On 21-05-15 14:45, Gert Doering wrote:
> On Thu, May 21, 2015 at 02:37:36PM +0200, David Sommerseth wrote:
>> It's not that easy, unfortunately.  And you've already been down
>> that path once already.
>> 
>> To switch to TLS mode, you need to use --ca, --cert and --key.
>> In addition on the server side you need --dh as well.  This means
>> you need to have a CA where you issue certificates.
>> 
>> In addition, you're back to the need to use --client-config-dir
>> and --iroute as well to make LAN-to-LAN-over-VPN work.
>> 
>> And then you can add --tls-auth as well, on top of all of this.
> 
> I seem to remember that there is a way to do peer-to-peer (so, not
> call "--server" and "--client") but still do TLS - by having the
> "TLS server" configured with --ca, --cert, --key and
> "--tls-server", and the peer with "--tls-client".

That is correct, and we use it all the time in our 'make check' tests.
For an example, look at the loopback config files for inspiration:
https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/loopback-server
https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/loopback-client

Do note that the networking bits of these configs are *not* usable in
the real world.  But the crypto bits (tls-{client,server}, dh, ca,
key, cert, tls-auth) show how to get a point-to-point tls connection
going.

-Steffan
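A point-to-point TLS pair of the kind Gert describes, written here as an added example rather than copied from the OpenVPN loopback samples: the hostname, tunnel addresses, certificate file names, subject names and the two LAN prefixes are assumed placeholders. Because neither side uses --server, LAN-to-LAN routing needs only a plain route on each peer, not --client-config-dir/--iroute.

```conf
# ---- peer A: the "TLS server" end (no --server, no --client) ----
dev tun
proto udp
port 1194
# assumed tunnel endpoints: local, then remote
ifconfig 10.9.0.1 10.9.0.2
# assumed LAN behind peer B, reached through the tunnel
route 192.168.2.0 255.255.255.0
tls-server
ca ca.crt
cert peerA.crt
key peerA.key
dh dh2048.pem
# HMAC on the control channel; key direction 0 on this end
tls-auth ta.key 0
# require the peer's certificate to carry the TLS client EKU
remote-cert-tls client
# pin the peer's CN (assumed name) so any other cert from the CA is refused
verify-x509-name peerB name
persist-key
persist-tun
keepalive 10 60
verb 3

# ---- peer B: the "TLS client" end ----
dev tun
proto udp
# assumed public address of peer A
remote peera.example.com 1194
nobind
ifconfig 10.9.0.2 10.9.0.1
# assumed LAN behind peer A
route 192.168.1.0 255.255.255.0
tls-client
ca ca.crt
cert peerB.crt
key peerB.key
# opposite key direction from peer A
tls-auth ta.key 1
# require the peer's certificate to carry the TLS server EKU
remote-cert-tls server
verify-x509-name peerA name
persist-key
persist-tun
keepalive 10 60
verb 3
```

Both peers still share the same CA, ta.key and dh2048.pem as the thread lists; the two certificates must be issued with the matching server/client EKU for the remote-cert-tls checks to pass.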

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
