Perfect Forward Secrecy is a methodology applied to encryption to frustrate the decoding of traffic captured and stored prior to the discovery of the secret key by an adverse party. This is done by generating a new random key every time data is transmitted.
Enabling this in OpenVPN is quite easy, but does not appear to be well documented. The steps to do this are:
Create a common private key, e.g.:
openvpn --genkey --secret /path/to/store/pfs.key
Securely distribute this key to each OpenVPN client, then add the following to the server configuration:
tls-server
tls-auth /path/to/store/pfs.key 0
and this to each client configuration:
tls-client
tls-auth /path/to/store/pfs.key 1
It is also possible to embed the tls-auth key in the configuration file itself. To do this, open a <tls-auth> tag, embed the key and add a closing tag. Then add another directive, key-direction X, where X is 0 for the server or 1 for the client (i.e. the same as the second argument on the tls-auth line when using a key file).
So the appropriate snippet would look something like:
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
.
.
-----END OpenVPN Static key V1-----
</tls-auth>
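The conversion from the file-based directive to the inline form can be scripted. The following is an added example, not part of the original post: the function names inline_tls_auth and make_sample are hypothetical, and the key material is a constructed placeholder rather than a real key.

```shell
#!/bin/sh
# Added example, not from the original page.
# inline_tls_auth CONFIG: print CONFIG with its file-based
# "tls-auth <keyfile> <0|1>" line replaced by "key-direction N" plus an
# inline <tls-auth> block. Key paths containing spaces are not handled.
inline_tls_auth() {
    conf=$1
    # First tls-auth directive, as "<keyfile> <direction>".
    spec=$(awk '$1 == "tls-auth" { print $2, $3; exit }' "$conf") || return 1
    keyfile=${spec% *}
    direction=${spec##* }
    case $direction in
        0|1) ;;
        *) echo "no tls-auth line with a 0/1 direction in $conf" >&2; return 1 ;;
    esac
    [ -r "$keyfile" ] || { echo "cannot read key file $keyfile" >&2; return 1; }
    # Pass every other line through; swap the directive for the inline form.
    awk -v dir="$direction" -v key="$keyfile" '
        $1 == "tls-auth" && !done {
            print "key-direction " dir
            print "<tls-auth>"
            while ((getline line < key) > 0) print line
            print "</tls-auth>"
            done = 1
            next
        }
        { print }
    ' "$conf"
}

# Constructed sample input: a placeholder key file (not a real key) and a
# client config that points at it. Prints the temp directory it created.
make_sample() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' \
        'PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END OpenVPN Static key V1-----' > "$dir/pfs.key"
    printf '%s\n' 'tls-client' "tls-auth $dir/pfs.key 1" > "$dir/client.conf"
    echo "$dir"
}

sample=$(make_sample) && inline_tls_auth "$sample/client.conf"
rm -rf "$sample"
```

The generated configuration contains the shared key itself, so it needs the same restrictive file permissions and the same secure distribution as the key file.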