stonevpn man page

stonevpn — Easy OpenVPN certificate and configuration management


stonevpn -f filename -n commonname [ Options ]


StoneVPN allows you to manage OpenVPN certificates and create configurations for Windows and Linux machines based on a template. It can package everything into a zipfile and mail it to a user.



Show program's version number and exit

-h, --help

Show the help message and exit

-D, --debug

Enable debugging information. You probably don't want to use this option as it prints quite useless information for normal usage.

-n CNAME, --name=CNAME

Common Name, use quotes eg.: "John Cleese"

-f FNAME, --file=FNAME

Write to file FNAME (no extension!)

-o CONFS, --config=CONFS

Create config files for [ windows | unix |  mac | all ]

When supplying all StoneVPN will generate configuration files for all three Operating Systems.

-e FPREFIX, --prefix=FPREFIX

Prefix (almost all) generated files. For example, if you set FPREFIX to 'mycorp', generated files will look like 'mycorp-user.crt/zip/key'


Package all generated files into a ZIP file.


Send all generated files by e-mail to EMAILADDRESS. You might want to encrypt the user's key with a password when using this method.


Locate and assign free ip by parsing the OpenVPN server configuration file (more specifically the 'ifconfig-pool' line), and client configuration files within the ccd directory.


Prompt for a passphrase when generating the user's private key. Leave empty to provide one on the commandline. For example:

 stonevpn -f user -n "User Name" -p mysecret


Include passphrase in e-mail body (only useful with the '-m' option). You might want to change the mail_passtxt variable in stonevpn.conf as well.


Generate a random password of RANDPASS characters. For example, to generate an 8 character passphrase:

 stonevpn -f user -n "User Name" -R 8


Include extra files when generating a certificate. When also specifying the --zip option, these will be packed in the zip file. Else, they will remain in a subdirectory of the working directory, based on the given FNAME. Use the full path to the filename to be included. You can use this option multiple times:

 stonevpn -f user -n "User Name" -E /path/to/file1 -E /path/to/file2


Use this IP address for the server when generating the configuration file, overriding the one specified in stonevpn.conf

-r SERIAL, --revoke=SERIAL

Revoke certificate with serial SERIAL

-u ROUTE, --route=ROUTE

Push extra route(s) to client by means of a client configuration file on the server. For example:

 stonevpn -f user -n "User Name" -u

You can specify multiple routes with another '-u <route>'. This will write the route(s) to /etc/openvpn/cdd/Test_User


List revoked certificates


Display CRL file contents


List all certificates


Display current SSL serial number


Prints information about a certficiate file


Prints index file


Certificate expires in EXPIREDATE hours/days/years instead of the default specified in the openssl.cnf. For example:

 stonevpn -f user -n "User Name" -x 3h   # valid for 3 hours
 stonevpn -f user -n "User Name" -x 2d   # same, but 2 days
 stonevpn -f user -n "User Name" -x 1y   # and for one year


Create an empty CRL file (or overwrite an existing one)


Danger, Will Robinson, Danger! test parameter - can do anything! Review source before executing!



Configuration file. See stonevpn(5) for further details.


Create a certificate and (Unix) configuration file for John Cleese and pack everything into

stonevpn -f johncleese -n "John Cleese" -z

The same, but now encrypt the user's private key with a password and email the zipfile to them:

stonevpn -f johncleese -n "John Cleese" -z -p -m user@domain.tld


Please report bugs on or mail the author.


Léon Keijser <keijser at stone-it dot com>

See Also



May 2010 StoneVPN User Manual