Removing auto added rules + ns-cert-type issues



  • 2 questions

    In http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3 it appears one may add filtering capabilities to OpenVPN by removing the auto-added rules (or perhaps disabling them) after the tunnel is created.

    I have a setup working (but see below) and seem not to be able to block clients from surfing. What I am trying is one specific thing, to make clients use a specific DNS server, by allowing that one and then disallowing all others.

    I have added interfaces and so on.

    Obviously the "allow all" rule for OpenVPN clients is in use. It appears I cannot do a full block either.

    Is there a way for me to remove the auto-added rules afterwards, or do I have to re-install the whole FW? I did add the first tunnel with the auto-added rules setting active.

    On to the second question: a weird cert problem with "ns-cert-type server".

    I'm aware this is perhaps an OpenVPN issue rather than a pfSense one, but maybe someone could comment.

    My setup is working very well it seems, but I would like to add a few tweaks. One that to my surprise is not working is the ns-cert-type server setting in the client's config. I get errors (somewhat) clearly stating issues with it, and after commenting that line out everything works.

    This is interesting for several reasons. First, several docs make use of this, like http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN. Also the easy-rsa docs mention it; in the example client config file the following appears:

    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.
    ns-cert-type server

    So, since I indeed used the OpenVPN build-key.bat script (on Win32 obviously), I find it very interesting that the produced server certificate is not accepted by OpenVPN.

    Content from script below:

    @echo off
    cd %HOME%
    rem build a request for a cert that will be valid for ten years
    openssl req -days 3650 -nodes -new -keyout %KEY_DIR%%1.key -out %KEY_DIR%%1.csr -config %KEY_CONFIG%
    rem sign the cert request with our ca, creating a cert/key pair
    openssl ca -days 3650 -out %KEY_DIR%%1.crt -in %KEY_DIR%%1.csr -extensions server -config %KEY_CONFIG%
    rem delete any .old files created in this process, to avoid future file creation errors
    del /q %KEY_DIR%*.old

    Everything else with server and client certificates is working.

    Does anyone have any ideas to share? What am I missing?
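    A quick way to check the second problem is to inspect the server certificate itself: the client's "ns-cert-type server" directive only accepts a certificate whose Netscape Cert Type extension contains "SSL Server", which the signing step adds only when the `-extensions server` section actually sets nsCertType=server. The script below is an added example, not part of this post or of easy-rsa; it assumes the openssl CLI is installed, builds a throwaway demo CA and signs one CSR twice (with and without the extension), then checks each result the way a client would.

```shell
#!/bin/sh
# Added example: verify whether a certificate carries nsCertType=server.
# Assumes the openssl command-line tool is available; all keys and
# certificates below are constructed on the fly for the demo only.
set -e
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed demo CA (throwaway, self-signed).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# One server CSR, to be signed twice with different extension sections.
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# Extension set equivalent to easy-rsa's "[ server ]" section
# (what "openssl ca ... -extensions server" is expected to apply).
printf 'basicConstraints=CA:FALSE\nnsCertType=server\nextendedKeyUsage=serverAuth\n' \
  > "$WORK/server.ext"
# A section that forgets nsCertType: this is the failing case.
printf 'basicConstraints=CA:FALSE\n' > "$WORK/plain.ext"

openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -extfile "$WORK/server.ext" \
  -out "$WORK/with_ns.crt" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -extfile "$WORK/plain.ext" \
  -out "$WORK/without_ns.crt" 2>/dev/null

# Returns 0 when the certificate's Netscape Cert Type extension lists
# "SSL Server" (the value on the line following the extension header).
has_ns_cert_type_server() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

# Demonstration: the same CSR passes or fails purely on the extension.
if has_ns_cert_type_server "$WORK/with_ns.crt"; then
  echo "with_ns.crt: nsCertType=server present, ns-cert-type server would accept it"
fi
if ! has_ns_cert_type_server "$WORK/without_ns.crt"; then
  echo "without_ns.crt: nsCertType missing, ns-cert-type server would reject it"
fi
```

    Run the same `has_ns_cert_type_server` check against the real server.crt produced by the batch script to see whether the "server" section in openssl.cnf actually set the field.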



  • After having thought a bit more about the wording in the pfSense book at 15.6.2, I believe I may have made an incorrect assumption. It looks like one may at any time enable or disable them using that setting at System | Advanced.

    If this is the case, can someone help me understand why the FW rules for the interface aren't working?

    TIA,
