On 19/07/20 10:08 pm, Gert Doering wrote:
> Hi,
>
> On Sun, Jul 19, 2020 at 09:56:09PM +1200, Richard Hector wrote:
>> I'm aware of the flags in the cert, and (IIRC) managed to enable both
>> client and server flags, and both client and server worked with the same
>> cert.
>
> Good :-)
>
>> What I wasn't able to do is have identical (well, reversed) config files
>> on all the servers, using the certificate mode.
>
> This is true, one side needs to be --tls-server and one side needs
> to be --tls-client - which differs from --secret mode, which is true
> "peer to peer with no difference in role".
>
>> I guess I could have some algorithm to decide which is the 'server' of
>> each pair - perhaps the lower ip address - but I'd rather keep the
>> configs as similar as possible.
>
> It's a tradeoff. TLS needs these roles, but will give you better security
> (due to PFS). p2p is simpler, but not recommended these days, and as
> such, not as well integrated...

Ok. Looks like I need to do that, then. Oh well.

I assume this is inherent in the TLS protocol, rather than OpenVPN's implementation?

> Not sure what the original problem is, though. Are you using --bind
> on both sides?

I guess I am; --nobind was one of the options I had to override to make it work.

> NAT with port translation in between? If the port
> changes after a restart, and the other end has no --float in the config,
> things will not work. Here a clear client/server role also helps, as
> there is a well defined "setup connection" phase (p2p just sends off
> packets, no handshake involved).

No NAT. These are all VPSes from a (single) public provider. I use static ports, so I can configure them predictably and automatically, and avoid having them tread on each others' toes.

Cheers,
Richard

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
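The "lower IP address is the server" idea raised in the thread can be made concrete: both ends of each link run the same generator with their own address first, and the integer ordering of the two addresses decides who gets --tls-server. The script below is an added example written for this thread, not code from the list or from the OpenVPN project. It assumes each host has one static public IPv4 address, one CA-signed certificate carrying both the client and server usage flags (as Richard described), a pre-agreed fixed UDP port per link, and a PKI directory layout (/etc/openvpn/pki with per-host cert and key files named after the host) that is purely illustrative. The `dh none` line assumes OpenVPN 2.4 or later with ECDH key exchange.

```python
"""Deterministic tls-server / tls-client assignment for a mesh of OpenVPN
point-to-point links in certificate (TLS) mode.

Added example, not from the mailing-list thread or the OpenVPN project.
Assumptions: one public IPv4 per host, one cert usable in both roles, a
fixed UDP port per link, and the PKI paths below (illustrative only).
"""
import ipaddress


def role_for(local_ip: str, peer_ip: str) -> str:
    """Return 'server' if local_ip is numerically lower than peer_ip, else 'client'.

    ipaddress objects compare by integer value, so both ends of a link reach
    the same decision with no negotiation and no shared state.
    """
    local = ipaddress.ip_address(local_ip)
    peer = ipaddress.ip_address(peer_ip)
    if local == peer:
        raise ValueError("local and peer address must differ")
    return "server" if local < peer else "client"


def link_config(local_ip: str, peer_ip: str, port: int,
                tun_local: str, tun_peer: str, host_name: str,
                pki_dir: str = "/etc/openvpn/pki") -> str:
    """Render the OpenVPN config for one side of a fixed-port p2p TLS link.

    Both sides bind a fixed local port (lport) and point --remote at the
    peer's fixed port, matching the static-port setup described in the
    thread; no --float is needed because neither endpoint changes.
    """
    role = role_for(local_ip, peer_ip)
    lines = [
        f"# link {local_ip} <-> {peer_ip}, this side is tls-{role}",
        "dev tun",
        "proto udp",
        f"local {local_ip}",            # bind only to our public address
        f"lport {port}",                # static source port (implies --bind)
        f"remote {peer_ip} {port}",     # peer uses the same static port
        f"ifconfig {tun_local} {tun_peer}",
        f"ca {pki_dir}/ca.crt",
        f"cert {pki_dir}/{host_name}.crt",   # illustrative naming
        f"key {pki_dir}/{host_name}.key",
        "persist-key",
        "persist-tun",
    ]
    if role == "server":
        # dh none: ECDH only, valid on OpenVPN 2.4+ (assumption)
        lines += ["tls-server", "dh none", "remote-cert-tls client"]
    else:
        lines += ["tls-client", "remote-cert-tls server"]
    return "\n".join(lines) + "\n"


def roles_complement(cfg_a: str, cfg_b: str) -> bool:
    """True when exactly one of the two configs is the tls-server side."""
    a_server = "tls-server" in cfg_a.splitlines()
    b_server = "tls-server" in cfg_b.splitlines()
    return a_server != b_server


if __name__ == "__main__":
    # Constructed sample addresses (TEST-NET-3), not real hosts.
    host_a, host_b = "203.0.113.10", "203.0.113.20"
    cfg_a = link_config(host_a, host_b, 1194, "10.8.0.1", "10.8.0.2", "vps-a")
    cfg_b = link_config(host_b, host_a, 1194, "10.8.0.2", "10.8.0.1", "vps-b")
    print(cfg_a)
    print(cfg_b)
    print("roles complement:", roles_complement(cfg_a, cfg_b))
```

Running the same function on every host with (own IP, peer IP) yields one tls-server and one tls-client per pair with no coordination beyond knowing each other's address, which keeps the generated files as similar as the TLS role requirement allows. The `remote-cert-tls` lines rely on the peer certificate carrying the matching usage flag; with a single cert holding both flags, as in the thread, either check passes.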