How to set up a point-to-point OpenVPN tunnel

Static key configuration is the easiest and shortest way to set up an OpenVPN tunnel.

It is especially useful when you need to securely connect two distinct locations, but due to its simplicity I am using it here in conjunction with the Shoreline Firewall (Shorewall) to access protected network services - to be honest I am referring just to secure shell and several web services.

OpenVPN static key generation and distribution

Generate OpenVPN static key.

$ openvpn --genkey --secret emergency.key

Move it to the /etc/openvpn/ directory.

$ sudo mv emergency.key /etc/openvpn

Securely copy the previously generated static key to the second machine, move it to the proper directory, and ensure proper file permissions on both machines.

$ sudo chown root:root /etc/openvpn/emergency.key
$ sudo chmod 600       /etc/openvpn/emergency.key

Protect the generated key: failure to do so will result in intrusion, so always replace the key if in doubt.
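
The ownership and permission step above can be verified on each machine with a small check. This is an added example, not part of the original post: the function name check_static_key is hypothetical, and it assumes GNU stat (as on Debian) and the standard OpenVPN static key header line.

```sh
#!/bin/sh
# Audit an OpenVPN static key file. Prints findings, returns their count.
# Usage (as root): check_static_key [KEYFILE] [EXPECTED_OWNER]
check_static_key() {
    key="${1:-/etc/openvpn/emergency.key}"   # key path used on this page
    owner="${2:-root}"                       # owner set by chown on this page
    findings=0

    # Refuse symlinks and non-regular files outright.
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL: $key is missing, a symlink, or not a regular file"
        return 1
    fi

    # GNU stat (assumed): %a = octal mode, %U = owner name.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $key mode is $mode, expected 600"
           findings=$((findings + 1)) ;;
    esac

    actual=$(stat -c '%U' "$key")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: $key is owned by $actual, expected $owner"
        findings=$((findings + 1))
    fi

    # A world-writable directory lets other local users replace the key.
    dir=$(dirname "$key")
    dir_mode=$(stat -c '%a' "$dir")
    other=${dir_mode#"${dir_mode%?}"}        # last octal digit = "other" bits
    if [ $((other & 2)) -ne 0 ]; then
        echo "FAIL: $dir is world-writable (mode $dir_mode)"
        findings=$((findings + 1))
    fi

    # Catch a truncated or wrong file before OpenVPN fails at start-up.
    if ! grep -qF -- '-----BEGIN OpenVPN Static key V1-----' "$key"; then
        echo "FAIL: $key does not contain an OpenVPN static key header"
        findings=$((findings + 1))
    fi

    if [ "$findings" -eq 0 ]; then echo "OK: $key"; fi
    return "$findings"
}
```

Run it as root on both machines after copying the key; a non-zero return value means at least one finding was printed.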

Point-to-point OpenVPN configuration

Server configuration (IP address over VPN:, /etc/openvpn/tun0.conf file):

dev tun0
secret /etc/openvpn/emergency.key

Client configuration (IP address over VPN:, /etc/openvpn/tun0.conf file):

dev tun0
secret /etc/openvpn/emergency.key

Now you need to adjust the firewall configuration, start the openvpn service, and make sure that it starts at boot.

To automatically start only selected VPNs, edit the /etc/default/openvpn file, as by default all VPN configurations are started.

For more information read OpenVPN - Static Key Mini HOWTO.

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long time supporter of Free Software Foundation and Debian operating system.

Gdansk, Poland