On 21/07/20 11:23 pm, Jan Just Keijser wrote:
> Hi Richard,
>
> On 19/07/20 12:04, Richard Hector wrote:
>> That's what I couldn't manage - a p2p network (no client or server)
>> using certificates. In the end I concluded it couldn't be done, but I'm
>> happy to be corrected.
>>
> this can be achieved using the following configs:
>
> ## server ##
>
> tls-server
> proto udp
> port 1194
> dev tun
>
> ifconfig 10.200.0.1 10.200.0.2
>
> dh dh2048.pem
> tls-auth ta.key 0
> ca ca.crt
> cert server.crt
> key server.key
>
> keepalive 10 60
>
> cipher aes-256-gcm
> auth sha256
>
> ##
> ## client ##
> tls-client
> proto udp
> remote <remote server>
> port 1194
> dev tun
> nobind #or use rport XXXX
>
> ifconfig 10.200.0.2 10.200.0.1
>
> remote-cert-tls server
> tls-auth ta.key 1
> ca ca.crt
> cert client1.crt
> key client1.key
>
> cipher aes-256-gcm
> auth sha256
>
> ##

That doesn't achieve the goal of "no client or server", since there are 2
distinct config files.

> a few notes:
> - even in PSK p2p mode one of the sides is more server-like (I tend to
> call it the listener) and the other side is the client (the one
> initiating the connection).

In p2p psk mode, I can have files that only differ in address, port and
device numbers/names - they're symmetrical. And it works, barring the
startup with systemd.

> So even with certificates you always have one end being the "tls-server"
> (i.e. waiting for an incoming connection) and one end the "tls-client"
> (the one initiating the connection).

'With certificates', yes. 'Even with certificates' implies that it isn't
possible without either, which it seems to be.

> - in this mode, NCP is disabled and hence you would not get GCM
> encryption - thus you need to specify it explicitly.

I wasn't familiar with either of those. It seems NCP isn't needed because
I'm configuring both sides explicitly. Is GCM something I need?

> I have not tested whether things like persist-tun or persist-key work,
> but I don't see any reason why they should not.
Thanks,
Richard

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
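The symmetrical static-key (PSK) point-to-point setup Richard describes, as an added illustration that is not part of the thread and not Jan's configs above: one template emits both peers' files, and a diff confirms they differ only in the tunnel device, the peer endpoint and the mirrored ifconfig addresses. The public endpoints (192.0.2.1/2), tunnel addresses (10.200.0.1/2), device names (tun0/tun1) and the shared key file name are constructed for the example; static.key is assumed to have been generated with openvpn --genkey and copied to both hosts over a secure channel.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Builds the two sides of an OpenVPN static-key p2p link from a single
# template and checks how many directives actually differ between them.
# Assumed/constructed values: endpoints 192.0.2.1 and 192.0.2.2, tunnel
# addresses 10.200.0.1 and 10.200.0.2, devices tun0/tun1, key file static.key.

# Emit one peer's config.
# $1 local tunnel address, $2 remote tunnel address,
# $3 peer's public address, $4 tun device name
peer_conf() {
  cat <<EOF
dev $4
proto udp
port 1194
remote $3
secret static.key
ifconfig $1 $2
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
EOF
}

# Write peerA.conf and peerB.conf into the directory given as $1.
# Note the mirrored ifconfig arguments and the swapped remote endpoint.
write_confs() {
  dir=${1:-.}
  peer_conf 10.200.0.1 10.200.0.2 192.0.2.2 tun0 > "$dir/peerA.conf"
  peer_conf 10.200.0.2 10.200.0.1 192.0.2.1 tun1 > "$dir/peerB.conf"
}

# Count directives present in peerA.conf that differ in peerB.conf.
# For this symmetric template the answer is exactly 3: dev, remote, ifconfig.
asymmetric_count() {
  dir=${1:-.}
  diff "$dir/peerA.conf" "$dir/peerB.conf" | grep -c '^<'
}

# Stand-alone usage: write both files to a temp dir and show the differences.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  write_confs "$d"
  diff "$d/peerA.conf" "$d/peerB.conf" || true
  echo "differing directives: $(asymmetric_count "$d")"
fi
```

Both sides carry the same `secret` and `port` line, so either end can start first and whichever one sends first simply becomes the initiator; that is what makes the PSK pair symmetric in a way the tls-server/tls-client pair is not. Run with `--demo` to see the three-line diff.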