Hi,
On 22/07/20 13:32, Richard Hector wrote:
On 21/07/20 11:23 pm, Jan Just Keijser wrote:
Hi Richard,
On 19/07/20 12:04, Richard Hector wrote:
That's what I couldn't manage - a p2p network (no client or server)
using certificates. In the end I concluded it couldn't be done, but I'm
happy to be corrected.
this can be achieved using the following configs:
## server ##
tls-server
proto udp
port 1194
dev tun
ifconfig 10.200.0.1 10.200.0.2
dh dh2048.pem
tls-auth ta.key 0
ca ca.crt
cert server.crt
key server.key
keepalive 10 60
cipher aes-256-gcm
auth sha256
##
## client ##
tls-client
proto udp
remote <remote server>
port 1194
dev tun
nobind #or use rport XXXX
ifconfig 10.200.0.2 10.200.0.1
remote-cert-tls server
tls-auth ta.key 1
ca ca.crt
cert client1.crt
key client1.key
cipher aes-256-gcm
auth sha256
##
That doesn't achieve the goal of "no client or server", since there are
2 distinct config files.
there will always be minor differences; if you build a "symmetric"
certificate (client + server auth) then you can get the differences down
to three lines:
1c1
< tls-client
---
> tls-server
3d2
< remote <vpn-server-ip>
7c6
< ifconfig 10.200.0.2 10.200.0.1
---
> ifconfig 10.200.0.1 10.200.0.2
the only extra is the "tls-client"/"tls-server" line compared to the PSK
version.
And this makes sense, as in PSK mode the key exchange+encryption is
symmetric whereas in certificate mode it is not.
a few notes:
- even in PSK p2p mode one of the sides is more server-like (I tend to
call it the listener) and the other side is the client (the one
initiating the connection).
In p2p psk mode, I can have files that only differ in address, port and
device numbers/names - they're symmetrical. And it works, barring the
startup with systemd.
if your systemd file states
nobind
yet you specify a local port in the client config then it will not work...
So even with certificates you always have one end being the "tls-server"
(i.e. waiting for an incoming connection) and one end the "tls-client"
(the one initiating the connection).
'With certificates', yes. 'Even with certificates' implies that it isn't
possible without either, which it seems to be.
HTH,
JJK
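As an added example (not from the thread or from the OpenVPN project), the script below builds both ends of the certificate-based point-to-point link from the options posted above and lints each side for the asymmetries the thread turns on: exactly one tls-server/tls-client role, the tls-auth key direction (0 on the listener, 1 on the initiator), mirrored ifconfig addresses, and the nobind/local-port conflict. The `lport` option and the hostname used in the test are assumptions.

```python
"""Generate both ends of an OpenVPN TLS point-to-point link from one
template and lint each side for the mistakes discussed in the thread."""
import difflib

# Options shared by both ends, copied from the configs posted in the thread.
COMMON = ["proto udp", "port 1194", "dev tun", "ca ca.crt",
          "keepalive 10 60", "cipher aes-256-gcm", "auth sha256"]


def build_config(role, name, local_ip, peer_ip, remote=None, lport=None):
    """Config lines for one end; role is 'server' (listener) or 'client'."""
    if role == "server":
        head = ["tls-server", "dh dh2048.pem", "tls-auth ta.key 0"]
    elif role == "client":
        # lport is assumed here as the alternative to nobind (fixed local port).
        head = ["tls-client", f"remote {remote}",
                "nobind" if lport is None else f"lport {lport}",
                "remote-cert-tls server", "tls-auth ta.key 1"]
    else:
        raise ValueError(f"unknown role {role!r}")
    return head + [f"ifconfig {local_ip} {peer_ip}",
                   f"cert {name}.crt", f"key {name}.key"] + COMMON


def lint(lines):
    """Return problems on one end that would stop the link from coming up."""
    opts = dict((l.split(None, 1) if " " in l else [l, ""]) for l in lines)
    problems = []
    is_server = "tls-server" in opts
    if is_server == ("tls-client" in opts):
        problems.append("exactly one of tls-server/tls-client is required")
    if is_server and "remote" in opts:
        problems.append("listener should not set remote")
    if not is_server and "remote" not in opts:
        problems.append("initiator needs a remote")
    if "nobind" in opts and "lport" in opts:
        problems.append("nobind and lport conflict: the local port is ignored")
    want = "0" if is_server else "1"
    if opts.get("tls-auth", "").split()[-1:] != [want]:
        problems.append(f"tls-auth direction should be {want} on this end")
    return problems


def lint_pair(a, b):
    """Cross-check both ends: ifconfig addresses must mirror each other."""
    addrs = [next(l.split()[1:] for l in c if l.startswith("ifconfig ")) for c in (a, b)]
    return [] if addrs[0] == addrs[1][::-1] else [f"ifconfig mismatch: {addrs}"]


def config_diff(a, b):
    """Only the lines that differ between the two ends (no diff headers)."""
    return [l for l in difflib.unified_diff(a, b, lineterm="", n=0)
            if l[:1] in "+-" and not l.startswith(("+++", "---"))]
```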
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users