Hi,

On Thu, May 21, 2015 at 02:37:36PM +0200, David Sommerseth wrote:
> It's not that easy, unfortunately. And you've already been down that
> path once already.
>
> To switch to TLS mode, you need to use --ca, --cert and --key. In
> addition on the server side you need --dh as well. This means you
> need to have a CA where you issue certificates.
>
> In addition, you're back to the need to use --client-config-dir and
> --iroute as well to make LAN-to-LAN-over-VPN work.
>
> And then you can add --tls-auth as well, on top of all of this.
I seem to remember that there is a way to do peer-to-peer (so, not calling
"--server" and "--client") but still do TLS - by having the "TLS server"
configured with --ca, --cert, --key and "--tls-server", and the peer with
"--tls-client". But this is more from stumbling across the options than
from actually having tried it.

(--server is a macro that, among other things, activates --tls-server and
all the to-multiple-clients handling, while --client implies --tls-client,
but both --tls-* options can be used standalone.)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
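[Editor's note, not part of the thread above.] The point-to-point TLS setup Gert describes can be written out as two plain OpenVPN config files. This is an added example, not something posted in the thread or taken from the OpenVPN project; all file names, the hostname `vpn.example.net`, the tunnel addresses `10.8.0.1`/`10.8.0.2` and the two LAN prefixes are placeholders. It assumes a CA that issued `server.crt` (with the serverAuth extended key usage) and `client.crt` (with clientAuth), a `dh2048.pem` on the TLS-server side, and a shared `ta.key` generated with `openvpn --genkey --secret ta.key` (on 2.5+ the syntax is `openvpn --genkey secret ta.key`) and copied to both peers.

```conf
# ---- server.conf : TLS server role (one peer only; no --server macro) ----
dev tun
proto udp
port 1194
# Point-to-point tunnel addresses: local, remote (placeholders).
ifconfig 10.8.0.1 10.8.0.2
# LAN behind the other peer (placeholder). With a single peer, a plain
# --route is enough; --client-config-dir/--iroute are only needed when
# --server multiplexes several clients over one tun device.
route 192.168.2.0 255.255.255.0

tls-server
ca   ca.crt
cert server.crt
key  server.key
dh   dh2048.pem          # only the tls-server side needs this
tls-auth ta.key 0        # key-direction 0 on the server side
# Refuse the handshake unless the peer's cert carries the clientAuth EKU,
# so a certificate issued for the server role cannot impersonate a client.
remote-cert-tls client

cipher AES-256-CBC       # works on 2.3 and later; 2.4+ would prefer AES-256-GCM
auth   SHA256
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- client.conf : TLS client role ----
dev tun
proto udp
remote vpn.example.net 1194   # placeholder hostname
nobind
ifconfig 10.8.0.2 10.8.0.1
# LAN behind the TLS-server peer (placeholder).
route 192.168.1.0 255.255.255.0

tls-client
ca   ca.crt
cert client.crt
key  client.key
tls-auth ta.key 1        # key-direction 1 on the client side
# Refuse the handshake unless the peer's cert carries the serverAuth EKU,
# so a stolen client certificate cannot be used to stand up a fake server.
remote-cert-tls server

cipher AES-256-CBC
auth   SHA256
keepalive 10 60
persist-key
persist-tun
verb 3
```

The two `remote-cert-tls` lines are the check worth keeping even in a two-node setup: without them any certificate signed by the CA is accepted in either role. `tls-auth` additionally drops unauthenticated UDP packets before they reach the TLS stack, which is what the "on top of all of this" in David's message buys you.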
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users