Combining point-to-point mode with certificates

For the next example, we borrow some bits from Chapter 3, PKIs and Certificates. In client/server mode, OpenVPN is configured using a Public Key Infrastructure (PKI), with X.509 certificates and private keys. It is also possible to use X.509 certificates and private keys to set up a point-to-point tunnel. The advantage of using X.509 certificates over pre-shared keys is that it offers Perfect Forward Secrecy (PFS), which greatly enhances the security of your VPN data. Without PFS, if an attacker manages to break the encryption at some point, then all previously recorded VPN traffic can be decrypted. With PFS, it is not possible to decrypt old data.

In order to set up a point-to-point tunnel using ...
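As an added illustration (not the book's own configuration), the following shows a point-to-point OpenVPN tunnel using X.509 certificates and private keys instead of a static pre-shared key, with the static-key variant included for contrast. The hostname, tunnel addresses and file names are placeholders; the certificates and keys are assumed to have been generated as described in Chapter 3.

```conf
# --- Side A (tls-server): p2p-server.conf  [example, placeholder values] ---
dev tun
proto udp
port 1194
ifconfig 10.200.0.1 10.200.0.2     # local / remote tunnel endpoints
tls-server                         # this side acts as TLS server in the handshake
ca ca.crt                          # CA that signed both peers' certificates
cert server.crt                    # this peer's certificate
key server.key                     # this peer's private key (keep mode 0600)
dh dh2048.pem                      # DH parameters for the ephemeral key exchange
remote-cert-tls client             # only accept a peer whose cert has a client EKU
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun
verb 3
# Forward secrecy comes from the TLS handshake: the data-channel keys are derived
# from an ephemeral DH exchange, and OpenVPN renegotiates them periodically
# (reneg-sec, 3600 s by default). A stolen server.key does not reveal those keys,
# so previously captured traffic stays protected.

# --- Side B (tls-client): p2p-client.conf  [example, placeholder values] ---
dev tun
proto udp
remote vpn.example.com 1194        # placeholder hostname of side A
ifconfig 10.200.0.2 10.200.0.1     # mirrored endpoints
tls-client
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server             # only accept a peer whose cert has a server EKU
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun
verb 3

# --- For contrast: the pre-shared static-key variant, which has no PFS ---
# dev tun
# ifconfig 10.200.0.1 10.200.0.2
# secret static.key                # one long-lived key protects every session;
#                                  # if it is ever recovered, all recorded traffic
#                                  # can be decrypted retroactively
```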
