diff --git a/pkgs/tools/networking/easyrsa/default.nix b/pkgs/tools/networking/easyrsa/default.nix
index e49c32aac704..2b41f8ca1d3c 100644
--- a/pkgs/tools/networking/easyrsa/default.nix
+++ b/pkgs/tools/networking/easyrsa/default.nix
@@ -1,39 +1,33 @@
-{ stdenv, fetchurl, autoconf, automake111x, makeWrapper
-, gnugrep, openssl}:
+{ stdenv, fetchFromGitHub, openssl }:
 
-stdenv.mkDerivation rec {
-  name = "easyrsa-2.2.0";
+let
+  version = "3.0.0";
+in stdenv.mkDerivation rec {
+  name = "easyrsa-${version}";
 
-  src = fetchurl {
-    url = "https://github.com/OpenVPN/easy-rsa/archive/v2.2.0.tar.gz";
-    sha256 = "1xq4by5frb6ikn53ss3y8v7ss639dccxfq8jfrbk07ynkmk668qk";
+  src = fetchFromGitHub {
+    owner = "OpenVPN";
+    repo = "easy-rsa";
+    rev = "v${version}";
+    sha256 = "0wbdv3wmqwm5680rpb971l56xiw49adpicqshk3vhfmpvqzl4dbs";
   };
 
-  # Copy missing files and autoreconf
-  preConfigure = ''
-    cp ${automake111x}/share/automake/install-sh .
-    cp ${automake111x}/share/automake/missing .
+  patches = [ ./fix-paths.patch ];
 
-    autoreconf
-  '';
+  installPhase = ''
+    mkdir -p $out/share/easyrsa
+    cp -r easyrsa3/{openssl*.cnf,x509-types,vars.example} $out/share/easyrsa
+    install -D -m755 easyrsa3/easyrsa $out/bin/easyrsa
+    substituteInPlace $out/bin/easyrsa \
+      --subst-var out \
+      --subst-var-by openssl ${openssl}/bin/openssl
 
-  preBuild = ''
-    mkdir -p $out/share/easy-rsa
-  '';
-
-  nativeBuildInputs = [ autoconf makeWrapper automake111x ];
-  buildInputs = [ gnugrep openssl];
-
-  # Make sane defaults and patch default config vars
-  postInstall = ''
-    cp $out/share/easy-rsa/openssl-1.0.0.cnf $out/share/easy-rsa/openssl.cnf
-    for prog in $(find "$out/share/easy-rsa" -executable -type f); do
-      makeWrapper "$prog" "$out/bin/$(basename $prog)" \
-        --set EASY_RSA "$out/share/easy-rsa" \
-        --set OPENSSL "${openssl}/bin/openssl" \
-        --set GREP "${gnugrep}/bin/grep"
-    done
-    sed -i "/EASY_RSA=\|OPENSSL=\|GREP=/d" $out/share/easy-rsa/vars
+    # Helper utility
+    cat > $out/bin/easyrsa-init <<EOF
+    #!${stdenv.shell} -e
+    cp -r $out/share/easyrsa/* .
+    EOF
+    chmod +x $out/bin/easyrsa-init
   '';
 
   meta = with stdenv.lib; {
diff --git a/pkgs/tools/networking/easyrsa/fix-paths.patch b/pkgs/tools/networking/easyrsa/fix-paths.patch
new file mode 100644
index 000000000000..82688fa79460
--- /dev/null
+++ b/pkgs/tools/networking/easyrsa/fix-paths.patch
@@ -0,0 +1,33 @@
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index 6fec288..210648a 100755
+--- a/easyrsa3/easyrsa
++++ b/easyrsa3/easyrsa
+@@ -1003,7 +1003,7 @@ Note: using Easy-RSA configuration from: $vars"
+ 	
+ 	# Set defaults, preferring existing env-vars if present
+ 	set_var EASYRSA		"$PWD"
+-	set_var EASYRSA_OPENSSL	openssl
++	set_var EASYRSA_OPENSSL	"@openssl@"
+ 	set_var EASYRSA_PKI	"$EASYRSA/pki"
+ 	set_var EASYRSA_DN	cn_only
+ 	set_var EASYRSA_REQ_COUNTRY	"US"
+@@ -1030,13 +1030,17 @@ Note: using Easy-RSA configuration from: $vars"
+ 	# Detect openssl config, preferring EASYRSA_PKI over EASYRSA
+ 	if [ -f "$EASYRSA_PKI/openssl-1.0.cnf" ]; then
+ 		set_var EASYRSA_SSL_CONF	"$EASYRSA_PKI/openssl-1.0.cnf"
+-	else	set_var EASYRSA_SSL_CONF	"$EASYRSA/openssl-1.0.cnf"
++	elif [ -f "$EASYRSA/openssl-1.0.cnf" ]; then
++		set_var EASYRSA_SSL_CONF	"$EASYRSA/openssl-1.0.cnf"
++	else	set_var EASYRSA_SSL_CONF	"@out@/share/easyrsa/openssl-1.0.cnf"
+ 	fi
+ 
+ 	# Same as above for the x509-types extensions dir
+ 	if [ -d "$EASYRSA_PKI/x509-types" ]; then
+ 		set_var EASYRSA_EXT_DIR		"$EASYRSA_PKI/x509-types"
+-	else	set_var EASYRSA_EXT_DIR		"$EASYRSA/x509-types"
++	elif [ -d "$EASYRSA/x509-types" ]; then
++		set_var EASYRSA_EXT_DIR		"$EASYRSA/x509-types"
++	else	set_var EASYRSA_EXT_DIR		"@out@/share/easyrsa/x509-types"
+ 	fi
+ 
+ 	# EASYRSA_ALGO_PARAMS must be set depending on selected algo