VAPID keys are used to ensure that nobody else can communicate with your clients.
You can generate a private VAPID key by running:
openssl ecparam -name prime256v1 -genkey -noout -out vapid_private.pem
This creates a PEM private key. In order to use this with the server, you must first base64 encode it, then you can pass it in using an environment variable. (Make sure to remove any newlines)
base64 vapid_private.pem
To convert this to a public key, we run:
openssl ec -in vapid_private.pem -outform DER|tail -c 65|base64|tr '/+' '_-'|tr -d '\n'
The output of this command is what the clients will be receiving.