On 29/03/2025 14:16, Bo Berglund wrote:
[...snip...]
> It seems like that solution is based on the clients being "registered" on the
> server with a fingerprint created client side, but how can you do such things
> on a mobile phone?
> So a Linux client would work but not a phone..

Kinda ... The client config still needs a client certificate and a key. That information will not be created on the mobile device - and that is exactly the same as with the CA/easy-rsa approach. You prepare a config file containing everything, and that file is imported on the mobile device.

What is different is that you run an 'openssl x509' command to retrieve the SHA-256 fingerprint of the client and server certificates. The client certificate fingerprint is put into the <peer-fingerprint> "blob" in the server config. And in the client config, the server certificate fingerprint is given to the peer-fingerprint option.

IIRC, on *older* OpenVPN versions on the client side (not supporting peer-fingerprint), the server certificate can be used in the <ca> "blob" in the client config.

> We need the phone to also be able to connect to the server and be geolocated
> there.
> And that has worked for many years using the ovpn file (same file for the
> client irrespective of device used).

That should not be any different. What peer-fingerprint does is basically removing the need for client and server certificates to be signed by a CA. So the CA certificate is no longer needed when using peer-fingerprint. Client and server certificates are self-signed when using peer-fingerprint.

--
kind regards,

David Sommerseth
OpenVPN Inc

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
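The steps described in the reply above (self-signed certificates, an 'openssl x509' fingerprint of each, the client fingerprint in the server's <peer-fingerprint> block and the server fingerprint in the client's peer-fingerprint option) carried through in a POSIX shell script. This is an added example, not code from the post or from the OpenVPN project; it assumes 'openssl' is installed, and the file names (server.crt, phone.crt), the common names, and the temporary working directory are placeholders chosen for the illustration.

```shell
#!/bin/sh
# Added example, not from the mailing list post or the OpenVPN project.
# Assumes 'openssl' is installed; the file names (server.crt, phone.crt)
# and the common names are placeholders chosen for this illustration.
set -eu

# Create a self-signed certificate and key. No CA signs it, which is the
# point of peer-fingerprint mode.
# Usage: make_selfsigned <basename> <common-name>
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Reduce an 'openssl x509 -fingerprint -sha256' output line to the bare
# colon-separated digest. OpenSSL 1.1 prints "SHA256 Fingerprint=...",
# OpenSSL 3 prints "sha256 Fingerprint=..."; both are handled by dropping
# everything up to the first '='.
fingerprint_from_line() {
    printf '%s\n' "$1" | sed 's/^[^=]*=//'
}

# SHA-256 fingerprint of a PEM certificate file, in the form OpenVPN expects.
cert_fingerprint() {
    fingerprint_from_line "$(openssl x509 -noout -fingerprint -sha256 -in "$1")"
}

# Server config fragment: the <peer-fingerprint> block lists every client
# certificate the server will accept, one fingerprint per line.
# Usage: server_fragment <client-fp> [<client-fp> ...]
server_fragment() {
    printf '<peer-fingerprint>\n'
    for fp in "$@"; do
        printf '%s\n' "$fp"
    done
    printf '</peer-fingerprint>\n'
}

# Client config fragment: pin the server certificate directly, so no <ca>
# block is needed in the .ovpn file.
# Usage: client_fragment <server-fp>
client_fragment() {
    printf 'peer-fingerprint %s\n' "$1"
}

# Demonstration: one server and one phone client. Skipped when openssl is
# absent so the function definitions above still load cleanly.
if command -v openssl >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    (
        cd "$workdir"
        make_selfsigned server vpn.example.invalid
        make_selfsigned phone phone-client
        echo "# --- append to server.conf ---"
        server_fragment "$(cert_fingerprint phone.crt)"
        echo "# --- append to phone.ovpn (alongside <cert>/<key>) ---"
        client_fragment "$(cert_fingerprint server.crt)"
        echo "# certificates and keys left in $workdir"
    )
fi
```

The fragments only cover the trust part of the configuration: the server still carries its own cert/key, the phone's .ovpn still embeds its <cert> and <key> blobs, and remote, dev, and the rest stay as before. The <peer-fingerprint> block and the peer-fingerprint option require OpenVPN 2.6 or later on that side; on older clients the reply's fallback of putting the server certificate in <ca> applies. Because a fingerprint pins one exact certificate, reissuing either certificate means updating the fingerprint recorded on the other side, which is the operational trade-off for dropping the CA.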