The oVirt datacenter in Phoenix has several internal networks used for various purposes. Since they are not reachable from the outside, the easiest way to connect is via VPN. An OpenVPN service is available and served by

OpenVPN uses TLS to authenticate users and encrypt traffic. It runs over TCP on port 443, which is permitted by most network firewalls and proxies.

Add a new user

To allow a new user access to the VPN, a certificate must be generated and signed by the OpenVPN CA. The user can provide the CSR file, but in this example we generate the key and certificate on the CA and sign it immediately.

First, log in to the machine that holds the oVirt OpenVPN CA. At the time of writing the CA is on the PHX Gateway. Root access to this machine and the CA password are required to perform signing tasks.

$ ssh
$ sudo su -
# cd /etc/openvpn/ssl/ca

The CA uses a wrapper around openssl called easyrsa that is suited specifically for use with OpenVPN.

To generate a certificate and a private key without a passphrase for user testuser, run:

./easyrsa build-client-full testuser nopass

The script will ask for the CA password and generate files in the following locations:

pki/private/testuser.key - private key
pki/issued/testuser.crt - signed certificate

The client also needs the CA certificate, which is located here:


OpenVPN config template

Ensure the client system has OpenVPN installed; it is provided by the "openvpn" package on all major distributions.

The data above is inserted into this template, which is saved as /etc/openvpn/client/ovirt.conf on the client system. Each placeholder is replaced with the full PEM contents of the corresponding file, wrapped in the inline directive shown.

# client mode: act as TLS client and accept options pushed by the server
client
dev tun4
proto tcp
remote 443
remote 443
resolv-retry infinite
cipher AES-128-CBC
verb 3
<ca>
...CA certificate goes here...
</ca>
<cert>
...Client certificate goes here...
</cert>
<key>
...Private key goes here...
</key>

After it is saved, enable and start the service so that it runs permanently:

systemctl enable openvpn-client@ovirt
systemctl start openvpn-client@ovirt

Alternatively, import the config file into NetworkManager to connect through the applet when needed. In this case the certificates and keys must be saved in a location that NetworkManager can read.
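
As an added example (not oVirt's own tooling), the following POSIX shell script assembles the inline client config shown above from the files easyrsa produced. It assumes the easyrsa layout (pki/ca.crt plus the issued/ and private/ paths listed earlier), takes the VPN host name as an argument because it is not given on this page, and additionally sets remote-cert-tls server so the client only accepts a certificate issued for server use.

```shell
#!/bin/sh
# Added example, not part of oVirt's own tooling: assemble the inline client
# config shown above from the files easyrsa left under pki/.
# Assumptions: the easyrsa layout (pki/ca.crt, pki/issued/<user>.crt,
# pki/private/<user>.key) and a VPN host name supplied by the caller, since
# this page does not state it.
set -eu

# Print only the PEM body of a file. easyrsa's issued .crt files carry a
# human-readable text dump ahead of the certificate, which is dropped here.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Usage: build_client_config <user> <pki dir> <vpn host> <output file>
build_client_config() {
    user=$1 pki=$2 host=$3 out=$4
    ca="$pki/ca.crt" crt="$pki/issued/$user.crt" key="$pki/private/$user.key"
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # umask 077 in a subshell: the file holds a private key, so it is created
    # readable by its owner only, before any key material is written.
    (
        umask 077
        {
            printf '%s\n' client 'dev tun4' 'proto tcp' "remote $host 443" \
                'resolv-retry infinite' 'remote-cert-tls server' \
                'cipher AES-128-CBC' 'verb 3'
            printf '<ca>\n';   pem_block "$ca";  printf '</ca>\n'
            printf '<cert>\n'; pem_block "$crt"; printf '</cert>\n'
            printf '<key>\n';  pem_block "$key"; printf '</key>\n'
        } > "$out"
    )
    # Sanity check: exactly three PEM blocks (CA, certificate, key) were embedded.
    n=$(grep -c '^-----BEGIN ' "$out" || true)
    [ "$n" -eq 3 ] || { echo "expected 3 PEM blocks in $out, found $n" >&2; return 1; }
}

# Stand-alone use, e.g.:
#   sh make-client-conf.sh testuser /etc/openvpn/ssl/ca/pki vpn.example.org ovirt.conf
if [ "$#" -ne 0 ]; then
    build_client_config "$@"
fi
```

The resulting file is written with mode 0600 and can be copied to /etc/openvpn/client/ovirt.conf on the client as described above.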

Delete a user

To ensure an existing user can no longer connect, the certificate needs to be revoked by the CA. For that, go to the CA directory as described in the user creation step and run:

./easyrsa revoke testuser

After the revocation, generate a new CRL file so that OpenVPN learns about the change:

./easyrsa gen-crl

OpenVPN re-reads this file each time a client connects, so no restart is necessary.