Supported OpenVPN Capabilities
-
Hi Guys
Just wondering which OpenVPN capabilities are NOT supported; I just want to make sure I'm not using them in my config.
-
As far as I know, nothing is unsupported.
A few options might not be available directly through the GUI, but you can always add custom options. Could you be a bit more clear on what you are trying to achieve?
-
Hi Guys
Ok, below are my server and client configs. I just want to make sure all these settings will work. In particular "fragment 1200" on the server and client, and "mssfix 1200" and "route-method exe" on the client; these are settings I needed to get some Vista clients working on a previous OpenVPN server on another machine.
Why are user nobody and group nobody commented out in the default install of OpenVPN on pfSense?
The immediate problem I see is that I have user nobody and group nobody in the client config but not in the server config; will this be a problem?
Another question: do I have to push all of the routes to my directly attached networks on the pfSense router? I.e. I have OPT3 and OPT4 with subnet addresses of 192.168.3.0/24 and 192.168.4.0/24. Do I need to push these routes to the clients?
Server config:

writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto udp
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
client-to-client
server 192.168.2.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 192.168.1.0 255.255.255.0"
lport 1194
push "dhcp-option NBT 1"
ca /var/etc/openvpn_server0.ca
cert /var/etc/openvpn_server0.cert
key /var/etc/openvpn_server0.key
dh /var/etc/openvpn_server0.dh
comp-lzo
persist-remote-ip
float
fragment 1200
tls-auth /var/etc/ta.key 0
tls-server
persist-remote-ip
push "dhcp-option DNS 192.168.1.1"

Client config:

client
proto udp
dev tun
ca ca.crt
dh dh2048.pem
cert username.crt
key username.key
remote 203.xxx.xxx.xxx 1194
tls-auth ta.key 1
cipher BF-CBC
user nobody
group nogroup
verb 2
mute 20
fragment 1200
mssfix 1200
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind
route-method exe
route-delay 2
ns-cert-type server
-
> Ok, below are my server and client configs. I just want to make sure all these settings will work. In particular "fragment 1200" on the server and client, and "mssfix 1200" and "route-method exe" on the client; these are settings I needed to get some Vista clients working on a previous OpenVPN server on another machine.
The field "Custom options" is what you are looking for :)
Just add your commands. Also, route-method is only on the Vista client, I suppose, so it won't have any impact on pfSense.
> Why are user nobody and group nobody commented out in the default install of OpenVPN on pfSense?
> The immediate problem I see is that I have user nobody and group nobody in the client config but not in the server config; will this be a problem?
I'm not really sure. I suppose the developer that made the OpenVPN part could answer that.
No, it won't be a problem.
This only defines what rights the OpenVPN process has after the tunnel has been initialized.
Different settings on the client and server have no effect on each other.
From the OpenVPN 2.0 manpage (http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html):
--user user
Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session. Though OpenVPN's security features make this unlikely, it is provided as a second line of defense.
By setting user to nobody or somebody similarly unprivileged, the hostile party would be limited in what damage they could cause. Of course once you take away privileges, you cannot return them to an OpenVPN session. This means, for example, that if you want to reset an OpenVPN daemon with a SIGUSR1 signal (for example in response to a DHCP reset), you should make use of one or more of the --persist options to ensure that OpenVPN doesn't need to execute any privileged operations in order to restart (such as re-reading key files or running ifconfig on the TUN device).
> Another question: do I have to push all of the routes to my directly attached networks on the pfSense router? I.e. I have OPT3 and OPT4 with subnet addresses of 192.168.3.0/24 and 192.168.4.0/24. Do I need to push these routes to the clients?
Yes, you need a push for every subnet that your clients need access to.
The field "local network" adds one of these pushes.
All additional pushes --> custom options.
I see that you have tls-auth in your current config:
If you really "need" that, you need to add the tls file manually.
I think there is a thread around somewhere from someone who did that.
Not sure if/how that worked.
(Could you leave it out?)
EDIT: found it :)
Enable TLS Auth support: http://forum.pfsense.org/index.php/topic,2747.0.html
How do I make my ta.key permanent? http://forum.pfsense.org/index.php/topic,7956.0.html
-
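An added config sanity check (example code written for this page, not from the thread or from pfSense) that parses an OpenVPN config and tests the three points raised above: whether --user/--group is paired with the --persist options the manpage quote calls for, whether mssfix exceeds fragment, and whether each local subnet has its own push "route". The two configs inside are constructed, modelled on the ones posted earlier in the thread.

```python
# Added example (not from the thread): checks an OpenVPN config for the points
# discussed above. Both configs are constructed, modelled on the ones posted.
import ipaddress
SERVER_CFG = """\
#user nobody
server 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
fragment 1200
"""
CLIENT_CFG = """\
user nobody
group nogroup
fragment 1200
mssfix 1200
persist-key
"""  # persist-tun deliberately left out to trigger the check

def parse_config(text):
    """Return (option, args) tuples; '#' starts a comment, as in OpenVPN."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries

def check_privilege_drop(entries):
    """After --user/--group a SIGUSR1 restart needs --persist-key/--persist-tun."""
    opts = {o for o, _ in entries}
    if not {"user", "group"} & opts:
        return []
    return [f"{p} missing: restart after privilege drop will fail"
            for p in ("persist-key", "persist-tun") if p not in opts]

def check_fragment_mssfix(entries):
    """mssfix should not exceed fragment, or TCP segments still get fragmented."""
    v = {o: int(a[0]) for o, a in entries if o in ("fragment", "mssfix") and a}
    bad = "fragment" in v and "mssfix" in v and v["mssfix"] > v["fragment"]
    return ["mssfix larger than fragment"] if bad else []

def missing_route_pushes(entries, local_subnets):
    """Every local subnet the clients must reach needs its own push 'route'."""
    pushed = set()
    for o, a in entries:
        inner = " ".join(a).strip('"').split()
        if o == "push" and len(inner) == 3 and inner[0] == "route":
            pushed.add(ipaddress.ip_network(f"{inner[1]}/{inner[2]}"))
    return [s for s in local_subnets if ipaddress.ip_network(s) not in pushed]
```

Run against the server config with the thread's OPT3/OPT4 subnets, missing_route_pushes reports 192.168.3.0/24 and 192.168.4.0/24 as not yet pushed.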
> I see that you have tls-auth in your current config:
> If you really "need" that, you need to add the tls file manually.
> I think there is a thread around somewhere from someone who did that.
> Not sure if/how that worked.
> (Could you leave it out?)
> EDIT: found it :)
> Enable TLS Auth support: http://forum.pfsense.org/index.php/topic,2747.0.html
> How do I make my ta.key permanent? http://forum.pfsense.org/index.php/topic,7956.0.html
Thanks for all your help. I've got all the TLS stuff under wraps; I've already had a read about all that.