

OpenVPN

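# Build a small PKI with easy-rsa and install the server-side material for
# OpenVPN. The commands are meant to be run one by one as root; easyrsa
# prompts interactively (CA passphrase, common names, signing confirmation).
pacman -S easy-rsa
cd /etc/easy-rsa
export EASYRSA="$PWD"
easyrsa init-pki
easyrsa build-ca

# The CA cert and key will be generated
# see /etc/easy-rsa/pki/ca.crt
# and /etc/easy-rsa/pki/private/ca.key
# ca.key can sign a certificate for any identity in this VPN: protect it with
# a strong passphrase and, where practical, keep the PKI directory on a host
# other than the VPN server.

# copy the CA cert (public, safe to distribute) to the openvpn directory
cp /etc/easy-rsa/pki/ca.crt /etc/openvpn/server/ca.crt

# cert requests
# "nopass" writes the private key unencrypted, so file permissions are the
# only protection for it. That is the usual choice for a server that must
# start unattended; for the client, omit nopass if a passphrase prompt is
# acceptable.
easyrsa gen-req servername nopass
easyrsa gen-req clientname nopass

# sign the requests with the CA created above (these are CA-signed, not
# self-signed, certificates)
easyrsa sign-req server servername
easyrsa sign-req client clientname

# the requests, private keys and signed certs are written to:
#   /etc/easy-rsa/pki/reqs/servername.req
#   /etc/easy-rsa/pki/private/servername.key
#   /etc/easy-rsa/pki/issued/servername.crt
#
#   /etc/easy-rsa/pki/reqs/clientname.req
#   /etc/easy-rsa/pki/private/clientname.key
#   /etc/easy-rsa/pki/issued/clientname.crt
#
# clientname.key was generated on this host, so it has to reach the client
# over a protected channel and should not be left in places other users can
# read.

# copy the server cert and the matching server key to the openvpn server
# directory. The key must be servername.key: the client's key does not match
# servername.crt, and the client's private key has no place on the server.
cp /etc/easy-rsa/pki/issued/servername.crt /etc/openvpn/server/servername.crt
cp /etc/easy-rsa/pki/private/servername.key /etc/openvpn/server/servername.key

# Diffie-Hellman parameters (not secret) and the static TLS auth key (secret).
openssl dhparam -out /etc/openvpn/server/dh.pem 2048
# NOTE(review): OpenVPN 2.5 and later deprecate "--genkey --secret FILE" in
# favour of "--genkey secret FILE"; use whichever form the installed version
# accepts.
openvpn --genkey --secret /etc/openvpn/server/ta.key

# Afterwards, check that servername.key and ta.key are readable only by the
# account the OpenVPN service runs as (ls -l /etc/openvpn/server).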