
Openvpn site-to-site mode with TLS not starting
Closed, Resolved · Public · BUG

Description

When configuring OpenVPN in site-to-site mode by following the documentation, the tunnel does not start.

vyos@Site1# run show conf com | match "pki|openvpn"
set interfaces openvpn vtun1 local-address 10.255.1.1
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 mode 'site-to-site'
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 protocol 'udp'
set interfaces openvpn vtun1 remote-address '10.255.1.2'
set interfaces openvpn vtun1 remote-host '203.0.113.11'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 tls certificate 'openvpn-local'
set interfaces openvpn vtun1 tls peer-fingerprint 'E3:B0:DA:C4:35:48:6D:1F:E5:1A:26:1F:0F:D9:E5:3C:A7:A8:C0:9E:9D:89:75:52:5C:6B:AB:89:5A:3E:35:AE'
set pki certificate openvpn-local certificate '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'
set pki certificate openvpn-local private key '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'

Generated config file:

vyos@vyos# cat /run/openvpn/vtun1.conf
### Autogenerated by interfaces_openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
#
#
# NOTE(review): this dump was taken on a different router than the CLI
# listing above (prompt "vyos@vyos" vs "vyos@Site1"; the 'remote' host and
# the 'ifconfig' address order do not match that listing) — presumably the
# other peer of the same tunnel; confirm before comparing values line by line.

verb 3
dev-type tun
dev vtun1
persist-key
proto udp
lport 1195
rport 1195
remote 198.51.100.10
persist-tun
disable-dco

#
# OpenVPN site-2-site mode
#
ping 10
ping-restart 60

ifconfig 10.255.1.2 10.255.1.1

# TLS options
# NOTE(review): neither 'tls-client' nor 'tls-server' is emitted in this
# section. The log below shows OpenVPN refuses 'cert' without one of them
# ("Parameter cert_file can only be specified in TLS-mode"), which is the
# startup failure this ticket reports; the 'dh' line only produces a warning
# in that same log.
cert /run/openvpn/vtun1_cert.pem
key /run/openvpn/vtun1_cert.key
dh none

<peer-fingerprint>
E3:B0:DA:C4:35:48:6D:1F:E5:1A:26:1F:0F:D9:E5:3C:A7:A8:C0:9E:9D:89:75:52:5C:6B:AB:89:5A:3E:35:AE
</peer-fingerprint>

# Encryption options
providers default

Logs:

May 21 11:18:26 systemd[1]: [email protected]: Scheduled restart job, restart counter is at 60.
May 21 11:18:26 systemd[1]: Stopped [email protected] - OpenVPN connection to vtun1.
May 21 11:18:26 systemd[1]: Starting [email protected] - OpenVPN connection to vtun1...
May 21 11:18:26 openvpn-vtun1[4375]: WARNING: Ignoring option 'dh' in tls-client mode, please only include this in your server configuration
May 21 11:18:26 openvpn-vtun1[4375]: Using certificate fingerprint to verify peer (no CA option set).
May 21 11:18:26 openvpn-vtun1[4375]: DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.
May 21 11:18:26 openvpn-vtun1[4375]: Options error: Parameter cert_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
May 21 11:18:26 openvpn-vtun1[4375]: Use --help for more information.
May 21 11:18:26 systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
May 21 11:18:26 systemd[1]: [email protected]: Failed with result 'exit-code'.
May 21 11:18:26 systemd[1]: Failed to start [email protected] - OpenVPN connection to vtun1.

Details

Difficulty level
Unknown (require assessment)
Version
1.5-rolling-202405010020
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)