Hi,

On Sun, Jul 19, 2020 at 05:09:59PM +1200, Richard Hector wrote:
> I have 4 machines (actually VPSes) that have a full mesh of VPNs between
> them. I'm using a slightly-modified version of the 'client' example
> config. Since it appears TLS, and the use of certificates, requires
> named client and server peers, I'm using a PSK (one for the whole set).
This is a slight misconception. All you need is a common CA for a pair of client+server (you could use the same CA for all your machines, or, if you want fancy, a different CA for each pair, but that does not make much sense). The certs can be named whatever you want ("cert1, cert2, cert3") and this is not related to DNS names, user names, or anything.

There is one catch: a "server" cert has some extra bits set which the client *can* verify (--remote-cert-tls server) - but as long as this is not active in your client configs, a "server" can use the same cert as a "client".

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
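Added example (mine, not Gert's and not the OpenVPN project's): a script that builds the four-node full mesh from the thread with certificates instead of a shared PSK. One CA signs one cert per node; the labels cert1..cert4, the host names vps1..vps4 and the 203.0.113.x addresses are made up for illustration. Every node cert gets the keyUsage and serverAuth bits, because in a full mesh each node is tls-server on some links and the client side here keeps "remote-cert-tls server"; drop that line from the client configs, as Gert says, and certs without serverAuth work just as well (the script issues one such "plain" cert and shows the difference with has_server_eku, which is the check a peer would effectively apply). Generating the files needs the openssl CLI only, not OpenVPN.

```shell
#!/bin/sh
# Added example, not from the thread: certificate-based OpenVPN mesh links.
# Host names, addresses and cert labels below are constructed for illustration.

# One CA for the whole mesh. Its CN is just a label, unrelated to DNS.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -subj "/CN=mesh-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue one node cert signed by that CA. The name is an arbitrary label.
# Every cert gets a keyUsage extension; with a third argument of "server" it also
# gets the serverAuth EKU, which is what --remote-cert-tls server on the far end
# requires. Without it the cert still works as tls-client, and as tls-server
# towards peers that do not set remote-cert-tls.
issue_cert() {
    dir=$1 name=$2 kind=${3:-peer}
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf 'keyUsage = digitalSignature, keyEncipherment\n' > "$dir/$name.ext"
    if [ "$kind" = server ]; then
        printf 'extendedKeyUsage = serverAuth\n' >> "$dir/$name.ext"
    fi
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# Does the cert carry the serverAuth EKU that remote-cert-tls server looks for?
has_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# OpenVPN config for one end of one point-to-point link.
# role is tls-server or tls-client; cert is the label of this node's cert file.
peer_config() {
    role=$1 cert=$2 remote=$3 port=$4 local_ip=$5 remote_ip=$6
    cat <<EOF
dev tun
proto udp
port $port
remote $remote $port
ifconfig $local_ip $remote_ip
$role
ca ca.crt
cert $cert.crt
key $cert.key
persist-key
persist-tun
EOF
    if [ "$role" = tls-server ]; then
        echo "dh none"                  # ECDHE only, OpenVPN 2.4 or newer
    else
        echo "remote-cert-tls server"   # needs serverAuth on the server-side cert
    fi
}

# Full mesh: every pair of nodes gets its own tunnel, UDP port and /30, and the
# lower-numbered node is tls-server on that link. Arguments: output dir, then one
# "name:public-ip" per node (the 10.8.IJ.0/30 addressing allows up to 9 nodes).
mesh_configs() {
    out=$1; shift
    mkdir -p "$out"
    i=0
    for a in "$@"; do
        i=$((i + 1)); j=0
        for b in "$@"; do
            j=$((j + 1))
            [ "$j" -gt "$i" ] || continue
            port=$((1194 + 10 * i + j))
            peer_config tls-server "cert$i" "${b#*:}" "$port" "10.8.$i$j.1" "10.8.$i$j.2" \
                > "$out/${a%%:*}-to-${b%%:*}.conf"
            peer_config tls-client "cert$j" "${a#*:}" "$port" "10.8.$i$j.2" "10.8.$i$j.1" \
                > "$out/${b%%:*}-to-${a%%:*}.conf"
        done
    done
}

main() {
    root=${1:-$(mktemp -d)}
    mesh_configs "$root/cfg" vps1:203.0.113.1 vps2:203.0.113.2 vps3:203.0.113.3 vps4:203.0.113.4
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; configs written to $root/cfg, no PKI generated" >&2
        return 0
    fi
    make_ca "$root/pki"
    for n in 1 2 3 4; do issue_cert "$root/pki" "cert$n" server; done
    issue_cert "$root/pki" plain   # no serverAuth: rejected by peers using remote-cert-tls server
    for c in cert1 plain; do
        if has_server_eku "$root/pki/$c.crt"; then echo "$c: serverAuth present"
        else echo "$c: no serverAuth"; fi
    done
    echo "configs in $root/cfg, CA and node certs in $root/pki"
}
main "$@"
```

Copy ca.crt plus certN.crt/certN.key to node N along with its three vpsN-to-*.conf files. One shared CA means any node's cert is accepted by every other node, which is the same trust boundary the shared PSK gave; the gain is that a compromised node can be cut off by revoking its single cert (crl-verify on the other nodes) instead of rekeying all four machines.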