Feedback request: Recent OpenVPN Changes
-
Last week I made some backend structural changes to OpenVPN which reorganized the directory structure and file layout. I haven't noticed any problems in my testing (before or after committing the changes), but as always with components as flexible as OpenVPN there is no feasible way to test every combination of settings.
There should be no noticeable functional difference to users, but if you noticed an undesirable change in OpenVPN behavior in snapshots from the last week, especially with regard to CRL processing, please provide the details of the problem. Preferably in a new thread here.
New structure is much easier to follow and keeps everything together. It was changed from /var/etc/openvpn[-csc]/<mode><id>.<file> to /var/etc/openvpn/<mode><id>/<x>. It also uses the new capath style CA/CRL structure.
- https://redmine.pfsense.org/issues/9915
- https://github.com/pfsense/pfsense/commit/348c2af1671d8f11c5d9ca67a32cbb28940ef19a
- https://github.com/pfsense/pfsense/commit/475d712b910e197256c06634051e1ad75be4bdfe
In addition to that, there are a number of other recent OpenVPN commits which need testing.
-
I didn't even know about this..
I have a simple OpenVPN peer to peer (shared key) from home (2.5.0) to work (2.4.4-p3). No trouble so far.
-
@jimp, as you mention CRL processing: not sure while reading the commits, but would that make it possible to read CRLs from a remote system so it only has to be managed at one location without "syncing"?
-
@kiokoman said in Feedback request: Recent OpenVPN Changes:
I didn't even know about this..
Then I did something right :-)
Now wait until you hear about the massive IPsec changes I made last week that (hopefully) were also imperceptible to most people...
@JeGr said in Feedback request: Recent OpenVPN Changes:
would that make it possible to read CRLs from a remote system so it only has to be managed at one location without "syncing"
No, it's only about how OpenVPN reads/processes them locally, using capath to set up a CA+CRL structure directory, rather than using separate ca and crl-verify directives.
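As an added illustration of the capath layout jimp describes (example code written for this page, not pfSense's or OpenVPN's own): OpenVPN's capath uses OpenSSL's hash-directory convention, where each CA certificate is stored as <subject-hash>.<n> and each CRL as <subject-hash>.r<n>, so a CRL is matched to its CA purely by file name. The helper below places files under those names, handles two CAs that share a subject hash, and flags CAs with no CRL beside them or files the lookup will never see; it assumes the 8-hex-digit subject hash has already been computed with openssl x509 -hash -noout / openssl crl -hash -noout.

```python
import os, re, tempfile

# OpenSSL hash-dir naming, which OpenVPN's capath reads: CA certs are <hash>.<n>, CRLs are
# <hash>.r<n>; the 8-hex-digit subject hash ("openssl x509/crl -hash -noout") is assumed given.
_KINDS = {"crl": (re.compile(r"^([0-9a-f]{8})\.r(\d+)$"), "-----BEGIN X509 CRL-----"),
          "ca": (re.compile(r"^([0-9a-f]{8})\.(\d+)$"), "-----BEGIN CERTIFICATE-----")}
CA_PEM = "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"  # constructed stand-in
CRL_PEM = "-----BEGIN X509 CRL-----\nconstructed\n-----END X509 CRL-----\n"  # constructed stand-in

def classify(name):
    """Return (kind, hash, index) for a hash-dir style file name, else None."""
    for kind, (pattern, _) in _KINDS.items():
        m = pattern.match(name)
        if m:
            return kind, m.group(1), int(m.group(2))

def next_capath_name(capath, subj_hash, kind):
    """Next free name for kind 'ca' or 'crl'; CAs sharing a hash get .0, .1, ..."""
    used = {c[2] for c in map(classify, os.listdir(capath)) if c and c[:2] == (kind, subj_hash)}
    n = next(i for i in range(len(used) + 1) if i not in used)
    return f"{subj_hash}.{'r' if kind == 'crl' else ''}{n}"

def install(capath, subj_hash, kind, pem):
    name = next_capath_name(capath, subj_hash, kind)
    with open(os.path.join(capath, name), "w") as fh:
        fh.write(pem)
    return name

def audit_capath(capath):
    """Return (CA hashes with no CRL beside them, files OpenSSL will ignore or misread)."""
    cas, crls, bad = set(), set(), []
    for name in sorted(os.listdir(capath)):
        with open(os.path.join(capath, name)) as fh:
            head = fh.readline().strip()
        c = classify(name)
        if c is None or head != _KINDS[c[0]][1]:
            bad.append(name)  # not hash-dir form, or PEM type disagrees with the name
        elif c[0] == "ca":
            cas.add(c[1])
        else:
            crls.add(c[1])
    return sorted(cas - crls), bad

def demo():
    capath = tempfile.mkdtemp(prefix="capath-")
    names = [install(capath, "a1b2c3d4", "ca", CA_PEM),
             install(capath, "a1b2c3d4", "ca", CA_PEM),   # same subject hash -> a1b2c3d4.1
             install(capath, "a1b2c3d4", "crl", CRL_PEM),
             install(capath, "deadbeef", "ca", CA_PEM)]   # no CRL beside this CA
    with open(os.path.join(capath, "ca.crt"), "w") as fh:  # flat-style name: capath ignores it
        fh.write(CA_PEM)
    return names, audit_capath(capath)
```

Running demo() returns the four hash-dir names that were assigned, the list of CA hashes lacking a CRL (deadbeef) and the flat ca.crt that the lookup would never consult.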