When trying to configure OpenVPN site-to-site from the [[ https://docs.vyos.io/en/latest/configuration/interfaces/openvpn.html#setting-up-openvpn | documentation ]], it doesn't start.
```
vyos@Site1# run show conf com | match "pki|openvpn"
set interfaces openvpn vtun1 local-address 10.255.1.1
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 mode 'site-to-site'
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 protocol 'udp'
set interfaces openvpn vtun1 remote-address '10.255.1.2'
set interfaces openvpn vtun1 remote-host '203.0.113.11'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 tls certificate 'openvpn-local'
set interfaces openvpn vtun1 tls peer-fingerprint '1C:AA:37:5E:17:13:D6:70:A4:34:98:BC:CA:4C:BC:A9:10:19:E0:46:72:57:5B:29:8E:D4:1A:33:2E:84:17:AD'
set pki certificate openvpn-local certificate '...'
```
Generated config file:
```
vyos@vyos# cat /run/openvpn/vtun1.conf
### Autogenerated by interfaces_openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
#
#
verb 3
dev-type tun
dev vtun1
persist-key
proto udp
lport 1195
rport 1195
remote 198.51.100.10
persist-tun
disable-dco
#
# OpenVPN site-2-site mode
#
ping 10
ping-restart 60
ifconfig 10.255.1.2 10.255.1.1
# TLS options
cert /run/openvpn/vtun1_cert.pem
key /run/openvpn/vtun1_cert.key
dh none
<peer-fingerprint>
CF:FE:6D:9A:DC:15:E2:D4:A2:9A:A7:4A:2F:51:D4:44:24:32:6B:AC:79:AC:03:A5:95:6C:93:5E:91:D2:C5:21
</peer-fingerprint>
# Encryption options
providers default
```
Logs:
```
May 21 11:18:26 systemd[1]: openvpn@vtun1.service: Scheduled restart job, restart counter is at 60.
May 21 11:18:26 systemd[1]: Stopped openvpn@vtun1.service - OpenVPN connection to vtun1.
May 21 11:18:26 systemd[1]: Starting openvpn@vtun1.service - OpenVPN connection to vtun1...
May 21 11:18:26 openvpn-vtun1[4375]: WARNING: Ignoring option 'dh' in tls-client mode, please only include this in your server configuration
May 21 11:18:26 openvpn-vtun1[4375]: Using certificate fingerprint to verify peer (no CA option set).
May 21 11:18:26 openvpn-vtun1[4375]: DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.
May 21 11:18:26 openvpn-vtun1[4375]: Options error: Parameter cert_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
May 21 11:18:26 openvpn-vtun1[4375]: Use --help for more information.
May 21 11:18:26 systemd[1]: openvpn@vtun1.service: Main process exited, code=exited, status=1/FAILURE
May 21 11:18:26 systemd[1]: openvpn@vtun1.service: Failed with result 'exit-code'.
May 21 11:18:26 systemd[1]: Failed to start openvpn@vtun1.service - OpenVPN connection to vtun1.
```
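The failure in the log (TLS material present, no `tls-server` or `tls-client`) can be caught before the service is started. The check below is an added example, not code from VyOS or from this report; `parse_directives`, `lint_tls_mode` and the directive sets are assumptions of the example, and `SAMPLE` is an excerpt of the generated `vtun1.conf` shown above.

```python
import re

# Directive sets are assumptions of this example (a subset of OpenVPN options).
TLS_ONLY = {"cert", "key", "ca", "peer-fingerprint", "tls-auth", "tls-crypt"}
SERVER_ROLE = {"tls-server", "server"}   # --server expands to tls-server
CLIENT_ROLE = {"tls-client", "client"}   # --client expands to tls-client

# Excerpt of the generated /run/openvpn/vtun1.conf from the report above.
SAMPLE = """\
ifconfig 10.255.1.2 10.255.1.1
cert /run/openvpn/vtun1_cert.pem
key /run/openvpn/vtun1_cert.key
dh none
<peer-fingerprint>
CF:FE:6D:9A:DC:15:E2:D4:A2:9A:A7:4A:2F:51:D4:44:24:32:6B:AC:79:AC:03:A5:95:6C:93:5E:91:D2:C5:21
</peer-fingerprint>
"""


def parse_directives(conf_text):
    """Return directive names; an inline <x>...</x> block counts as directive x."""
    names, inline = set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if inline:                      # payload of an inline block, not directives
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        block = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if block:
            inline = block.group(1)
            names.add(inline)
        else:
            names.add(line.split()[0].lstrip("-"))
    return names


def lint_tls_mode(conf_text):
    """Flag TLS material that OpenVPN rejects or ignores without a TLS role."""
    names = parse_directives(conf_text)
    findings = []
    tls_used = sorted(names & TLS_ONLY)
    if tls_used and not names & (SERVER_ROLE | CLIENT_ROLE):
        findings.append("no tls-server/tls-client, but TLS options set: " + ", ".join(tls_used))
    if "dh" in names and not names & SERVER_ROLE:
        findings.append("dh is only used with tls-server")
    return findings
```

Calling `lint_tls_mode(SAMPLE)` returns two findings for the excerpt; appending a `tls-server` line to the same text returns none.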