You can use one of two approaches: a simple static key (which connects a single client to a single server) or a more complex public key infrastructure (PKI), which allows multiple clients to connect to one server.
Choose your method and generate the keys now.
# cd /usr/local/etc/openvpn
# openvpn --genkey --secret static.key
That's it. Now copy static.key to the client.
You should build OpenVPN with the EASY-RSA option turned on.
Create easy-rsa dir for our setup:
# cp -R /usr/local/share/easy-rsa /usr/local/etc/openvpn/officelan-rsa
# cd /usr/local/etc/openvpn/officelan-rsa
Edit /usr/local/etc/openvpn/officelan-rsa/vars (bottom of the file):
export KEY_COUNTRY="US"
export KEY_PROVINCE="Province"
export KEY_CITY="City"
export KEY_ORG="Your Company"
export KEY_EMAIL="firstname.lastname@example.org"
export KEY_OU=
# sh
# . ./vars
# ./clean-all
# ./build-ca
You can just press Enter for every question.
Create certificate and key for server:
# ./build-key-server server.host.name
Create certificate and key for a client:
# ./build-key client.host.name
Generate Diffie Hellman parameters:
Copy files to client
The keys are here: officelan-rsa/keys. Copy the following files to the client (to /usr/local/etc/openvpn):
- Save ca.crt as openvpn_officelan.ca.crt there.
- Save dh1024.pem as openvpn_officelan.dh1024.pem there.
- Save client.host.name.crt as openvpn_officelan.crt there.
- Save client.host.name.key as openvpn_officelan.key there.
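An added example (not part of the original guide): a shell function to run on the client after copying, which checks that the four files listed above are present, that the private key is not readable by group or others, that the client certificate verifies against the CA and matches the key, and which warns when the Diffie-Hellman parameters are shorter than 2048 bits. The function names are hypothetical; it assumes openssl(1) is installed and that the key is unencrypted, as ./build-key produces.

```shell
#!/bin/sh
# Added example: sanity-check the client files named in the list above.
# Assumptions: openssl(1) is installed; the private key has no passphrase.

# True if the file has no group/other permission bits (e.g. mode 600 or 400).
key_is_private() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Size in bits of the DH parameters, parsed from openssl's text output.
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_bundle [dir]: returns 0 only if every check passes.
check_bundle() {
    d=${1:-/usr/local/etc/openvpn}; p=$d/openvpn_officelan; bad=0
    for f in "$p.ca.crt" "$p.dh1024.pem" "$p.crt" "$p.key"; do
        [ -f "$f" ] || { echo "missing: $f"; bad=1; }
    done
    [ "$bad" -eq 0 ] || return 1

    key_is_private "$p.key" ||
        { echo "key is readable by group/other: chmod 600 $p.key"; bad=1; }

    # The client certificate must chain to the CA that was copied with it.
    openssl verify -CAfile "$p.ca.crt" "$p.crt" >/dev/null 2>&1 ||
        { echo "certificate does not verify against the CA (wrong CA or expired)"; bad=1; }

    # The certificate and the private key must carry the same public key.
    cert_pub=$(openssl x509 -in "$p.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$p.key" -pubout 2>/dev/null)
    { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } ||
        { echo "private key does not match the certificate"; bad=1; }

    # Warning only: 1024-bit DH parameters are considered weak today.
    bits=$(dh_bits "$p.dh1024.pem")
    [ "${bits:-0}" -ge 2048 ] ||
        echo "warning: DH parameters are ${bits:-unknown} bits; 2048 or more is recommended" >&2
    return "$bad"
}
```

Source the file and run check_bundle (optionally with a directory argument); it prints one line per problem found.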
To create a key and certificate for another client later:
# cd /usr/local/etc/openvpn/officelan-rsa
# sh
# . ./vars
# ./build-key another.client.hostname