Create an OpenVPN server on Windows

This note refers to the free community edition of OpenVPN, and not to the commercial product OpenVPN Access Server. It explains how you can configure an ordinary home PC to act as an OpenVPN server. You can then access your server from clients outside your home. We assume your home network also includes a router. This entire process is feasible only if your ISP does not implement Carrier-grade NAT.

References

This note collects together points from various sources around the web, among them the following:

https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

https://github.com/TinCanTech/easy-tls/wiki

https://zhuanlan.zhihu.com/p/527300861 translated by Google Translate

https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide

Router

1. Open firewall

Open your router firewall to allow input on port udp/1194.

2. Port forwarding

Port forward port udp/1194 on your router to port udp/1194 on your Windows PC.

Windows PC

1. Configure your Windows power plan

Under Settings > System > Power & sleep, configure Windows so that your PC will not be asleep when you try to VPN home.

2. Subscribe to a dynamic DNS service

If your home IP address is not reasonably fixed, subscribe to a dynamic DNS (DDNS) service such as https://www.noip.com. You run the DDNS client on your PC. It periodically updates the service's name servers with your current IP address. You can then reference your PC by a fixed DNS name, instead of by a variable IP address.

3. Open Windows firewall

In Windows Defender Firewall with Advanced Security, add a new rule allowing input on port udp/1194.

4. Install OpenVPN, EasyRSA, and EasyTLS

(a) Install OpenVPN and EasyRSA

Open a browser, and visit https://openvpn.net/community-downloads.

Download the latest 64-bit installer for Windows, e.g. https://swupdate.openvpn.org/community/releases/OpenVPN-2.6.10-I002-amd64.msi.

Run the installer. Customize the installation to include the components OpenSSL Utilities and EasyRSA 3 Certificate Management Scripts. If asked if you want to allow the installer to make changes to your device, click Yes.

Assuming you don't need to run the OpenVPN GUI client, find the OpenVPN icon in the system tray, right-click on it, and select Exit.

The installer creates a folder C:\Program Files\OpenVPN with the folder easy-rsa inside it.

(b) Install EasyTLS

If you have not already done so, install 7-Zip from https://www.7-zip.org. You're going to need it to extract the compressed tar file.

In a browser, visit https://github.com/TinCanTech/easy-tls/releases. Download the release archive, e.g. easytls-2.7.0.tar.gz. Right-click on it, and use 7-Zip to extract easytls-2.7.0.tar. Then right-click on easytls-2.7.0.tar in turn, and use 7-Zip to extract the files:

Copy these files, and paste all 8 of them into C:\Program Files\OpenVPN\easy-rsa. You will need to provide administrator permission for the paste.

5. Generate the Public Key Infrastructure

(a) Create certificates and keys

Open a Windows command prompt with Run as administrator. Navigate into the easy-rsa folder:

cd C:\Program Files\OpenVPN\easy-rsa

Copy the file vars.example to a file named vars:

copy vars.example vars

Open vars for editing:

notepad vars

Read through vars for instructions on what to edit. For example, you can choose if your PKI will use RSA or Elliptic Curve cryptography.

Save your changes, and close the Notepad session for editing vars.

Start a bash shell environment:

EasyRSA-Start.bat

The shell prompt is a number sign (#). Initialize your Public Key Infrastructure (PKI):

./easyrsa init-pki

Your newly created PKI directory is C:/Program Files/OpenVPN/easy-rsa/pki. Create your Certificate Authority (CA):

./easyrsa build-ca nopass

Option nopass creates the CA private key without a passphrase. You are asked to enter a common name. Type a common name, e.g. MyVPN, and press Enter.

Your new CA certificate is at C:/Program Files/OpenVPN/easy-rsa/pki/ca.crt.

Build a server certificate and key:

./easyrsa build-server-full whiskey nopass

Replace whiskey in the above command with your own server name. Option nopass creates the private key without a passphrase.

When prompted, type the word yes to confirm.

Your server certificate is created at C:/Program Files/OpenVPN/easy-rsa/pki/issued/whiskey.crt, and the inline version of the server certificate is at C:/Program Files/OpenVPN/easy-rsa/pki/inline/whiskey.inline.

Build a client certificate and key:

./easyrsa build-client-full delta nopass

Replace delta in the above command with your actual client name. Option nopass creates the private key without a passphrase.

When prompted, type the word yes to confirm.

Your client certificate is created at C:/Program Files/OpenVPN/easy-rsa/pki/issued/delta.crt, and the inline version of the client certificate is at C:/Program Files/OpenVPN/easy-rsa/pki/inline/delta.inline.

Repeat the client part of the process for as many clients as you need.

(b) Create Diffie-Hellman parameters

This next command will generate Diffie-Hellman (DH) parameters, which will be used during the TLS handshake with connecting clients:

./easyrsa gen-dh

The DH parameters are not security sensitive and are needed only on the OpenVPN server, not on the client(s).

DH parameters of size 2048 are created at C:/Program Files/OpenVPN/easy-rsa/pki/dh.pem.

(c) Create TLS Crypt v2 keys

OpenVPN uses two communication channels during a VPN session: the control channel, which handles authentication, key negotiation, and configuration; and the data channel, which encrypts and transports packets.

The control channel can be encrypted by TLS Auth. TLS Crypt improves upon TLS Auth by adding symmetric encryption to the control channel. This extra layer of encryption applies even to the key-exchange before the TLS session starts. TLS Auth and TLS Crypt provide protection against TLS-level attacks with post-quantum resistance, provided the preshared keys are kept secret.

TLS Crypt v2 improves on TLS Crypt by using a unique key per client or group of clients.

Initialize EasyTLS:

./easytls init-tls

You may get a message, Error: Unsupported OpenSSL version: 3.2. In this case, do:

notepad easytls

Find the block:

	case "${openssl_version}" in
		3.0|3.1) : ;;
		1.1) : ;;
		*) die "Unsupported OpenSSL version: ${openssl_version}" ;;
	esac

Add the case of OpenSSL version 3.2:

	case "${openssl_version}" in
		3.0|3.1|3.2) : ;;
		1.1) : ;;
		*) die "Unsupported OpenSSL version: ${openssl_version}" ;;
	esac

Save the file, and close Notepad. Then re-run the command:

./easytls init-tls

Your newly created TLS directory is C:/Program Files/OpenVPN/easy-rsa/pki/easytls.

Create a TLS Crypt v2 server key:

./easytls build-tls-crypt-v2-server whiskey

Replace whiskey in the above command with your own server name.

The TLS Crypt v2 server key is created in C:/Program Files/OpenVPN/easy-rsa/pki/easytls/whiskey-tls-crypt-v2.key. This key must be kept secure.

Create a TLS Crypt v2 client key:

./easytls build-tls-crypt-v2-client whiskey delta

Replace whiskey by your server name and delta by your client name. The server key is used to encrypt the client key, which is why the server must also be specified.

Follow this by:

./easytls inline-tls-crypt-v2 delta

The inline TLS crypt v2 file is created at C:/Program Files/OpenVPN/easy-rsa/pki/easytls/delta.inline. The inline file is for eventual incorporation into your client configuration .ovpn file.

(d) Finish up

Press Ctrl+C followed by y to terminate the bash shell session.

Close the Windows command prompt.

6. Create server configuration

Open Notepad with Run as administrator. Create your server configuration file C:\Program Files\OpenVPN\config-auto\whiskey.ovpn. You can use this example as your starting point:

port 1194
proto udp
dev tun
topology subnet
cipher AES-256-GCM
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\issued\\whiskey.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\private\\whiskey.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\dh.pem"
tls-crypt-v2 "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\easytls\\whiskey-tls-crypt-v2.key"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "block-outside-dns"
keepalive 10 60
persist-key
persist-tun
explicit-exit-notify 1
verb 3

Make sure that when you save the configuration file, Notepad does not add an extra .txt at the end of its name.

7. Enable forwarding

Go into Settings > Network & Internet > Change adapter options. Check that the OpenVPN TAP network adapter has been created. It has a name such as OpenVPN TAP-Windows6 and a type TAP-Windows Adapter V9.

Open a Windows command prompt with Run as administrator. Find the interface number for OpenVPN TAP-Windows6:

netsh int ipv4 show int

Replace xx by your OpenVPN TAP-Windows6 interface number in these commands:

netsh int ipv4 show int xx | findstr "Forwarding"

netsh int ipv4 set int xx Forwarding="enabled"

netsh int ipv4 show int xx | findstr "Forwarding"

8. Enable routing

Invoke regedit.exe (Registry Editor).

Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter to value 1.

When done, reboot your PC.

9. Start services

Type services in the Windows search box. Open the Services app.

Set start types as follows:

10. Allow Internet Connection Sharing

Go into Settings > Network & Internet > Change adapter options.

Identify your primary network adapter (i.e. your physical Ethernet or Wi-Fi interface).

Right-click and select Properties. On the Sharing tab, check the box to Allow other network users to connect through this computer's Internet connection and specifically to allow the OpenVPN TAP-Windows6 to use the primary network adapter.

11. Disable and re-enable adapter

Go into Settings > Network & Internet > Change adapter options.

Disable then re-enable OpenVPN TAP-Windows6.

At this point, the server should be fully working.

You can check the server log in C:\Program Files\OpenVPN\log\whiskey.log.

12. Create client configuration(s)

You can use this example as your starting point. Copy and paste the inline client certificates and keys from C:\Program Files\OpenVPN\easy-rsa\pki\easytls\delta.inline. Insert your actual home public IP address or dynamic DNS name on the remote line.

client
dev tun
proto udp
cipher AES-256-GCM
remote 123.123.123.123 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# EASYTLS
# EasyTLS version 2.7.0.0
# Common name: delta
# X509 serial: 0FA0AE87A132A0C8F80E092E3332BF61
<cert>
-----BEGIN CERTIFICATE-----
[base64 data omitted]
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
[base64 data omitted]
-----END PRIVATE KEY-----
</key>

<ca>
-----BEGIN CERTIFICATE-----
[base64 data omitted]
-----END CERTIFICATE-----
</ca>

# metadata Easy-TLS-version 2.7.0.0 - TLS-Crypt-v2 key
# metadata CA-serial: 4E002EDB1268C5349EBA4A0F6FBBBD21E5403209
# metadata tlskey-serial: 9067cf9ed065d6578c0edacd4b4cffcb0f07eed403e3af5df011abbef1d41626
# metadata Creation-Date: 2024/05/04-00:09:02
# metadata Custom-Group: EASYTLS
# metadata Server-Common-Name: whiskey
# metadata Client-Common-Name: delta
# metadata Key-status: Open

setenv UV_TLSKEY_SERIAL 9067cf9ed065d6578c0edacd4b4cffcb0f07eed403e3af5df011abbef1d41626
push-peer-info

<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
[base64 data omitted]
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>

remote-cert-tls server
verb 3

Since this file includes inline keys, you must securely transfer it to your client.
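
Before you transfer the file, you can check that the client configuration agrees with the server configuration from step 6 and that none of the pasted inline blocks is missing or empty. The following is an added example, not part of the original note or of OpenVPN: a linter for any POSIX shell with awk. The function names ovpn_get, ovpn_has_block and ovpn_check_pair and the script name ovpn-lint.sh are made up for this illustration.

```shell
#!/bin/sh
# Added example: lint a client .ovpn against the server .ovpn from this guide.

# Print the arguments of directive $2 in file $1, skipping inline <tag> blocks
# and comments. Trailing CR is stripped because Notepad saves CRLF files.
ovpn_get() {
    awk -v d="$2" '
        { sub(/\r$/, "") }
        /^<\//           { inblk = 0; next }
        /^</             { inblk = 1; next }
        inblk || /^[#;]/ { next }
        $1 == d          { $1 = ""; sub(/^ +/, ""); print }
    ' "$1"
}

# Succeed only if file $1 contains a non-empty inline block <$2>...</$2>.
ovpn_has_block() {
    awk -v t="$2" '
        { sub(/\r$/, "") }
        $0 == ("<" t ">")  { inblk = 1; next }
        $0 == ("</" t ">") { if (inblk && n > 0) ok = 1; inblk = 0 }
        inblk && NF        { n++ }
        END                { exit (ok ? 0 : 1) }
    ' "$1"
}

# Print one line per finding; the return status is the number of findings.
ovpn_check_pair() {
    srv=$1; cli=$2; bad=0
    for d in proto dev cipher; do
        if [ "$(ovpn_get "$srv" "$d")" != "$(ovpn_get "$cli" "$d")" ]; then
            echo "MISMATCH $d"; bad=$((bad + 1))
        fi
    done
    sport=$(ovpn_get "$srv" port)
    cport=$(ovpn_get "$cli" remote | awk '{ print $2 }')
    [ "$sport" = "$cport" ] || { echo "MISMATCH port"; bad=$((bad + 1)); }
    [ "$(ovpn_get "$cli" remote-cert-tls)" = server ] ||
        { echo "MISSING remote-cert-tls server"; bad=$((bad + 1)); }
    for b in ca cert key tls-crypt-v2; do
        ovpn_has_block "$cli" "$b" ||
            { echo "MISSING <$b>"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# Usage: sh ovpn-lint.sh whiskey.ovpn delta.ovpn
if [ $# -eq 2 ]; then ovpn_check_pair "$1" "$2"; fi
```

No output and exit status 0 mean the two files agree on proto, dev, cipher and port, the client verifies the server certificate type, and all four inline blocks are present.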
