OpenVPN

Install needed packages:

# apt install --no-install-recommends openvpn openssl

Download easy-rsa v3.0.4 and install it.

We don't use the git clone version because we would need to run the build.sh script with the --version=3.0.4 option to generate the final version.

# wget --no-check-certificate https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
# tar -xvzf EasyRSA-3.0.4.tgz
# rm EasyRSA-3.0.4.tgz
# mv EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/

Note that --no-check-certificate disables TLS certificate validation for this download; with the ca-certificates package installed, the flag can be dropped.

Make sure you have this option set in /etc/openvpn/easy-rsa/vars:

set_var EASYRSA_PKI "/etc/openvpn/easy-rsa/pki"

Initialize a new PKI and generate a CA keypair that will be used to sign certificates.

# cd /etc/openvpn/easy-rsa
# export EASYRSA=$(pwd)
# ./easyrsa init-pki
# ./easyrsa build-ca nopass
Common name : Testing server OpenVPN certificate

Now build the intermediate certificate.

# ./easyrsa build-server-full server nopass

Once you have generated and signed the OpenVPN server certificate, rename the root CA and CA (intermediate) certificates.

# cd /etc/openvpn/easy-rsa/pki/
# mv ca.crt root_ca.crt
# mv private/ca.key private/root_ca.key

# mv issued/server.crt issued/ca.crt
# mv private/server.key private/ca.key

Also move ca.crt to /etc/openvpn/easy-rsa/pki.

# mv /etc/openvpn/easy-rsa/pki/issued/ca.crt /etc/openvpn/easy-rsa/pki

Make sure the pki directory has the following permissions; otherwise the easygateway web interface won't detect the root_ca.crt file (it checks with the PHP file_exists() function):

drwxrwx--x 6 root       root        4096 Jun 17 16:23 pki
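
The following check of the resulting PKI tree is an added example, not part of the original page or of easy-rsa. It verifies the file names and the 771 directory mode given above and confirms that the renamed ca.crt chains to root_ca.crt. The function names check_pki_layout and check_pki_chain are hypothetical, and the rule that private keys carry no group/other permission bits is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit the PKI tree produced by the steps on this page.
# File names and the 771 mode come from the page; the private-key
# permission rule is an extra check assumed by this example.

check_pki_layout() {
    pki=$1
    problems=0

    # drwxrwx--x: "others" (the web server user) need only the search bit
    # so that PHP file_exists() can reach root_ca.crt inside the directory.
    mode=$(stat -c '%a' "$pki" 2>/dev/null)
    if [ "$mode" != "771" ]; then
        echo "FAIL: $pki mode is ${mode:-missing}, expected 771"
        problems=$((problems + 1))
    fi

    # Files that must exist after the renames and the final move.
    for f in root_ca.crt ca.crt private/root_ca.key private/ca.key; do
        if [ ! -f "$pki/$f" ]; then
            echo "FAIL: missing $pki/$f"
            problems=$((problems + 1))
        fi
    done

    # Private keys must not be accessible to group or others.
    for k in "$pki"/private/*.key; do
        [ -f "$k" ] || continue
        kmode=$(stat -c '%a' "$k")
        case $kmode in
            ?00) ;;
            *) echo "FAIL: $k mode is $kmode, group/other access present"
               problems=$((problems + 1)) ;;
        esac
    done

    [ "$problems" -eq 0 ] && echo "OK: $pki layout and permissions"
    return "$problems"
}

# Confirm that the renamed ca.crt was really signed by the renamed root CA.
check_pki_chain() {
    openssl verify -CAfile "$1/root_ca.crt" "$1/ca.crt"
}

# Usage (as root): check_pki_layout /etc/openvpn/easy-rsa/pki && check_pki_chain /etc/openvpn/easy-rsa/pki
```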

References:
https://wiki.archlinux.org/index.php/Easy-RSA
https://wiki.debian.org/OpenVPN

operating_systems/linux/debian/openvpn.txt · Last modified: 2020/10/15 13:40 by maferreira