OpenVPN requirements…



  • Hi,

    Having browsed through the various sticky threads as well as the pfSense docs, I can't seem to find the answer to these questions:

    • When using OpenVPN, are both server and client certificates a requirement for the remote access option(s), or does one of them permit using it with, e.g., only a server certificate?
    • Can the OpenVPN server be run in a CARP array where the configuration replicates, or must it be configured on each node? In case it can't, will it still answer traffic coming to a VIP interface?

    Regards,
    Anders



  • You either have to have a shared key on client and server, or certs on client and server.

    You can run servers on CARP IPs and sync the config over so it transparently fails over (mostly; the clients will have to detect they dropped and reconnect, which takes 1 minute in a default config).
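    To illustrate the two modes described in the reply above, here is a hand-written OpenVPN configuration set for a lab: one remote-access server in TLS mode bound to a CARP VIP, one peer-to-peer shared-key instance, and the dial-in client for the first. This is an added example, not text from the thread and not the files pfSense generates; the addresses (203.0.113.10 as the VIP, 10.8.0.0/24 and 10.9.0.x as tunnel ranges), ports, file names and paths are assumptions, and `verify-client-cert` is the OpenVPN 2.4+ spelling of the option.

```conf
##### 1. Remote-access server (TLS mode): server cert AND client certs #####
# /etc/openvpn/ra-server.conf  (hypothetical path)
mode server
tls-server
dev tun
proto udp
port 1194
local 203.0.113.10              # the CARP VIP, so whichever node is MASTER answers here (assumed address)
server 10.8.0.0 255.255.255.0   # tunnel pool handed out to dial-in clients (assumed range)
ca   ca.crt                     # CA that signed BOTH the server cert and every client cert
cert server.crt                 # server certificate
key  server.key
dh   dh2048.pem
tls-auth ta.key 0               # HMAC on the control channel; clients use direction 1
remote-cert-tls client          # only accept peers whose cert carries the client EKU
verify-client-cert require      # refuse any peer that does not present a valid client cert
                                # ("verify-client-cert none" is what a server-cert-only
                                #  setup would need; it then relies entirely on user/password)
keepalive 10 60                 # server side: ping 10, ping-restart 120; pushes "ping-restart 60" to clients
persist-key
persist-tun
user  nobody
group nobody

##### 2. Peer-to-peer (shared key): no certificates, exactly one peer #####
# /etc/openvpn/p2p-server.conf  (hypothetical path)
dev tun
proto udp
port 1195
local 203.0.113.10
ifconfig 10.9.0.1 10.9.0.2      # static tunnel endpoints, one local and one remote, hence 1:1
secret static.key               # identical file on both ends (openvpn --genkey secret static.key)
keepalive 10 60
persist-key
persist-tun

##### 3. Dial-in client for config 1: presents its own certificate to the VIP #####
# client.ovpn  (hypothetical file name)
client
dev tun
proto udp
remote 203.0.113.10 1194        # the VIP; after a CARP failover the other node answers on it
resolv-retry infinite
nobind
ca   ca.crt
cert client.crt                 # the client certificate required in remote-access mode
key  client.key
tls-auth ta.key 1
remote-cert-tls server          # only trust a peer whose cert carries the server EKU
persist-key
persist-tun
# The pushed "ping-restart 60" means that after a failover, where the surviving node holds
# no state for this session, the client sees ~60 s of silence and reconnects on its own.
```

    In pfSense terms, config 1 is the "Remote Access (SSL/TLS)" server mode and config 2 is "Peer to Peer (Shared Key)". The `keepalive 10 60` value is what produces the roughly one-minute reconnect delay mentioned above: the client restarts its session after 60 seconds without a ping from the server, then re-handshakes against whichever node currently owns the VIP. Lowering the timeout shortens the outage at the cost of more false restarts on lossy links.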



  • @cmb:

    You either have to have a shared key on client and server, or certs on client and server.

    You can run servers on CARP IPs and sync the config over so it transparently fails over (mostly; the clients will have to detect they dropped and reconnect, which takes 1 minute in a default config).

    But as I see the config options for remote access, I have SSL/TLS and Local Auth? Or do I misinterpret the meaning of remote access (which I see as for VPN dial-in) and peer-to-peer (as being for site-to-site)?



  • Remote access types are all TLS; shared key has a 1:1 client-to-server relationship, which is very rarely the case with remote access VPNs.



  • @cmb:

    Remote access types are all TLS; shared key has a 1:1 client-to-server relationship, which is very rarely the case with remote access VPNs.

    That's what I got… But when using TLS, both server and client certificates are needed?

    So to answer my original question, when using OpenVPN (for VPN dial-in), both client and server certificates are needed?



  • Yes.

