VPN clients to resolve private DNS hostnames in AWS

I recently set up an OpenVPN server on an AWS EC2 instance in order to connect my office to the AWS VPC environment.

I'm using TunnelBlick as the VPN client and everything works! I can SSH to private IPs in the VPC. However, resolving VPC DNS names from my office hosts doesn't work (I can resolve them if I run the lookup from an EC2 instance inside the VPC).

My current solution is to set up a DNS forwarder with Unbound on an EC2 instance (which happens to be the same instance that also runs the OpenVPN server), but for some reason it doesn't work. How would you enable your VPN clients, once connected to the VPN server, to resolve private hostnames in the VPC?

I'm quite lost, so if you have any other ideas, or can spot what's wrong with my current setup, I'd be forever grateful :)

OpenVPN server configuration

port 1194 #- change the port you want
proto udp #- protocol can be tcp or udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS <PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND>"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3

Unbound server configuration

172.31.0.2 is the VPC DNS server

server:
        interface: 0.0.0.0
        access-control: 0.0.0.0/0 allow
remote-control:
forward-zone:
        name: "."
        forward-addr: 172.31.0.2

VPN client configuration

##############################################
# Client-side OpenVPN 2.0 config file        #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote <PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND> 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /Users/antoniogomez/ca.crt
cert /Users/antoniogomez/client.crt
key /Users/antoniogomez/client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20

# This updates the resolvconf with dns settings
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh
down-pre

Now, once I connect to the VPN, my resolv.conf (on the client) looks like this:

nameserver 8.8.8.8
nameserver 8.8.8.4
nameserver PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND

Telnet from the client to the DNS server works (the AWS security groups are applied correctly):

[antoniogomez:~]$ telnet PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND 53
Trying PUBLIC_IP_OF_THE_SERVER_RUNNING_OPENVPN_AND_UNBOUND...
Connected to ec2-instance.us-west-1.compute.amazonaws.com.
Escape character is '^]'. 

Thanks a lot for your help,

Antonio
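The server config in the question pushes three nameservers to clients: two public resolvers and then the public IP of the forwarder. The script below is an added example (not part of the question or the answer) that parses the `server` and `push "dhcp-option DNS ..."` directives, classifies each pushed nameserver by where the client's queries actually travel, and explains why private VPC names fail: a stub resolver asks the listed nameservers in order and treats NXDOMAIN as a final answer, so a public resolver listed first hides `*.compute.internal`, and with `redirect-gateway` the VPN host's public IP keeps a direct route, so queries to it leave the tunnel in cleartext. The sample config and the address `203.0.113.10` (a stand-in for the page's `<PUBLIC_IP...>` placeholder) are constructed; the suggested fix, pushing the server's tunnel address `10.8.0.1`, assumes the default OpenVPN layout in which the server takes the first host of the `server` subnet.

```python
"""Audit the nameservers an OpenVPN server pushes to its clients and
check whether private VPC hostnames can be resolved through the tunnel."""
import ipaddress
import re

# Constructed sample: the DNS-relevant directives of a server config like the
# one in the question. 203.0.113.10 stands in for the public-IP placeholder.
SAMPLE_SERVER_CONF = """
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 203.0.113.10"
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUSH_DNS = re.compile(r'^\s*push\s+"dhcp-option\s+DNS\s+(\S+)"', re.I)
SERVER = re.compile(r'^\s*server\s+(\S+)\s+(\S+)', re.I)


def parse_server_conf(text):
    """Return (tunnel network, [pushed DNS addresses]) from OpenVPN server directives."""
    tunnel, dns = None, []
    for line in text.splitlines():
        m = SERVER.match(line)
        if m:
            tunnel = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = PUSH_DNS.match(line)
        if m:
            try:
                dns.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # unresolved placeholders such as <PUBLIC_IP> are skipped
    return tunnel, dns


def classify(addr, tunnel):
    """Where queries to this nameserver travel: inside the tunnel, to a private
    network (useful only if that network is routed via the VPN), or across the
    public internet."""
    addr = ipaddress.ip_address(addr)
    if tunnel is not None and addr in tunnel:
        return "tunnel"
    if any(addr in net for net in RFC1918):
        return "private"
    return "public"


def suggested_push(text):
    """The push line for the forwarder's tunnel address. Assumption: the
    server's own tun address is the first host of the 'server' subnet."""
    tunnel, _ = parse_server_conf(text)
    return f'push "dhcp-option DNS {tunnel[1]}"'


def audit(text):
    """List the reasons private VPC names would not resolve for VPN clients."""
    tunnel, dns = parse_server_conf(text)
    if not dns:
        return ["no dhcp-option DNS is pushed; clients keep their local resolver"]
    findings = []
    kinds = [classify(a, tunnel) for a in dns]
    # A stub resolver asks nameservers in order and accepts NXDOMAIN as final,
    # so a public resolver listed first hides *.compute.internal entirely.
    if kinds[0] == "public":
        findings.append(f"first nameserver {dns[0]} is public: private names get NXDOMAIN")
    for a, k in zip(dns, kinds):
        if k == "public":
            # redirect-gateway keeps a direct route to the VPN host's public IP,
            # so queries to it (and to 8.8.8.8) bypass the tunnel in cleartext.
            findings.append(f"{a} is queried over the internet, not through the tunnel")
    if tunnel is not None and "tunnel" not in kinds:
        findings.append(f"no tunnel-side resolver pushed; use {suggested_push(text)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_CONF):
        print(finding)
```

Running it against the sample prints five findings; against a config that pushes only `10.8.0.1` it prints nothing. The forwarder must then listen on the tun address (and the security group no longer needs UDP/TCP 53 open to the internet), which is the part the question's Unbound setup left open.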

This is how I got it working! First, I switched to Bind instead of Unbound (inspired by the video here).

Bind server configuration

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//    

options {
    directory           "/var/named";
    dump-file           "/var/named/data/cache_dump.db";
    statistics-file     "/var/named/data/named_stats.txt";
    memstatistics-file  "/var/named/data/named_mem_stats.txt";
    dnssec-enable no;
    dnssec-validation no;
    allow-query     { any;};
    allow-recursion { any;};
    forward only;
    forwarders { 172.31.0.2; }; # This is my VPC internal DNS Server
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Now make sure you push the IP of the DNS server you installed (in this case the Bind server) to your VPN clients:

OpenVPN server configuration

port 1194 #- change the port you want
proto udp #- protocol can be tcp or udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS <IP_OF_SERVER_RUNNING_BOTH_OPENVPN_AND_BIND>" # This line pushes your DNS server to be used by the VPN clients
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3

Apparently, VPN clients running on top of Linux need "some help" to use the "new" DNS server, with the following configuration (see the last few lines of the config; the script comes from here):

VPN client configuration

##############################################
# Client-side OpenVPN 2.0 config file        #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote <IP_OF_SERVER_RUNNING_BOTH_OPENVPN_AND_BIND> 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /Users/myusername/name_of_my_ca.crt
cert /Users/myusername/name_of_my_client.crt
key /Users/myusername/name_of_my_client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20

# This updates the resolvconf with dns settings
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/update-resolv-conf.sh
down /etc/openvpn/update-resolv-conf.sh
down-pre

Now, once your VPN server and Bind server are set up correctly as above, your VPN clients (your personal Mac, office local machines, etc.), when connected to the VPN server, will be able not only to SSH to private IPs but also to resolve internal AWS hostnames in the VPC, such as ip-172-31-0-63.us-west-1.compute.internal.

EDIT: The following helps to create a single file to set up the VPN client, which is useful for mobile devices.

All-in-one VPN client configuration

client
dev tun
proto udp
remote PUBLIC_IP 1194
tls-version-min 1.2
tls-cipher <CIPHERS>
cipher AES-256-CBC
auth SHA512
resolv-retry infinite
auth-retry none
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
tls-client
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-auth>
...
</tls-auth>
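Both forwarders on this page (the question's Unbound with `access-control: 0.0.0.0/0 allow` on `interface: 0.0.0.0`, and the answer's named.conf with `allow-query { any; }; allow-recursion { any; };`) will recurse for any source that can reach port 53, so if the instance's security group exposes that port to the internet the host becomes an open resolver usable for reflection and amplification, and it also leaks the VPC's internal names to anyone who asks. The script below is an added example, not code from the question or the answer: it detects that condition in either syntax and emits a tightened configuration that listens on the tunnel address and admits only the VPN and VPC ranges. The tunnel subnet `10.8.0.0/24` comes from the page; the VPC range `172.31.0.0/16`, the listen address `10.8.0.1` and the ACL name `vpnclients` are assumptions, and the two sample configs are reduced, constructed copies of the ones on the page.

```python
"""Detect a forwarding resolver that recurses for the whole internet and build
the tightened ACL for the OpenVPN tunnel and VPC ranges (Unbound and BIND)."""
import re

# Constructed samples: the access-control parts of the configs on this page.
SAMPLE_UNBOUND = """
server:
        interface: 0.0.0.0
        access-control: 0.0.0.0/0 allow
forward-zone:
        name: "."
        forward-addr: 172.31.0.2
"""
SAMPLE_BIND_OPTIONS = """
options {
    allow-query     { any;};
    allow-recursion { any;};
    forward only;
    forwarders { 172.31.0.2; };
};
"""

# Assumed networks that legitimately need the forwarder: the OpenVPN tunnel
# subnet from the page and the VPC range (assumed /16 from the 172.31.x hosts).
TRUSTED = ["10.8.0.0/24", "172.31.0.0/16"]
TUN_ADDR = "10.8.0.1"  # assumed: server's tun address in a 10.8.0.0/24 'server' subnet


def unbound_is_open(text):
    """True when Unbound allows recursion from 0.0.0.0/0 or ::/0 (open resolver)."""
    allows = re.findall(r'access-control:\s*(\S+)\s+allow', text)
    return "0.0.0.0/0" in allows or "::/0" in allows


def bind_is_open(text):
    """True when named lets any source recurse (allow-recursion { any; })."""
    m = re.search(r'allow-recursion\s*\{\s*([^}]*)\}', text)
    if m is None:
        return False  # BIND's default allow-recursion is localnets/localhost
    tokens = [t.strip() for t in m.group(1).split(";") if t.strip()]
    return "any" in tokens


def hardened_unbound(trusted=TRUSTED, listen=TUN_ADDR):
    """Unbound server: block listening on the tunnel address, refusing everyone
    except localhost and the trusted ranges (most specific netblock wins)."""
    lines = [
        "server:",
        f"        interface: {listen}",
        "        access-control: 0.0.0.0/0 refuse",
        "        access-control: 127.0.0.0/8 allow",
    ]
    lines += [f"        access-control: {net} allow" for net in trusted]
    return "\n".join(lines)


def hardened_bind_acl(trusted=TRUSTED, listen=TUN_ADDR):
    """named.conf fragment: an acl declared before the options block that uses it."""
    body = " ".join(f"{net};" for net in trusted)
    return (
        f"acl vpnclients {{ {body} }};\n"
        "options {\n"
        f"    listen-on {{ {listen}; 127.0.0.1; }};\n"
        "    allow-query     { vpnclients; localhost; };\n"
        "    allow-recursion { vpnclients; localhost; };\n"
        "};"
    )


def report(unbound_text, bind_text):
    """Summarise exposure of both configs as a dict of booleans."""
    return {"unbound_open": unbound_is_open(unbound_text),
            "bind_open": bind_is_open(bind_text)}


if __name__ == "__main__":
    print(report(SAMPLE_UNBOUND, SAMPLE_BIND_OPTIONS))
    print(hardened_unbound())
    print(hardened_bind_acl())
```

Binding to the tun address means the resolver must start after OpenVPN has created the interface (or listen on all interfaces while keeping the ACL and the security group closed to 0.0.0.0/0 on port 53); with the tightened ACL the server config should push `10.8.0.1` rather than the instance's public IP, so client queries never leave the tunnel.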