Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    New OpenVPN server config

    Scheduled Pinned Locked Moved
    OpenVPN
    2
    2
    309
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      BlazeStar
      last edited by

      Hello all,

      I'm about to configure a fresh new OpenVPN server.

      I've been running two OpenVPN servers for over 10 years without (much) changes. I'd like to start with a good config and would like advices on the preferred options that would be ideal in 2023.

      I'm using a Netgate 4100 with pfSense latest.

      I want to make a road warrior style setup, so I'm assuming a Remote Access service mode (SSL + User Auth).
      I have several servers, for example a SMB server, on my network.
      The OpenVPN server will be used to allow external users to connect to the network, and they will be working from home or remotely.

      The connexion is a 200 M/s download, 50 M/s upload.

      I want to have a very secure setup, but not overkill to the point that the performance are degraded significantly.

      I would like guidance on these options:

      • TLS Key
      • Usage Mode
      • TLS keydir direction
      • OCSP Check
      • DH Parameter Length
      • ECDH Curve
      • Data Encryption Algorithms (and fallback)
      • Auth digest algorithm
      • Hardware Crypto
      • Certificate Depth
      • Allow Compression
      • Topology
      • UDP Fast I/O
      • Gateway creation

      And anything else I may want to address.

      Thank you!

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @BlazeStar
        last edited by

        @BlazeStar

        pfSense 23.05.1 uses OpenVPN 2.6.2., so here it is https://openvpn.net/community-resources/
        You'll see that "Allow Compression" is something of the past.

        See also here https://openvpn.net/community-downloads/, goto the 2.6.2 release info.
        Look especially for the info "what was done using 2.4 and 2.5, and goes away with 2.6".

        My next best proposal, must see info are thee : Youtube => Netgate => Videos. There are at least 3 OpenVPN server videos. You 'must' see the first 2 of them.
        Even if they are old, they are still very valid. These videos are quiet long, but will give you the main oversight of all the aspects.
        Look at the the 7 minutes Configuring OpenVPN Remote Access in pfSense Software which will answer already most of your question.

        Last but not least : HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection.

        Btw : OpenVPN is one of the VPN methods. There are others.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 1
        • First post
          Last post