This module contains a command-line utility that allows users to request new certificates, administrators to revoke
certificates and the OpenVPN server to process those requests.
How do you use this module?
Examples
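1. Build the binaries for this module or download the relevant release binary (for your desired distro) on your client
   machine from the releases page.
2. Run the command you need on your client machine:

    $ openvpn-admin request --aws-region us-east-1
    $ openvpn-admin revoke --aws-region us-east-1 --username john.doe
    $ openvpn-admin process-requests --aws-region us-east-1
    $ openvpn-admin process-revokes --aws-region us-east-1

N.B.: If the above doesn't work, check that the openvpn-admin binary is in your path, that it's called openvpn-admin, and that it has the execute permission set (chmod +x openvpn-admin).

N.B.: To use the openvpn-admin commands above, you'll need to authenticate to AWS. For examples and guidance on how to do so, check out our blog post: A Comprehensive Guide to Authenticating to AWS on the Command Line (https://blog.gruntwork.io/a-comprehensive-guide-to-authenticating-to-aws-on-the-command-line-63656a686799).

Install openvpn-admin on your servers
openvpn-admin consists of a single binary. The easiest way to get it onto your servers is to use the Gruntwork Installer:

    gruntwork-install --binary-name openvpn-admin --repo https://github.com/gruntwork-io/terraform-aws-openvpn --tag v0.5.4

Alternatively, you can download the binary from the Releases Page.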
Commandline Options
There are several sub-commands and switches that control the behavior of this utility.
| Command | Description |
| --- | --- |
| request | Requests a new OpenVPN configuration from the server and writes it locally to disk as username.ovpn |
| revoke | Revokes a user's certificate so that they may no longer connect to the OpenVPN server |
| process-requests | A server-side process to respond to requests by generating a new user certificate request, signing it, generating a new OpenVPN configuration file and returning it to the requestor. |
| process-revokes | A server-side process to respond to revocation requests by revoking the user's valid certificate |

| Option | Description | Required | Default |
| --- | --- | --- | --- |
| --debug | Enable verbose logging to the console | Optional | |
| --aws-region | The region OpenVPN is installed in | request, revoke, process-requests, process-revokes | |
| --username | The name of the user you are making a certificate request or revocation request for. | revoke (required). request (optional) | IAM username (request command) |
| --request-url | The URL for the SQS queue used for making OpenVPN configuration (certificate) requests | Optional | finds URL automatically |
| --revoke-url | The URL for the SQS queue used for making revocation requests | Optional | finds URL automatically |
| --host-for-mssfix | The host to ping when determining the mssfix value | Optional | 1.1.1.1 |
Permissions
Users requesting a new OpenVPN configuration must be a member of the OpenVPNUsers IAM group.
Users requesting a certificate revocation must be a member of the OpenVPNAdmins IAM group.
Using openvpn-admin for read-only users
Users who have read-only access to AWS will not be able to submit requests to the SQS requests queue used by openvpn-admin. Read-only users can temporarily assume the openvpn-allow-certificate-requests-for-external-accounts role, which grants write access to the queue. To do so, they should add a profile to their ~/.aws/config file as follows:

    [profile foo-vpn]
    region=us-west-2
    role_arn=arn:aws:iam::11111111111:role/openvpn-allow-certificate-requests-for-external-accounts
    mfa_serial=arn:aws:iam::22222222222:mfa/user@company.com
    source_profile=foo-security

The user can assume the role defined by this profile (using aws-auth or aws-vault), run the openvpn-admin request --aws-region us-east-1 --username foo command, and then run subsequent commands using the read-only role once again.
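A lint for the role profile this section describes, as an added example that is not part of openvpn-admin or the Gruntwork code: it checks that the profile names the openvpn-allow-certificate-requests-for-external-accounts role, still carries an mfa_serial, and has a source_profile. The function names, the foo-vpn-weak profile and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not part of openvpn-admin): lint the AWS CLI profile a
# read-only user relies on to assume the certificate-request role.

EXPECTED_ROLE="openvpn-allow-certificate-requests-for-external-accounts"

# profile_value FILE PROFILE KEY -> prints the value of KEY in [profile PROFILE]
profile_value() {
  awk -v want="[profile $2]" -v key="$3" '
    { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
    line ~ /^\[/ { active = (line == want); next }
    active && line !~ /^[#;]/ {
      eq = index(line, "=")
      if (eq == 0) next
      k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
      gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
      if (k == key) { print v; exit }
    }
  ' "$1"
}

# check_vpn_profile FILE PROFILE -> returns 0 when the profile passes,
# 1 otherwise, with one line per finding on stderr.
check_vpn_profile() {
  file=$1; profile=$2; findings=0
  role_arn=$(profile_value "$file" "$profile" role_arn)
  mfa=$(profile_value "$file" "$profile" mfa_serial)
  src=$(profile_value "$file" "$profile" source_profile)

  case $role_arn in
    arn:aws:iam::*:role/"$EXPECTED_ROLE") ;;
    "") echo "$profile: no role_arn (profile missing or not a role profile)" >&2; findings=1 ;;
    *)  echo "$profile: role_arn is not the $EXPECTED_ROLE role: $role_arn" >&2; findings=1 ;;
  esac
  case $mfa in
    arn:aws:iam::*:mfa/*) ;;
    *) echo "$profile: mfa_serial is missing or not an IAM MFA device ARN" >&2; findings=1 ;;
  esac
  [ -n "$src" ] || { echo "$profile: no source_profile to assume the role from" >&2; findings=1; }
  return "$findings"
}

# Constructed sample input: a foo-vpn role profile shaped like the one this
# README describes, plus a weakened copy (wrong role, no MFA).
sample_config() {
  cat <<'EOF'
[profile foo-security]
region=us-west-2

[profile foo-vpn]
region=us-west-2
role_arn=arn:aws:iam::11111111111:role/openvpn-allow-certificate-requests-for-external-accounts
mfa_serial=arn:aws:iam::22222222222:mfa/user@company.com
source_profile=foo-security

[profile foo-vpn-weak]
region = us-west-2
role_arn = arn:aws:iam::11111111111:role/some-broader-role
source_profile = foo-security
EOF
}

# With a profile name, lint the real config; with no arguments, lint the sample.
if [ $# -ge 1 ]; then
  check_vpn_profile "${AWS_CONFIG_FILE:-$HOME/.aws/config}" "$1"
else
  demo=$(mktemp) && sample_config > "$demo"
  for p in foo-vpn foo-vpn-weak; do
    if check_vpn_profile "$demo" "$p"; then echo "$p: ok"; fi
  done
  rm -f "$demo"
fi
```

Run it with the profile name as the only argument before assuming the role; a non-zero exit means the profile has drifted from the shape shown in this section.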
Using profiles
To use a named profile, set the AWS_PROFILE environment variable. This tool does not implement CLI flags (e.g. the --profile flag in the AWS CLI) for setting named profiles.
New Certificate Request Workflow
[Diagram: openvpn-request-flow-diagram]
Revoke Certificate Workflow
[Diagram: openvpn-revoke-flow-diagram]