Request: Howto for a one-to-one setup using TLS and peer-fingerprints in OpenVPN 2.6.0 wanted.

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

oldbsdguy
OpenVpn Newbie
Posts: 3
Joined: Wed Mar 08, 2023 8:24 pm

Request: Howto for a one-to-one setup using TLS and peer-fingerprints in OpenVPN 2.6.0 wanted.

Post by oldbsdguy » Wed Mar 08, 2023 8:44 pm

Summary:
I'm looking for best practices and/or a guide/howto to connect ONE client to ONE server now that pre-shared static keys (--secret) have been deprecated and TLS will be a requirement from OpenVPN 2.7.0. There's plenty of info on how to set up a one-to-many server with full PKI or peer-fingerprints, but my specific need is simply a one-to-one setup, unless there are good arguments to use a one-to-many setup even in my case.

Kind regards
Morgan

Background:
The following information is not required reading. I simply add it here for those who may be interested in what my setup is and what I have tested so far.

I manage several FreeBSD-based routers for myself and also help my friends with similar setups. I use OpenVPN to connect some of them in P2P mode and with a pre-shared static key. I now need to convert them all to TLS-based tunnels.

- For administrative reasons I want explicit control of the endpoint IP addresses and the subnets they belong to.
- I prefer to use a /30 subnet which has exactly the two IP addresses I need for the endpoints.
- I prefer not to maintain a full PKI setup just for a simple point-to-point tunnel.

I've used the peer-fingerprint guide at https://github.com/openvpn/openvpn/blob ... rprint.rst as a start but note that this guide only shows an example of a one-to-many setup. I adapted it to a p2p configuration to the best of my abilities and I do indeed have a working setup but there's one annoyance and I lack the knowledge to make it go away. If I start the server without starting the client, the server[sic] will start logging a "Server poll timeout" and soft restarting the tunnel every 2 minutes (the default server poll timeout). I fail to understand this behaviour since I have no remote statement in the server config and I expect it to just be in listening mode at this point. The likely culprit is probably my ignorance which brings us back to my initial request in the summary.
I also made some futile attempts with topology subnet but was never able to get any data to traverse the tunnel. There were various errors depending on what I tried, but since I was on very thin ice knowledge-wise, I'll leave the details of those failures out of this discussion for now. :)

Below are my server and client configs. Perhaps anyone can see some mistakes in them or give feedback?

Server Config
cert keymaster.pem
key keymaster.pem
dh none
dev tun2
proto udp4
lport 31170
tls-server
ifconfig 10.0.0.5 10.0.0.6
tun-mtu 1400
peer-fingerprint "[redacted]"
explicit-exit-notify 1
keepalive 10 120
cipher AES-256-GCM
user openvpn
group openvpn
persist-key
persist-tun
ping-timer-rem
status /var/log/openvpn_lenovo-status.log
log /var/log/openvpn_lenovo.log
verb 3


Client Config
cert lenovo.pem
key lenovo.pem
remote [redacted] 31170
dev tun2
proto udp4
nobind
tls-client
ifconfig 10.0.0.6 10.0.0.5
tun-mtu 1400
peer-fingerprint "[redacted]"
cipher AES-256-GCM
user openvpn
group openvpn
keepalive 10 60
persist-key
persist-tun
ping-timer-rem
status /var/log/openvpn.lenovo-status.log
log-append /var/log/openvpn.lenovo.log
verb 3
Last edited by oldbsdguy on Wed Mar 08, 2023 11:34 pm, edited 1 time in total.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Request: Howto for a one-to-one setup using TLS and peer-fingerprints wanted.

Post by Pippin » Wed Mar 08, 2023 9:34 pm

Hi,

If I'm not mistaken you can use /31 on server:
Remove:


tls-server
ifconfig 10.0.0.5 10.0.0.6
Add:


server 10.0.0.0 255.255.255.254
topology subnet

For the client:
Remove:


tls-client
ifconfig 10.0.0.6 10.0.0.5
Add:


client
Also see manual 2.6:
https://build.openvpn.net/man/openvpn-2 ... vpn.8.html
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

oldbsdguy
OpenVpn Newbie
Posts: 3
Joined: Wed Mar 08, 2023 8:24 pm

Re: Request: Howto for a one-to-one setup using TLS and peer-fingerprints wanted.

Post by oldbsdguy » Wed Mar 08, 2023 11:31 pm

Pippin wrote:
Wed Mar 08, 2023 9:34 pm
If I'm not mistaken you can use /31 on server:
The server log disagrees: :D


Options error: --server directive when used with --dev tun must define a subnet of 255.255.255.248 (/29) or lower
I can almost say I know the man page by heart now but it's always good with some new ideas. Thank you for your suggestion. :)

Before losing myself in the detailed configuration, I'd value some insights in the best practices for my scenario - especially if topology p2p or subnet is the way forward and why. I can't imagine I'm the only one with this particular setup.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Request: Howto for a one-to-one setup using TLS and peer-fingerprints in OpenVPN 2.6.0 wanted.

Post by ordex » Thu Mar 09, 2023 12:19 am

Hi, topology p2p is fine (default value).
Then use --ifconfig to set up the IPs. Basically what you are already doing in the configs you posted in the first message.

The introduction of TLS (either via PKI or peer-fingerprint) only affects the handshake and the key management. Networking (i.e. IP assignment) still works like before.
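The peer-fingerprint method used in the configs above pins the SHA-256 fingerprint of the other side's self-signed certificate, so the one check worth automating on a one-to-one link is that the pin in each config really matches the certificate the peer will present (a typo in the pin only shows up as a failed handshake). The following is an added example, not code from this thread or from the OpenVPN project: it computes the fingerprint in the same colon-separated hex form that `openssl x509 -fingerprint -sha256` prints, and compares it against the `peer-fingerprint` line or `<peer-fingerprint>` block of a config. The PEM blob and the config text are constructed stand-ins (the "certificate" body is just the bytes `abc`, not real DER, which is enough because only the raw bytes between the PEM markers are hashed); case-insensitive comparison and skipping of `#` comment lines inside the block are assumptions made here for convenience.

```python
import base64
import hashlib
import re

# Constructed stand-in for a PEM certificate file (hypothetical, not a real
# certificate): the base64 body decodes to b"abc" rather than DER.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed server config in the style of the thread, with the pin of the
# sample "certificate" written in lower case inside an inline block.
SAMPLE_SERVER_CONFIG = """dev tun2
proto udp4
tls-server
ifconfig 10.0.0.5 10.0.0.6
<peer-fingerprint>
# lenovo client (comment line, assumed to be skipped)
ba:78:16:bf:8f:01:cf:ea:41:41:40:de:5d:ae:22:23:b0:03:61:a3:96:17:7a:9c:b4:10:ff:61:f2:00:15:ad
</peer-fingerprint>
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
PIN_LINE_RE = re.compile(r'^\s*peer-fingerprint\s+"?([0-9A-Fa-f:]+)"?\s*$', re.M)
PIN_BLOCK_RE = re.compile(r"<peer-fingerprint>(.*?)</peer-fingerprint>", re.S)


def pem_to_der(pem_text):
    """Return the raw bytes of the first CERTIFICATE block in a PEM string."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der):
    """SHA-256 of the DER bytes as colon-separated upper-case hex pairs."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def normalise(fp):
    """Canonical form for comparison: no colons, upper case, no whitespace."""
    return fp.replace(":", "").strip().upper()


def parse_peer_fingerprints(config_text):
    """Collect every pin from peer-fingerprint lines and <peer-fingerprint> blocks."""
    pins = [normalise(m.group(1)) for m in PIN_LINE_RE.finditer(config_text)]
    for block in PIN_BLOCK_RE.findall(config_text):
        for line in block.splitlines():
            line = line.strip()
            # Assumption: '#' lines are comments; anything else must be hex/colons.
            if line and not line.startswith("#") and re.fullmatch(r"[0-9A-Fa-f:]+", line):
                pins.append(normalise(line))
    return pins


def peer_is_pinned(cert_pem, config_text):
    """True if the certificate's SHA-256 fingerprint is one of the config's pins."""
    want = normalise(sha256_fingerprint(pem_to_der(cert_pem)))
    return want in parse_peer_fingerprints(config_text)


if __name__ == "__main__":
    fp = sha256_fingerprint(pem_to_der(SAMPLE_PEM))
    print("SHA256 Fingerprint=" + fp)
    print("pinned in sample config:", peer_is_pinned(SAMPLE_PEM, SAMPLE_SERVER_CONFIG))
```

On a real deployment you would feed `pem_to_der` the contents of the peer's certificate file (e.g. the `lenovo.pem` referenced in the server config) and the server's own config text; a `False` result before the tunnel is ever started saves a round of reading handshake failures out of the log.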

oldbsdguy
OpenVpn Newbie
Posts: 3
Joined: Wed Mar 08, 2023 8:24 pm

Re: Request: Howto for a one-to-one setup using TLS and peer-fingerprints in OpenVPN 2.6.0 wanted.

Post by oldbsdguy » Thu Mar 09, 2023 3:46 pm

Yes, that's how I'm running it for now. It's just that annoying "Server poll timeout" that spams the server log every 2 minutes if the client isn't connected. Unfortunately I don't have a 2.5.x setup handy to verify the behaviour, and fingerprints aren't supported there anyway, so I'm beginning to wonder if that message is a bug. I just needed some assurance first that the method I used is the preferred one in my situation.
