Skip to content

Server Operations

Server Status — listConnectedClients()

Reads the OpenVPN status file at /var/log/openvpn/status.log.

The status file is updated every 60 seconds by the OpenVPN process. It contains CLIENT_LIST entries with comma-separated fields:

Field Description
Client name Certificate CN
Real address Client's public IP:port
VPN address Assigned VPN IP (e.g., 10.8.0.2)
Bytes received Total bytes from client
Bytes sent Total bytes to client
Connected since Connection timestamp

Traffic values are formatted using formatBytes():

Bytes Display
>= 1,073,741,824 X.X GB
>= 1,048,576 X.X MB
>= 1,024 X.X KB
< 1,024 X B

Server Certificate Renewal — renewServer()

Flow

graph TD
    A[Get server name from server.conf] --> B[Show expiry warning]
    B --> C[Confirm with user]
    C --> D[Set renewal duration]
    D --> E[Backup old certificate]
    E --> F{Auth mode?}
    F -->|PKI| G[easyrsa renew]
    F -->|Fingerprint| H[Generate new self-signed cert]
    G --> I[easyrsa revoke-renewed]
    I --> J[Regenerate CRL]
    H --> K[Update server fingerprint]
    K --> L[Regenerate ALL client .ovpn files]
    J --> M[Copy new cert to server dir]
    L --> M
    M --> N[Restart OpenVPN service]

PKI Mode

cd /etc/openvpn/server/easy-rsa/
./easyrsa --batch --days=3650 renew server_name
./easyrsa --batch revoke-renewed server_name
# Regenerate CRL
./easyrsa gen-crl
cp pki/issued/server_name.crt /etc/openvpn/server/

Fingerprint Mode

When the server certificate changes in fingerprint mode, the server's fingerprint changes too. Since every client .ovpn file embeds the server fingerprint for verification, all client configurations must be regenerated:

  1. Generate new self-signed server certificate
  2. Extract new fingerprint
  3. Store in /etc/openvpn/server/server-fingerprint
  4. Loop through all clients and regenerate their .ovpn files

Warning

In fingerprint mode, all clients need new .ovpn files after server certificate renewal. In PKI mode, existing client configs continue to work.

Post-Renewal

The OpenVPN service is restarted:

systemctl restart openvpn-server@server

All connected clients are briefly disconnected and will reconnect automatically.

Certificate Expiry Helpers

getDaysUntilExpiry(cert_path)

Reads a certificate file and calculates days until expiry:

  1. Extract notAfter date via openssl x509 -enddate
  2. Convert to epoch timestamp
  3. Calculate (expiry - now) / 86400
  4. Returns ? if calculation fails

formatExpiry(days)

Formats days-until-expiry as a human-readable string:

Days Output
? (unknown expiry)
< 0 (EXPIRED X days ago)
0 (expires today)
1 (expires in 1 day)
> 1 (expires in X days)

Uninstall — removeOpenVPN()

Complete removal of all OpenVPN components:

  1. Stop and disable the systemd service
  2. Remove firewall rules:
    • firewalld: remove port, masquerade, rich rules
    • nftables: delete tables, remove include, delete rule file
    • iptables: stop service, remove scripts
  3. Remove SELinux port rules (if applicable)
  4. Remove packages via the OS package manager
  5. Clean up files:
    • /etc/openvpn/ — all configuration and certificates
    • /etc/sysctl.d/99-openvpn.conf — IP forwarding
    • /var/log/openvpn/ — log files
    • AppArmor overrides
    • Client .ovpn files from /home/ and /root/
  6. Remove Unbound DNS (if installed by the script)

Unbound Removal — removeUnbound()

  1. Removes /etc/unbound/unbound.conf.d/openvpn.conf
  2. Cleans up include directive if no other configs remain
  3. Asks user whether to fully remove Unbound or just restart it