In the client/server mode, OpenVPN is configured using a Public Key Infrastructure (PKI) with X.509 certificates and private keys. Before we can set up a client/server VPN, we need to set up this PKI first. The PKI comprises of the CA, the private keys, and the certificates (public keys) for both the client and server. In Chapter 3, PKIs and Certificates, we will discuss in detail how to set up such a PKI. This chapter builds upon the certificates and keys generated in that chapter.
First, we copy the certificate and keys to a separate location. In general, it is a good security practice to keep the PKI files in a separate location, if possible even on a separate computer. Special care should be taken to protect the
ca.key file, as the entire security of your PKI is dependent on this file. If the
ca.key file is compromised in any way, the entire PKI is rendered insecure, and should be abandoned. In the following commands, it is assumed that the PKI...