Netgate Discussion Forum

HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection

OpenVPN
  • N
    noplan @jimp
    last edited by noplan Mar 22, 2022, 10:21 AM Mar 22, 2022, 10:18 AM

    @jimp

    No it's not too early to bring this up

    I think we already hit this topic in the last German user group meeting
    Let's see maybe we bring it up again

    1st Friday 17:00 sharp every month hosted by @JeGr

    Planning starts early 👺😴👺

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Mar 22, 2022, 1:06 PM

      As others have said, those errors are unrelated. If you want help diagnosing that kind of problem, create a new thread and discuss it there. This thread is only for discussing and planning for upcoming changes in future releases, nothing that is already released.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      P 1 Reply Last reply Mar 22, 2022, 2:07 PM Reply Quote 0
      • P
        Prez_Mgmt @jimp
        last edited by Mar 22, 2022, 2:07 PM

        @jimp
        yes, I created this thread afterwards

        1 Reply Last reply Reply Quote 0
        • B
          brians
          last edited by May 20, 2022, 11:26 PM

          Good thing I noticed this.
          I was about to send out an appliance using shared key to the middle of nowhere and this saved me a bunch of future headache.

          Whereas I could set up a shared key OpenVPN in mere minutes, the TLS method is a bit more complicated. I spent this afternoon learning it and testing - now I believe it would be fairly fast to set up.

          J 1 Reply Last reply May 23, 2022, 2:10 PM Reply Quote 1
          • J
            jimp Rebel Alliance Developer Netgate @brians
            last edited by May 23, 2022, 2:10 PM

            @brians said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection:

            Good thing I noticed this.
            I was about to send out an appliance using shared key to the middle of nowhere and this saved me a bunch of future headache.

            Whereas I could set up a shared key OpenVPN in mere minutes, the TLS method is a bit more complicated. I spent this afternoon learning it and testing - now I believe it would be fairly fast to set up.

            I'm working on writing a migration guide to help with that kind of transition. It's not really all that much more difficult these days, just a few extra steps involved.


            B 1 Reply Last reply May 23, 2022, 2:32 PM Reply Quote 1
            • B
              Bob.Dig LAYER 8 @jimp
              last edited by Bob.Dig May 23, 2022, 2:34 PM May 23, 2022, 2:32 PM

              @jimp said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection:

              I'm working on writing a migration guide to help with that kind of transition.

              Sadly your time of YouTube videos seems to be over? 🤔
              But help is surely appreciated in any form. 😌

              1 Reply Last reply Reply Quote 0
              • J
                jimp Rebel Alliance Developer Netgate
                last edited by May 23, 2022, 2:49 PM

                IIRC There are already hangout videos for OpenVPN that cover setting up site-to-site with overrides. Not a lot new for this but I am aiming to try to make it as minimally painful as we can.


                1 Reply Last reply Reply Quote 1
                • P parkerask_centuryci referenced this topic on May 31, 2022, 4:55 PM
                • V viragomann referenced this topic on May 31, 2022, 8:23 PM
                • R
                  RandyW
                  last edited by Jun 25, 2022, 7:41 PM

                  @jimp
                  Hi, this was an interesting read. Unfortunately v2.6 also killed my PureVPN connection and even the techs couldn't find the reason for not even connecting at all to their servers. They even logged into my system and said that pfSense v2.6 is incompatible with their servers. BONG... what happened ?
                  I thought v2.6 was up to date on all of these changes. 😕

                  J 1 Reply Last reply Jun 25, 2022, 7:58 PM Reply Quote 0
                  • J
                    jimp Rebel Alliance Developer Netgate @RandyW
                    last edited by Jun 25, 2022, 7:58 PM

                    @randyw said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection:

                    @jimp
                    Hi, this was an interesting read. Unfortunately v2.6 also killed my PureVPN connection and even the techs couldn't find the reason for not even connecting at all to their servers. They even logged into my system and said that pfSense v2.6 is incompatible with their servers. BONG... what happened ?
                    I thought v2.6 was up to date on all of these changes. 😕

                    pfSense CE 2.6.0 does not use OpenVPN 2.6.0, this post is about OpenVPN 2.6.0 which is still not released yet. Start your own thread with details about your problem, it's most likely an issue in your settings. OpenVPN is OpenVPN and is very good about compatibility but occasionally needs some adjustments as they change options/protocol details.


                    1 Reply Last reply Reply Quote 0
                    • M
                      mzaknoen
                      last edited by Dec 28, 2022, 6:04 PM

                      Thanks for the post! I've read through documentation and watched a few videos. This may be a foolish question, but if I have multiple "clients" connecting to our server, do I need to recreate a new CA and certificate for each "client", OR do I simply need to generate unique client certificates? And apply the same server TLS key to each client?

                      B J 2 Replies Last reply Dec 28, 2022, 7:14 PM Reply Quote 0
                      • C
                        Cool_Corona
                        last edited by Dec 28, 2022, 6:12 PM

                        With certificate generation with Lets Encrypt integration?

                        R 1 Reply Last reply Feb 27, 2023, 9:11 AM Reply Quote 0
                        • B
                          brians @mzaknoen
                          last edited by Dec 28, 2022, 7:14 PM

                          @mzaknoen said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection:

                          Thanks for the post! I've read through documentation and watched a few videos. This may be a foolish question, but if I have multiple "clients" connecting to our server, do I need to recreate a new CA and certificate for each "client", OR do I simply need to generate unique client certificates? And apply the same server TLS key to each client?

                          I have followed this guide:
                          https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html

                          I export the CA and client certificates, then import them into the client netgate appliances. Read the entire doc because I missed some things at first regarding client specific overrides but after a couple times reading and actual hands-on it makes sense.

                          1 Reply Last reply Reply Quote 0
                          • J
                            jimp Rebel Alliance Developer Netgate @mzaknoen
                            last edited by Jan 4, 2023, 1:19 PM

                            @mzaknoen said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection:

                            Thanks for the post! I've read through documentation and watched a few videos. This may be a foolish question, but if I have multiple "clients" connecting to our server, do I need to recreate a new CA and certificate for each "client", OR do I simply need to generate unique client certificates? And apply the same server TLS key to each client?

                            If your server is set up as SSL/TLS and allows multiple clients on a single server, then it's already not using shared key or P2P mode and it will be fine.

                            The problematic setups are ones using shared key mode specifically (one server with one client, no certificates).

                            If you have multiple servers each with a single client and want to convert them, you can do so individually (still one server for each client) or collectively (convert them to one server and multiple clients). How you handle the CA structure is up to you. You can use a unique CA per server if you want, but it's not strictly necessary. Each server should have a unique TLS key though, which will also help ensure that a client with the "wrong" cert won't be able to connect to a server it shouldn't be using if you have multiple.


                            1 Reply Last reply Reply Quote 0
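The layout jimp describes above (SSL/TLS instead of shared key, a CA that may or may not be shared, and one unique TLS key per server) can be checked mechanically before an appliance ships. The following Python is an added example and is not code from this thread, from pfSense or from the OpenVPN project: it parses OpenVPN config text (including the inline `<ca>`/`<cert>`/`<key>`/`<tls-crypt>` blocks pfSense exports), flags the settings the thread title says are going away (`secret` shared-key mode, a fixed `cipher` with no `data-ciphers`), checks that a TLS-mode config carries `ca`, `cert`, `key` and a `tls-auth`/`tls-crypt` key, and reports servers whose TLS key is identical. The hostnames, certificates and key blocks in the sample configs are constructed placeholders, not real material.

```python
"""Lint OpenVPN config text for settings the thread says are going away
(shared-key mode, fixed cipher selection) and check that TLS-mode servers do
not reuse one control-channel key.  Added example; sample configs are constructed."""
import hashlib
import re

TLS_CRED_DIRECTIVES = {"ca", "cert", "key"}
TLS_KEY_DIRECTIVES = ("tls-crypt-v2", "tls-crypt", "tls-auth")


def parse_config(text):
    """Map each directive to a list of its values.  Inline <tag>...</tag>
    blocks (the form pfSense exports) are stored under the tag name."""
    directives = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            tag, body = m.group(1), []
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                body.append(lines[i].strip())
                i += 1
            i += 1  # skip the closing tag
            directives.setdefault(tag, []).append("\n".join(body))
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name, []).append(value.strip())
    return directives


def lint_config(text):
    """Return (code, message) findings for one config."""
    d = parse_config(text)
    findings = []
    if "secret" in d:
        findings.append(("SHARED_KEY", "static key mode (secret) is deprecated; migrate to SSL/TLS"))
    if "ncp-disable" in d:
        findings.append(("NCP_DISABLE", "ncp-disable is deprecated; remove it and set data-ciphers"))
    if "cipher" in d and not ({"data-ciphers", "ncp-ciphers"} & d.keys()):
        findings.append(("CIPHER_ONLY", "cipher without data-ciphers: fixed cipher selection is deprecated"))
    if "secret" not in d:  # TLS mode: needs CA, cert, key and a control-channel key
        missing = sorted(TLS_CRED_DIRECTIVES - d.keys())
        if missing:
            findings.append(("MISSING_TLS_CREDS", "TLS mode needs: " + ", ".join(missing)))
        if not any(k in d for k in TLS_KEY_DIRECTIVES):
            findings.append(("NO_TLS_KEY", "no tls-auth/tls-crypt key: control channel is unprotected"))
    return findings


def tls_key_fingerprint(text):
    """Hash the first control-channel key found: the inline block, or the file
    path when referenced by name (equal paths only imply equal keys on one host)."""
    d = parse_config(text)
    for name in TLS_KEY_DIRECTIVES:
        if name in d:
            return hashlib.sha256(d[name][0].encode()).hexdigest()[:16]
    return None


def find_shared_tls_keys(configs):
    """Group config names that carry the same TLS key; each group is a finding."""
    by_fp = {}
    for name, text in configs.items():
        fp = tls_key_fingerprint(text)
        if fp:
            by_fp.setdefault(fp, []).append(name)
    return [names for names in by_fp.values() if len(names) > 1]


# --- constructed sample configs (placeholders, not real certificates or keys) ---
def _placeholder_key(label):
    return ("-----BEGIN OpenVPN Static key V1-----\n"
            f"PLACEHOLDER-{label}-NOT-A-REAL-KEY\n"
            "-----END OpenVPN Static key V1-----")


def _tls_server(n, key_label):
    return (f"dev tun\nproto udp\nserver 10.{n}.0.0 255.255.255.0\n"
            "data-ciphers AES-256-GCM:CHACHA20-POLY1305\n"
            "<ca>\nPLACEHOLDER-CA\n</ca>\n"
            f"<cert>\nPLACEHOLDER-CERT-{n}\n</cert>\n<key>\nPLACEHOLDER-KEY-{n}\n</key>\n"
            f"<tls-crypt>\n{_placeholder_key(key_label)}\n</tls-crypt>\n")


LEGACY_SHARED_KEY = "dev tun\nproto udp\nremote site-a.example.invalid 1194\nsecret static.key\ncipher AES-256-CBC\n"
HALF_MIGRATED = "client\ndev tun\nremote site-a.example.invalid 1194\nca ca.crt\ncert client.crt\nkey client.key\ncipher AES-256-CBC\n"
SERVERS = {"site-a": _tls_server(1, "alpha"), "site-b": _tls_server(2, "alpha"), "site-c": _tls_server(3, "gamma")}

if __name__ == "__main__":
    for name, cfg in [("legacy", LEGACY_SHARED_KEY), ("half-migrated", HALF_MIGRATED), ("site-a", SERVERS["site-a"])]:
        print(name, [code for code, _ in lint_config(cfg)] or "clean")
    print("servers sharing a TLS key:", find_shared_tls_keys(SERVERS))
```

Run it as a script to see the three verdicts: the legacy config is flagged for shared-key mode and fixed cipher selection, the half-migrated client has certificates but no control-channel key, and `site-a`/`site-b` are reported together because they were generated with the same TLS key, which is exactly the reuse jimp advises against.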
                            • I ironmonkey referenced this topic on Feb 3, 2023, 9:40 PM
                            • I ironmonkey referenced this topic on Feb 3, 2023, 9:46 PM
                            • R
                              RootBear @Cool_Corona
                              last edited by Feb 27, 2023, 9:11 AM

                              @cool_corona Are you suggesting that everybody that can use LetsEncrypt should be able to connect to your VPN :-? 🤡

                              1 Reply Last reply Reply Quote 0
                              • GertjanG Gertjan referenced this topic on Mar 31, 2023, 2:30 PM
                              • GertjanG Gertjan referenced this topic on Mar 31, 2023, 2:30 PM
                              • GertjanG Gertjan referenced this topic on Jun 26, 2023, 6:38 AM
                              • GertjanG Gertjan referenced this topic on Aug 8, 2023, 5:28 AM
                              • J jimp forked this topic on Sep 11, 2023, 3:58 PM
                              • GertjanG Gertjan referenced this topic on Sep 20, 2023, 6:51 AM
                              • S SteveITS referenced this topic on Dec 17, 2023, 9:00 PM
                              • B
                                Bambos
                                last edited by Jan 18, 2024, 12:25 PM

                                Dear Admins,

                                Can we have a post with the successful procedure of migrating 2.6 to 2.7 , in relation to open VPN Shared key VS SSL/TLS method ?

                                Here are some referenced posts with issues:

                                https://forum.netgate.com/topic/183854/open-vpn-2-7-site-to-site-odd-routing-issue/16
                                https://forum.netgate.com/topic/183644/site-to-site-with-shared-key-gateway-bug/3

                                Are those resolved with 2.7.1 / 2.7.2 ? What is the recommendation for migrating ?

                                GertjanG 1 Reply Last reply Jan 18, 2024, 1:24 PM Reply Quote 0
                                • GertjanG
                                  Gertjan @Bambos
                                  last edited by Jan 18, 2024, 1:24 PM

                                  @Bambos

                                  Something isn't / wasn't working ?
                                  "Shared keys" was already deprecated many moons ago.

                                  So : set up a server (create a second ?!), and when done, redeploy the client "ovpn" files to the OpenVPN clients / users.


                                  I use "Remote Access (SSL/TLS)", you could also choose "Remote Access (SSL/TLS + User Auth)".

                                  No "help me" PM's please. Use the forum, the community will thank you.
                                  Edit : and where are the logs ??

                                  B 1 Reply Last reply Jan 19, 2024, 8:30 AM Reply Quote 0
                                  • B
                                    Bambos @Gertjan
                                    last edited by Jan 19, 2024, 8:30 AM

                                    @Gertjan thanks for the tips !

                                    for the remote access VPN, if it is SSL/TLS + User Auth, does this work with FreeRADIUS as well ?

                                    For site to site VPN with shared key, according to this post: https://forum.netgate.com/topic/183644/site-to-site-with-shared-key-gateway-bug/3 there is no compatibility if the server is v2.6 and the client v2.7. Will the SSL/TLS tunnel work between them ?? I have many 2.6 version clients to upgrade.

                                    GertjanG 1 Reply Last reply Jan 19, 2024, 8:57 AM Reply Quote 0
                                    • GertjanG
                                      Gertjan @Bambos
                                      last edited by Gertjan Jan 19, 2024, 9:03 AM Jan 19, 2024, 8:57 AM

                                      @Bambos said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection:

                                      for the remote access VPN, if it is SSL/TLS + User Auth, does this work with FreeRADIUS as well ?

                                      I'm using FreeRadius myself for the captive portal.
                                      Never tried to do this ... 😊

                                      You probably also want to see this one : FreeRadius on pfSense software for Two Factor Authentication although I presume that article was written for those who wanted to "why do things the easy way if much harder is so much better ?"

                                      @Bambos said in HEADS UP: OpenVPN deprecating shared key mode, requires TLS, deprecating cipher selection:

                                      I have many 2.6 version clients to upgrade

                                      Keep in mind that 2.6.0 uses the "old" (now completely ditched because of security) OpenVPN (and now also old OpenSSL !!) libraries.
                                      The recent pfSense uses the more modern OpenVPN and OpenSSL.

                                      All this means that some options won't work anymore.
                                      Some more options will work, but will be deprecated soon (as usual).
                                      I use OpenVPN myself, so I always have a look at the "source" : web pages like this and the classic openvpn support forum.

                                      The OpenVPN client also changed to support the newer OpenVPN server.

                                      And yes, I agree, syncing the entire openvpn user fleet can be a hassle.


                                      1 Reply Last reply Reply Quote 0
                                      • GertjanG Gertjan referenced this topic on May 31, 2024, 1:47 PM
                                      • GertjanG Gertjan referenced this topic on Oct 24, 2024, 2:02 PM
                                      • GertjanG Gertjan referenced this topic on Jan 30, 2025, 2:03 PM
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.