Netgate Discussion Forum

    OpenVPN requirements…

      Sup3rior

      Hi,

      Having browsed through the various sticky threads as well as the pfSense docs, I can't seem to find the answer to these questions:

      • When using OpenVPN, are both server and client certificates a requirement for the remote access option(s), or does one of them permit using it with e.g. only server certificates?
      • Can the OpenVPN server be run in a CARP array where the configuration replicates, or must it be configured on each node? In case it can't, will it still answer traffic coming to a VIP interface?

      Regards,
      Anders

        cmb

        You either have to have a shared key on client and server, or certs on client and server.

        You can run servers on CARP IPs and sync the config over so it transparently fails over (mostly, the clients will have to detect they dropped and reconnect, which takes 1 minute in a default config).

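The rule from the answer above, written as a check (an added example, not part of the thread and not pfSense's own code): it classifies an OpenVPN config as static-key or TLS, lists which of `ca`/`cert`/`key` an endpoint still lacks, and reads the keepalive timer that decides how long a client takes to notice a failover. The configs, file names and the 198.51.100.10 address standing in for a CARP VIP are constructed, and `keepalive 10 60` is an assumed value chosen to match the one-minute figure.

```python
# Added example (not from the thread): classify an OpenVPN config and apply
# the rule from the answer above: shared key on both ends, or certs on both.
TLS_PARTS = {"ca", "cert", "key"}

def parse(text):
    """Return {directive: args}; inline <ca>...</ca> blocks count as present."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                # skip inline key material
            if line == f"</{block}>":
                block = None
        elif line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            opts[block] = ["[inline]"]
        elif line and line[0] not in "#;":       # ignore comments and blanks
            name, *args = line.split()
            opts[name] = args
    return opts

def audit(text):
    o = parse(text)
    present = set(TLS_PARTS) if "pkcs12" in o else TLS_PARTS.intersection(o)
    if "secret" in o and present:
        mode, missing = "mixed", []              # static key and TLS material together
    elif "secret" in o:
        mode, missing = "static-key", []
    elif present:
        mode, missing = "tls", sorted(TLS_PARTS - present)
    else:
        mode, missing = "none", ["secret or ca/cert/key"]
    # keepalive N M / ping-restart M: a client restarts after M seconds of silence.
    timer = o.get("ping-restart") or o.get("keepalive", [])[1:2]
    return {"mode": mode, "missing": missing,
            "client_restart_after": int(timer[0]) if timer else None}

# Constructed samples; 198.51.100.10 stands in for a CARP VIP.
SERVER_TLS = """
local 198.51.100.10
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
keepalive 10 60
"""
CLIENT_NO_CERT = "client\nremote 198.51.100.10 1194\nca ca.crt\n"
STATIC_KEY = "remote 198.51.100.10 1194\nifconfig 10.9.0.2 10.9.0.1\nsecret static.key\n"

if __name__ == "__main__":
    print(audit(SERVER_TLS), audit(CLIENT_NO_CERT), audit(STATIC_KEY), sep="\n")
```

A client config that carries no `keepalive` or `ping-restart` of its own reports `None` here, because the timer is then whatever the server pushes.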
          Sup3rior

          @cmb:

          You either have to have a shared key on client and server, or certs on client and server.

          You can run servers on CARP IPs and sync the config over so it transparently fails over (mostly, the clients will have to detect they dropped and reconnect, which takes 1 minute in a default config).

          But as I see the config options for remote access, I have SSL/TLS and Local Auth? Or do I misinterpret the meaning of remote access (which I see as for VPN dial-in) and peer-to-peer (as being for site-to-site)?

            cmb

            Remote access types are all TLS; shared key has a 1:1 client to server relationship, which is very rarely the case with remote access VPNs.

              Sup3rior

              @cmb:

              Remote access types are all TLS; shared key has a 1:1 client to server relationship, which is very rarely the case with remote access VPNs.

              That's what I got… But when using TLS, are both server and client certificates needed?

              So to answer my original question, when using OpenVPN (for VPN dial-in) both client and server certificates are needed?

                cmb

                yes
