rsa to generate the certificates and keys required for openvpn.

(on machine a) Download and install easy-rsa:

```bash
yay -S easy-rsa
```

Generate and sign the certificates:

```bash
easyrsa init-pki
easyrsa build-ca
easyrsa gen-req server nopass
easyrsa sign-req server server
easyrsa gen-req client nopass
easyrsa sign-req client client
easyrsa gen-dh
cd pki
openvpn --genkey secret ta.key
```
The generated certificates and keys that matter for the following steps are laid out as follows:

```
pki:
ca.crt  dh.pem  issued  reqs  ta.key  private

pki/issued:
client.crt  server.crt

pki/private:
ca.key  client.key  server.key

pki/reqs:
client.req  server.req
```
(on server c) Download and install openvpn:

```bash
yay -S openvpn
```

Copy the generated certificates and keys from machine a to server c:

```bash
cd pki
scp ca.crt dh.pem issued/server.crt private/server.key ta.key {username}@{server_ip}:/etc/openvpn/server/
```
(on server c)

After installing openvpn, a sample configuration file is available. Its location may differ between systems, but it should be easy to find:

```bash
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
```

Modify the configuration file as needed.

Start openvpn:

```bash
systemctl enable openvpn@server
systemctl start openvpn@server
```
(on machine b)

You can use batch-pki-gen.sh to batch generate client certificates and keys (pki-gen.sh generates a single client). Both scripts now support parameterized configuration, so you don't need to manually modify the template file.
```bash
# Generate a single client certificate with default settings
./pki-gen.sh -c client1

# Generate a client certificate with specific server IP and port
./pki-gen.sh -c client1 -s 192.168.1.100 -p 1194

# Generate a client certificate and save to specific directory
./pki-gen.sh -c client1 -s 192.168.1.100 -p 1194 -o ./clients

# Generate with long form parameters
./pki-gen.sh --clientname user1 --server 192.168.1.100 --port 1194 --output-dir /path/to/clients

# Generate 100 clients with default settings (using template as-is)
./batch-pki-gen.sh -n 100

# Generate 50 clients with specific server IP and port
./batch-pki-gen.sh -n 50 -s 192.168.1.100 -p 1194

# Generate 10 clients with server IP only (using default port 1194)
./batch-pki-gen.sh --num-clients 10 --server 192.168.1.100

# Generate 20 clients with long form parameters
./batch-pki-gen.sh --num-clients 20 --server 192.168.1.100 --port 1194

# Generate clients and save to specific directory
./batch-pki-gen.sh -n 50 -s 192.168.1.100 -p 1194 -o ./clients

# Generate with all parameters including output directory
./batch-pki-gen.sh --num-clients 25 --server 192.168.1.100 --port 1194 --output-dir /path/to/clients
```
pki-gen.sh parameters:
- -c, --clientname: Client name (required)
- -s, --server: Server IP address (optional)
- -p, --port: Server port (optional, default: 1194)
- -o, --output-dir: Output directory for client file (optional, default: current directory)

batch-pki-gen.sh parameters:
- -n, --num-clients: Number of clients to generate (default: 100)
- -s, --server: Server IP address (optional)
- -p, --port: Server port (optional, default: 1194)
- -o, --output-dir: Output directory for client files (optional, default: current directory)
If no server IP is specified, the generated client configuration files will use the template as-is, and you can manually modify the server settings later.
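The substitution the scripts perform, shown as an added Python example that is not part of the project's own code: the template's `remote` line is rewritten only when a server is given, and the four PKI files from the easy-rsa layout above are embedded inline. The sample template and PEM placeholders are constructed here, since the README does not show ctemplate.ovpn.

```python
import re
from pathlib import Path

# Constructed stand-in for ctemplate.ovpn; the README does not show the real
# template, so its exact directives are an assumption.
SAMPLE_TEMPLATE = """client
dev tun
proto udp
remote 10.0.0.1 1194
remote-cert-tls server
key-direction 1
"""

# Constructed PEM placeholders standing in for the files under pki/.
SAMPLE_PKI = {
    "ca": "-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----",
    "cert": "-----BEGIN CERTIFICATE-----\nCLIENT\n-----END CERTIFICATE-----",
    "key": "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----",
    "tls-auth": "-----BEGIN OpenVPN Static key V1-----\nTA\n-----END OpenVPN Static key V1-----",
}

def render_client_ovpn(template, pki_files, server=None, port=1194):
    """Return a single-file client config with the PKI material inlined.

    pki_files maps ca/cert/key/tls-auth to PEM text. When server is None the
    template's 'remote' line is left untouched, as the README describes.
    """
    config = template
    if server is not None:
        config, n = re.subn(r"(?m)^remote\s+\S+\s+\d+[ \t]*$",
                            f"remote {server} {port}", config)
        if n == 0:
            raise ValueError("template has no 'remote <host> <port>' line")
    for block in ("ca", "cert", "key", "tls-auth"):
        pem = pki_files[block].strip()
        if not pem.startswith("-----BEGIN"):  # refuse to ship an empty or garbled file
            raise ValueError(f"{block}: not PEM data")
        config += f"<{block}>\n{pem}\n</{block}>\n"
    return config

def load_pki_files(pki_dir, client):
    """Read the files from the easy-rsa layout shown above for one client."""
    pki = Path(pki_dir)
    paths = {"ca": pki / "ca.crt", "cert": pki / "issued" / f"{client}.crt",
             "key": pki / "private" / f"{client}.key", "tls-auth": pki / "ta.key"}
    return {name: p.read_text() for name, p in paths.items()}
```

`load_pki_files("pki", "client1")` feeds `render_client_ovpn` on a real easy-rsa directory; the result is what a user imports into their OpenVPN client.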
The web management interface provides a user-friendly way to distribute OpenVPN client configuration files to users. It includes:
- User authentication system
- Download management
- Install Python dependencies:

  ```bash
  conda create -n ovpn python=3.10 -y
  conda activate ovpn
  pip3 install -r requirements.txt
  ```

- Modify the file path of client files (in config.py):

  ```python
  # File path configuration
  CLIENT_FILES_DIR = '.'  # Base directory where client files are located
  CLIENT_FILE_PATTERN = 'clients_ovpn/client*.ovpn'  # Client file matching pattern
  ```

- Initialize the database:

  ```bash
  python3 db_init.py
  ```

  This will:
  - Create the SQLite database
  - Create necessary tables (users, client_files)
  - Add default admin user
  - Scan for existing client files and add them to database

- Start the web server:

  ```bash
  ./start_server.sh
  ```

  Or manually:

  ```bash
  python3 app.py
  ```

- Access the web interface:
  - Open your browser and go to http://localhost:5000
  - Default admin credentials: admin/admin123
- File Download: Download assigned client configuration files
- Personal Dashboard: View only files assigned to you
- Secure Access: Only download files assigned to you
- Simple Interface: Clean and easy-to-use interface
- Backend Management: Use command-line tools to manage users and file assignments
- CSV Import: Bulk import users from CSV files
- User Management: Add, remove, and modify user accounts
- File Assignment: Assign client files to users via database operations
```bash
# Initialize the database
python3 db_init.py

# Interactive user management
python3 manage_users.py

# Import users from CSV
python3 manage_users.py --import-csv users.csv

# Export users to CSV
python3 manage_users.py --export-csv users_backup.csv

# List all users
python3 manage_users.py --list-users

# Generate 100 random users
python3 generate_random_users.py -n 100 -o users.csv

# Preview generated users
python3 generate_random_users.py -n 10 --preview

# Interactive file assignment
python3 assign_files.py

# List all files and their status
python3 assign_files.py --list-files

# List all users
python3 assign_files.py --list-users

# Assign specific file to user
python3 assign_files.py --assign client1.ovpn username1 --notes "Production user"

# Unassign file
python3 assign_files.py --unassign client1.ovpn

# Batch assign files using regex patterns
python3 assign_files.py --batch-assign ".*" ".*client.*.ovpn" --notes "Batch assignment"
```
- Access the web interface:
  - Go to http://YOUR_SERVER:5000 (default port is 5000)
  - Login with your credentials

- Download your files:
  - View assigned client files
  - Download .ovpn configuration files
  - Import to OpenVPN client
The system uses an SQLite database (ovpn_clients.db) to store:
- users table: user accounts and authentication
- client_files table: client configuration files and assignments

users table:
- id: Primary key
- username: Unique username
- password_hash: Hashed password
- is_admin: Boolean admin flag

client_files table:
- id: Primary key
- filename: Client file name (e.g., client1.ovpn)
- assigned_to: Username of assigned user
- assigned_date: Assignment timestamp
- notes: Assignment notes
- is_available: Boolean availability flag
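How these two tables back the "only download files assigned to you" rule, as an added Python example rather than the project's own app.py or db_init.py: the download path is released only when the client_files row names the requesting user and is available, and the resolved path is additionally kept inside the client directory. The column types, the salt$pbkdf2 password format and the seeded rows are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from pathlib import Path

# Schema reconstructed from the column list above; the column types and the
# salt$pbkdf2 password format are assumptions, not the project's own code.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                    password_hash TEXT NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0);
CREATE TABLE client_files (id INTEGER PRIMARY KEY, filename TEXT UNIQUE NOT NULL,
                    assigned_to TEXT, assigned_date TEXT, notes TEXT,
                    is_available INTEGER NOT NULL DEFAULT 1);
"""

def hash_password(password, salt=None):
    # PBKDF2-SHA256 with a random per-user salt; the plaintext is never stored.
    salt = salt or os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 200_000)
    return f"{salt}${digest.hex()}"

def verify_password(password, stored):
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, salt), stored)

def authorized_download_path(conn, username, filename, client_dir):
    """Path of the file only if it is assigned to this user, marked available,
    and resolves inside client_dir; otherwise None."""
    row = conn.execute(
        "SELECT filename FROM client_files WHERE filename = ? AND assigned_to = ? "
        "AND is_available = 1", (filename, username)).fetchone()
    if row is None:
        return None  # unassigned, assigned to someone else, or disabled
    base = Path(client_dir).resolve()
    target = (base / row[0]).resolve()
    if base not in target.parents:  # defence in depth against '../' in a stored name
        return None
    return str(target)

def open_demo_db():
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 ("username1", hash_password("s3cret")))
    conn.execute("INSERT INTO client_files (filename, assigned_to, assigned_date, notes) "
                 "VALUES ('client1.ovpn', 'username1', '2024-01-01', 'Production user'), "
                 "('client2.ovpn', NULL, NULL, NULL)")
    return conn
```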