Changes between Initial Version and Version 1 of StaticKeyMiniHowto

07/24/14 12:22:49 (4 years ago)
Samuli Seppänen

Migrated content from


  • StaticKeyMiniHowto

[[TOC(inline, depth=1)]]

= Introduction =

Static key configurations offer the simplest setup, and are ideal for point-to-point VPNs or proof-of-concept testing.

= Static Key advantages =

 * Simple Setup
 * No X509 PKI (Public Key Infrastructure) to maintain

= Static Key disadvantages =

 * Limited scalability -- one client, one server
 * Lack of perfect forward secrecy -- key compromise results in total disclosure of previous sessions
 * Secret key must exist in plaintext form on each VPN peer
 * Secret key must be exchanged using a pre-existing secure channel
= Simple Example =

This example demonstrates a bare-bones point-to-point OpenVPN configuration. A VPN tunnel will be created with a server endpoint of and a client endpoint of Encrypted communication between client and server will occur over UDP port 1194, the default OpenVPN port.

Generate a static key:

$ openvpn --genkey --secret static.key

Copy the static key to both client and server, over a pre-existing secure channel. On each peer keep the file owned by root and readable only by its owner (mode 0600): anyone who can read it can decrypt every session, past and future.
== Server configuration file ==

dev tun
secret static.key

== Client configuration file ==

remote myremote.mydomain
dev tun
secret static.key
== Firewall configuration ==

Make sure that:

 * UDP port 1194 is open on the server, and
 * the virtual TUN interface used by OpenVPN is not blocked on either the client or server (on Linux, the TUN interface will probably be called tun0, while on Windows it will probably be called something like Local Area Connection n unless you rename it in the Network Connections control panel).

Bear in mind that 90% of all connection problems encountered by new OpenVPN users are firewall-related.
== Testing the VPN ==

Run OpenVPN using the respective configuration files on both server and client, changing myremote.mydomain in the client configuration to the domain name or public IP address of the server.

To verify that the VPN is running, you should be able to ping from the server and from the client.
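The procedure above (generate the key, copy it, write the two configs, start both sides) as one script. This is an added example, not code from the wiki page or from the OpenVPN project; the tunnel addresses 10.9.0.1/10.9.0.2, the server name vpn.example.net, the output directory and the check_static_key helper are all assumptions of this example. Besides writing the configs it checks the key file the way a practitioner should before copying it to the peer: header and footer present, exactly 2048 bits of hex key material, and a file mode that keeps the plaintext secret from other users.

```sh
#!/bin/sh
# Added example, not code from the wiki page: generate a static key, write the
# two point-to-point configs described above, and sanity-check the key file
# before it is copied to the peer.
# Assumptions (not in the original): tunnel addresses 10.9.0.1 (server) and
# 10.9.0.2 (client), server name vpn.example.net, output under $OUT_DIR.
set -eu

OUT_DIR="${OUT_DIR:-./static-key-example}"
SERVER_TUN_IP="${SERVER_TUN_IP:-10.9.0.1}"
CLIENT_TUN_IP="${CLIENT_TUN_IP:-10.9.0.2}"
SERVER_NAME="${SERVER_NAME:-vpn.example.net}"   # assumed; use the real DNS name or IP

# Generate the shared key with OpenVPN itself. The subshell umask makes the
# file 0600 from the start: the key is plaintext secret material.
generate_key() {
    ( umask 077 && openvpn --genkey --secret "$1" )
}

# Write the server and client configs. "secret static.key 0" on one side and
# "secret static.key 1" on the other make OpenVPN use different halves of the
# 2048-bit key for each direction; cipher/auth are explicit so both peers agree.
write_configs() {
    dir="$1"
    cat > "$dir/server.conf" <<EOF
dev tun
ifconfig $SERVER_TUN_IP $CLIENT_TUN_IP
secret static.key 0
cipher AES-256-CBC
auth SHA256
keepalive 10 60
EOF
    cat > "$dir/client.conf" <<EOF
remote $SERVER_NAME
dev tun
ifconfig $CLIENT_TUN_IP $SERVER_TUN_IP
secret static.key 1
cipher AES-256-CBC
auth SHA256
keepalive 10 60
EOF
}

# Check a static key file before copying it to the peer:
#   - "OpenVPN Static key V1" header and footer are present,
#   - exactly 2048 bits (512 hex digits) of key material sit between them,
#   - the file is owner-readable only (mode 0600 or 0400).
# Returns 0 when all checks pass, 1 otherwise (reason on stderr).
check_static_key() {
    key="$1"
    [ -f "$key" ] || { echo "$key: no such file" >&2; return 1; }
    grep -q -- '-----BEGIN OpenVPN Static key V1-----' "$key" || { echo "$key: missing header" >&2; return 1; }
    grep -q -- '-----END OpenVPN Static key V1-----' "$key" || { echo "$key: missing footer" >&2; return 1; }
    body=$(sed -n '/-----BEGIN OpenVPN Static key V1-----/,/-----END OpenVPN Static key V1-----/p' "$key" \
           | grep -v -- '-----' | tr -d '[:space:]')
    case "$body" in
        *[!0-9a-fA-F]*) echo "$key: non-hex data in key body" >&2; return 1 ;;
    esac
    [ "${#body}" -eq 512 ] || { echo "$key: ${#body} hex digits, expected 512" >&2; return 1; }
    mode=$(ls -ld "$key" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) ;;
        *) echo "$key: mode $mode, expected 0600 (key readable by others)" >&2; return 1 ;;
    esac
    return 0
}

# Usage: RUN_EXAMPLE=1 sh static-key-example.sh   (needs the openvpn binary)
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    mkdir -p "$OUT_DIR"
    generate_key "$OUT_DIR/static.key"
    write_configs "$OUT_DIR"
    check_static_key "$OUT_DIR/static.key"
    echo "static.key and configs written to $OUT_DIR; copy static.key to the peer over a secure channel"
fi
```

After copying static.key to the client and starting openvpn with each config, the tunnel is up when the server can ping the assumed client address 10.9.0.2 and the client can ping 10.9.0.1. The direction argument on the secret line is optional in OpenVPN, but without it the same key material protects both directions of the link.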
= Expanding on the Simple Example =

== Use compression on the VPN link ==

Add the following line to both client and server configuration files. Bear in mind that compressing data before it is encrypted can let an attacker who controls part of the traffic learn about the rest of the plaintext, so leave compression off unless the bandwidth saving really matters:
== Make the link more resistant to connection failures ==

Deal with:

 * keeping a connection through a NAT router/firewall alive, and
 * following the DNS name of the server if it changes its IP address.

Add the following to both client and server configuration files (a ping is sent every 10 seconds when the link is otherwise idle, and the tunnel is restarted, re-resolving the remote name, if nothing is received for 60 seconds):

keepalive 10 60
== Run OpenVPN as a daemon (Linux/BSD/Solaris/MacOSX only) ==

Run OpenVPN as a daemon and drop privileges to user/group nobody. Once privileges are dropped OpenVPN can no longer re-read the key file or re-open the TUN device, so pair these directives with persist-key and persist-tun or a keepalive-triggered restart will fail. On Debian-derived systems the group is called nogroup rather than nobody.

Add to configuration file (client and/or server):

user nobody
group nobody
== Allow client to reach entire server subnet ==

Suppose the OpenVPN server is on a subnet Add the following to client configuration:

Then on the server side, add a route to the server's LAN gateway that routes to the OpenVPN server machine (only necessary if the OpenVPN server machine is not also the gateway for the server-side LAN). Also, don't forget to enable IP forwarding on the OpenVPN server machine.
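The firewall rules from the Firewall configuration section and the forwarding and return-route steps from this section, as shell functions with a dry-run wrapper so the exact commands can be reviewed before they are run as root. This is an added example and not part of the wiki page; it assumes Linux with iptables and iproute2, WAN interface eth0, LAN interface eth1, TUN device tun0, server LAN address 192.168.50.10 and tunnel network 10.9.0.0/24, none of which appear in the original.

```sh
#!/bin/sh
# Added example (not part of the wiki page): server-side firewall, forwarding
# and routing steps as shell functions. DRY_RUN=1 (the default) prints the
# commands instead of executing them; DRY_RUN=0 runs them and needs root.
# Assumptions (not in the original): Linux with iptables/iproute2, WAN eth0,
# LAN eth1, tun0, server LAN address 192.168.50.10, tunnel net 10.9.0.0/24.
set -eu

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
TUN_IF="${TUN_IF:-tun0}"
VPN_PORT="${VPN_PORT:-1194}"
TUN_NET="${TUN_NET:-10.9.0.0/24}"
SERVER_LAN_IP="${SERVER_LAN_IP:-192.168.50.10}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Firewall on the OpenVPN server: admit UDP 1194 on the WAN side and do not
# block the virtual TUN interface. The FORWARD rules are only needed when the
# client should reach the whole server-side subnet.
server_firewall_rules() {
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    run iptables -A INPUT -i "$TUN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Firewall on the client: only the TUN interface must be allowed; the client
# initiates the UDP flow, so no inbound port is opened there.
client_firewall_rules() {
    run iptables -A INPUT -i "$TUN_IF" -j ACCEPT
}

# IP forwarding on the OpenVPN server, so packets arriving from the tunnel
# can be forwarded on to the LAN.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Return route for the LAN: hosts on the server's subnet must learn that the
# tunnel network lives behind the OpenVPN machine. Run this on the LAN
# gateway, and only when the OpenVPN server is not itself that gateway.
gateway_return_route() {
    run ip route add "$TUN_NET" via "$SERVER_LAN_IP"
}

# Stand-alone run: with the default DRY_RUN=1 this just lists the commands.
server_firewall_rules
enable_forwarding
gateway_return_route
```

Rules are appended with -A, so an existing DROP or REJECT rule earlier in the chain still wins; check the chain order with iptables -L -n -v --line-numbers before blaming OpenVPN for a connection that never comes up.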