Cryptography - Can it be changed and how?



  • I've got OpenVPN working with BF-CBC, but I was thinking about trying something else and cannot get it to work after the change.  I'm currently able to connect from a client computer into pfSense, but as soon as I change the cryptography for the server, the client no longer connects.  I'm not sure if there is something I need to do after changing the setting, like rebooting the pfSense box, or if that should be a seamless process.  When I originally generated the keys and certs, I did it using the client PC under the OpenVPN program.  I then pasted them into pfSense and wherever else I needed them.  I am guessing I need to have a client that supports the cryptography type, but I don't know if that is the case.

    Thanks in advance.



  • You have to specify the cipher in the client config if you change the server.



  • Would that be the ca.crt file?  Because my client didn't have me specify BF-CBC anywhere in the configuration.



  • Because BF-CBC is the default, if you use something else you have to specify it. The actual client config, not the certs, usually something.ovpn. Just use the same line as the server config has, which you can find by running from Diag>Command:
    grep cipher /var/etc/openvpn_server0.conf

    assuming it's your first OpenVPN server. If it's the second, change that to server1, etc.
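    The check described above, as an added example that is not part of the thread: it reads the "cipher" directive from a server config and a client .ovpn, falls back to BF-CBC when a file has none (the default the thread relies on), and reports the exact line the client is missing. The two config files are constructed inline; on pfSense you would point it at /var/etc/openvpn_server0.conf and your real .ovpn instead.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the older OpenVPN
# behaviour where a single "cipher" directive selects the data cipher
# and BF-CBC is used when the directive is absent.

# Constructed sample configs standing in for
# /var/etc/openvpn_server0.conf and a client's something.ovpn.
SERVER_CONF=$(mktemp)
CLIENT_CONF=$(mktemp)
trap 'rm -f "$SERVER_CONF" "$CLIENT_CONF"' EXIT
cat >"$SERVER_CONF" <<'EOF'
dev ovpns0
proto udp
cipher AES-256-CBC
auth SHA256
EOF
cat >"$CLIENT_CONF" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
EOF

# effective_cipher FILE: print the cipher the config will use.
# Only uncommented lines whose first word is "cipher" count; the last
# one wins, and BF-CBC is printed when there is none (OpenVPN default).
effective_cipher() {
    awk '$1 == "cipher" { c = $2 }
         END { print (c == "" ? "BF-CBC" : c) }' "$1"
}

# cipher_match SERVER CLIENT: return 0 if both sides agree, 1 otherwise,
# printing the "cipher" line the client config needs when they differ.
cipher_match() {
    s=$(effective_cipher "$1")
    c=$(effective_cipher "$2")
    if [ "$s" = "$c" ]; then
        echo "OK: both sides use $s"
        return 0
    fi
    echo "MISMATCH: server uses $s, client would use $c"
    echo "Add this line to the client config: cipher $s"
    return 1
}

cipher_match "$SERVER_CONF" "$CLIENT_CONF"
```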



  • Looked through my config for the client and found the cipher setting, but it was being ignored, so I am trying to force it to something else.  I'll post again if I have problems; thanks for your help CMB!



  • Success!  Thanks CMB!  That makes sense; I guess I just happened to luck out that the client had the same default cipher as pfSense.  Now to work the magic with a DD-WRT router; I've heard they are a bear to get working.

