OpenVPN user/pass
-
Just a couple of notes with OpenVPN:
1. A lot of VPN hosts now offer OpenVPN connectivity, but they need the 'auth-user-pass' config to be used. Yes, I know it's not 'proper' OpenVPN usage since they use a common cert across all clients, but if people want to use their pfSense's to anonymize traffic, then they should. auth-user-pass point blank doesn't work in 1.2.3 (need OpenVPN to be compiled with ./configure --enable-password-save), but in 2.0 it does work, however it's necessary to create a file with 2 lines user/pass and add 'auth-user-pass /path/to/2linepasswordfile.up'. The problem of course is that the openvpn.conf file is created on the fly at boot up from the config.xml, so unless the user/pass file is stored in a different location to /var/etc, it will be lost across reboots on nanobsd installs.
As such, can we add user pass as optional fields in the OpenVPN client form and build the 2 line file from the config.xml along with the other .conf files?
2. Proxy details in the OpenVPN client config should also have user/pass details as well.
3. I'm not sure if pfSense does this or not by default, or whether the 'engine dynamic' option of OpenVPN and OpenSSL automatically figure out to use 'engine cryptodev' on machines with a hifn/AMD Geode/VIA padlock, but if the hardware supports it, it should take full advantage of it by default as the performance increase is huge :)
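A sketch of what point 1 asks for, added here as an example and not pfSense code: it reads user/pass from a constructed config.xml fragment (the auth_user/auth_pass tag names are assumed), writes the two-line credentials file next to the generated .conf with owner-only permissions, and emits the auth-user-pass directive. Regenerating the file from config.xml at every boot is what keeps it from being lost on nanobsd.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed config.xml fragment; <auth_user>/<auth_pass> are the
# hypothetical fields proposed in the thread, not real pfSense tags.
SAMPLE_CONFIG_XML = """<pfsense><openvpn>
  <openvpn-client>
    <vpnid>1</vpnid>
    <server_addr>vpn.example.net</server_addr>
    <server_port>1194</server_port>
    <auth_user>alice</auth_user>
    <auth_pass>s3cret</auth_pass>
  </openvpn-client>
</openvpn></pfsense>"""

def write_credentials_file(path, user, password):
    """Write the two-line user/pass file OpenVPN reads; owner-only perms."""
    if "\n" in user or "\n" in password:
        raise ValueError("a newline would break the two-line file format")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"{user}\n{password}\n")
    os.chmod(path, 0o600)  # enforce even if the file pre-existed with wider perms

def render_client_config(client, cred_dir):
    """Build one client's openvpn.conf text from its config.xml node."""
    lines = ["client",
             f"remote {client.findtext('server_addr')} {client.findtext('server_port')}"]
    user, password = client.findtext("auth_user"), client.findtext("auth_pass")
    if user is not None and password is not None:
        # Regenerated at every boot alongside the .conf, so it survives
        # nanobsd reboots without being stored anywhere but config.xml.
        up_path = os.path.join(cred_dir, f"openvpn{client.findtext('vpnid')}.up")
        write_credentials_file(up_path, user, password)
        lines.append(f"auth-user-pass {up_path}")
    return "\n".join(lines) + "\n"

def demo():
    """Run the builder on the sample in a scratch dir; return what it produced."""
    cred_dir = tempfile.mkdtemp()
    root = ET.fromstring(SAMPLE_CONFIG_XML)
    conf = render_client_config(root.find("openvpn/openvpn-client"), cred_dir)
    up_path = os.path.join(cred_dir, "openvpn1.up")
    with open(up_path) as f:
        content = f.read()
    return conf, content, stat.S_IMODE(os.stat(up_path).st_mode)
```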
-
#1 and 2 will be added soon as we're wrapping up the OpenVPN changes in 2.0. #3 is documented, you can add that as a custom option in all versions.
-
Excellent!
Regarding point 3, I see there's a ton of FreeBSD talk about this… There's also a patch for cryptodev (http://people.freebsd.org/~pjd/patches/hw_cryptodev.c.patch) allowing more hw accelerated algorithms available to OpenSSL. Can you confirm pfSense 2.0 has this? Using aes256 and md5/sha1 hw acceleration will benefit ALIX/nanobsd to an unbelievable extent though...
Sorry I can't test this myself yet, but I need squid implemented (any chance of http://docs.huihoo.com/gnu_linux/squid/html/x2398.html also?) and interface configs (I believe there's still a big thorn with em / e1000 drivers?) to work like a dream before I can really put pfSense 2.0 through its paces in earnest, but the work you guys've done so far is very, very positive :)
-
Squid isn't developed or maintained by us ("us" being those who work on the base system). dvserg said he'll fix it at some point. As for any enhancements, he'll have to answer that.
The em driver problems appear to be gone since switching to RELENG_8 and adding a couple patches to fix edge cases like lagg.
The cryptodev patch you linked is nearing 5 years old, and on a file that doesn't even exist in RELENG_8. Doubt it's applicable anymore. Last I tested, with 7.2, every algorithm we support was properly accelerated. It's not that much of an improvement with glxsb, though the hifn cards are considerably faster.