Client Management

Adding a Client

# Basic client
sudo ./openvpn-install.sh client add mydevice

# Password-protected client (interactive password prompt)
sudo ./openvpn-install.sh client add mydevice --password

# Password-protected client (inline password; the value is visible in shell history and the process list)
sudo ./openvpn-install.sh client add mydevice --password "secretpass123"

# Custom certificate validity
sudo ./openvpn-install.sh client add mydevice --cert-days 365

The .ovpn file is saved to the home directory of the user running the script (e.g., ~/mydevice.ovpn).

Client name rules

  • Maximum 64 characters
  • Only alphanumeric characters, underscores, hyphens, and dots
  • Must be unique (no duplicate names)

Listing Clients

# Table format
sudo ./openvpn-install.sh client list

# JSON format (for automation)
sudo ./openvpn-install.sh client list --format json

Example output:

Name             Status    Expires
----             ------    -------
laptop           Valid     2036-03-18
phone            Valid     2036-03-18
old-device       Revoked   -

Revoking a Client

Revocation immediately disconnects the client and prevents future connections:

sudo ./openvpn-install.sh client revoke mydevice

What happens:

  1. The client certificate is added to the CRL (Certificate Revocation List)
  2. If the client is currently connected, it is immediately disconnected via the management interface
  3. The client can no longer connect with this certificate

Revocation is permanent

A revoked certificate cannot be restored. To re-enable access for the same user, create a new client with the same name — a new certificate will be generated.

Renewing a Client Certificate

Renew a client certificate before it expires:

# Renew with default validity (3650 days)
sudo ./openvpn-install.sh client renew mydevice

# Renew with custom validity
sudo ./openvpn-install.sh client renew mydevice --cert-days 365

What happens:

  1. The old certificate is revoked
  2. A new certificate is generated with a new serial number
  3. A new .ovpn file is created
  4. The client must download the new .ovpn file
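
Added example (not part of the openvpn-install project): a POSIX shell filter that reads the `client list` table and prints the Valid clients whose certificate expires on or before a cutoff date, so they can be renewed before expiry. The function names and the sample table are constructed here, and the parser assumes the three-column layout shown in the example output above.

```shell
#!/bin/sh
# Added example, not code from openvpn-install.sh.
# Assumption: `client list` prints whitespace-separated Name / Status / Expires
# columns, as in the example output on this page.

# Constructed sample in that layout (the dates are made up for the demo).
sample_list() {
    cat <<'EOF'
Name             Status    Expires
----             ------    -------
laptop           Valid     2036-03-18
phone            Valid     2026-06-01
old-device       Revoked   -
EOF
}

# expiring_clients CUTOFF
# Reads the table on stdin and prints, one per line, the name of every Valid
# client whose Expires date is on or before CUTOFF (YYYY-MM-DD).
expiring_clients() {
    cutoff="$1"
    # Refuse a malformed cutoff instead of comparing against garbage.
    case "$cutoff" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "cutoff must be YYYY-MM-DD" >&2; return 2 ;;
    esac
    awk -v cutoff="$cutoff" '
        # Header, dashed rule, blank lines and revoked rows all fail this test.
        NF != 3 || $2 != "Valid" { next }
        # Skip rows whose third column is not an ISO date.
        $3 !~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ { next }
        # ISO dates sort lexicographically; force a string comparison.
        ($3 "") <= (cutoff "") { print $1 }
    '
}

# Usage against the real script (GNU date assumed for the "+30 days" arithmetic):
#   sudo ./openvpn-install.sh client list | expiring_clients "$(date -d '+30 days' +%F)"
```

Each name it prints can be passed to `client renew`; the renewed client then needs its new .ovpn file, as described in the steps above.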

Multi-Device Support

By default, each client certificate is bound to a single persistent VPN IP address. To allow the same certificate on multiple devices simultaneously:

sudo ./openvpn-install.sh install --multi-client --client shared-cert

Note

Enabling multi-device support disables persistent IP addresses for all clients.

Interactive Mode

If you prefer a menu-driven interface:

sudo ./openvpn-install.sh interactive

When OpenVPN is already installed, the interactive mode presents a management menu:

  1. Add a new client
  2. Revoke a client
  3. Renew a client certificate
  4. Show server status
  5. Renew server certificate
  6. Uninstall OpenVPN
  7. Exit