Supported OpenVPN Capabilities



  • Hi Guys

    Just wondering what OpenVPN capabilities are NOT supported, just want to make sure I'm not using them in my config.



  • As far as I know, nothing is unsupported.
    A few options might not be available directly through the GUI, but you can always add custom options.

    Could you be a bit more clear on what you are trying to achieve?



  • Hi Guys

    Ok below are my server and client configs. Just want to make sure all these settings will work. In particular "fragment 1200" on the server and client and "mssfix 1200", "route-method exe" on the client, these are settings I needed to get some Vista clients working on a previous OpenVPN server on another server.

    Why is user nobody and group nobody commented out in the default install of OpenVPN on pfSense?
    My immediate problem I see is that I have user nobody and group nobody on the client config but not in the server, will this be a problem?

    Another question is, do I have to push all of the routes to my directly attached networks on the pfSense router? i.e. I have OPT3 and OPT4 with subnet addresses of 192.168.3.0/24 and 192.168.4.0/24. Do I need to push these routes to the clients?


    Server

    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto udp
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    client-to-client
    server 192.168.2.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    push "route 192.168.1.0 255.255.255.0"
    lport 1194
    push "dhcp-option NBT 1"
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    comp-lzo
    persist-remote-ip
    float
    fragment 1200
    tls-auth /var/etc/ta.key 0
    tls-server
    persist-remote-ip
    push "dhcp-option DNS 192.168.1.1"

    Client

    client
    proto udp
    dev tun
    ca ca.crt
    dh dh2048.pem
    cert username.crt
    key username.key
    remote 203.xxx.xxx.xxx 1194
    tls-auth ta.key 1
    cipher BF-CBC
    user nobody
    group nogroup
    verb 2
    mute 20
    fragment 1200
    mssfix 1200
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    float
    resolv-retry infinite
    nobind
    route-method exe
    route-delay 2
    ns-cert-type server



  • Ok below are my server and client configs. Just want to make sure all these settings will work. In particular "fragment 1200" on the server and client and "mssfix 1200", "route-method exe" on the client, these are settings I needed to get some Vista clients working on a previous OpenVPN server on another server.

    The field "Custom options" is what you are looking for :)
    Just add your commands.

    Also the route-method is only on the Vista client, I suppose. So it won't have any impact on pfSense.

    Why is user nobody and group nobody commented out in the default install of OpenVPN on pfSense?
    My immediate problem I see is that I have user nobody and group nobody on the client config but not in the server, will this be a problem?

    I'm not really sure. I suppose the developer that made the OpenVPN part could answer that.
    No, it won't be a problem.
    This only defines what rights the OpenVPN process has after the tunnel has been initialized.
    Different settings on the client and server have no effect on each other.
    @http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html:

    --user user
        Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session. Though OpenVPN's security features make this unlikely, it is provided as a second line of defense.

    By setting user to nobody or somebody similarly unprivileged, the hostile party would be limited in what damage they could cause. Of course once you take away privileges, you cannot return them to an OpenVPN session. This means, for example, that if you want to reset an OpenVPN daemon with a SIGUSR1 signal (for example in response to a DHCP reset), you should make use of one or more of the --persist options to ensure that OpenVPN doesn't need to execute any privileged operations in order to restart (such as re-reading key files or running ifconfig on the TUN device).

    Another question is, do I have to push all of the routes to my directly attached networks on the pfSense router? i.e. I have OPT3 and OPT4 with subnet addresses of 192.168.3.0/24 and 192.168.4.0/24. Do I need to push these routes to the clients?

    Yes you need a push for every subnet to which your clients need access.
    The field "local network" adds one of these pushes.
    All additional pushes -> custom options.

    I see that you have in your current config tls-auth:
    If you really "need" that you need to add the tls-file manually.
    I think there is somewhere a thread around from someone that did that.
    Not sure if/how that worked.
    (could you leave it out?)

    EDIT: found it :)
    Enable TLS Auth support: http://forum.pfsense.org/index.php/topic,2747.0.html
    How do I make my ta.key permanent? http://forum.pfsense.org/index.php/topic,7956.0.html
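    As an added example (not part of the original post), a small Python lint that checks a server/client pair for the points raised in this thread: user/group paired with the persist options the man page excerpt asks for, matching fragment values, complementary tls-auth key directions, and a push "route" for every subnet behind the server. The function names parse, lint and lint_posted are my own; SERVER and CLIENT are trimmed copies of the posted configs.

```python
"""Added example, not from the thread: lint an OpenVPN server/client pair for
the points discussed above. SERVER/CLIENT are trimmed copies of the posted configs."""
def parse(text: str) -> dict:
    """Map option name -> list of argument lists. '#' starts a comment."""
    opts: dict = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', "").split()   # unquote push "..." args
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def lint(server: dict, client: dict, local_nets: list) -> list:
    """Return findings; an empty list means nothing to report."""
    out, cfgs = [], {"server": server, "client": client}
    for name, cfg in cfgs.items():
        # Man page: a dropped-privilege process needs persist-key/persist-tun to restart.
        if "user" in cfg or "group" in cfg:
            out += [f"{name}: user/group set but {p} missing"
                    for p in ("persist-key", "persist-tun") if p not in cfg]
    # fragment changes the datagram format on the link: both peers need the same value.
    frag = {n: c.get("fragment", [["-"]])[0][0] for n, c in cfgs.items()}
    if frag["server"] != frag["client"]:
        out.append(f"fragment differs: {frag}")
    # tls-auth key direction must be complementary: 0 on one side, 1 on the other.
    dirs = {(c["tls-auth"][0] + ["-"])[1] for c in cfgs.values() if "tls-auth" in c}
    if dirs and dirs != {"0", "1"}:
        out.append(f"tls-auth directions should be 0 and 1, got {sorted(dirs)}")
    # Each subnet behind the server that clients must reach needs its own push "route".
    pushed = {" ".join(a[1:3]) for a in server.get("push", []) if a[:1] == ["route"]}
    out += [f"no push route for {net}" for net in local_nets if net not in pushed]
    return out

SERVER = """#user nobody
#group nobody
push "route 192.168.1.0 255.255.255.0"
fragment 1200
tls-auth /var/etc/ta.key 0
"""
CLIENT = """tls-auth ta.key 1
user nobody
group nogroup
fragment 1200
persist-key
persist-tun
"""
def lint_posted() -> list:
    # OPT3/OPT4 from the question: 192.168.3.0/24 and 192.168.4.0/24 are not pushed.
    nets = ["192.168.1.0 255.255.255.0", "192.168.3.0 255.255.255.0", "192.168.4.0 255.255.255.0"]
    return lint(parse(SERVER), parse(CLIENT), nets)
```

    Run lint_posted() to see the two missing push routes; the user/group mismatch between the posted configs produces no finding, matching the answer above.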



  • I see that you have in your current config tls-auth:
    If you really "need" that you need to add the tls-file manually.
    I think there is somewhere a thread around from someone that did that.
    Not sure if/how that worked.
    (could you leave it out?)

    EDIT: found it :)
    Enable TLS Auth support: http://forum.pfsense.org/index.php/topic,2747.0.html
    How do I make my ta.key permanent? http://forum.pfsense.org/index.php/topic,7956.0.html

    Thanks for all your help. I got all the tls stuff under wraps, I've already had a read about all that.

