I'm looking for best practices and/or a guide/howto to connect ONE client to ONE server now that pre-shared static keys (--secret) have been deprecated and TLS will be a requirement from OpenVPN 2.7.0. There's plenty of info on how to set up a one-to-many server with full PKI or peer-fingerprints, but my specific need is simply a one-to-one setup, unless there are good arguments to use a one-to-many setup even in my case.
Kind regards
Morgan
Background:
The following information is not required reading. I simply add it here for those who may be interested in what my setup is and what I have tested so far.
I manage several FreeBSD-based routers for myself and also help my friends with similar setups. I use OpenVPN to connect some of them in P2P mode and with a pre-shared static key. I now need to convert them all to TLS-based tunnels.
- For administrative reasons I want explicit control of the endpoint IP addresses and the subnets they belong to.
- I prefer to use a /30 subnet which has exactly the two IP addresses I need for the endpoints.
- I prefer not to maintain a full PKI setup just for a simple point-to-point tunnel.
I've used the peer-fingerprint guide at https://github.com/openvpn/openvpn/blob ... rprint.rst as a start, but note that this guide only shows an example of a one-to-many setup. I adapted it to a p2p configuration to the best of my abilities and I do indeed have a working setup, but there's one annoyance and I lack the knowledge to make it go away. If I start the server without starting the client, the server[sic] will start logging a "Server poll timeout" and soft restarting the tunnel every 2 minutes (the default server poll timeout). I fail to understand this behaviour since I have no remote statement in the server config and I expect it to just be in listening mode at this point. The likely culprit is probably my ignorance, which brings us back to my initial request in the summary.
I also made some futile attempts with topology subnet but was never able to get any data to traverse the tunnel. There were various errors depending on what I tried, but since I was on very thin ice knowledge-wise, I'll leave the details of those failures out of this discussion for now.
Below are my server and client configs. Perhaps anyone can see some mistakes in them or give feedback?
Server Config
cert keymaster.pem
key keymaster.pem
dh none
dev tun2
proto udp4
lport 31170
tls-server
ifconfig 10.0.0.5 10.0.0.6
tun-mtu 1400
peer-fingerprint "[redacted]"
explicit-exit-notify 1
keepalive 10 120
cipher AES-256-GCM
user openvpn
group openvpn
persist-key
persist-tun
ping-timer-rem
status /var/log/openvpn_lenovo-status.log
log /var/log/openvpn_lenovo.log
verb 3
Client Config
cert lenovo.pem
key lenovo.pem
remote [redacted] 31170
dev tun2
proto udp4
nobind
tls-client
ifconfig 10.0.0.6 10.0.0.5
tun-mtu 1400
peer-fingerprint "[redacted]"
cipher AES-256-GCM
user openvpn
group openvpn
keepalive 10 60
persist-key
persist-tun
ping-timer-rem
status /var/log/openvpn.lenovo-status.log
log-append /var/log/openvpn.lenovo.log
verb 3
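For readers setting up the same kind of one-to-one tunnel, here is an added example (not code from the post or from the OpenVPN project) of the certificate side of a peer-fingerprint setup: one self-signed key+cert file per endpoint, plus the SHA-256 fingerprint line each side must pin for the OTHER side. It assumes openssl(1) is installed; the file names keymaster.pem and lenovo.pem mirror the posted configs, and the script name gen-p2p-certs.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): create one self-signed key+cert file per
# endpoint of a one-to-one tunnel and print the peer-fingerprint line each side needs.
# Assumes openssl(1) is installed. File names keymaster.pem/lenovo.pem follow the post.
set -eu

# Generate an EC key and a self-signed cert for $1 and store both in $1.pem,
# so the same file can be given to both --cert and --key as in the posted configs.
gen_selfsigned() {
    name=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes \
        -sha256 -days 3650 -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.crt" 2>/dev/null
    cat "$name.key" "$name.crt" > "$name.pem"
    rm -f "$name.key" "$name.crt"
    chmod 600 "$name.pem"
}

# SHA-256 fingerprint of the certificate in $1, in the AA:BB:... form that
# --peer-fingerprint expects (the part after "Fingerprint=").
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Sanity check: 32 colon-separated hex bytes. A SHA-1 (20-byte) fingerprint
# pasted by mistake is caught here instead of failing at connect time.
is_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$'
}

# Each side pins the OTHER side's certificate, never its own.
main() {
    cd "$1"
    gen_selfsigned keymaster
    gen_selfsigned lenovo
    server_fp=$(cert_fingerprint keymaster.pem)
    client_fp=$(cert_fingerprint lenovo.pem)
    is_fingerprint "$server_fp"
    is_fingerprint "$client_fp"
    echo "# add to the server (keymaster) config:"
    echo "peer-fingerprint $client_fp"
    echo "# add to the client (lenovo) config:"
    echo "peer-fingerprint $server_fp"
}

# Usage: sh gen-p2p-certs.sh /path/to/dir   (only defines functions when no dir is given)
if [ $# -eq 1 ]; then main "$1"; fi
```

Copy the printed peer-fingerprint line into the config on the opposite endpoint; the .pem file itself stays on the host that generated it.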