How do I make my ta.key permanent?
-
My company's openvpn servers require tls-authorization. (See http://openvpn.net/index.php/documentation/howto.html#security)
I have uploaded the ta.key file to /tmp via the web interface and put the line
tls-auth \tmp\ta.key 1
in the optional window on the vpn setup page and everything works fine. The ta.key does not survive reboots. If I go into the shell and try to save it somewhere it spits back that I am on a read-only file system. How do I make it permanent?
Thanks
-
Try putting the key in /var/etc where other openvpn configuration/key data is kept. This location will survive a reboot.
Also, I believe you should be using forward slashes.
i.e.
tls-auth /var/etc/ta.key 1
-
Thanks, but it did not survive a reboot in /var/etc either.
-
I'm using this path tls-auth /etc/tls_auth.key without any problems…
-
Thanks. I should have mentioned that I'm using an embedded system. Still can't find a way to do it, must be missing something.
-
/var is dynamically created on bootup on embedded systems. You will need to somehow use the config.xml xml directives.
-
or have a look at http://pfsense.trendchiller.com
I created some patches for 1.2 that add tls :-)
-
SaWeet!
Works on my full install. On the embedded it fails with a message about read-only file system.
Is there a way to mount the file system as read-write for the duration of the update? Thanks
GT
-
I installed your patches and noticed one thing that seems to be a feature but I think is a bug. We have openvpn servers that are running tcp and udp. They all use tls. If I try to set tls on a udp connection everything is ok, but if I try to set tls on a tcp connection an error message pops up stating that you cannot use tls on a tcp connection. You can use tls on a tcp connection. I don't think openvpn cares about the transport protocol when it is doing tls.
Thank you.
ddvzlnz
-
So… please test with my updates if TLS is now working for TCP, too...
On my test systems it seems to run...
-
Hi,
This has kind of already been covered in another topic. See http://forum.pfsense.org/index.php/topic,2747.0.html (Bredy's post)
To recap:
1. Open your tls authorization key in a text editor (Wordpad)
2. Select all (CTRL-A) then copy (CTRL-C)
3. Log in to pfSense WebGUI and goto "Diagnostics" > "Edit File"
4. Type "/etc/ta.key" into the "Save / Load from path" box, paste the previously copied key into the large box, then click save
5. Now edit your OpenVPN config, "VPN" > "OpenVPN" > "e"
6. At the bottom of the screen, enter "tls-auth /etc/ta.key 0;" into the "Custom options" box.
7. Save (and OpenVPN should restart)
Trendchiller, your script won't work on Embedded systems because it downloads files to the root directory, which is read-only (to save the CF card). Perhaps you could adjust it to use /tmp? (Writeable filesystem)
Hope this helps, it works for me.
PS. "tls-auth /etc/ta.key 0;" is for a server (Which my setup is). Change the 0 at the end to 1 for a client.
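A sanity check for the setup described in the steps above, written as an added example for this page (it is not code from the thread, from pfSense or from OpenVPN). It reads the "tls-auth <path> <direction>" line out of a config file, tolerates the trailing ';' that the pfSense custom-options box uses, and checks the things that go wrong in this thread: the path must be absolute with forward slashes, the key file must exist, be non-empty and look like an OpenVPN static key, the direction must match the role (0 on the server, 1 on the client), and the key must not be readable by other users. The temporary directory, the key contents and the config fragments are all constructed for the demo; on a real box you would point it at /etc/ta.key and the running config.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity-check an OpenVPN
# tls-auth setup of the kind described above. All files below are
# constructed for the demo in a temporary directory.
set -e

# check_tls_auth CONF ROLE   (ROLE is "server" or "client")
# Returns 0 when the tls-auth line in CONF is consistent, 1 otherwise
# with a reason on stderr.
check_tls_auth() {
    conf="$1"
    role="$2"
    case "$role" in
        server) want_dir=0 ;;
        client) want_dir=1 ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac

    # First tls-auth directive; drop the ';' pfSense custom options use.
    line=$(grep -E '^[[:space:]]*tls-auth[[:space:]]' "$conf" | head -n 1 | tr -d ';')
    [ -n "$line" ] || { echo "no tls-auth line in $conf" >&2; return 1; }
    set -- $line
    path="$2"
    dir="$3"

    # OpenVPN wants a Unix path: absolute, forward slashes.
    case "$path" in
        /*) ;;
        *) echo "tls-auth path must be absolute with forward slashes: $path" >&2; return 1 ;;
    esac
    [ -s "$path" ] || { echo "key file missing or empty: $path" >&2; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----' "$path" \
        || { echo "not an OpenVPN static key: $path" >&2; return 1; }
    [ "$dir" = "$want_dir" ] \
        || { echo "direction '$dir' does not match role $role (want $want_dir)" >&2; return 1; }
    # The key is a shared secret: reject group/world-readable files.
    perm=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
    case "$perm" in
        ?00) ;;
        *) echo "key $path is readable by others (mode $perm)" >&2; return 1 ;;
    esac
    return 0
}

# --- constructed demo data (throwaway key, not a real one) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/ta.key"
cat > "$KEY" <<'EOF'
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
fedcba9876543210fedcba9876543210
-----END OpenVPN Static key V1-----
EOF
chmod 600 "$KEY"

SERVER_CONF="$WORK/server.conf"
CLIENT_CONF="$WORK/client.conf"
BAD_CONF="$WORK/bad.conf"
printf 'proto udp\ntls-auth %s 0;\n' "$KEY" > "$SERVER_CONF"   # as typed in the custom options box
printf 'client\ntls-auth %s 1\n' "$KEY" > "$CLIENT_CONF"
printf 'tls-auth \\tmp\\ta.key 1\n' > "$BAD_CONF"               # backslash path, as in the opening post

check_tls_auth "$SERVER_CONF" server && echo "server config OK"
check_tls_auth "$CLIENT_CONF" client && echo "client config OK"
check_tls_auth "$SERVER_CONF" client || echo "rejected: server direction used for a client"
check_tls_auth "$BAD_CONF" client   || echo "rejected: backslash path"
```

Run it once after the key is saved and once more after a reboot; if the second run reports "key file missing or empty", the key did not persist and the Edit File step has to be repeated on a writable path.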
-
The downloads to the root directory are a self-update.
For embedded simply use:
fetch -o /etc/inc/openvpn.inc http://pfsense.trendchiller.com/patches/openvpn/_etc_inc/openvpn.inc
fetch -o /usr/local/pkg/openvpn.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn.xml
fetch -o /usr/local/pkg/openvpn_cli.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn_cli.xml
fetch -o /usr/local/pkg/openvpn_csc.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn_csc.xml
Should work, I hope?
-
The patch works perfectly; Thank you.
-
Also works on 1.2.1 now…