Netgate Discussion Forum

    Supported OpenVPN Capabilities

    OpenVPN
Wasca

      Hi Guys

Just wondering what OpenVPN capabilities are NOT supported; I just want to make sure I'm not using them in my config.

GruensFroeschli

As far as I know, nothing is unsupported.
A few options might not be available directly through the GUI, but you can always add custom options.

        Could you be a bit more clear on what you are trying to achieve?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

Wasca

          Hi Guys

OK, below are my server and client configs. I just want to make sure all these settings will work. In particular "fragment 1200" on the server and client, and "mssfix 1200" and "route-method exe" on the client; these are settings I needed to get some Vista clients working on a previous OpenVPN server on another server.

Why are user nobody and group nobody commented out in the default install of OpenVPN on pfSense?
The immediate problem I see is that I have user nobody and group nobody in the client config but not in the server config. Will this be a problem?

Another question: do I have to push all of the routes to my directly attached networks on the pfSense router? I.e. I have OPT3 and OPT4 with subnet addresses of 192.168.3.0/24 and 192.168.4.0/24. Do I need to push these routes to the clients?

          Server

          writepid /var/run/openvpn_server0.pid
          #user nobody
          #group nobody
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          dev tun
          proto udp
          cipher BF-CBC
          up /etc/rc.filter_configure
          down /etc/rc.filter_configure
          client-to-client
          server 192.168.2.0 255.255.255.0
          client-config-dir /var/etc/openvpn_csc
          push "route 192.168.1.0 255.255.255.0"
          lport 1194
          push "dhcp-option NBT 1"
          ca /var/etc/openvpn_server0.ca
          cert /var/etc/openvpn_server0.cert
          key /var/etc/openvpn_server0.key
          dh /var/etc/openvpn_server0.dh
          comp-lzo
          persist-remote-ip
          float
          fragment 1200
          tls-auth /var/etc/ta.key 0
          tls-server
          persist-remote-ip
          push "dhcp-option DNS 192.168.1.1"

          Client

          client
          proto udp
          dev tun
          ca ca.crt
          dh dh2048.pem
          cert username.crt
          key username.key
          remote 203.xxx.xxx.xxx 1194
          tls-auth ta.key 1
          cipher BF-CBC
          user nobody
          group nogroup
          verb 2
          mute 20
          fragment 1200
          mssfix 1200
          keepalive 10 120
          comp-lzo
          persist-key
          persist-tun
          float
          resolv-retry infinite
          nobind
          route-method exe
          route-delay 2
          ns-cert-type server

GruensFroeschli

OK, below are my server and client configs. I just want to make sure all these settings will work. In particular "fragment 1200" on the server and client, and "mssfix 1200" and "route-method exe" on the client; these are settings I needed to get some Vista clients working on a previous OpenVPN server on another server.

The field "Custom options" is what you are looking for :)
Just add your commands.

Also, the route-method is only on the Vista client, I suppose, so it won't have any impact on pfSense.

Why are user nobody and group nobody commented out in the default install of OpenVPN on pfSense?
The immediate problem I see is that I have user nobody and group nobody in the client config but not in the server config. Will this be a problem?

I'm not really sure. I suppose the developer who made the OpenVPN part could answer that.
No, it won't be a problem.
This only defines what the rights of the OpenVPN process are after the tunnel has been initialized.
Different settings on the client and server have no effect on each other.
Quoting http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html:

--user user
                Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session. Though OpenVPN's security features make this unlikely, it is provided as a second line of defense.

            By setting user to nobody or somebody similarly unprivileged, the hostile party would be limited in what damage they could cause. Of course once you take away privileges, you cannot return them to an OpenVPN session. This means, for example, that if you want to reset an OpenVPN daemon with a SIGUSR1 signal (for example in response to a DHCP reset), you should make use of one or more of the --persist options to ensure that OpenVPN doesn't need to execute any privileged operations in order to restart (such as re-reading key files or running ifconfig on the TUN device).

Another question: do I have to push all of the routes to my directly attached networks on the pfSense router? I.e. I have OPT3 and OPT4 with subnet addresses of 192.168.3.0/24 and 192.168.4.0/24. Do I need to push these routes to the clients?

Yes, you need a push for every subnet to which your clients need access.
The field "local network" adds one of these pushes.
All additional pushes -> custom options.

I see that you have tls-auth in your current config:
If you really "need" that, you need to add the tls file manually.
I think there is a thread around somewhere from someone who did that.
Not sure if/how that worked.
(Could you leave it out?)

            EDIT: found it :)
            Enable TLS Auth support: http://forum.pfsense.org/index.php/topic,2747.0.html
            How do I make my ta.key permanent? http://forum.pfsense.org/index.php/topic,7956.0.html


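The two points in the answer above (dropping privileges with user/group only works across a restart if the persist options are present, and the server must push a route for every subnet the clients need) can be checked mechanically. The following is an added example, not code from this thread or from pfSense; the config excerpts are constructed from the configs posted above, and the tls-auth direction check (0 on the server, 1 on the client) is included because both configs carry it:

```python
# Constructed excerpts of the server and client configs posted above (paths shortened).
SERVER_CFG = """#user nobody
server 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
tls-auth /var/etc/ta.key 0
tls-server
"""
CLIENT_CFG = """client
tls-auth ta.key 1
user nobody
group nogroup
persist-key
persist-tun
"""

def parse_openvpn(text):
    """Map each option name to the list of its argument strings; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            opts.setdefault(name, []).append(args.strip())
    return opts

def check(opts, local_subnets=()):
    """Return findings for one side's config; local_subnets are networks clients must reach."""
    findings = []
    role = "server" if ("server" in opts or "tls-server" in opts) else "client"
    # --user/--group drop privileges after init; per the manpage quoted above, a SIGUSR1
    # restart then needs --persist-key/--persist-tun so no privileged work is required.
    if "user" in opts or "group" in opts:
        for p in ("persist-key", "persist-tun"):
            if p not in opts:
                findings.append(f"{p} missing although privileges are dropped")
    # The tls-auth key direction is 0 on the server and 1 on the client.
    for arg in opts.get("tls-auth", []):
        parts = arg.split()
        if len(parts) == 2 and parts[1] != ("0" if role == "server" else "1"):
            findings.append(f"tls-auth direction {parts[1]} does not fit the {role} role")
    # The server must push a route for every subnet the clients need to reach.
    if role == "server":
        pushed = {a.split()[1] for a in (p.strip('"') for p in opts.get("push", []))
                  if a.startswith("route ") and len(a.split()) > 2}
        for net in local_subnets:
            if net not in pushed:
                findings.append(f'no push "route {net} <mask>" on the server')
    return findings
```

Run check(parse_openvpn(...)) on each side's file; for the server, pass the OPT3/OPT4 network addresses as local_subnets and it reports the routes that are not yet pushed.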
Wasca

I see that you have tls-auth in your current config:
If you really "need" that, you need to add the tls file manually.
I think there is a thread around somewhere from someone who did that.
Not sure if/how that worked.
(Could you leave it out?)

EDIT: found it :)
Enable TLS Auth support: http://forum.pfsense.org/index.php/topic,2747.0.html
How do I make my ta.key permanent? http://forum.pfsense.org/index.php/topic,7956.0.html

Thanks for all your help. I've got all the TLS stuff under wraps; I've already had a read about all that.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.