When a preshared secret (OpenVPN static key mode) is used for security, OpenVPN works as follows:
- The administrator uses the generate openvpn key command to generate a file that contains a fixed number of random bytes (an OpenVPN static key); that random data is the secret on which the tunnel's security rests.
- The administrator transfers the secret file to each of the two tunnel endpoints by using pre-established secure channels. For example, the file can be generated on one of the endpoints and then transferred to the other endpoint by using a secure file transfer protocol, such as SCP.
- When the two endpoints establish the VPN tunnel, the OpenVPN process on each endpoint authenticates the other. There is no key exchange or certificate check in this mode: a packet is accepted only if its message authentication code was computed with the preshared secret, so authentication rests on the assumption that the secret is known only to the two endpoints. Any host that holds the file can impersonate an endpoint and decrypt every packet protected with it, past and future (this mode offers no forward secrecy), so the file must be protected and rotated accordingly.
- Once the secret is in place, the OpenVPN process on each side takes a set of keys from the preshared secret. These keys are used for two purposes.
- Some keys are used in an encryption algorithm to encrypt the tunnel data. This encryption provides data confidentiality.
- The others are used in a message authentication code (MAC), a keyed hash computed over each tunnel packet. The receiver recomputes the MAC with its copy of the key and drops any packet whose MAC does not match, which provides data integrity and, in this mode, peer authentication.
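The whole procedure above, worked through as an added example (not OpenVPN's or the vendor's code): one side generates a key file in the OpenVPN static key V1 text format, the other parses the copy it received, each side carves the secret into per-direction cipher and HMAC keys, and packets are protected with encrypt-then-MAC. The two-direction key layout mirrors OpenVPN's key2 structure as an assumption of this example; the stream cipher built from HMAC-SHA256 in counter mode is a stand-in for the AES modes OpenVPN really uses, chosen so the example runs on the Python standard library alone. The addresses and payload are constructed sample data.

```python
"""Static-key (preshared secret) tunnel protection in the style of OpenVPN.
Added example, not OpenVPN's code; the cipher is a stand-in, see lead-in."""
import hashlib
import hmac
import os
import struct

KEY_BYTES = 256  # a "2048 bit OpenVPN static key"
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def generate_key_file() -> str:
    """Mimic `generate openvpn key` / `openvpn --genkey`: 256 random bytes
    written as 16 hex lines between the V1 markers."""
    raw = os.urandom(KEY_BYTES)
    lines = [raw[i:i + 16].hex() for i in range(0, KEY_BYTES, 16)]
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", BEGIN, *lines, END, ""])


def parse_key_file(text: str) -> bytes:
    """Read the hex body between the markers; accept nothing but 256 bytes."""
    inside, parts = False, []
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
        elif line == END:
            inside = False
        elif inside and line and not line.startswith("#"):
            parts.append(line)
    raw = bytes.fromhex("".join(parts))
    if len(raw) != KEY_BYTES:
        raise ValueError(f"static key must be {KEY_BYTES} bytes, got {len(raw)}")
    return raw


def split_keys(raw: bytes, direction: int):
    """Carve the secret into (cipher_key, hmac_key) pairs for send and receive.
    Layout assumed here (mirrors OpenVPN's key2 struct): two 128-byte halves,
    each 64 bytes of cipher key then 64 bytes of HMAC key. Direction 0 sends
    with the first half and receives with the second; direction 1 the reverse,
    so the two endpoints' send and receive keys interlock."""
    halves = (raw[:128], raw[128:])
    send, recv = halves if direction == 0 else halves[::-1]
    carve = lambda h: (h[0:32], h[64:96])  # 256-bit cipher key, 256-bit HMAC key
    return carve(send), carve(recv)


def _keystream(cipher_key: bytes, packet_id: int, n: int) -> bytes:
    """Stand-in cipher: PRF(key, packet_id || counter) used in counter mode."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(cipher_key, struct.pack(">QQ", packet_id, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def seal(send_keys, packet_id: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one packet: HMAC || packet_id || ciphertext
    (OpenVPN likewise sends the HMAC first, covering IV and ciphertext)."""
    cipher_key, hmac_key = send_keys
    ks = _keystream(cipher_key, packet_id, len(plaintext))
    body = struct.pack(">Q", packet_id) + bytes(a ^ b for a, b in zip(plaintext, ks))
    return hmac.new(hmac_key, body, hashlib.sha256).digest() + body


def open_packet(recv_keys, packet: bytes, seen: set) -> bytes:
    """Check the MAC before anything else: in static-key mode this check is
    the whole of peer authentication. Then refuse replayed packet ids."""
    cipher_key, hmac_key = recv_keys
    tag, body = packet[:32], packet[32:]
    if not hmac.compare_digest(tag, hmac.new(hmac_key, body, hashlib.sha256).digest()):
        raise ValueError("bad HMAC: tampered, or sender does not hold the shared secret")
    packet_id = struct.unpack(">Q", body[:8])[0]
    if packet_id in seen:
        raise ValueError(f"replayed packet id {packet_id}")
    seen.add(packet_id)
    ct = body[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(cipher_key, packet_id, len(ct))))


def demo(secret: bytes = None) -> dict:
    """Endpoint A (direction 0) sends to B (direction 1) using one shared file;
    a replay, a bit-flip and a sender with a different key are all refused."""
    secret = secret or parse_key_file(generate_key_file())  # made on A, copied to B
    a_send, _ = split_keys(secret, 0)
    _, b_recv = split_keys(secret, 1)
    seen_by_b = set()
    msg = b"10.8.0.1 -> 10.8.0.2: constructed payload"  # constructed sample
    pkt = seal(a_send, 1, msg)
    out = {"delivered": open_packet(b_recv, pkt, seen_by_b) == msg}
    attacker_send, _ = split_keys(parse_key_file(generate_key_file()), 0)
    for name, bad in (("replay", pkt),
                      ("tamper", pkt[:-1] + bytes([pkt[-1] ^ 0x01])),
                      ("wrong_key", seal(attacker_send, 2, msg))):
        try:
            open_packet(b_recv, bad, seen_by_b)
            out[name] = "accepted"
        except ValueError:
            out[name] = "rejected"
    return out
```

The point of `split_keys` is the interlock: A's send keys are B's receive keys and vice versa, so a packet can never be reflected back to its sender as if it came from the peer. The point of `open_packet` is the order of operations: the MAC is verified first, and only a packet that passes is decrypted or checked for replay, which is exactly why, in this mode, possession of the file is the only thing that distinguishes the legitimate peer from anyone else on the path.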