Enable TLS Auth support
-
Am requesting TLS Auth support from within the GUI.
Another box where a key can be inserted for OpenVPN. If the box is filled, TLS Auth should/can be enabled.

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:
- DoS attacks or port flooding on the OpenVPN UDP port.
- Port scanning to determine which server UDP ports are in a listening state.
- Buffer overflow vulnerabilities in the SSL/TLS implementation.
- SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).
http://openvpn.net/howto.html#security
In the meantime, I would like to get suggestions on how to enable TLS Auth support on a pfSense Linux box.
-
Search for openvpn and freebsd.
BTW, pfSense is BSD, not Linux.
-
Search for openvpn and freebsd.
BTW, pfSense is BSD, not Linux.
I have searched the net for a while now without finding anything useful.
As you can see, I am not an expert in the Unix world. Anyway, I was looking in the log file for OpenVPN and found out that something was read from the /var/etc directory. I went over there and found openvpn_server1.conf! So now I got it to work.
My request to implement this feature in the GUI still stands.
-
Please provide the directive you added to the conf file here, and I'll see if I can get a dev to add it to the UI.
-
Greetings,
You can use Custom options in the OpenVPN settings for this feature:
tls-auth /etc/tls_auth.key 0
and then use Edit File and save your TLS key in this file: /etc/tls_auth.key
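The HMAC gate described in the quoted OpenVPN text, and the key-direction argument at the end of the directive above, modelled in Python as an added example (not code from this thread or from OpenVPN itself). The file parser follows the 2048-bit OpenVPN static key layout; how the key is split into send and receive halves by direction is an assumption of this demo, not OpenVPN's real key schedule, and HMAC-SHA1 is the digest assumed here.

```python
import hashlib
import hmac
import os

KEY_HEADER = "-----BEGIN OpenVPN Static key V1-----"
KEY_FOOTER = "-----END OpenVPN Static key V1-----"
TAG_LEN = hashlib.sha1().digest_size  # 20-byte HMAC-SHA1 tag assumed for the demo

def parse_static_key(text):
    """Parse a 2048-bit OpenVPN static key file: header, 16 lines of 32 hex chars, footer."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    if len(lines) < 3 or lines[0] != KEY_HEADER or lines[-1] != KEY_FOOTER:
        raise ValueError("not an OpenVPN static key file")
    key = bytes.fromhex("".join(lines[1:-1]))
    if len(key) != 256:
        raise ValueError("expected a 256-byte (2048-bit) key")
    return key

def make_key_file(raw=None):
    """Constructed key file in the same layout (random key unless raw bytes are given)."""
    raw = os.urandom(256) if raw is None else raw
    body = "\n".join(raw.hex()[i:i + 32] for i in range(0, 512, 32))
    return f"# constructed demo key\n{KEY_HEADER}\n{body}\n{KEY_FOOTER}\n"

class TlsAuthGate:
    """HMAC every control packet and drop anything unsigned before it reaches the TLS code.
    The direction argument (the trailing 0/1 in 'tls-auth file 0') picks which half signs
    outgoing packets and which verifies incoming ones; peers must use opposite values."""

    def __init__(self, static_key, direction):
        halves = (static_key[:128], static_key[128:])  # assumed split, not OpenVPN's schedule
        self.send_key, self.recv_key = halves[direction], halves[1 - direction]

    def wrap(self, payload):
        return hmac.new(self.send_key, payload, hashlib.sha1).digest() + payload

    def accept(self, packet):
        """Return the payload if the tag verifies, else None: the packet is dropped unparsed."""
        tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.recv_key, payload, hashlib.sha1).digest()
        return payload if len(tag) == TAG_LEN and hmac.compare_digest(tag, expected) else None

def demo():
    """Server (direction 0) against a proper client (1), a forged packet, and a peer set to 0."""
    key = parse_static_key(make_key_file())
    server, client = TlsAuthGate(key, 0), TlsAuthGate(key, 1)
    good = server.accept(client.wrap(b"ClientHello")) == b"ClientHello"
    forged = server.accept(bytes(TAG_LEN) + b"ClientHello") is None
    wrong_dir = server.accept(TlsAuthGate(key, 0).wrap(b"ClientHello")) is None
    return good, forged, wrong_dir
```

Because the tag is checked before any TLS parsing, unkeyed or mis-keyed packets never reach the handshake code, which is what makes the listed protections possible.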
-
You can use Custom options in the OpenVPN settings for this feature:
tls-auth /etc/tls_auth.key 0
and then use Edit File and save your TLS key in this file: /etc/tls_auth.key
Thank you.
Easier than editing a file.
-
I've done this the manual way, but an extra input field would be a valuable addition to the OpenVPN configuration GUI. :)
-
I'll have a look at it and create a GUI patch…
so watch out for my answers in this topic ;D
-
So… it's ready...
have a look at http://pfsense.trendchiller.com and look at the patches section…
-
Some bugs fixed… if you downloaded, please do so again…
-
Some bugs fixed… if you downloaded, please do so again…
Will these features be coming in a future SNAP or version?
-
Yes, features are frozen until the 1.3 release…
The next release will be 1.2, and after the release of 1.2 it will be in the new snaps :-)
-
Hi all,
can your patch be installed on 1.2 RC2?
Best regards
-
Yes, it can…
I also created a script for re-adding these features after upgrading to a new snap ;)
From the GUI:
fetch -o /trendchiller.sh http://pfsense.trendchiller.com/patches/trendchiller.update
chmod 744 /trendchiller.sh
then execute /trendchiller.sh
and have fun :-)
-
For embedded this should work…
fetch -o /etc/inc/openvpn.inc http://pfsense.trendchiller.com/patches/openvpn/_etc_inc/openvpn.inc
fetch -o /usr/local/pkg/openvpn.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn.xml
fetch -o /usr/local/pkg/openvpn_cli.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn_cli.xml
fetch -o /usr/local/pkg/openvpn_csc.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn_csc.xml