Netgate Discussion Forum
    How do I make my ta.key permanent?

    OpenVPN
ddvzlnz wrote:

Thanks, but it did not survive a reboot in /var/etc either.
Bredys wrote:

I'm using this path tls-auth /etc/tls_auth.key without any problems…
ddvzlnz wrote:

Thanks. I should have mentioned that I'm using an embedded system. Still can't find a way to do it, must be missing something.
sullrich wrote:

@ddvzlnz:
    Thanks. I should have mentioned that I'm using an embedded system. Still can't find a way to do it, must be missing something.

/var is dynamically created on bootup on embedded systems. You will need to somehow use the config.xml xml directives.
trendchiller wrote:

Or have a look at http://pfsense.trendchiller.com
I created some patches for 1.2 that add TLS :-)
ddvzlnz wrote:

SaWeet!

Works on my full install. On the embedded it fails with a message about a read-only file system.
Is there a way to mount the file system as read-write for the duration of the update?

Thanks
GT
ddvzlnz wrote:

I installed your patches and noticed one thing that seems to be a feature but I think is a bug. We have OpenVPN servers that are running TCP and UDP. They all use TLS. If I try to set TLS on a UDP connection everything is OK, but if I try to set TLS on a TCP connection an error message pops up stating that you can not use TLS on a TCP connection. You can use TLS on a TCP connection. I don't think OpenVPN cares about the transport protocol when it is doing TLS.

Thank you.

ddvzlnz
trendchiller wrote:

So… please test with my updates if TLS is now working for TCP, too...
On my test systems it seems to run...
spindizzy wrote:

Hi,

This has kind of already been covered in another topic… See http://forum.pfsense.org/index.php/topic,2747.0.html (Bredys' post)

To recap:
1. Open your TLS authorization key in a text editor (Wordpad)
2. Select all (CTRL-A) then copy (CTRL-C)
3. Log in to the pfSense WebGUI and go to "Diagnostics" > "Edit File"
4. Type "/etc/ta.key" into the "Save / Load from path" box, paste the previously copied key into the large box, then click Save
5. Now edit your OpenVPN config, "VPN" > "OpenVPN" > "e"
6. At the bottom of the screen, enter "tls-auth /etc/ta.key 0;" into the "Custom options" box.
7. Save (and OpenVPN should restart)

Trendchiller, your script won't work on embedded systems because it downloads files to the root directory, which is read-only (to save the CF card). Perhaps you could adjust it to use /tmp? (Writeable filesystem)

Hope this helps, it works for me.

PS. "tls-auth /etc/ta.key 0;" is for a server (which my setup is). Change the 0 at the end to 1 for a client.
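A sanity check for the setup recapped in the post above, added here as an example and not code from the thread or from pfSense: it verifies that the key file has the OpenVPN static key V1 layout, that its path is not under a directory the embedded image rebuilds at boot (/var, and /tmp as a RAM disk), and that the tls-auth direction matches the role (0 for a server, 1 for a client). The function names and the sample key are my own assumptions; the key written by make_sample_key is constructed for testing and is not a real key.

```shell
# Added example, not from the thread. Helper names are assumed.

# check_ta_key FILE: returns 0 if FILE has the OpenVPN static key V1 layout
# (BEGIN/END marker lines plus 16 lines of 32 hex chars = 2048-bit key).
check_ta_key() {
    f="$1"
    [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" || { echo "no V1 header"; return 1; }
    grep -q '^-----END OpenVPN Static key V1-----$' "$f" || { echo "no V1 footer"; return 1; }
    # drop comment and marker lines, join the body, check its length and charset
    body=$(grep -v '^#' "$f" | grep -v '^-----' | tr -d '\n\r')
    [ "${#body}" -eq 512 ] || { echo "body is ${#body} hex chars, expected 512"; return 1; }
    printf '%s' "$body" | grep -Eq '^[0-9a-fA-F]+$' || { echo "non-hex data in body"; return 1; }
}

# check_persistent_path FILE: returns 1 if FILE sits under a directory that an
# embedded (CF card) install recreates on every boot, so the key would vanish.
check_persistent_path() {
    case "$1" in
        /var/*|/tmp/*) echo "$1 will not survive a reboot"; return 1 ;;
        *) return 0 ;;
    esac
}

# check_direction ROLE DIRECTIVE: a server must use direction 0, a client 1.
# A tls-auth line without a direction uses the key bidirectionally (accepted).
check_direction() {
    role="$1"
    dir=$(printf '%s' "$2" | sed -n 's/^tls-auth [^ ]* \([01]\).*/\1/p')
    [ -n "$dir" ] || { echo "no direction given: key used bidirectionally"; return 0; }
    case "$role:$dir" in
        server:0|client:1) return 0 ;;
        *) echo "role $role with direction $dir: mismatch"; return 1 ;;
    esac
}

# make_sample_key FILE: writes a CONSTRUCTED key with the right shape (not a real key).
make_sample_key() {
    {
        echo '# 2048 bit OpenVPN static key'
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do echo '0123456789abcdef0123456789abcdef'; i=$((i+1)); done
        echo '-----END OpenVPN Static key V1-----'
    } > "$1"
}
```

Run check_ta_key against /etc/ta.key after a reboot of the embedded box: if the file is gone, the key was never on a persistent path.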
trendchiller wrote:

The downloads to the root directory are a self-update.
For embedded simply use:

fetch -o /etc/inc/openvpn.inc http://pfsense.trendchiller.com/patches/openvpn/_etc_inc/openvpn.inc
fetch -o /usr/local/pkg/openvpn.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn.xml
fetch -o /usr/local/pkg/openvpn_cli.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn_cli.xml
fetch -o /usr/local/pkg/openvpn_csc.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn_csc.xml

Should work, I hope?
shadow wrote:

The patch works perfectly; thank you.
trendchiller wrote:

Also works on 1.2.1 now…

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.