Setting up the public and private keys
Before we can set up a client/server VPN, we need to set up the Public Key Infrastructure (PKI) first. The PKI comprises the Certificate Authority, the private keys, and the certificates (public keys) for both the client and server. We also need to generate a Diffie-Hellman parameter file that is required for perfect forward secrecy.
For setting up the PKI, we make use of the easy-rsa scripts supplied by the OpenVPN distribution itself.
Getting ready
The PKI needs to be set up on a trusted computer. This can be the same as the computer on which the OpenVPN server is run, but from a security point of view, it is best if the PKI is kept completely separated from the rest of the OpenVPN services. One option is to keep the PKI Certificate Authority (CA) key located on a separate, external disk, which is attached only when needed. Another option would be to keep the CA private key on a separate computer that is not hooked up to any network at all.
This recipe...
