OpenVPN tricks and traps


Recently I had to update my certificates. As things go, I decided to do a 2 tier CA. Of course, this compilcates the config of systems like OpenVPN. This needed some bending of the configs to get what I wanted.


Critical config enrties to make this all work – with comments

ca /etc/openvpn/root-ca.cert <= root CA certificate
cert /etc/openvpn/chain.cert <= certificate chain : server cert + intermediate CA cert
key /etc/openvpn/private.key <= certificate private key
dh /etc/openvpn/dh.pem       <= Diffie-Helman key exchange parameters  
tls-version-min 1.2          <= force TLS 1.2 ciphers


  1. Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA TLS v1.2 achieved.
  2. OpenVPN working.