================================================================================
OpenVPN: build PKI on your PC, upload to this server, minimal work for users
================================================================================

GOAL
----
- You (admin): create certificates on YOUR PC, copy a few files here, and keep
  the VPN server config in sync with the same CA.
- Your users: log in to the VPN web page, download ONE .ovpn file, import it in
  OpenVPN Connect. No extra files on the phone/TV.

WHY ONE CA FOR BOTH PLACES
--------------------------
The OpenVPN SERVER (the machine users connect to) must trust the same CA that
signed each CLIENT certificate. So you create ONE PKI (one CA) on your PC, then:

  A) Put the server cert/key + ca.crt on the VPN *server* (the "remote" host in
     vpn-config.php).
  B) Put ca.crt + each user's .crt/.key on THIS *web* server under openvpn-pki/
     so PHP can embed them into the downloaded .ovpn files.

If you create client certs with a NEW CA and never install that CA on the VPN
server, every connection will fail the TLS handshake.

The CA private key (pki/private/ca.key) stays on your PC. Neither server needs
it, and whoever holds it can issue certificates that your VPN server trusts.

WHAT TO INSTALL ON YOUR PC (pick one)
-------------------------------------
• Windows: install "Git for Windows" and use "Git Bash", OR use WSL (Ubuntu),
  OR download the Easy-RSA release zip from:
  https://github.com/OpenVPN/easy-rsa/releases
• macOS/Linux: install the package "easy-rsa" or unpack the same release zip.

Below uses Easy-RSA 3.x commands in a terminal. Note: "make-cadir" comes from
the Debian/Ubuntu easy-rsa package. With the release zip there is no make-cadir;
cd into the unpacked folder (on Windows, run EasyRSA-Start.bat to get a shell
there) and run ./easyrsa from that directory instead.

STEP 1 — CREATE PKI ON THE PC (once per CA)
-------------------------------------------
  cd ~/somewhere
  make-cadir my-openvpn-pki && cd my-openvpn-pki
  ./easyrsa init-pki
  ./easyrsa build-ca nopass
  (set a CA common name when asked, e.g. "MyVPN-CA")

"nopass" stores the CA key unencrypted. That is convenient, but if the PC is
compromised the attacker can mint VPN client certs that your server accepts;
drop "nopass" and set a passphrase if the PC is shared or portable.

Create the SERVER certificate (the name must match what you use in the OpenVPN
server config):
  ./easyrsa gen-req server nopass
  ./easyrsa sign-req server server

Create a CLIENT for VPN username "barry" (must match vpn_users.username in the
database):
  ./easyrsa gen-req barry nopass
  ./easyrsa sign-req client barry

(Easy-RSA 3 also has the shortcuts "./easyrsa build-server-full server nopass"
and "./easyrsa build-client-full barry nopass", which do gen-req + sign-req in
one step.)

Optional but common: Diffie-Hellman parameters (server side):
  ./easyrsa gen-dh

After this, your PC has a folder pki/ with at least:
  pki/ca.crt
  pki/private/ca.key        (stays on the PC, never upload)
  pki/issued/server.crt
  pki/private/server.key
  pki/issued/barry.crt
  pki/private/barry.key
  pki/dh.pem                (if you generated dh)

STEP 2 — CONFIGURE THE OPENVPN *SERVER* (not this web server)
--------------------------------------------------------------
On the machine that runs OpenVPN (UDP 1194, etc.), install:
  - CA: pki/ca.crt
  - Server cert/key: pki/issued/server.crt and pki/private/server.key (names may
    differ)
  - dh.pem if you use it
  - ta.key if you use tls-crypt. Generate it separately with
    "openvpn --genkey secret ta.key" (on OpenVPN 2.4 the syntax is
    "openvpn --genkey --secret ta.key"). The SAME ta.key must then be embedded
    in every client .ovpn, otherwise clients fail the handshake.

Point clients at the correct "remote" host: the same values you put in
EP/vpn-config.php ($vpn_servers → host/port).

This step is required; the web site only *distributes* client profiles.
STEP 3 — COPY FILES TO *THIS* WEB SERVER (for automatic .ovpn embedding)
------------------------------------------------------------------------
Only these are needed per VPN user for the download script (username = barry):
  openvpn-pki/ca.crt
  openvpn-pki/issued/barry.crt   OR  openvpn-pki/barry.crt
  openvpn-pki/private/barry.key  OR  openvpn-pki/barry.key

Example (run from your PC, replace USER/HOST):
  scp pki/ca.crt            USER@HOST:/var/www/html/wordpress6/wordpress/EP/openvpn-pki/
  scp pki/issued/barry.crt  USER@HOST:/var/www/html/wordpress6/wordpress/EP/openvpn-pki/issued/barry.crt
  scp pki/private/barry.key USER@HOST:/var/www/html/wordpress6/wordpress/EP/openvpn-pki/private/barry.key

On the server (so PHP can read the key, and nobody else can):
  sudo chown root:www-data /var/www/html/wordpress6/wordpress/EP/openvpn-pki/ca.crt \
      /var/www/html/wordpress6/wordpress/EP/openvpn-pki/issued/barry.crt \
      /var/www/html/wordpress6/wordpress/EP/openvpn-pki/private/barry.key
  sudo chmod 644 .../ca.crt .../issued/barry.crt
  sudo chmod 640 .../private/barry.key

Repeat "issued/USERNAME.crt" + "private/USERNAME.key" for each VPN user you add
in the admin panel / database.

Optional: set the env var VPN_PKI_DIR to a single Easy-RSA pki/ folder instead
of EP/openvpn-pki. Because EP/openvpn-pki/ sits inside the web root, make sure
the web server does not serve it as static files: deny the directory in the
Apache/nginx config, or point VPN_PKI_DIR at a folder outside /var/www. Check
with a browser that the file is not downloadable (with /var/www/html as the
document root that would be https://HOST/wordpress6/wordpress/EP/openvpn-pki/ca.crt;
it must return 403/404, not the certificate).

STEP 4 — END USER (phone / Google TV) — MINIMUM STEPS
------------------------------------------------------
1. Open the VPN login page in a browser and sign in.
2. Choose a country, tap "Download .ovpn file" (on TV use the main link that
   carries the token).
3. Open OpenVPN Connect → Import → select the downloaded profile.
4. Connect.

No separate ca.crt / .key files on the device: they are inside the .ovpn as
<ca>, <cert> and <key> blocks.

IF SOMETHING FAILS
------------------
• "Files could not be found" in OpenVPN: the web server is not embedding the
  certs. Check that the files exist under openvpn-pki (or VPN_PKI_DIR), that
  PHP (www-data) can read them, and that the file names match the username
  exactly (case-sensitive).
• TLS/auth errors: the client cert was not signed by the CA the server uses, the
  "remote" host/port is wrong, or the server config does not match the profile
  (e.g. tls-crypt on one side only). On the PC,
  "openssl verify -CAfile pki/ca.crt pki/issued/barry.crt" confirms the client
  cert chains to the CA you installed on the server.
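What the download script has to produce for Step 4, done from a shell so you
can test the Step 3 layout before trusting the web page. This is an added
example, not the project's PHP code and not part of the original notes. It
assumes the two layouts Step 3 allows (issued/USER.crt + private/USER.key, or
USER.crt + USER.key flat in the pki dir), an optional ta.key for tls-crypt, and
takes the "remote" host/port as arguments since vpn-config.php is not shown here.

```shell
#!/bin/sh
# Added example (not the project's code): assemble a single-file .ovpn for one
# user from the openvpn-pki layout of Step 3. Assumed layouts: issued/USER.crt +
# private/USER.key, or USER.crt + USER.key; ta.key is optional (tls-crypt).
# Usage: sh this_script.sh PKI_DIR USER HOST PORT > USER.ovpn

# Print the first existing, non-empty candidate path, or return 1 (this is the
# "Files could not be found" situation from the troubleshooting section).
find_pki_file() {
    for p in "$@"; do
        if [ -s "$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# Keep only the -----BEGIN ... -----END block. Easy-RSA prefixes issued certs
# with a human-readable dump that some importers choke on.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# True if the "other" permission triplet of FILE is "---" (not world-readable).
key_is_private() {
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# build_ovpn PKI_DIR USER HOST PORT  -> profile on stdout, errors on stderr
build_ovpn() {
    pki=$1 user=$2 host=$3 port=$4
    ca=$(find_pki_file "$pki/ca.crt") \
        || { echo "missing ca.crt in $pki" >&2; return 1; }
    crt=$(find_pki_file "$pki/issued/$user.crt" "$pki/$user.crt") \
        || { echo "missing client cert for '$user' in $pki" >&2; return 1; }
    key=$(find_pki_file "$pki/private/$user.key" "$pki/$user.key") \
        || { echo "missing client key for '$user' in $pki" >&2; return 1; }
    key_is_private "$key" || echo "warning: $key is world-readable" >&2

    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse a "server" that presents a client cert (MITM with a stolen client cert).
remote-cert-tls server
verb 3
<ca>
$(pem_only "$ca")
</ca>
<cert>
$(pem_only "$crt")
</cert>
<key>
$(pem_only "$key")
</key>
EOF
    # Only if the server uses tls-crypt; then it is mandatory, not optional.
    if [ -s "$pki/ta.key" ]; then
        printf '<tls-crypt>\n%s\n</tls-crypt>\n' "$(pem_only "$pki/ta.key")"
    fi
}

if [ $# -eq 4 ]; then
    build_ovpn "$@"
fi
```

The generated file is exactly what the phone/TV imports in Step 4: everything
inline, nothing to copy alongside. If build_ovpn fails for a user, the PHP
download will fail for the same reason, so fix the file names or permissions
before looking at the web app.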
• After uploading new certs, regenerate the .ovpn from the dashboard and
  re-import it on the device; a profile downloaded earlier still carries the
  old cert.

SECURITY
--------
• Never commit *.key or *.crt to git (see .gitignore).
• Restrict permissions on .key files (640, owner root, group www-data). The web
  server holds every user's private key, so anyone who can read that directory,
  or exploit the PHP app, owns every VPN identity. Keep the directory out of the
  served web tree (VPN_PKI_DIR) or deny it in the web server config.
• The CA key (pki/private/ca.key) never leaves your PC. Without it nobody can
  issue new certs; with it anyone can.
• Revoking a user: deleting their files from openvpn-pki only stops new
  downloads; an .ovpn they already have keeps working. To really cut them off,
  revoke on the PC ("./easyrsa revoke barry", then "./easyrsa gen-crl"), copy
  pki/crl.pem to the OpenVPN server where "crl-verify crl.pem" is set in the
  server config, and only then delete the user's files from openvpn-pki.
  OpenVPN re-reads the CRL file when it changes; a session that is already up
  ends at the next TLS renegotiation (reneg-sec, default 3600 s) or when you
  restart the server.
================================================================================
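EXAMPLE: REVOKING A USER (added example, not part of the original notes)
------------------------------------------------------------------------
The revocation sequence from the SECURITY section as a script. Assumptions: on
the PC the Easy-RSA directory from Step 1 is the current directory; the OpenVPN
server is reachable over SSH as ADMIN@VPNHOST with the config in
/etc/openvpn/server and "crl-verify crl.pem" already in server.conf; the web
copy lives under the EP/openvpn-pki path from Step 3 (override with WEB_PKI).
The "revoke" part runs on the PC, the "purge" part on the web server.

```shell
#!/bin/sh
# Added example (not from the original notes). Revoke one VPN user end to end.
#   On the PC:          sh this_script.sh revoke barry ADMIN@VPNHOST
#   On the web server:  sh this_script.sh purge barry
# Assumed: Easy-RSA dir is cwd on the PC; server config dir /etc/openvpn/server
# with "crl-verify crl.pem"; web copy under $WEB_PKI (Step 3 layout).

WEB_PKI=${WEB_PKI:-/var/www/html/wordpress6/wordpress/EP/openvpn-pki}

# Delete the user's cert/key from the web server copy, in either Step 3 layout.
# Returns 0 if at least one file was removed, 1 if nothing matched (typo?).
# This only stops new downloads; the CRL below is what blocks connections.
purge_web_copies() {
    dir=$1 user=$2 removed=0
    for f in "$dir/issued/$user.crt" "$dir/$user.crt" \
             "$dir/private/$user.key" "$dir/$user.key"; do
        if [ -e "$f" ]; then
            rm -f "$f"
            removed=1
            echo "removed $f"
        fi
    done
    [ "$removed" -eq 1 ]
}

# Revoke on the PC, regenerate the CRL, push it to the VPN server and confirm
# the revoked cert's serial is actually listed. --batch skips the y/n prompt.
revoke_user() {
    user=$1 vpnhost=$2
    ./easyrsa --batch revoke "$user"
    ./easyrsa gen-crl
    scp pki/crl.pem "$vpnhost:/etc/openvpn/server/crl.pem"
    serial=$(openssl x509 -in "pki/issued/$user.crt" -noout -serial | cut -d= -f2)
    if openssl crl -in pki/crl.pem -noout -text | grep -qi "$serial"; then
        echo "CRL lists serial $serial for $user"
    else
        echo "serial $serial for $user NOT in CRL; revocation did not take" >&2
        return 1
    fi
}

case "${1:-}" in
    revoke) revoke_user "$2" "$3" ;;
    purge)  purge_web_copies "$WEB_PKI" "$2" ;;
esac
```

Order matters: push the CRL first, then purge the web copy, then remove the user
from vpn_users in the admin panel. If the serial check fails, the user can still
connect even though their download link is gone.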