I need BF-CBC
-
I understand the security implications.
However, I have some old legacy devices that only support BF-CBC. They are in the process of being replaced, but until this happens I need to get them to connect to the OpenVPN tunnel.
24.11-RELEASE (amd64)
built on Fri Nov 22 15:34:00 AEDT 2024
FreeBSD 15.0-CURRENT
What's the best way to add support for BF-CBC for OpenVPN?
-
@ipguy It is ancient at this point, you would probably need to run a very old build of pfSense.
Although the solution someone posted here might work, if support is compiled in.
https://forums.openvpn.net/viewtopic.php?t=35809#p111709
-
@chrcoluk said in I need BF-CBC:
@ipguy It is ancient at this point, you would probably need to run a very old build of pfSense.
Although the solution someone posted here might work, if support is compiled in.
https://forums.openvpn.net/viewtopic.php?t=35809#p111709
Hey thanks, compiled in to what specifically?
-
@ipguy said in I need BF-CBC:
https://forums.openvpn.net/viewtopic.php?t=35809#p111709
These OpenVPN options:
providers legacy default
data-ciphers-fallback BF-CBC
compat-mode 2.3.18
check if they still exist in the version used by pfSense.
First: check the OpenVPN version used by pfSense. Then, with that version number, look them up in the OpenVPN user manual.
If it's the case, then use them here: for example, I use the option
status /var/log/openvpn.status; status-version 1;
for my own needs.
When you saved these options, check how OpenVPN starts up (the logs) and see if it doesn't scream with errors.
Also check the openvpn config file (the one created with the GUI parameters) for consistency.
You can find the file here:
/var/etc/openvpn/server1/ and look for the file "config.ovpn". It's an ordinary text file.
Don't (bother) edit(ing) this file as it is auto generated by the GUI.
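The consistency check described in the post above can be scripted; this is an added example, not part of the original thread and not pfSense's own tooling. It reads a generated config, reports which of the three options are actually active (a line starting with `;` or `#` is a comment to OpenVPN), and counts "Options error" lines in a log. The function names, the sample config and the sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample files below are constructed.

# Print the arguments of directive $2 in OpenVPN config $1 (empty if absent).
# Lines starting with '#' or ';' are comments in OpenVPN configs and are skipped.
directive_args() {
    awk -v d="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print "ok" and return 0 if the three options from the thread are active,
# otherwise print which ones are missing and return 1.
check_legacy_cipher_config() {
    missing=""
    case " $(directive_args "$1" providers) " in
        *" legacy "*) ;;
        *) missing="$missing providers" ;;
    esac
    [ "$(directive_args "$1" data-ciphers-fallback)" = "BF-CBC" ] ||
        missing="$missing data-ciphers-fallback"
    [ -n "$(directive_args "$1" compat-mode)" ] ||
        missing="$missing compat-mode"
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Count "Options error" lines in an OpenVPN log file (prints 0 if none).
count_option_errors() {
    grep -c 'Options error' "$1" || true
}

# Constructed samples: a config with one option commented out, and one log line.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config.ovpn" <<'EOF'
dev ovpns1
providers legacy default
;data-ciphers-fallback BF-CBC
compat-mode 2.3.18
EOF
printf '%s\n' 'Options error: Unrecognized option or missing or extra parameter(s) in config.ovpn:2: providers' > "$SAMPLE_DIR/openvpn.log"

check_legacy_cipher_config "$SAMPLE_DIR/config.ovpn" || true
count_option_errors "$SAMPLE_DIR/openvpn.log"
```

On pfSense the first argument would be the generated file under /var/etc/openvpn/server1/ mentioned above.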