On 19/07/20 9:09 pm, Gert Doering wrote:
> Hi,
>
> On Sun, Jul 19, 2020 at 05:09:59PM +1200, Richard Hector wrote:
>> I have 4 machines (actually VPSes) that have a full mesh of VPNs between
>> them. I'm using a slightly-modified version of the 'client' example
>> config. Since it appears TLS, and the use of certificates, requires
>> named client and server peers, I'm using a PSK (one for the whole set).
>
> This is a slight misconception. All you need is a common CA for
> a pair of client+server (you could use the same CA for all your machines,
> or if you want fancy, a different CA for each pair but that does not
> make much sense).
>
> The certs can be named whatever you want ("cert1, cert2, cert3") and
> this is not related to DNS names, user names, or anything.
>
> There is one catch: a "server" cert has some extra bits set which
> the client *can* verify (--remote-cert-tls server) - but as long as
> this is not active in your client configs, a "server" can use the same
> cert as a "client".
Thanks Gert,

I'm aware of the flags in the cert, and (IIRC) managed to enable both client and server flags, and both client and server worked with the same cert.

What I wasn't able to do is have identical (well, reversed) config files on all the servers, using the certificate mode. I guess I could have some algorithm to decide which is the 'server' of each pair - perhaps the lower IP address - but I'd rather keep the configs as similar as possible.

Cheers,
Richard

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
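The "lower IP address is the server" idea from Richard's reply, worked through as an added example (this is not code from the thread or from the OpenVPN project). It generates the per-peer stanzas each host in a full mesh needs when all hosts share one CA, cert and key; the hostnames, IP addresses, file names and base port are constructed sample values.

```python
# Added example: deterministic server/client role assignment for a full-mesh
# OpenVPN setup where every host shares the same CA, cert and key (as in the thread).
# Rule: for each pair, the peer with the lower IP address takes the 'server' role,
# so every host can be generated from the same inventory with no hand-tuned config.
import ipaddress
from itertools import combinations

PEERS = {  # constructed sample inventory: hostname -> public IP (not real hosts)
    "vps-a": "203.0.113.10",
    "vps-b": "203.0.113.20",
    "vps-c": "198.51.100.5",
    "vps-d": "192.0.2.7",
}
BASE_PORT = 1194  # each pair gets its own port so one host can run several instances


def pair_roles(a, b, ips):
    """Return (server, client) for a pair: the lower IP address becomes the server."""
    lower_first = ipaddress.ip_address(ips[a]) < ipaddress.ip_address(ips[b])
    return (a, b) if lower_first else (b, a)


def pair_port(a, b, ips):
    """Per-pair port that both ends compute identically, whatever the argument order."""
    pairs = sorted(combinations(sorted(ips), 2))
    return BASE_PORT + pairs.index(tuple(sorted((a, b))))


def render(me, peer, ips):
    """Render the config stanza that host `me` uses for its link to `peer`."""
    server, _client = pair_roles(me, peer, ips)
    lines = ["dev tun", f"port {pair_port(me, peer, ips)}",
             "ca ca.crt", "cert mesh.crt", "key mesh.key"]  # same three files on every host
    if me == server:
        lines.append("tls-server")
    else:
        lines += ["tls-client", f"remote {ips[peer]}",
                  # Only valid because the shared cert carries the server EKU bits
                  # (as Richard did); leave this out if it is a plain client cert.
                  "remote-cert-tls server"]
    return "\n".join(lines) + "\n"


def configs_for(me, ips=PEERS):
    """All per-peer config stanzas for host `me`, keyed by peer name."""
    return {p: render(me, p, ips) for p in ips if p != me}


if __name__ == "__main__":
    for host in PEERS:
        for peer, cfg in configs_for(host).items():
            print(f"# {host} -> {peer}\n{cfg}")
```

Each host ends up with one stanza per peer; the two ends of any pair agree on the port and on who listens, and only the `remote` line and the `tls-server`/`tls-client` choice differ between them.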