OpenVPN status on server
-
Bother. I had the server mode set to peer/peer instead of remote access. That didn't click until I tried to connect a second client. New to OpenVPN; it's not bad once you get it sorted through.
Thanks for all the feedback!
-
Hi,
I have to agree, cubsfan. I set up a test environment with OpenVPN PKI and 2 sites. I followed the tutorial.
Tested preshared key and certs... all seems to work fine :)
On the client, mode "peer to peer (ssl/tls)" everything is ok. The status page has an entry when the local port is set.
On the server, if the server mode is "peer to peer (ssl/tls)" there is no client shown in OpenVPN status!
If I switch the mode to remote access (ssl/tls) the client is visible there.
Is that normal behaviour, Jimp?
Cya
-
That is normal, OpenVPN's status function doesn't report peer-to-peer connections in the same way. It's a limitation of OpenVPN, I believe.
-
Ah, thank you.
Nice to know. Is there a difference between these modes? Are there some problems if I use remote access in my case?
I ask because OpenVPN status on the dashboard is a nice feature :)
Cya
-
It's really a difference between PKI and Shared Key, I thought. You can do site-to-site setups either way, really. It just takes a bit more work to do them with PKI.
-
With pfSense 2.0 it's about one minute more work (generate CA + certs -> copy to OpenVPN client).
That's really not much more ^^
There are 2 questions left:
1. Using auth for TLS packets is recommended, right? I found nothing about it in the pfSense book.
2. The cryptodev engine is automatically applied if the glxsb option is set, right?
Thank you
-
For PKI site-to-site you also have to set up client-specific-config entries with iroutes, and custom route statements. It's not all automatic.
cryptodev isn't active unless you put it in the custom options; I think that is still the case. I should probably add an option for that. If it were automatic, it wouldn't just be keyed on glxsb, there are plenty of other accelerators (Padlock, Hifn, etc).
-
Yes, you're right, I forgot.
But I'm not sure about the server mode because you didn't answer my question. :)
"It's really a difference between PKI and Shared Key, I thought. You can do site-to-site setups either way, really. It just takes a bit more work to do them with PKI."
Please only consider the server side:
"peer to peer (ssl/tls)" (OpenVPN status empty)
"remote access (ssl/tls)" (OpenVPN status works)
Both are with PKI. It's the same configuration with CA and certs, no preshared keys at all. So where is the difference?
Thank you
-
I'm not sure then; I'd have to track down what might be going on behind the scenes. If you look at the OpenVPN config (under /var/etc/openvpn/) you might be able to see the difference in the config.
I don't think the GUI in the status even checks peer-to-peer vs remote access.
-
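Added example, not part of the thread or of pfSense itself: OpenVPN's own status output differs between the two modes. An instance started with the `server` directive (which implies `mode server`) writes a "CLIENT LIST" and "ROUTING TABLE" to the status file, one row per connected peer, while a point-to-point instance (no `server`, fixed endpoints via `ifconfig`) writes only an "OpenVPN STATISTICS" block of byte counters with no per-peer rows at all. The script below tells the two apart from the config file and parses each status file accordingly. The instance names `server1`/`server2`, the paths, and both status files are constructed samples in OpenVPN's status-version 1 layout, not captured from a real firewall; how the pfSense dashboard itself collects the data is a separate question.

```shell
#!/bin/sh
# Added example: detect OpenVPN mode from a config and parse the matching
# status file. All configs and status files below are constructed samples.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed config for a remote access (server mode, 1:n) instance.
cat >"$WORK/server1.conf" <<'EOF'
dev tun
proto udp
server 10.8.0.0 255.255.255.0
tls-server
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
client-config-dir /var/etc/openvpn-csc
status /var/etc/openvpn/server1.status
EOF

# Constructed config for a peer to peer (ssl/tls, 1:1) instance:
# no "server" directive, tunnel endpoints fixed with ifconfig.
cat >"$WORK/server2.conf" <<'EOF'
dev tun
proto udp
tls-server
ifconfig 10.9.0.1 10.9.0.2
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
status /var/etc/openvpn/server2.status
EOF

# Constructed status file as a server-mode instance writes it (status-version 1).
cat >"$WORK/server1.status" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Jan 10 12:00:00 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
site-b,203.0.113.7:1194,48213,91544,Mon Jan 10 11:30:00 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,site-b,203.0.113.7:1194,Mon Jan 10 11:59:58 2011
192.168.20.0/24,site-b,203.0.113.7:1194,Mon Jan 10 11:59:58 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

# Constructed status file as a point-to-point instance writes it: counters only.
cat >"$WORK/server2.status" <<'EOF'
OpenVPN STATISTICS
Updated,Mon Jan 10 12:00:00 2011
TUN/TAP read bytes,48213
TUN/TAP write bytes,91544
TCP/UDP read bytes,60123
TCP/UDP write bytes,102411
Auth read bytes,91544
END
EOF

# Print "server" if the config runs OpenVPN in server mode
# (server, server-bridge, server-ipv6 or "mode server"), else "p2p".
# Anchored at line start so "tls-server" does not match.
openvpn_mode() {
    if grep -Eq '^[[:space:]]*((server|server-bridge|server-ipv6)([[:space:]]|$)|mode[[:space:]]+server)' "$1"; then
        echo server
    else
        echo p2p
    fi
}

# Connected clients from a server-mode status file: the rows between the
# "Common Name,..." header and "ROUTING TABLE". Output: "common_name real_address".
# A p2p status file has no such section, so this prints nothing for it.
status_clients() {
    awk -F, '
        /^ROUTING TABLE/ { inlist = 0 }
        inlist && NF >= 5 { print $1, $2 }
        /^Common Name,Real Address/ { inlist = 1 }
    ' "$1"
}

# Number of connected clients (0 for a p2p status file).
status_client_count() {
    status_clients "$1" | wc -l | tr -d ' '
}

# A counter from a p2p status file, e.g. "TUN/TAP read bytes".
status_counter() {
    awk -F, -v key="$2" '$1 == key { print $2 }' "$1"
}

for inst in server1 server2; do
    mode="$(openvpn_mode "$WORK/$inst.conf")"
    printf '%s: mode=%s clients=%s\n' "$inst" "$mode" "$(status_client_count "$WORK/$inst.status")"
    if [ "$mode" = server ]; then
        status_clients "$WORK/$inst.status" | sed 's/^/  client: /'
    else
        printf '  p2p: no client list; tun bytes in=%s out=%s\n' \
            "$(status_counter "$WORK/$inst.status" 'TUN/TAP read bytes')" \
            "$(status_counter "$WORK/$inst.status" 'TUN/TAP write bytes')"
    fi
done
```

Run it as-is to see the two outputs side by side; pointed at real files under /var/etc/openvpn/ (config and the path named by that config's `status` line), `openvpn_mode` shows which mode a given instance is really running in, and `status_clients` returns rows only for the server-mode instance.
-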
You're right, I'll check the config.
"peer to peer (ssl/tls)" is a 1:1 connection.
"remote access (ssl/tls)" is a 1:n connection, so you need to use remote access for 3 sites and more, I think. I'll test it.
Good night.
Thanks for the replies