PSK vs. PKI
-
Based on this https://doc.pfsense.org/index.php/Why_won%27t_OpenVPN_push_routes, and the fact that I couldn't get things to work, I ended up setting up a PKI setup for a single site-to-site/internet setup.
Then I read here:
https://forum.pfsense.org/index.php?topic=12888.msg69533#msg69533
the following: "If you only wish to VPN 2 or 3 sites together, the OVPN shared key method will certainly be simpler. The stalwart board moderator GruensFroeschli has suggested the following, and I wholeheartedly concur: 'Up to 5 sites I wouldn't bother setting up a PKI.'"
Which is exactly my sentiment, except I couldn't get it to work, and then based on the docs, I did the PKI thing.
So, who's right? Is there a way I could simplify things and do a simple PSK setup?
-
I now use the PSK method. I had been using certificates and… but went back to PSK after a bit, because PSK was so easy and I don't have millions of site-to-site links.
I just set up the server end with Server Mode "Peer to Peer (Shared Key)", letting it automatically generate a shared key. Then I set up the client and pasted in the key from the server end.
It all works easily, so post some of what you have tried and we can help with what is not quite right.
-
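The shared-key site-to-site pair that the post above describes, written out as an added example (not from the thread and not pfSense's generated config; the hostnames, LAN subnets, tunnel addresses and key path are assumptions). Shared-key mode has no server that pushes routes, which is the point of the pfSense doc linked in the question, so each side declares the other side's LAN with its own route line.

```conf
# Generate the static key once and copy it to both sides (same file, same contents):
#   openvpn --genkey --secret /etc/openvpn/site.key

# ---- Site A (assumed: reachable as a.example, LAN 192.168.1.0/24) ----
dev tun
proto udp
port 1194
remote b.example 1194           # the other site; both sides may list a remote
ifconfig 10.8.0.1 10.8.0.2      # tunnel endpoints: local address first, then peer
secret /etc/openvpn/site.key    # shared static key, identical on both sides
route 192.168.2.0 255.255.255.0 # site B's LAN; no push in shared-key mode
cipher AES-256-CBC              # explicit cipher and HMAC rather than the old defaults
auth SHA256
keepalive 10 60                 # ping every 10 s, restart after 60 s of silence
persist-key
persist-tun

# ---- Site B (assumed: reachable as b.example, LAN 192.168.2.0/24) ----
dev tun
proto udp
port 1194
remote a.example 1194
ifconfig 10.8.0.2 10.8.0.1      # mirror image of site A's ifconfig line
secret /etc/openvpn/site.key
route 192.168.1.0 255.255.255.0 # site A's LAN
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
```

The route lines only install kernel routes on the OpenVPN hosts themselves; the firewall rules on the tunnel interface still decide what traffic is allowed across.
-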
Stop using PSK, use 2048-bit+ RSA/DSA keys, with group 14 or higher DH, PFS.
See: http://cdn.media.ccc.de/congress/2014/h264-sd/31c3-6258-en-Reconstructing_narratives_sd.mp4
-
Stop using PSK, use 2048-bit+ RSA/DSA keys, with group 14 or higher DH, PFS.
See: http://cdn.media.ccc.de/congress/2014/h264-sd/31c3-6258-en-Reconstructing_narratives_sd.mp4
Thank you for the video!