You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Jérémy Dubois 91b40ce72f
gitea/ansible-roles/pipeline/head This commit looks good Details
openvpn: Fix mode of shellpki script
2 months ago
defaults Write an openvpn role 1 year ago
files openvpn: shellpki upstream release 22.12.2 2 months ago
handlers openvpn: make it compatible with OpenBSD and add some improvements 1 year ago
tasks openvpn: Fix mode of shellpki script 2 months ago
templates openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS 5 months ago openvpn: update README 10 months ago


Install and configure OpenVPN, based on our HowtoOpenVPN wiki


Everything is in the tasks/main.yml file. Some manual actions are requested at the end of the playbook, to do before finishing the playbook.

Here is a copy of what is requested :

  • You have to manually create the CA on the server with shellpki init The command will ask you to create a password, and will ask you again to give the same one several times.
  • You have to manually generate the CRL on the server with openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf. The previously created password will be asked.
  • You have to manually create the server's certificate with shellpki create
  • You have to adjust the config file /etc/openvpn/server.conf for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
  • Finally, you can (re)start the OpenVPN service with systemctl restart openvpn@server.service on Debian, or rcctl restart openvpn on OpenBSD.

Then, you can use shellpki to generate client certificates.


  • openvpn_lan: network to use for OpenVPN
  • openvpn_netmask: netmask of the network to use for OpenVPN
  • openvpn_netmask_cidr: automatically generated prefix length of the netmask, in CIDR notation


  • Files in files/shellpki/* are gotten from the upstream shellpki and must be updated when the upstream is.