Hi,

On Sun, Jul 19, 2020 at 09:56:09PM +1200, Richard Hector wrote:
> I'm aware of the flags in the cert, and (IIRC) managed to enable both
> client and server flags, and both client and server worked with the same
> cert.

Good :-)

> What I wasn't able to do is have identical (well, reversed) config files
> on all the servers, using the certificate mode.

This is true, one side needs to be --tls-server and one side needs to be --tls-client - which differs from --secret mode, which is true "peer to peer with no difference in role".

> I guess I could have some algorithm to decide which is the 'server' of
> each pair - perhaps the lower ip address - but I'd rather keep the
> configs as similar as possible.

It's a tradeoff. TLS needs these roles, but will give you better security (due to PFS). p2p is simpler, but not recommended these days, and as such, not as well integrated...

Not sure what the original problem is, though. Are you using --bind on both sides? NAT with port translation in between? If the port changes after a restart, and the other end has no --float in the config, things will not work. Here a clear client/server role also helps, as there is a well defined "setup connection" phase (p2p just sends off packets, no handshake involved).

gert
-- 
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany
g...@greenie.muc.de
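As an added illustration of the role asymmetry discussed in this thread (not part of the original mail, nor an OpenVPN project sample), here is a minimal point-to-point pair in which both hosts present a dual-purpose certificate carrying both the serverAuth and clientAuth EKUs; the addresses, file names and tunnel IPs are assumptions.

```conf
# ---- host A (assumed public address 192.0.2.1), takes the --tls-server role ----
dev tun
proto udp
port 1194
remote 198.51.100.1 1194
tls-server
# only the tls-server side needs DH parameters for the TLS handshake
dh dh.pem
ca ca.crt
# the same dual-EKU cert/key could be used on both ends; separate files shown here
cert hostA.crt
key hostA.key
# require that the peer's cert carries the clientAuth EKU
remote-cert-tls client
ifconfig 10.8.0.1 10.8.0.2
# if host B sits behind NAT and its source port may change after a restart,
# this side must accept the peer from a new address/port
float
keepalive 10 60
persist-key
persist-tun
verb 3

# ---- host B (assumed public address 198.51.100.1), the mirrored --tls-client role ----
dev tun
proto udp
port 1194
remote 192.0.2.1 1194
tls-client
ca ca.crt
cert hostB.crt
key hostB.key
# require that the peer's cert carries the serverAuth EKU
remote-cert-tls server
ifconfig 10.8.0.2 10.8.0.1
keepalive 10 60
persist-key
persist-tun
verb 3
```

The two files differ only in the tls-server/tls-client line, the dh line, the remote-cert-tls argument and the ifconfig order, which is exactly why the certificate mode cannot be deployed from one byte-identical config on every host.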