Complete OpenVPN Setup for Carel Boss Devices on Rocky Linux 9.5
Prerequisites
- Rocky Linux 9.5 server with root/sudo access
- Public IP or domain name reachable on 1194/UDP
- Boss web access to upload client certificates
Step 1: Install Required Packages
sudo dnf -y install epel-release
sudo dnf -y install openvpn easy-rsa
Why:
- epel-release — enables Extra Packages for Enterprise Linux (required by some tooling)
- openvpn — installs the VPN server software and systemd unit files
- easy-rsa — provides scripts to create a private CA and issue server/client certificates
Step 2: Prepare Easy-RSA Working Directory
sudo mkdir -p /etc/openvpn/server/easy-rsa
sudo cp -r /usr/share/easy-rsa/3/* /etc/openvpn/server/easy-rsa/
cd /etc/openvpn/server/easy-rsa
Why:
- Create a dedicated PKI workspace (keeps things tidy)
- Copy Easy-RSA scripts so your PKI is self-contained
- Move into that directory to run CA/PKI commands
Step 3: Define Certificate Defaults (vars)
Edit file:
nano /etc/openvpn/server/easy-rsa/vars
Add:
set_var EASYRSA_REQ_COUNTRY "PL"
set_var EASYRSA_REQ_PROVINCE "Malopolskie"
set_var EASYRSA_REQ_CITY "Krakow"
set_var EASYRSA_REQ_ORG "BossVPN"
set_var EASYRSA_REQ_EMAIL "admin@icelab.pl"
set_var EASYRSA_REQ_OU "IT"
Why: Pre-fills certificate subjects so you don’t type them repeatedly — consistency and speed.
Step 4: Build the PKI, CA, Server Keys and DH
./easyrsa init-pki
./easyrsa --batch build-ca nopass
./easyrsa --batch build-server-full boss-vpn nopass
./easyrsa gen-dh
./easyrsa gen-crl
Why each step matters:
- init-pki — scaffolds the PKI folders
- build-ca — creates the root Certificate Authority (keep its private key safe!)
- build-server-full — issues the server’s identity certificate
- gen-dh — generates the Diffie-Hellman parameters used for key exchange
- gen-crl — lets the server reject revoked client certificates
Step 5: Create the OpenVPN Server Config
Edit file:
nano /etc/openvpn/server/boss-vpn.conf
Minimal production configuration:
# === Network ===
port 1194 # UDP port for VPN
proto udp # UDP is faster/leaner for VPN
dev tun # Layer-3 routed tunnel
topology subnet # Modern addressing model
server 10.200.0.0 255.255.255.0 # VPN subnet (srv .1, clients .2-.254)
# === Security / hardening ===
user nobody # Drop privileges after start
group nobody
tls-version-min 1.2 # Enforce modern TLS
data-ciphers AES-256-GCM # Preferred data cipher
data-ciphers-fallback AES-256-GCM
remote-cert-tls client # Require client certs signed by our CA
crl-verify /etc/openvpn/server/easy-rsa/pki/crl.pem # Reject revoked certs
max-clients 50 # Soft cap for concurrent clients
# === Certificates ===
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/boss-vpn.crt
key /etc/openvpn/server/easy-rsa/pki/private/boss-vpn.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
# === Client behavior ===
keepalive 10 120 # Detect dead peers; reduce stale sessions
persist-key # Don't re-read keys on restart
persist-tun # Don't tear down the tunnel device
explicit-exit-notify 1 # Signal clients on server stop/restart
# === Per-client overrides ===
client-config-dir /etc/openvpn/server/ccd # Static IPs per client
client-to-client # Enabled so Windows laptop can reach Boss devices
# === Logging ===
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3 # Reasonable verbosity
Step 6: Create CCD (Per-Client Overrides)
sudo mkdir -p /etc/openvpn/server/ccd
nano /etc/openvpn/server/ccd/boss-ABC123
File content:
ifconfig-push 10.200.0.10 255.255.255.0
Why: Gives the device a predictable VPN IP — vital for monitoring or static routing.
Step 7: Protect Private Keys and Set Ownership
sudo chmod 600 /etc/openvpn/server/easy-rsa/pki/private/*.key
sudo chown -R root:nobody /etc/openvpn/server/ccd
sudo chmod 750 /etc/openvpn/server/ccd
sudo chmod 640 /etc/openvpn/server/ccd/*
Why: Keys must be unreadable by other users; the CCD directory stays controlled by root.
Note: On Rocky Linux, OpenVPN drops privileges to nobody:nobody. For the VPN to read CCD (client-config-dir) files, set the group to nobody and ensure proper read/execute rights. Otherwise, you’ll see Permission denied (errno=13) in the logs when clients connect.
Step 8: Enable IP Forwarding
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Why: Allows routing between VPN and other networks.
Step 9: Start & Enable the OpenVPN Service
sudo systemctl enable --now openvpn-server@boss-vpn
sudo systemctl status openvpn-server@boss-vpn
Why: Starts now and at boot; status confirms it is running.
Step 10: Issue a Client Certificate (Boss Device)
cd /etc/openvpn/server/easy-rsa
./easyrsa --batch build-client-full boss-ABC123 nopass
Why: Creates a unique identity for each device.
Naming rule: boss-<last6_MAC_digits> (e.g., boss-ABC123)
Step 11: Prepare Files for Boss Web API
sudo cp /etc/openvpn/server/easy-rsa/pki/ca.crt ~/boss-41540D-ca.crt
sudo cp /etc/openvpn/server/easy-rsa/pki/issued/boss-41540D.crt ~/boss-41540D-cert.crt
sudo cp /etc/openvpn/server/easy-rsa/pki/private/boss-41540D.key ~/boss-41540D-key.key
Why: Boss expects separate CA, client cert and private key files.
Step 12: Configure the Boss Device (Web UI)
In the Boss web interface:
Settings → VPN Client Config → Add Generic VPN
Fill in:
- TUN / UDP / Remote: YOUR_SERVER_IP / Port: 1194
- Authentication: Client certificate
- Upload: CA cert, Client cert, Private key
- Cipher: AES-256-GCM
- Auth: SHA256
- TLS Crypt: Leave unchecked
- Save and Activate: Click “SAVE” — the Boss device will automatically connect
Why: These settings must match the server configuration.
Step 13: Verify Connection
On the server:
sudo cat /var/log/openvpn-status.log
sudo tail -f /var/log/openvpn.log
Why: Confirms the client authenticated and received the expected IP.
Step 14: Day-to-Day Operations
List issued certs:
ls /etc/openvpn/server/easy-rsa/pki/issued/boss-*
Check connected devices:
sudo cat /var/log/openvpn-status.log
Revoke a device:
cd /etc/openvpn/server/easy-rsa
./easyrsa revoke boss-ABC123
./easyrsa gen-crl
sudo systemctl restart openvpn-server@boss-vpn
Why: Revocation + CRL ensures a lost/stolen device cannot reconnect.
Troubleshooting
- Service won’t start → journalctl -u openvpn-server@boss-vpn -b
- No traffic beyond server → check IP forwarding and firewall/NAT
- Wrong IP on client → check CCD filename matches client CN exactly
- Multiple clients → allowed to talk to each other (client-to-client enabled)
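To check the "received the expected IP" point from Step 13 and the "wrong IP" item above in one go, here is an added shell example (not part of the original guide) that compares a client's ifconfig-push address with the virtual address in openvpn-status.log; it runs against a constructed status log and CCD directory in a temp dir, so paths and the sample clients are assumptions.

```shell
# Added example, not from the original guide: verify that a connected Boss
# client received the VPN IP pinned in its CCD file. Constructed CCD files and
# status log (status-version 1 layout) live in a temp dir; on the real server
# use /etc/openvpn/server/ccd and /var/log/openvpn-status.log instead.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/ccd"
printf 'ifconfig-push 10.200.0.10 255.255.255.0\n' > "$DEMO/ccd/boss-ABC123"
printf 'ifconfig-push 10.200.0.11 255.255.255.0\n' > "$DEMO/ccd/boss-41540D"
cat > "$DEMO/openvpn-status.log" <<'EOF'
OpenVPN CLIENT LIST
Updated,2025-01-01 12:00:00
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
boss-ABC123,203.0.113.5:51234,12345,67890,2025-01-01 11:00:00
boss-41540D,198.51.100.7:40001,500,600,2025-01-01 11:30:00
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.200.0.10,boss-ABC123,203.0.113.5:51234,2025-01-01 12:00:00
10.200.0.23,boss-41540D,198.51.100.7:40001,2025-01-01 12:00:00
GLOBAL STATS
END
EOF
# ccd_ip CCD_DIR CN: print the IP from ifconfig-push; fail if no CCD file exists
ccd_ip() {
    [ -f "$1/$2" ] || return 1
    awk '$1 == "ifconfig-push" { print $2; exit }' "$1/$2"
}
# status_ip STATUS_LOG CN: print the client's virtual address from ROUTING TABLE
status_ip() {
    awk -F, -v cn="$2" '
        /^ROUTING TABLE/ { rt = 1; next }
        /^GLOBAL STATS/  { rt = 0 }
        rt && $2 == cn   { print $1; exit }' "$1"
}
# check_client CCD_DIR STATUS_LOG CN: 0 when the assigned IP equals the CCD one
check_client() {
    cn=$3
    printf '%s\n' "$cn" | grep -Eq '^boss-[0-9A-Fa-f]{6}$' ||
        { echo "$cn: name must be boss-<last6_MAC_digits>" >&2; return 1; }
    want=$(ccd_ip "$1" "$cn") ||
        { echo "$cn: no CCD file (filename must equal the cert CN)" >&2; return 1; }
    got=$(status_ip "$2" "$cn")
    [ -n "$got" ] || { echo "$cn: not in status log (not connected)" >&2; return 1; }
    [ "$got" = "$want" ] && { echo "$cn: OK, has $got"; return 0; }
    echo "$cn: has $got but CCD pins $want" >&2
    return 1
}
for c in boss-ABC123 boss-41540D; do
    check_client "$DEMO/ccd" "$DEMO/openvpn-status.log" "$c" || :
done
```

A mismatch like the second sample client usually means the CCD filename differs from the certificate CN or the CCD directory is unreadable by the nobody user (Step 7).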
Summary
You now have:
- An OpenVPN server on Rocky Linux 9.5 with modern crypto
- Boss devices authenticated by unique certificates
- client-to-client enabled so your Windows laptop can reach Boss devices
- Clear operational routines (status, revoke, logs)
Next steps: back up your CA private key and keep monitoring openvpn-status.log.