Certman is a simple certificate manager web service for OpenVPN.
**For usage tips, please consult
There are prebuilt binary files for this application. They are statically linked and have no additional dependencies. Supported plattforms are:
- Windows (XP and up)
- Linux (2.6.16 and up)
- Linux ARM (for raspberry pi, 3.0 and up) Simply download them from the "artifacts" section of this project.
A prebuilt docker image (10MB) is available:
docker pull zombi/certman
You can easily build your own docker image from source
docker build -t zombi/certman .
Certman assumes the root certificates of the VPN CA are located in the same
directory as the binary, If that is not the case you need to copy over the
ca.key files before you are able to generate certificates
with this tool.
Additionally, the project is configured by the following environment variables:
OAUTH2_CLIENT_IDthe Client ID, assigned during client registration
OAUTH2_CLIENT_SECRETthe Client secret, assigned during client registration
OAUTH2_AUTH_URLthe URL to the "/authorize" endpoint of the identity provider
OAUTH2_TOKEN_URLthe URL to the "/token" endpoint of the identity provider
OAUTH2_REDIRECT_URLthe redirect URL used by the app, usually the hostname suffixed by "/login/oauth2/redirect"
USER_ENDPOINTthe URL to the Identity provider user endpoint, for gitlab this is "/api/v4/user". The "username" attribute of the returned JSON will used for authentication.
APP_LISTENport and ip to listen on, e.g.
VPN_DEVwhich device is used by the network, either
tap(check server cfg)
VPN_HOSTHostname or IP address of the server
VPN_PORTPort of the VPN server
VPN_PROTOProtocol of the VPN server, either
There are some files that need to be mounted inside the container:
/ca.crtthe certificate of the server PKI
/ca.keythe key of the server PKI, unencrypted
/ta.keyshared HMAC secret of server and client
/clients.jsonthe generated certificates for each client
There is an
docker-compose.yml example you can use as a base for your own docker-compose service.