@yegorg
Forked from jiphex/instructions.md
Created November 12, 2015 05:18
Static OpenVPN between two hosts

Static OpenVPN configuration between a single pair of hosts

So you've got two boxes, separated by some kind of network that you're not in control of, and you'd like to encrypt traffic between them. You're not going to have multiple clients connecting to each other, just these two boxes.

As of OpenVPN 2, the two hosts can be configured in peer-to-peer mode with a single pre-shared static key. There is no PKI, no certificates and no TLS handshake to set up, so the actual VPN setup is very short:

  1. Install OpenVPN (>=2) on both boxes; the standard Wheezy package is fine.
  2. Generate a static key on one box: openvpn --genkey --secret /path/to/somewhere/secret.key (newer releases prefer openvpn --genkey secret /path/to/somewhere/secret.key, but still accept the old form). Make it readable only by root (chmod 600): anyone who can read this file can decrypt and inject traffic on the tunnel.
  3. Copy the secret key to the other box over a channel that is already secure (e.g. scp over SSH); it must never cross the untrusted network in the clear.
  4. Create /etc/openvpn/p2p.conf on both boxes as shown in box1.vpn.cnf and box2.vpn.cnf below. Note that the two addresses on the ifconfig line are swapped on the second box.
  5. That's it. On Debian, /etc/init.d/openvpn start brings up every *.conf in /etc/openvpn; to watch the tunnel come up in the foreground with verbose output, run openvpn --config /etc/openvpn/p2p.conf instead.

Caveat: a static key gives no forward secrecy. The same key protects every packet for as long as it is in use, so someone who obtains it later (from a backup, a stolen disk, a compromised box) can decrypt any traffic they captured in the past. Rotate the key periodically, keep it mode 0600 on both hosts, and consider the optional direction argument to secret (0 on one host, 1 on the other), which at least gives each direction of the tunnel its own cipher and HMAC keys.

box1.vpn.cnf:

```
# on box1
mode p2p
remote box2.name.goes.here
dev tun
secret /path/to/your/secret.key
ifconfig 10.0.0.1 10.0.0.2
```

box2.vpn.cnf:

```
# on box2
mode p2p
remote box1.name.goes.here
dev tun
secret /path/to/your/secret.key
ifconfig 10.0.0.2 10.0.0.1 # note order of these is reversed
```
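As an added example (not part of the gist), the POSIX shell functions below generate the mirrored pair of configs from one set of parameters, pin the cipher and HMAC (static-key mode does not negotiate them, and old releases default to 64-bit-block BF-CBC), use the optional direction argument to secret, and check the key file's permissions and layout before it is copied in step 3. Hostnames, tunnel addresses and the key path are placeholders.

```shell
#!/bin/sh
# Added example, not from the gist: build and sanity-check a static-key p2p setup.
# All hostnames, addresses and paths passed in are assumed placeholder values.
set -eu

# write_p2p_conf OUTFILE REMOTE_HOST LOCAL_TUN_IP REMOTE_TUN_IP KEYFILE DIRECTION
# DIRECTION is OpenVPN's optional second argument to "secret": 0 on one host,
# 1 on the other, so each direction of the tunnel uses its own cipher/HMAC keys.
write_p2p_conf() {
  out=$1; remote=$2; local_ip=$3; remote_ip=$4; key=$5; dir=$6
  cat > "$out" <<EOF
mode p2p
remote $remote
proto udp
port 1194
dev tun
secret $key $dir
ifconfig $local_ip $remote_ip
# static-key mode has no cipher negotiation: pin the same cipher/HMAC on both
# sides instead of relying on the old BF-CBC default
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
keepalive 10 60
verb 3
EOF
}

# check_static_key FILE: succeed only if FILE is mode 0600/0400 and has the
# layout openvpn --genkey writes: BEGIN/END markers around 16 lines of 32 hex
# characters (16 x 16 bytes = 256 bytes = the 2048-bit static key).
check_static_key() {
  f=$1
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  case "$mode" in
    600|400) ;;
    *) echo "$f: mode $mode, expected 600 (key readable by others)" >&2; return 1 ;;
  esac
  grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" || return 1
  grep -q '^-----END OpenVPN Static key V1-----$' "$f" || return 1
  n=$(grep -cE '^[0-9a-fA-F]{32}$' "$f" || true)
  [ "$n" -eq 16 ]
}

# pair_consistent CONF1 CONF2: the two ifconfig lines must mirror each other,
# and if a key direction is given the two sides must use different ones
# (both 0 or both 1 means each side encrypts with the key the other decrypts
# with in the opposite slot, so nothing decrypts). No direction on either
# side is fine: one key is then used for both directions.
pair_consistent() {
  a=$(awk '$1=="ifconfig"{print $2, $3}' "$1")
  b=$(awk '$1=="ifconfig"{print $3, $2}' "$2")
  d1=$(awk '$1=="secret"{print $3}' "$1")
  d2=$(awk '$1=="secret"{print $3}' "$2")
  [ "$a" = "$b" ] && { [ -z "$d1$d2" ] || [ "$d1" != "$d2" ]; }
}
```

Call write_p2p_conf once per host with the local/remote arguments swapped and directions 0 and 1, then run pair_consistent over the two files: it catches the two mistakes that silently break a static-key tunnel, a non-mirrored ifconfig line and the same direction on both ends. check_static_key refuses a world-readable key, which is the property step 2 above depends on.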