OpenVPN: Connect your LANs over the Internet

The keys

by ross at 05:48:36 on January 15, 2013

You can use one of two approaches: a simple static key (which connects a single client to a single server) or a more complex public key infrastructure (PKI, which lets multiple clients connect to one server).

Choose your method and generate the keys now.

Static key

# cd /usr/local/etc/openvpn
# openvpn --genkey --secret static.key

That's it. Now copy static.key to the client.


You should build OpenVPN with the EASY-RSA option turned on.

Create an easy-rsa directory for our setup:

# cp -R /usr/local/share/easy-rsa /usr/local/etc/openvpn/officelan-rsa
# cd /usr/local/etc/openvpn/officelan-rsa

Edit /usr/local/etc/openvpn/officelan-rsa/vars (bottom of the file):

export KEY_PROVINCE="Province"
export KEY_CITY="City"
export KEY_ORG="Your Company"
export KEY_EMAIL=""
export KEY_OU=

# sh
# . ./vars
# ./clean-all
# ./build-ca

You can just press Enter for every question.

Create certificate and key for server:

# ./build-key-server

Create certificate and key for a client:

# ./build-key

Generate Diffie Hellman parameters:

# ./build-dh

Copy files to client

The keys are in officelan-rsa/keys. Copy the following files to the client (to /usr/local/etc/openvpn):

  • Save ca.crt as there.
  • Save dh1024.pem as openvpn_officelan.dh1024.pem there.
  • Save as openvpn_officelan.crt there.
  • Save as openvpn_officelan.key there.
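
A permission and placement check for the key files handled above (static.key or the PKI files copied to the client), as an added example that is not part of the original article. It assumes the directory used here and that easy-rsa's build-ca left the CA private key as ca.key in the keys directory; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit an OpenVPN config directory after copying keys.
# Usage (script name is hypothetical): sh audit-keys.sh /usr/local/etc/openvpn

# Print "LOOSE <file>" for every *.key file that group or others can access.
check_key_perms() {
    dir=$1
    rc=0
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue          # glob matched nothing
        # Characters 5-10 of the ls mode string are the group/other bits.
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "LOOSE $f"
            rc=1
        fi
    done
    return $rc
}

# The CA private key signs new certificates; it stays on the CA host
# and should never be among the files copied to a client.
check_no_ca_key() {
    if [ -e "$1/ca.key" ]; then
        echo "CAKEY $1/ca.key"
        return 1
    fi
    return 0
}

# Run both checks; return non-zero if either one found a problem.
audit_openvpn_dir() {
    status=0
    check_key_perms "$1" || status=1
    check_no_ca_key "$1" || status=1
    return $status
}

if [ $# -gt 0 ]; then
    audit_openvpn_dir "$1"
fi
```

A LOOSE line is fixed with chmod 600 on the named file; a CAKEY line on a client means the CA key was copied along with the client files and should be removed from that machine.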

Another client

To create a key and certificate for another client later:

# cd /usr/local/etc/openvpn/officelan-rsa
# sh
# . ./vars
# ./build-key another.client.hostname