Diff for "TechDocs/TechnicalProcesses/VPN/NewUser"

Differences between revisions 1 and 2
Revision 1 as of 2018-04-24 07:18:50
Size: 1732
Editor: vincent
Comment:
Revision 2 as of 2023-01-19 10:19:28
Size: 1852
Editor: tobiasd
Comment: added note that the document moved to docs.fsfe.org
Line 2: Line 2:

{{{#!wiki warning
'''This page has been moved to docs.fsfe.org with the rest of the sysadmin documentation.'''
}}}
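
Review bot: the added warning names only the host docs.fsfe.org, not the new location of this page, so a reader who lands here still has to search for the current procedure; link the target page directly. The old steps also stay in place below the warning, so the warning should say whether the text that follows is still maintained.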

Giving access to a new user

This page has been moved to docs.fsfe.org with the rest of the sysadmin documentation.

To allow a client to access the VPN server, you just have to create a client certificate following the procedure below; no configuration changes are needed on the server (the server automatically allows client certificates signed with our master certificate).

- Log into vpn.fsfe.org:/root/wrk/vpn/easy-rsa

- Source the ./vars file

. ./vars

- Choose a nickname for the certificate (CERTNAME in the example below); we usually choose the surname of the person requesting the certificate.

Run:

./build-key CERTNAME

- Answer all questions with the default answer, except for:

  • Common Name: if it's a certificate for a host, enter its FQDN; if it's a person, enter their name and surname
  • Email: you can leave the default value, or enter the real email address if the certificate is for a real person (this field is informational only; it has no role in the authentication)
  • Answer "yes" to the last two questions (confirmation of certificate creation and signature)

- In the ./keys directory, you'll find the CERTNAME.crt and CERTNAME.key files.

- Send a GPG-encrypted mail message to the user:

  • Use the message template: ./newuser_message.txt
  • Attach the certificates: ca, CERTNAME, CERTNAME.key
  • Attach the sample configuration files contained in ./conf/client

WARNING: make sure to encrypt the message, since the client certificate and key are sensitive material!!!

- Update the SVN mirror of the server PKI in ./conf/ca

Run the ./conf/ca/getconf.sh script
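
A check worth running between ./build-key and the mail step, as an added example (not part of the original page or FSFE's own tooling). It assumes the ./keys directory contains ca.crt next to CERTNAME.crt and CERTNAME.key; the function name check_client_cert and the file name ca.crt are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks on a freshly issued client certificate
# before it is mailed. Assumes ./keys holds ca.crt, NAME.crt and NAME.key.

# check_client_cert KEYS_DIR NAME
# Returns 0 if all checks pass, 2-5 for the failures described below.
check_client_cert() {
    keys_dir=$1
    name=$2
    ca="$keys_dir/ca.crt"        # assumed file name of the master certificate
    crt="$keys_dir/$name.crt"
    key="$keys_dir/$name.key"

    for f in "$ca" "$crt" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done

    # The server only accepts certificates signed by the master certificate.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "$crt does not verify against $ca" >&2; return 3; }

    # The private key we attach must be the one the certificate was issued for.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $crt" >&2
        return 4
    fi

    # The key is sensitive: refuse if group or others can read it.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$key is readable by group or others" >&2
        return 5
    fi

    echo "OK: $name (subject: $(openssl x509 -in "$crt" -noout -subject))"
}

# Usage: sh check.sh ./keys CERTNAME
if [ $# -eq 2 ]; then
    check_client_cert "$1" "$2"
fi
```

The printed subject line lets you confirm the Common Name you entered before the files leave the server.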

Creating a server certificate

Use the same procedure as for creating a client certificate, but run the ./build-key-server script instead of ./build-key.

TechDocs/TechnicalProcesses/VPN/NewUser (last edited 2023-01-19 10:19:28 by tobiasd)