On Mon, Dec 15, 2025 at 09:37:13PM +0100, Thomas Bohl wrote:
> Warning: You don't have authentication between blackblock and dina! (That is
> why you need 2603:c026:306:9211::300 in your <localnet> table.) Even with
> "verify". All that does is: "Yep, I know and trust that CA."

For these situations where both machines are under your direct control and only communicating with each other, one possibility is to use a self-signed certificate and specify the private CA using the 'ca' option in the action and listen directives. Usually using auth, or filtering at the IP level is more practical, but it's certainly possible using a private CA.

Good to see that the relaying is working at last, though :-).
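
The private-CA setup described in the reply above, sketched as an added smtpd.conf example that is not part of the original message or of either poster's configuration. Host names, file paths, the "privateca" and "PEER" labels and the choice of port 465 are assumptions; it relies on the 'ca' option on listen and action directives that the reply mentions.

```conf
# ---- receiving host (constructed name: mx.example.org) ----
pki mx.example.org cert "/etc/ssl/mx.example.org.crt"
pki mx.example.org key  "/etc/ssl/private/mx.example.org.key"

# The private CA (or the peer's self-signed certificate) is the only
# trust anchor for this listener, instead of the system CA bundle.
ca privateca cert "/etc/ssl/private-ca.crt"

# "verify" demands a client certificate; "ca privateca" narrows the accepted
# issuers to the private CA, so a certificate from any public CA fails.
listen on egress port 465 smtps verify pki mx.example.org ca privateca tag PEER

action "outbound" relay
# Only sessions that arrived on the verified listener may relay.
match tag PEER from any for any action "outbound"

# ---- sending host (constructed name: sender.example.org) ----
pki sender.example.org cert "/etc/ssl/sender.example.org.crt"
pki sender.example.org key  "/etc/ssl/private/sender.example.org.key"
ca privateca cert "/etc/ssl/private-ca.crt"

# Present the client certificate and check the server against the same CA.
action "to_peer" relay host smtps://mx.example.org pki sender.example.org ca privateca
match from local for any action "to_peer"
```

Every certificate issued by that CA is accepted on the listener, so the CA key should sign only the hosts that are meant to relay.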
