How do I make my ta.key permanent?

ddvzlnz · Feb 20, 2008, 5:58 AM

Thanks, but it did not survive a reboot in /var/etc either.

Bredys · Feb 27, 2008, 1:17 PM

Im using this path tls-auth /etc/tls_auth.key without any problems…

ddvzlnz · Feb 28, 2008, 2:38 AM

Thanks. I should have mentioned that I'm using an embedded system. Still can't find a way to do it, must be missing something.

sullrich · Feb 28, 2008, 4:35 AM

@ddvzlnz:

Thanks. I should have mentioned that I'm using an embedded system. Still can't find a way to do it, must be missing something.

/var is dynamically created on bootup on embedded systems. You will need to somehow use the config.xml xml directives.

trendchiller · Feb 28, 2008, 10:09 AM

or have a look at http://pfsense.trendchiller.com
i created some patches for 1.2 that add tls :-)

ddvzlnz · Mar 2, 2008, 4:31 PM

SaWeet!

Works on my full install. On the embedded it failes with a message about read only file system.
Is there a way to mount the file system as read-write for the duration of the update?

Thanks
GT

ddvzlnz · Mar 2, 2008, 6:34 PM

I installed your patches and notice one thing that seems to be a feature but I think is a bug. We have openvpn servers that are running tcp and udp. They all use tls. If I try to set tls on a udp connection everything is ok, but if try to set tls on a tcp connection an error message pops up stating that you can not use tls on a tcp connection. You can use tls on a tcp connection. I don't think openvpn cares about the transport protocol when it is doing tls.

Thank you.

ddvzlnz

trendchiller · Mar 4, 2008, 12:43 AM

So… please test with my updates if TLS is now working for TCP, too...
On my test-systems it seems to run...

spindizzy · Mar 7, 2008, 6:07 PM

Hi,

This has kind of already been covered in another topic…. See http://forum.pfsense.org/index.php/topic,2747.0.html (Bredys post)

To recap:
1. Open your tls authorization key in a text editor (Wordpad)
2. Select all (CTRL-A) then copy (CTRL-C)
3. Log in to pfSense WebGUI and goto "Diagnostics" > "Edit File"
4. Type "/etc/ta.key" into the "Save / Load from path" box, paste the previously copied key into the large box, then click save
5. Now edit your OpenVPN config, "VPN" > "OpenVPN" > "e"
6. At the bottom of the screen, enter "tls-auth /etc/ta.key 0;" into the "Custom options" box.
7. Save (and OpenVPN should restart)

Trendchiller, your script won't work on Embedded systems because it downloads files to the root directory, which is read-only (to save the CF card). Perhaps you could adjust it to use /tmp? (Writeable filesystem)

Hope this helps, it works for me.

PS. "tls-auth /etc/ta.key 0;" is for a server (Which my setup is). Change the 0 at the end to 1 for a client.

trendchiller · Mar 8, 2008, 8:04 PM

the downloads to root-directory are a self-update.
for embedded simply use:

fetch -o /etc/inc/openvpn.inc http://pfsense.trendchiller.com/patches/openvpn/_etc_inc/openvpn.inc
fetch -o /usr/local/pkg/openvpn.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn.xml
fetch -o /usr/local/pkg/openvpn_cli.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn_cli.xml
fetch -o /usr/local/pkg/openvpn_csc.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn_csc.xml

should work, i hope ?

shadow · Apr 28, 2008, 5:29 PM

The patch works perfectly; Thank you.

trendchiller · Dec 27, 2008, 1:10 PM

also works on 1.2.1 now…