Some OpenVPN Options Covered by pfSense 2.4.3 Menu Options?
-
I'm not sure, but it looks like several OpenVPN options (the ones that would go in the Custom Options area at VPN > OpenVPN > Clients) are actually handled by the menu options on that page. In my case, I'm wondering about the following OpenVPN options that my VPN provider (AirVPN) has in its .OVPN file:
-
"cipher AES-256-CBC": is that handled by "Encryption Algorithm" and/or "NCP Algorithms"? And, while I'm at it, I'm not clear on the difference between those two menu items. Can anyone explain?
-
"comp-lzo no": is that handled by "Compression: Adaptive LZO Compression [Legacy style, comp-lzo adaptive]"? Also, from the description of that menu option, it turns off compression if it doesn't seem to be used. So, since AirVPN is using "comp-lzo no", should I use the above adaptive method or specify "Compression: No LZO Compression [Legacy style, comp-lzo no]"?
-
"dev tun": is that handled by "Device Mode: Layer 3 Tunnel Mode"?
-
"proto udp": is that handled by "Protocol: UDP on IPv4 only"?
-
"remote xxx.xxx.xxx.xxx yy": is that handled by "Server host or address" and "Server port"?
-
"verb 3": is that handled by "Verbosity level: 3 (recommended)"?
-
-
Someone in the AirVPN forums pointed me to
/var/etc/openvpn/client2.conf
to see the configuration pfSense actually generated. From that, it looks like I can answer at least some of my questions, above:
-
cipher AES-256-CBC: It looks like that is generated from the "Encryption Algorithm" menu item and put in the "daemon" area. Oddly, AirVPN's .ovpn file specifies -CBC, but I specified -GCM. It works, but that's probably because AirVPN does handle -GCM. I wonder why their .ovpn specifies CBC instead of anything else?
-
comp-lzo no: That's generated by the "Compression" menu item and put in the "client" area. Since Adaptive seems to give me no problems, I'll stick with that.
-
dev tun: This is an interesting one. It looks like it's sort of generated by the "Device Mode" menu item and stuck right at the top in several ways. The very first line in the file is:
dev ovpnc2
I can't find anything in the OpenVPN manual about a straight "dev" option other than tun and tap. I assume it's defining a label for the device ovpnc2 (for OpenVPN Configuration 2, or something). Then, there's the two lines:
dev-type tun
dev-node /dev/tun2I believe those are setting the equivalent of "dev tun" for this "ovpnc2" device.
-
proto udp: Hmmm. It looks like this is generated by the "Protocol" menu item and put in the "daemon" area. But, the option generated is "proto udp4" instead of "proto udp". I vaguely recall seeing posts around here about udp vs udp4, so I'm going to have to do more research to see if that's correct. EDIT: I found a post on the OpenVPN forums talking about using "proto udp4" to work around the problem of "proto udp" trying to set up UDP on both IPv4 and IPv6. If IPv6 is turned off (which it is on my system), then "proto udp4" is the thing to use. Odd that they don't list it in the manual page.
-
remote xxx.xxx.xxx.xxx.yy: It looks like that's generated by the "Server host or address" and "Server port" menu item and put in the "client" area.
-
verb 3: It looks like that's generated by the "Verbosity level" menu item and added right at the top under that "dev ovpnc2" area.
So, unless there's an issue with "proto udp" vs "proto udp4", it looks like I'm OK.
-