mirror of
https://github.com/angristan/openvpn-install.git
synced 2025-12-20 02:27:01 +01:00
## Summary

Implements support for OpenVPN's `--peer-fingerprint` option, enabling PKI-less authentication using SHA256 certificate fingerprints instead of a CA chain.

Closes #1361

## Changes

- Add `--auth-mode` option (`pki` or `fingerprint`) for install command
- Use Easy-RSA's `self-sign-server` and `self-sign-client` commands for fingerprint mode
- Server stores client fingerprints in `<peer-fingerprint>` block in `server.conf`
- Clients verify server using `peer-fingerprint` directive instead of CA
- Revocation removes fingerprint from config and reloads OpenVPN (instant effect)
- Version check ensures OpenVPN 2.6+ when fingerprint mode is selected

## Usage

```bash
# Interactive mode prompts for auth mode choice

# CLI mode
./openvpn-install.sh install --auth-mode fingerprint
```

## Comparison

| Aspect | PKI Mode | Fingerprint Mode |
|--------|----------|------------------|
| Server cert | CA-signed | Self-signed |
| Client cert | CA-signed | Self-signed |
| Revocation | CRL-based | Remove fingerprint |
| OpenVPN | Any version | 2.6.0+ required |
| Best for | Large deployments | Small/home setups |
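
An added sketch (not code from this commit or from openvpn-install) of the fingerprint bookkeeping the summary describes: adding and revoking SHA256 fingerprints inside the `<peer-fingerprint>` block of a server config. The function names are hypothetical, and the one-fingerprint-per-line layout of the block is an assumption based on OpenVPN 2.6's inline form.

```shell
#!/usr/bin/env bash
# Added example: manage the <peer-fingerprint> block of an OpenVPN server config.
# All function names are hypothetical; they are not taken from openvpn-install.sh.

# Print a certificate's SHA256 fingerprint in colon-separated hex form.
cert_fingerprint() {
	openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Accept only 32 colon-separated hex bytes, so nothing else can reach the config.
valid_fingerprint() {
	printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$'
}

# List the fingerprints currently inside the block, one per line.
list_fingerprints() {
	awk '/^<peer-fingerprint>/{b=1;next} /^<\/peer-fingerprint>/{b=0} b && NF {print $1}' "$1"
}

# Add a fingerprint, creating the block if it is absent; adding twice is a no-op.
add_fingerprint() {
	local conf="$1" fp="$2" tmp
	valid_fingerprint "$fp" || return 2
	list_fingerprints "$conf" | grep -qixF "$fp" && return 0
	tmp=$(mktemp) || return 1
	if grep -q '^<peer-fingerprint>' "$conf"; then
		awk -v fp="$fp" '/^<\/peer-fingerprint>/{print fp} {print}' "$conf" >"$tmp"
	else
		{ cat "$conf"; printf '<peer-fingerprint>\n%s\n</peer-fingerprint>\n' "$fp"; } >"$tmp"
	fi
	cat "$tmp" >"$conf" && rm -f "$tmp" # overwrite in place to keep owner and mode
}

# Revoke: remove the fingerprint from inside the block only; returns 1 if it was not listed.
revoke_fingerprint() {
	local conf="$1" fp="$2" tmp
	valid_fingerprint "$fp" || return 2
	list_fingerprints "$conf" | grep -qixF "$fp" || return 1
	tmp=$(mktemp) || return 1
	awk -v fp="$(printf '%s' "$fp" | tr 'a-f' 'A-F')" '
		/^<peer-fingerprint>/{b=1} /^<\/peer-fingerprint>/{b=0}
		b && toupper($1) == fp {next} {print}' "$conf" >"$tmp"
	cat "$tmp" >"$conf" && rm -f "$tmp"
}
```

After `revoke_fingerprint` succeeds, OpenVPN still has to be reloaded for the removal to take effect, as the summary notes.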