(On a Debian-based Linux system the equivalent packages are installed with apt-get install openvpn easy-rsa.)

First make sure the Xcode command line tools are present. xcode-select -p outputs a file path beginning with /Applications/Xcode.app/ if they are already installed. If it does not, run xcode-select --install to trigger the installation app. Alternatively, run gcc (e.g. gcc --version). If the tools are not installed, you will be greeted by a graphical macOS installation prompt instead of the expected Terminal output from gcc. You don't necessarily need the full Xcode, so you can click the "Install" button for just the command line tools.

The openssl command bundled with macOS is not likely to be compatible with EasyRSA and will produce errors if you try to use it (note: that binary is at /usr/bin/openssl). Install a current OpenSSL with the brew package manager (https://brew.sh/) instead. Installing via brew will not clobber or harm the Apple version that's already on your system. If you need to install brew, go to the project's website and follow the simple instructions on the landing page.

With brew installed, open a Terminal and run the command:

brew keeps what it installs under /usr/local/Cellar. It does not link this openssl into /usr/local/bin or anywhere else in your $PATH, so you will not have a conflicting openssl command, and Apple's binary will remain intact. On my machine the package landed in /usr/local/Cellar/openssl/1.0.2n. In your case, this may be a different path due to a more recent version being available in the future. Next, inspect this folder to locate the binary and determine the full path to it. In my example case, the full path to the binary was:

That full path is the value you will give to the EASYRSA_OPENSSL variable.
Unpack the EasyRSA release to ~/vpn/easyrsa. The '~' character is a shortcut to your home folder that works in Terminal, i.e. on a Mac it's a placeholder for /Users/your_username and on a typical Linux environment /home/username.

With EasyRSA unpacked in ~/vpn/easyrsa, open Terminal and navigate to the unpacked folder:

Copy the vars.example "starter" configuration file to vars:

Edit vars so that the values reflect your own details. Uncomment the relevant lines (remove the leading # character) and fill them in with your appropriate values. Specify something for each field below:

By default EasyRSA uses whatever openssl binary is found in the $PATH, which on a Mac would be Apple's incompatible one. Find the following line, uncomment it, and update the value with the path to the brew-installed openssl binary from Step 1. For example, in my case, the following line:
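As an added example (not code from the original tutorial), the POSIX shell script below automates Step 1's hunt for the brew-installed openssl and writes the result into the vars file, so the EASYRSA_OPENSSL line does not have to be edited by hand whenever the Cellar version directory changes. The Cellar root is a parameter (it assumes the /usr/local/Cellar layout by default; /opt/homebrew/Cellar is the equivalent on Apple Silicon), and the EASYRSA_REQ_* values are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: find the brew-installed
# openssl under the Cellar and write an EasyRSA 3 vars file that points
# EASYRSA_OPENSSL at it. The Cellar root and all EASYRSA_REQ_* values are
# assumptions to adjust for your own setup.

# find_brew_openssl [CELLAR_ROOT]
# Prints the path of the newest openssl binary below the Cellar, or returns 1
# if there is none. The version directory (1.0.2n in the text, something
# newer later) is discovered rather than hard-coded; ordering is lexical.
find_brew_openssl() {
    cellar="${1:-/usr/local/Cellar}"
    ver_dir=$(ls -d "$cellar"/openssl*/*/ 2>/dev/null | sort | tail -n 1)
    [ -n "$ver_dir" ] || return 1
    bin="${ver_dir%/}/bin/openssl"
    [ -x "$bin" ] || return 1
    printf '%s\n' "$bin"
}

# write_vars VARS_FILE OPENSSL_PATH
# Writes the uncommented set_var lines an EasyRSA 3 vars file needs.
# The request fields are placeholders; put your own organisation in.
write_vars() {
    out="$1"
    openssl_bin="$2"
    cat > "$out" <<EOF
# Generated: use the brew OpenSSL, not Apple's /usr/bin/openssl
set_var EASYRSA_OPENSSL      "$openssl_bin"
set_var EASYRSA_REQ_COUNTRY  "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY     "San Francisco"
set_var EASYRSA_REQ_ORG      "Example Org"
set_var EASYRSA_REQ_EMAIL    "vpn-admin@example.com"
set_var EASYRSA_REQ_OU       "VPN"
set_var EASYRSA_KEY_SIZE     2048
EOF
}

# vars_openssl VARS_FILE
# Prints the configured EASYRSA_OPENSSL path; empty if the line is absent
# or still commented out.
vars_openssl() {
    sed -n 's/^set_var EASYRSA_OPENSSL[[:space:]]*"\(.*\)"/\1/p' "$1"
}

# vars_uses_brew_openssl VARS_FILE
# Succeeds only when vars names an executable that is not Apple's binary.
vars_uses_brew_openssl() {
    p=$(vars_openssl "$1")
    [ -n "$p" ] && [ "$p" != /usr/bin/openssl ] && [ -x "$p" ]
}

# Typical run on a Mac (uncomment to use):
#   bin=$(find_brew_openssl) && write_vars ~/vpn/easyrsa/vars "$bin"
```

The version directories are sorted lexically, which is fine for the 1.0.2x series but would misorder 1.10 against 1.9; if several openssl kegs are installed, pass the exact Cellar subtree you want rather than relying on the pick.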
Initialize the PKI with the easyrsa script. This will create a pki/ subfolder:

Build the CA. The CA certificate is written to pki/ca.crt.

Build the server certificate and key, and generate the Diffie-Hellman parameters. This produces:
pki/issued/server.crt
pki/private/server.key
pki/dh.pem

Build a certificate and key for each client (exampleclient here). This produces:
pki/issued/exampleclient.crt
pki/private/exampleclient.key

Each client needs three of these files: its own certificate (pki/issued/exampleclient.crt), its own private key (pki/private/exampleclient.key), and the CA certificate (pki/ca.crt). Hand out only that client's key; the CA's private key and the server key never leave the machines that need them.

Client configuration files use the .ovpn extension. Both Tunnelblick and Viscosity recognize the .ovpn extension and file format. Create one .ovpn file per client. Keep the .ovpn, certificate, and key files as safe as possible, with exposure to as few eyes/hands/hard-disks/clouds/etc. as possible. Distribute them as securely as you can to your clients/users, and remove your own copy of a client's private key once it has been delivered. You will also need to edit the .ovpn client configuration files to include specific settings that correspond to your server's particular setup, so that clients can successfully connect.
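The tutorial leaves assembling the .ovpn to the reader. The following added example (not part of the original page) builds a single-file profile that embeds the CA certificate, the client certificate and the client key inline, so only one file has to be distributed, and creates it with mode 0600 so the key is never briefly world-readable. The hostname vpn.example.com, port 1194 and the optional ta.key in the pki/ directory are assumptions; adjust the remote line for your own server setup.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build a single-file client
# .ovpn that inlines the CA certificate, client certificate and client key
# from an EasyRSA pki/ tree. The remote host/port and the optional ta.key
# are assumptions.

# pem_body FILE
# Prints only the PEM block. EasyRSA prefixes issued certificates with a
# human-readable dump, which is noise inside an inline <cert> section.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn CLIENT PKI_DIR OUT_FILE REMOTE_HOST [REMOTE_PORT]
# Writes OUT_FILE with mode 0600; returns 1 and writes nothing if any of
# the three required PKI files is missing.
build_ovpn() {
    client="$1"; pki="$2"; out="$3"; host="$4"; port="${5:-1194}"
    ca="$pki/ca.crt"
    cert="$pki/issued/$client.crt"
    key="$pki/private/$client.key"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "build_ovpn: missing $f" >&2; return 1; }
    done
    # umask in a subshell so the file is born 0600 (no chmod race) and the
    # caller's umask is untouched.
    (
        umask 077
        {
            echo "client"
            echo "dev tun"
            echo "proto udp"
            echo "remote $host $port"
            echo "resolv-retry infinite"
            echo "nobind"
            echo "persist-key"
            echo "persist-tun"
            # Only accept a peer whose certificate carries the server EKU;
            # this stops a stolen client certificate from being used to
            # impersonate the server. Needs the server certificate to have
            # been built as a server one (easyrsa build-server-full).
            echo "remote-cert-tls server"
            echo "verb 3"
            echo "<ca>";   pem_body "$ca";   echo "</ca>"
            echo "<cert>"; pem_body "$cert"; echo "</cert>"
            echo "<key>";  pem_body "$key";  echo "</key>"
            # If the PKI directory carries a tls-crypt key, inline it too.
            if [ -r "$pki/ta.key" ]; then
                echo "<tls-crypt>"; pem_body "$pki/ta.key"; echo "</tls-crypt>"
            fi
        } > "$out"
    )
}

# ovpn_inline_sections FILE
# Counts the inline sections present: 3 (ca, cert, key) or 4 with tls-crypt.
ovpn_inline_sections() {
    grep -E -c '^<(ca|cert|key|tls-crypt)>$' "$1"
}

# file_is_private FILE
# True when group and others have no permission bits at all.
file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

Run it as build_ovpn exampleclient ~/vpn/easyrsa/pki exampleclient.ovpn vpn.example.com; the resulting file is the only thing the client needs, which makes it the one artifact to protect and to delete from your side once delivered. If the server uses tls-auth instead of tls-crypt, change the section name to <tls-auth> and add key-direction 1.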
Edit /etc/easy-rsa/vars to make Easy-RSA use elliptic curves:

The OpenVPN server reads the following files:
/etc/openvpn/server/ca.crt
/etc/openvpn/server/dh.pem (not when using TLS with elliptic curves)
/etc/openvpn/server/servername.crt and /etc/openvpn/server/servername.key
/etc/openvpn/server/ta.key

The CA certificate /etc/easy-rsa/pki/ca.crt generated in the previous step needs to be copied over to the machine that will be running OpenVPN.

Generating the requests produces a request and a private key for each of the server and the client:
/etc/easy-rsa/pki/reqs/servername.req
/etc/easy-rsa/pki/private/servername.key
/etc/easy-rsa/pki/reqs/client1.req
/etc/easy-rsa/pki/private/client1.key

Only the .req files are sent to the CA; the private keys stay where they were generated. Once the CA has signed the requests, the certificates are in:
/etc/easy-rsa/pki/issued/servername.crt
/etc/easy-rsa/pki/issued/client1.crt

Revoking a certificate and regenerating the CRL produces /etc/easy-rsa/pki/crl.pem, which needs to be transferred to the OpenVPN server and made active there. Copy crl.pem into /etc/openvpn/server/ and inform the server to read it: edit /etc/openvpn/server/server.conf, uncommenting the crl-verify directive, then restart the openvpn-server@ service instance for that configuration so it re-reads it:
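As an added example that is not part of the original page, the script below checks on the server that every file the configuration refers to is present in /etc/openvpn/server (omitting dh.pem for an elliptic-curve PKI, as noted above), confirms the server key is not readable by other users, and enables crl-verify in server.conf idempotently. The directory and configuration path are parameters so it can be tried on a scratch tree; the name "servername" follows the file names used above.

```shell
#!/bin/sh
# Added example, not from the original page: server-side checks before
# (re)starting OpenVPN, plus enabling CRL verification in server.conf. The
# directory and config path are parameters; file names follow the list
# above (servername.*, ta.key, crl.pem).

# check_server_files DIR ec|rsa
# Reports each missing file on stderr and returns 1 if any is absent.
# dh.pem is only needed for an RSA/DH setup, not with elliptic curves.
check_server_files() {
    dir="$1"; algo="${2:-rsa}"
    missing=0
    set -- ca.crt servername.crt servername.key ta.key crl.pem
    [ "$algo" = ec ] || set -- "$@" dh.pem
    for f in "$@"; do
        if [ ! -r "$dir/$f" ]; then
            echo "check_server_files: missing $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# key_is_private FILE
# True when the private key has no group/other permission bits.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# enable_crl_verify CONF
# Uncomments a "crl-verify" line left commented with ';' or '#' (the style
# of the shipped sample server.conf), or appends one naming crl.pem next
# to the config. Running it again is a no-op.
enable_crl_verify() {
    conf="$1"
    if grep -q '^crl-verify ' "$conf"; then
        return 0
    fi
    if grep -q '^[;#][[:space:]]*crl-verify ' "$conf"; then
        # -i.bak works on both GNU and BSD sed
        sed -i.bak 's/^[;#][[:space:]]*\(crl-verify .*\)$/\1/' "$conf" && rm -f "$conf.bak"
    else
        echo "crl-verify crl.pem" >> "$conf"
    fi
}

# active_crl_lines CONF
# Number of uncommented crl-verify directives; exactly 1 after enabling.
active_crl_lines() {
    grep -c '^crl-verify ' "$1"
}

# On the real server (uncomment to use):
#   check_server_files /etc/openvpn/server ec \
#     && key_is_private /etc/openvpn/server/servername.key \
#     && enable_crl_verify /etc/openvpn/server/server.conf \
#     && systemctl restart openvpn-server@server.service
```

With the packaged openvpn-server@.service template the instance name is the configuration file's basename and the working directory is /etc/openvpn/server, which is why a bare crl-verify crl.pem resolves there and why server.conf is served by openvpn-server@server.service.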