Setup a simple host-to-host VPN with openvpn

A VPN between two hosts is pretty easy to set up. You just need to install OpenVPN on server and client, generate a static key (keep in mind that anybody who gets hold of this key can compromise your VPN), copy it to the client (if it was generated on the server) and put a small configuration file in place on client and server.

Install OpenVPN on server and client with

yum install openvpn

Change to the OpenVPN configuration directory on the server

cd /etc/openvpn

and generate your static key:

openvpn --genkey --secret static.key

You need the same key file on the client. It should be copied over a secure connection (e.g. scp). In a secure SSH setup you have no root login on the client host, so you either need to enable root login for a short time or use your workstation as a "gateway".
With root login enabled, do

scp -i authorized_key /etc/openvpn/static.key root@client-ip:/etc/openvpn/static.key

Do not forget to disable root access right afterwards (copying as a user other than root might give other users access to the key file for a short time).
Check the permissions of the key file:

ls -l /etc/openvpn/static.key

This file should only be readable and writable by root.
Just in case, fix the permissions:

chown root:root /etc/openvpn/static.key
chmod 600 /etc/openvpn/static.key

The next step is to create the configuration file /etc/openvpn/server.conf on the server:

dev tun
ifconfig 172.16.8.1 172.16.8.2
secret /etc/openvpn/static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
daemon

You need to make sure to use an unused private IP range from one of these (RFC 1918) networks:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

On the client the configuration file looks similar; just pay attention to the remote stanza, which contains the domain or IP address of your server, and the ifconfig stanza, whose two addresses are swapped:

remote mydomain
dev tun
ifconfig 172.16.8.2 172.16.8.1
secret /etc/openvpn/static.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
user nobody
group nobody
daemon
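The checks this post does by hand (key file owned by root and mode 600, the two ifconfig lines mirrored between server and client, tunnel addresses inside a private range) as a small POSIX sh pre-flight script. This is an added example, not part of the original post; the config paths, key path and expected owner are parameters you pass in, and the function names are my own.

```sh
#!/bin/sh
# Pre-flight checks for the static-key setup described above. Added example,
# not part of the original post; paths and the expected owner are parameters.

# 0 if the key file exists, is owned by $2 (default root) and is mode 600,
# i.e. readable and writable by its owner only.
key_perms_ok() {
    key=$1; want_owner=${2:-root}
    [ -f "$key" ] || return 1
    # POSIX find: -perm 600 is an exact mode match, -user also accepts a uid
    [ -n "$(find "$key" -maxdepth 0 -type f -perm 600 -user "$want_owner" 2>/dev/null)" ]
}

# Print the two addresses of a config file's "ifconfig local remote" line.
tun_addrs() {
    awk '$1 == "ifconfig" { print $2, $3; exit }' "$1"
}

# 0 if the client's ifconfig line is the server's with both ends swapped,
# which is what the two configs above require.
peer_configs_match() {
    set -- $(tun_addrs "$1") $(tun_addrs "$2")
    [ $# -eq 4 ] || return 1
    [ "$1" = "$4" ] && [ "$2" = "$3" ]
}

# 0 if the address lies in one of the RFC 1918 ranges the post lists.
is_private_ip() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Run all checks against server config, client config and key; $4 is the
# expected key owner (defaults to root). Prints what failed, returns 1 if any did.
preflight() {
    server=$1; client=$2; key=$3; rc=0
    key_perms_ok "$key" "${4:-root}" || { echo "key $key: must be owner-only, mode 600"; rc=1; }
    peer_configs_match "$server" "$client" || { echo "ifconfig lines are not mirrored"; rc=1; }
    for a in $(tun_addrs "$server"); do
        is_private_ip "$a" || { echo "$a is not a private address"; rc=1; }
    done
    return $rc
}
```

Run it as `preflight /etc/openvpn/server.conf client.conf /etc/openvpn/static.key` on the host that holds both configs before starting the service.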

Now you are done. Just make sure that UDP port 1194 on your server is not blocked (either by iptables or by an external firewall).
Start your VPN with

service openvpn start

on server and client.
You can check ifconfig for your new VPN devices

ifconfig -a

which should give output similar to:

tun0     Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.8.2 P-t-P:172.16.8.1 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
          RX packets:249 errors:0 dropped:0 overruns:0 frame:0
          TX packets:150 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:19984 (19.5 KiB) TX bytes:15936 (15.5 KiB)

To make sure everything is up and running ping the server from the client and vice versa.


excellent

thanks