Adding Perfect Forward Secrecy to OpenVPN

Perfect Forward Secrecy is a methodology applied to encryption to frustrate the decoding of traffic captured and stored prior to the discovery of the secret key by an adverse party.  This is done by generating a new random key every time data is transmitted.

Enabling this in OpenVPN is quite easy, but does not appear to be well documented.  The steps to do this are:

Create a common private key, eg

openvpn --genkey --secret /path/to/store/pfs.key

Securely distribute this key to each OpenVPN client, then add the following to the server

tls-auth /path/to/store/pfs.key 0

and this to each client

tls-auth /path/to/store/pfs.key 1


It is also possible to embed the tls-auth certificate in the configuration file itself. To do this
open a <tls-auth> tag, embed the key and add a closing tag. Then add another directive key-direction X, where X is 0 for the server or
1 for the client (ie the same as the second argument on the tls-auth line when using a certificate file.

So the appropriate snipped would look something like:

# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-------
-----END OpenVPN Static key V1-------