Static Key Mini-HOWTO


Static key configurations offer the simplest setup, and are ideal for point-to-point VPNs or proof-of-concept testing.

Static Key advantages

Static Key disadvantages

Simple Example

This example demonstrates a bare-bones point-to-point OpenVPN configuration. A VPN tunnel will be created with a server endpoint of and a client endpoint of Encrypted communication between client and server will occur over UDP port 1194, the default OpenVPN port.


Generate a static key:

openvpn --genkey --secret static.key

Copy the static key to both client and server, over a pre-existing secure channel.
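
Added example (not part of the original HOWTO and not an OpenVPN tool): a shell check to run on each endpoint after copying static.key, confirming that the file is complete, readable only by its owner, and identical on both sides. The function names are illustrative, and the script assumes the 2048-bit "OpenVPN Static key V1" file layout written by --genkey.

```shell
#!/bin/sh
# Added example: sanity checks for an OpenVPN static key file before use.
# Function names are illustrative; they are not OpenVPN commands.

# Print the hex key material between the BEGIN/END markers, CRs stripped.
key_body() {
    tr -d '\r' < "$1" |
        sed -n '/^-----BEGIN OpenVPN Static key V1-----$/,/^-----END OpenVPN Static key V1-----$/p' |
        grep -v '^-----'
}

# Return 0 only if the file is a complete key that only its owner can access.
check_static_key() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: group/other access ($perms), use chmod 600" >&2; return 1; }
    # Assumed layout: 2048 bits of key material = 512 hex digits.
    digits=$(key_body "$f" | tr -d '\n' | wc -c | tr -d ' ')
    [ "$digits" -eq 512 ] || { echo "$f: expected 512 hex digits, found $digits" >&2; return 1; }
    if key_body "$f" | grep -q '[^0-9a-fA-F]'; then
        echo "$f: non-hex characters in key body" >&2; return 1
    fi
    return 0
}

# SHA-256 of the key material only, so comment or line-ending changes
# introduced by the copy do not alter it. Compare the value on both endpoints.
key_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        key_body "$1" | tr -d '\n' | sha256sum | cut -d' ' -f1
    else
        key_body "$1" | tr -d '\n' | shasum -a 256 | cut -d' ' -f1
    fi
}

# When invoked with a path (for example: sh check-key.sh static.key),
# validate the file and print its fingerprint.
if [ -n "${1:-}" ]; then
    check_static_key "$1" && key_fingerprint "$1"
fi
```

The fingerprints printed on client and server must match; a mismatch or a failed check means the key should be copied again before starting the tunnel.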

Server configuration file

dev tun
secret static.key

Client configuration file

remote myremote.mydomain
dev tun
secret static.key

Firewall configuration

Make sure that:

Bear in mind that 90% of all connection problems encountered by new OpenVPN users are firewall-related.

Testing the VPN

Run OpenVPN using the respective configuration files on both server and client, changing myremote.mydomain in the client configuration to the domain name or public IP address of the server.

To verify that the VPN is running, you should be able to ping from the server and from the client.

Expanding on the Simple Example

Add the following line to both client and server configuration files:


Deal with:

Add the following to both client and server configuration files:

keepalive 10 60

Run OpenVPN as a daemon (Linux/BSD/Solaris/MacOSX only)

Run OpenVPN as a daemon and drop privileges to user/group nobody.

Add to configuration file (client and/or server):

user nobody
group nobody

Allow client to reach entire server subnet

Suppose the OpenVPN server is on a subnet Add the following to client configuration:


Then on the server side, add a route to the server’s LAN gateway that routes to the OpenVPN server machine (only necessary if the OpenVPN server machine is not also the gateway for the server-side LAN). Also, don’t forget to enable IP Forwarding on the OpenVPN server machine.