OpenVPN: Connect your LANs over the Internet

The keys

by ross at 09:04:18 on April 7, 2017

You can use one of two approaches: a simple static key (which connects a single client to a single server) or a more complex public key infrastructure (PKI, which allows multiple clients to connect to one server).

Choose your method and generate the keys now.

Static key

# cd /usr/local/etc/openvpn
# openvpn --genkey --secret static.key

That's it. Now copy static.key to the client.

PKI

You should build OpenVPN with the EASY-RSA option turned on.

Create an easy-rsa directory for our setup:

# cp -R /usr/local/share/easy-rsa ./officelan-rsa
# cd ./officelan-rsa

Prepare:

# ./easyrsa.real init-pki
# ./easyrsa.real build-ca
# ./easyrsa.real gen-dh

Create a certificate and key for the server:

# ./easyrsa.real build-server-full server.host.name nopass

Create a certificate and key for a client:

# ./easyrsa.real build-client-full client.host.name nopass

Copy files to the server and to the clients

Copy the following files to /usr/local/etc/openvpn:

  • Save pki/ca.crt as openvpn_officelan.ca.crt there.
  • Save pki/dh.pem as openvpn_officelan.dh.pem there.
  • Save pki/issued/<hostname-here>.crt as openvpn_officelan.crt there.
  • Save pki/private/<hostname-here>.key as openvpn_officelan.key there.

In order to add another client, rerun the build-client-full command with the new client's host name.
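As an added example (not part of the original post), a small shell function that performs the copy step above for one host: it refuses to start if any easy-rsa output file is missing, uses the openvpn_officelan.* names from the list, and makes the private key owner-only. The function name, the argument order and the 0600 mode are this example's choices.

```shell
#!/bin/sh
# install_openvpn_pki <easy-rsa dir> <hostname> <destination dir>
# Copies ca.crt, dh.pem and the host's certificate and key from an easy-rsa
# tree into the OpenVPN configuration directory using the naming scheme
# from the post (e.g. /usr/local/etc/openvpn as the destination).
install_openvpn_pki() {
    rsa_dir=$1
    host=$2
    dest=$3

    # Check every source file first, so a mistyped hostname does not leave
    # a half-installed configuration behind.
    for f in "$rsa_dir/pki/ca.crt" "$rsa_dir/pki/dh.pem" \
             "$rsa_dir/pki/issued/$host.crt" "$rsa_dir/pki/private/$host.key"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            return 1
        fi
    done

    mkdir -p "$dest" || return 1
    cp "$rsa_dir/pki/ca.crt"            "$dest/openvpn_officelan.ca.crt" || return 1
    cp "$rsa_dir/pki/dh.pem"            "$dest/openvpn_officelan.dh.pem" || return 1
    cp "$rsa_dir/pki/issued/$host.crt"  "$dest/openvpn_officelan.crt"    || return 1
    cp "$rsa_dir/pki/private/$host.key" "$dest/openvpn_officelan.key"    || return 1

    # The CA certificate, DH parameters and host certificate are public;
    # the private key must be readable by the owner only (0600 is this
    # example's choice, not an OpenVPN requirement).
    chmod 0600 "$dest/openvpn_officelan.key"
}
```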
