OPENVPN - The Easy Tutorial - Static Key

OpenVPN Static Key
Last Update: Dec 19 2007

Czech translation by Ivo Raisr.

OpenVPN - Preshared or static keys

The preshared (static) key mode of OpenVPN is easier to set up than the SSL/TLS mode, but it has the following disadvantages:
- The shared secret is never renewed.
- The shared secret has to be transported to both peers.
- The VPN peers are not authenticated.

You can create a preshared key very easily with OpenVPN on any platform. Once you have created the key, you have to copy it onto the other OpenVPN peer.
Transmit it only over a secure channel such as SSH, or physically on a floppy disk or a USB key.

To create a key, proceed as follows:

On Linux:

# openvpn --genkey --secret /home/user/key.txt

On Windows:

[Screenshot: generating a static OpenVPN key on Windows]

Let's open the key file we have just created:

[Screenshot: the static key file, with the characters used by the cipher and hash keys highlighted in red]

The OpenVPN key consists of hexadecimal characters and is divided into four parts.

The first part provides the key used to cipher the data, the second the key for the hash algorithm. By default the same key is used to cipher and to decipher the data, and likewise a single key serves the hash algorithm in both directions.
The third and fourth parts are used if you want distinct cipher (1st part) and decipher (3rd part) keys, and distinct keys to hash the outgoing (2nd part) and incoming (4th part) data.

Do not confuse the OpenVPN key file, which is 512 hexadecimal characters long, with the keys actually used by the cipher and hash algorithms to secure the tunnel: those are shorter runs of hexadecimal characters taken from inside the OpenVPN key.

By default the Blowfish cipher is used with a 128-bit key (cipher and decipher), and a 160-bit key is used for the hash algorithm (outgoing and incoming data).
Each hexadecimal character represents 4 bits of key, so 128 and 160 bits correspond to 32 (128/4) and 40 (160/4) hexadecimal characters respectively.

In our example (default settings), the hexadecimal characters used for the keys are shown in the red squares in the screenshot above.
The characters not used for the keys may differ between the two OpenVPN key files.
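As an added example (not code from the OpenManiak tutorial or from the OpenVPN project), the following Python script parses a static key file and pulls out the bytes the cipher and hash algorithms actually use, following the layout described above. It assumes the file format written by `openvpn --genkey`: optional `#` comment lines, a `-----BEGIN OpenVPN Static key V1-----` marker, sixteen lines of 32 hexadecimal characters and the matching `-----END` marker. The mirrored role of the parts for the peer configured with the opposite key direction is inferred from the fact that one peer must decipher with the key the other peer ciphered with; the page itself only describes one side. The sample key is constructed and is not a real key. `peers_agree` demonstrates the point made above that only the bytes the algorithms use have to match on the two peers.

```python
"""Parse an OpenVPN static key file and extract the cipher/HMAC keys it carries.

Added example, not code from the OpenManiak tutorial or the OpenVPN project.
Assumed file format: '#' comment lines, BEGIN marker, 16 lines of 32 hex chars,
END marker. Key sizes are the tutorial's defaults (128-bit cipher key, 160-bit
hash key). The swapped part roles for the opposite key direction are inferred.
"""
import hashlib

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_HEX_CHARS = 512                   # 2048-bit file = 512 hex characters
PART_BYTES = KEY_HEX_CHARS // 4 // 2  # four equal parts of 64 bytes (128 hex chars)
CIPHER_KEY_BYTES = 128 // 8           # default Blowfish key: 128 bits = 32 hex chars
HMAC_KEY_BYTES = 160 // 8             # default hash key: 160 bits = 40 hex chars


def parse_static_key(text: str) -> bytes:
    """Return the 256 raw key bytes from the text of a static key file."""
    lines = [ln.strip() for ln in text.splitlines()]
    try:
        start = lines.index(BEGIN) + 1
        stop = lines.index(END)
    except ValueError:
        raise ValueError("missing BEGIN/END markers") from None
    hexdata = "".join(ln for ln in lines[start:stop] if ln and not ln.startswith("#"))
    if len(hexdata) != KEY_HEX_CHARS:
        raise ValueError(f"expected {KEY_HEX_CHARS} hex characters, got {len(hexdata)}")
    return bytes.fromhex(hexdata)     # raises ValueError on non-hex characters


def split_parts(key: bytes) -> list:
    """Split the 256 bytes into the four 64-byte parts the tutorial describes."""
    return [key[i * PART_BYTES:(i + 1) * PART_BYTES] for i in range(4)]


def used_key_material(key: bytes, direction=None) -> dict:
    """Bytes actually used by the cipher and hash at default settings.

    direction None: no key direction configured; part 1 is the cipher key and
      part 2 the hash key for both traffic directions.
    direction 0: cipher = part 1, hash out = part 2, decipher = part 3,
      hash in = part 4 (the assignment given in the tutorial).
    direction 1: the mirror image (inferred, see module docstring).
    """
    p1, p2, p3, p4 = split_parts(key)
    if direction is None:
        enc, hout, dec, hin = p1, p2, p1, p2
    elif direction == 0:
        enc, hout, dec, hin = p1, p2, p3, p4
    elif direction == 1:
        enc, hout, dec, hin = p3, p4, p1, p2
    else:
        raise ValueError("direction must be None, 0 or 1")
    return {
        "encrypt": enc[:CIPHER_KEY_BYTES],
        "decrypt": dec[:CIPHER_KEY_BYTES],
        "hmac_out": hout[:HMAC_KEY_BYTES],
        "hmac_in": hin[:HMAC_KEY_BYTES],
    }


def peers_agree(key_a: bytes, key_b: bytes, direction_a=None) -> bool:
    """True if peer B deciphers/verifies what peer A ciphers/hashes and vice versa.

    Only the bytes the algorithms use must match; the tutorial notes that the
    remaining characters may differ between the two files.
    """
    direction_b = None if direction_a is None else 1 - direction_a
    a = used_key_material(key_a, direction_a)
    b = used_key_material(key_b, direction_b)
    return (a["encrypt"] == b["decrypt"] and a["decrypt"] == b["encrypt"]
            and a["hmac_out"] == b["hmac_in"] and a["hmac_in"] == b["hmac_out"])


def format_static_key(key: bytes) -> str:
    """Render 256 key bytes in the file layout (16 lines of 32 hex chars)."""
    hexdata = key.hex()
    body = "\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
    return f"#\n# 2048 bit OpenVPN static key\n#\n{BEGIN}\n{body}\n{END}\n"


# Constructed sample key: deterministic pseudo-random bytes, NOT a real key.
SAMPLE_KEY = b"".join(hashlib.sha256(b"openmaniak-sample-%d" % i).digest() for i in range(8))
SAMPLE_FILE = format_static_key(SAMPLE_KEY)


if __name__ == "__main__":
    key = parse_static_key(SAMPLE_FILE)
    for name, part in zip(("part 1", "part 2", "part 3", "part 4"), split_parts(key)):
        print(name, part.hex())
    for name, k in used_key_material(key).items():
        print(f"{name:9s} {len(k) * 8:3d} bits  {k.hex()}")
```

Run the script to see the four 128-character parts and, below them, the 32-character cipher key and 40-character hash key taken from the start of parts 1 and 2. To check a real pair of key files, read both with `parse_static_key` and pass them to `peers_agree` with the key direction you configured on the first peer.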

If you want to finish your OpenVPN configuration, go on with the OpenManiak OpenVPN configuration tutorial.

Examples of OpenVPN with preshared keys can be found in the case studies.