container-openvpn/docs/clients.md

# Advanced Client Management

## Client Configuration Mode

The [`ovpn_getclient`](/bin/ovpn_getclient) can produce two different versions of the configuration.

1. combined (default): All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does).
2. separated: Separated files.

Note that some client software might be picky about which configuration format it accepts.

## Batch Mode

If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.

Execute the following to generate the configuration for all clients:

    docker run --rm -it -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_getclient_all

After doing so, you will find the following files in each of the `$cn` directories:

    ca.crt
    dh.pem
    $cn-combined.ovpn # Combined configuration file format. If your client recognices this file then only this file is needed.
    $cn.ovpn          # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key
    $cn.crt
    $cn.key
    ta.key

## Revoking Client Certificates

Revoke `client1`'s certificate and generate the certificate revocation list (CRL):

    docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa revoke client1
    docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa gen-crl

The OpenVPN server will read this change everytime a client connects (no need to restart server) and deny clients access using revoked certificates.
docs: Tweak case and arguments * Makes the reading more uniform with the rest of the documentation. 2015-05-11 17:32:58 +00:00			`# Advanced Client Management`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
docs: Tweak case and arguments * Makes the reading more uniform with the rest of the documentation. 2015-05-11 17:32:58 +00:00			`## Client Configuration Mode`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			The [`ovpn_getclient`](/bin/ovpn_getclient) can produce two different versions of the configuration.
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			`1. combined (default): All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does).`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`2. separated: Separated files.`

Fixed spelling. 2015-03-13 01:00:04 +00:00			`Note that some client software might be picky about which configuration format it accepts.`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
docs: Tweak case and arguments * Makes the reading more uniform with the rest of the documentation. 2015-05-11 17:32:58 +00:00			`## Batch Mode`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
			`Execute the following to generate the configuration for all clients:`

docs: Tweak case and arguments * Makes the reading more uniform with the rest of the documentation. 2015-05-11 17:32:58 +00:00			`docker run --rm -it -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_getclient_all`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00
			After doing so, you will find the following files in each of the `$cn` directories:

			`ca.crt`
			`dh.pem`
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			`$cn-combined.ovpn # Combined configuration file format. If your client recognices this file then only this file is needed.`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`$cn.ovpn # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key`
			`$cn.crt`
			`$cn.key`
			`ta.key`
ovpn: Add support for revoking certificates (CRL) * Add this much needed missing feature. Easy RSA makes it... easy. 2015-05-11 17:33:56 +00:00
			`## Revoking Client Certificates`

			Revoke `client1`'s certificate and generate the certificate revocation list (CRL):

docs: Fix typo to CRL steps * Copy paste error. Oops. 2015-05-11 17:48:09 +00:00			`docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa revoke client1`
			`docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa gen-crl`
ovpn: Add support for revoking certificates (CRL) * Add this much needed missing feature. Easy RSA makes it... easy. 2015-05-11 17:33:56 +00:00
docs: Fix typo to CRL steps * Copy paste error. Oops. 2015-05-11 17:48:09 +00:00			`The OpenVPN server will read this change everytime a client connects (no need to restart server) and deny clients access using revoked certificates.`