OpenVPN: Connect your LANs over the Internet

The keys

by ross at 05:48:36 on January 15, 2013

You can use one of two approaches: a simple static key (which connects a single client to a single server) or a full public key infrastructure (PKI), which lets multiple clients connect to one server.

Choose your method and generate the keys now.

Static key

# cd /usr/local/etc/openvpn
# openvpn --genkey --secret static.key

That's it. Now copy static.key to the client.

PKI

You should build OpenVPN with the EASY-RSA option turned on.

Create an easy-rsa dir for our setup:

# cp -R /usr/local/share/easy-rsa /usr/local/etc/openvpn/officelan-rsa
# cd /usr/local/etc/openvpn/officelan-rsa

Edit /usr/local/etc/openvpn/officelan-rsa/vars (bottom of the file):

export KEY_COUNTRY="US"
export KEY_PROVINCE="Province"
export KEY_CITY="City"
export KEY_ORG="Your Company"
export KEY_EMAIL="root@example.com"
export KEY_OU=

Then source the file and build the CA:

# sh
# . ./vars
# ./clean-all
# ./build-ca

You can just press enter for every question.

Create a certificate and key for the server:

# ./build-key-server server.host.name

Create a certificate and key for a client:

# ./build-key client.host.name

Generate Diffie-Hellman parameters:

# ./build-dh

Copy files to client

The keys are in officelan-rsa/keys. Copy the following files to the client (into /usr/local/etc/openvpn):

  • Save ca.crt as openvpn_officelan.ca.crt there.
  • Save dh1024.pem as openvpn_officelan.dh1024.pem there.
  • Save client.host.name.crt as openvpn_officelan.crt there.
  • Save client.host.name.key as openvpn_officelan.key there.
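Before copying, it is worth checking that the four files actually belong together. The script below is an added example, not part of the original post; it assumes the openvpn_officelan.* names used above, an openssl binary, and the directory holding the files as its argument.

```shell
#!/bin/sh
# Added check, not part of the original post: verify the four files destined
# for the client before copying them into /usr/local/etc/openvpn.
# Assumes the openvpn_officelan.* names used above and an openssl binary.
check_client_files() {
    dir="$1"
    ca="$dir/openvpn_officelan.ca.crt"
    crt="$dir/openvpn_officelan.crt"
    key="$dir/openvpn_officelan.key"
    dh="$dir/openvpn_officelan.dh1024.pem"

    for f in "$ca" "$crt" "$key" "$dh"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # 1. The client certificate must chain to the CA built with build-ca,
    #    otherwise the server will reject the handshake.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "certificate is not signed by this CA" >&2; return 2; }

    # 2. Certificate and private key must belong together. Comparing the
    #    SubjectPublicKeyInfo works for RSA and EC keys alike.
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$pub_crt" ] && [ "$pub_crt" = "$pub_key" ] \
        || { echo "certificate and key do not match" >&2; return 3; }

    # 3. Refuse a certificate that has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired" >&2; return 4; }

    # 4. The private key must be readable by its owner only.
    #    (GNU stat first, then the BSD form used on FreeBSD.)
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null || true)
    case "$mode" in
        600|400) ;;
        *) echo "key mode is '$mode', expected 600 or 400" >&2; return 5 ;;
    esac
    echo "ok: $dir"
    return 0
}
```

Run it as `check_client_files /path/to/staging/dir`; a non-zero exit code tells you which check failed (1 missing file, 2 CA mismatch, 3 key mismatch, 4 expired, 5 permissions).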

Another client

In order to create a key and certificate for another client later:

# cd /usr/local/etc/openvpn/officelan-rsa
# sh
# . ./vars
# ./build-key another.client.hostname
