Hi Richard,

On 19/07/20 12:04, Richard Hector wrote:
> [...]
>> This is also why I never really considered the static key p2p mode when
>> implementing these new unit files.  The advantage of these unit files are
>> essentially that they add more hardening outside of OpenVPN as well and the
>> server side will automatically restart if the openvpn process suddenly dies.
>>
>> Also consider that the static key p2p does not really have a client/server
>> relation.  They are both equal nodes which configures "my end point" and "the
>> remote end point", reflected in the --ifconfig where the IP addresses are
>> reversed on the hosts.  That said, you might have better luck using the
>> openvpn-server@.service unit files on both sides.
> The lack of client/server relation is what I'm after. I don't want to
> impose an artificial precedence between the machines that doesn't really
> exist. I chose the client unit because that was recommended in some
> readme; I don't remember which.

>> The p2p mode, however, is useful, and often enough for many use cases.  But I
>> do recommend you to use a p2p using a PKI setup.  This gives the p2p network
>> configuration simplicity and adds the PFS aspect.  All you need to do here is
>> to create your own CA (using easy-rsa[2,3]) and create a client and server key
>> and certificates.
> That's what I couldn't manage - a p2p network (no client or server)
> using certificates. In the end I concluded it couldn't be done, but I'm
> happy to be corrected.

this can be achieved using the following configs:

## server ##

tls-server
proto udp
port 1194
dev tun

ifconfig 10.200.0.1 10.200.0.2

dh       dh2048.pem
tls-auth ta.key 0
ca       ca.crt
cert     server.crt
key      server.key

keepalive 10 60

cipher aes-256-gcm
auth   sha256

##
## client ##
tls-client
proto udp
remote <remote server>
port 1194
dev tun
nobind   #or use rport XXXX

ifconfig 10.200.0.2 10.200.0.1

remote-cert-tls server
tls-auth ta.key 1
ca       ca.crt
cert     client1.crt
key      client1.key

cipher aes-256-gcm
auth   sha256

##

a few notes:
- even in PSK p2p mode one of the sides is more server-like (I tend to call it the listener) and the other side is the client (the one initiating the connection). So even with certificates you always have one end being the "tls-server" (i.e. waiting for an incoming connection) and one end the "tls-client" (the one initiating the connection).

- in this mode, NCP is disabled and hence you would not get GCM encryption - thus you need to specify it explicitly.

I have not tested whether things like persist-tun or persist-key work, but I don't see any reason why they should not.


HTH,

JJK
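A consistency check for a tls-server/tls-client p2p pair of the kind shown in the post, as an added example and not code from the post or from OpenVPN: it parses both configs and flags the mismatches the notes warn about (ifconfig addresses not mirrored, wrong tls-auth key direction, cipher/auth not set identically on both ends because NCP is off in p2p mode). The embedded configs are constructed copies trimmed to the checked options, and vpn.example.net is a placeholder hostname.

```python
# Constructed configs, trimmed to the options the checker looks at
# (assumption: proto/port/dev and ca/cert/key/dh lines left out for brevity).
SERVER_CONF = """
tls-server
ifconfig 10.200.0.1 10.200.0.2
tls-auth ta.key 0
keepalive 10 60
cipher aes-256-gcm
auth   sha256
"""
CLIENT_CONF = """
tls-client
remote vpn.example.net   # placeholder hostname
nobind   #or use rport XXXX
ifconfig 10.200.0.2 10.200.0.1
remote-cert-tls server
tls-auth ta.key 1
cipher aes-256-gcm
auth   sha256
"""

def parse(conf):
    """Map option name -> argument list; text after '#' is a comment."""
    opts = {}
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            opts[words[0]] = words[1:]
    return opts

def check_pair(server_conf, client_conf):
    """Return a list of mismatches between a tls-server/tls-client p2p pair."""
    s, c = parse(server_conf), parse(client_conf)
    problems = []
    if "tls-server" not in s or "tls-client" not in c:
        problems.append("one end must be tls-server, the other tls-client")
    # --ifconfig local/remote addresses are reversed between the two hosts
    if s.get("ifconfig", [])[::-1] != c.get("ifconfig", []):
        problems.append("ifconfig addresses are not mirrored")
    # --tls-auth key direction: 0 on the listener, 1 on the initiator
    if s.get("tls-auth", [])[1:] != ["0"] or c.get("tls-auth", [])[1:] != ["1"]:
        problems.append("tls-auth key-direction must be 0 (server) / 1 (client)")
    # no NCP in p2p mode, so the data-channel cipher/auth must be set and equal
    for opt in ("cipher", "auth"):
        if opt not in s or s[opt] != c.get(opt):
            problems.append(f"{opt} must be set explicitly and match on both ends")
    if c.get("remote-cert-tls") != ["server"]:
        problems.append("client lacks 'remote-cert-tls server'")
    return problems
```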



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users