ableounceony Posted ...
In the guide for setting up pfSense 2.3 with AirVPN, there are several OpenVPN options that he's got going into the pfSense Custom Option area that I'm wondering about for pfSense 2.4.3. If anyone can help with these, I'd appreciate it:
- "keepalive 5 30": That's supposed to be a shortcut type of option to help set OpenVPN's --ping and --ping-restart options. Does anyone know what the defaults are or what, if anything, AirVPN pushes from its servers? Do I actually need "keepalive" in my client's setup?
- "keysize 256": First, this has been deprecated and will be removed in OpenVPN 2.6. But, regardless, since we pick specific encryption algorithms and keysizes in the menus of pfSense 2.4.3 (VPN > OpenVPN > Clients > Encryption Algorithm (and NCP Algorithms)), is this even needed? More importantly, couldn't it lead to conflicts?
- "key-method 2": As with "keysize", this has been deprecated and removed in OpenVPN 2.5. Apparently, it specifies the data channel key negotiation method. It looks like this might be handled by pfSense's "TLS Key Usage Mode". Anyone know if that's true and what it should be set to for AirVPN?
- "mlock": Disables paging so someone can't use the swap file to gather secured information. But according to the OpenVPN manual, it requires that OpenVPN be initially run as root. Does anyone know if pfSense 2.4.3 even does that? Should I use this?
- "prng sha512 64": According to the OpenVPN manual, that's using sha512 as the digest algorithm with a nonce size of 64 bytes. I really don't even know what that means. But, my default AirVPN hardware key uses SHA1 and pfSense's "Auth digest algorithm" is set to SHA1. Is this a conflict?
go558a83nk Posted ...
...In the guide for setting up pfSense 2.3 with AirVPN, there are several OpenVPN options that he's got going into the pfSense Custom Option area that I'm wondering about for pfSense 2.4.3. If anyone can help with these, I'd appreciate it...

prng is pseudo random number generator. Apparently there were/are some hardware random number generators that were/are flawed. This is a way to be a little more secure.
amires Posted ...
...In the guide for setting up pfSense 2.3 with AirVPN, there are several OpenVPN options that he's got going into the pfSense Custom Option area that I'm wondering about for pfSense 2.4.3. If anyone can help with these, I'd appreciate it...

Hi, I remember a while back I spent some time with these custom options and trying them all. Most of these options are either the default values or are unnecessary. You can check the generated openvpn config file at /var/etc/openvpn/client1.conf and see the full config.
These are the only options you need and nothing more:
auth-nocache;mlock;remote-cert-tls server;explicit-exit-notify 5
I have been running my pfsense box using only these four custom options for a while now and never had any issues.
ableounceony Posted ...
Thanks for the path to pfSense's OpenVPN config file. With that, I can see what pfSense generates from its OpenVPN settings and do some experimenting. I've been running with a handful of options for over a year now (that I picked up from several pfSense/OpenVPN/AirVPN guides). I recently realized that there were several options in AirVPN's .ovpn file that I hadn't added in to pfSense and decided I'd better be a bit more rigorous in finding out what I'd done.

EDIT: And, I did find a post over on the pfSense forums that pfSense does run OpenVPN as root. So, the mlock option does look like it will work there.
ableounceony Posted ...
...These are the only options you need and nothing more: auth-nocache;mlock;remote-cert-tls server;explicit-exit-notify 5 I have been running my pfsense box using only these four custom options for a while now and never had any issues...

Looking on the OpenVPN manual pages on the web, I see the following under the --daemon option:

Note: as soon as OpenVPN has daemonized, it can not ask for usernames, passwords, or key pass phrases anymore. This has certain consequences, namely that using a password-protected private key will fail unless the --askpass option is used to tell OpenVPN to ask for the pass phrase (this requirement is new in v2.3.7, and is a consequence of calling daemon() before initializing the crypto layer). Further, using --daemon together with --auth-user-pass (entered on console) and --auth-nocache will fail as soon as key renegotiation (and reauthentication) occurs.

That worries me since the pfSense config file does have a daemon section (at least I think that's what I'm seeing).
ableounceony Posted ...
Looking at my /var/etc/openvpn/client2.conf file, it looks like pfSense automatically includes a keepalive option under the daemon section:
keepalive 10 60
Currently, I've got a keepalive option in the Custom Options section and it shows up in the client section:
keepalive 5 30
Does it matter where keepalive is in the file? IOW, is keepalive under daemon different from keepalive under client? Right now, I'm assuming they're the same and that I should just remove mine from the Custom Options section.

EDIT: And, it looks like I've got the same questions for:
persist-tun
persist-key
pfSense automatically adds them to the daemon section, but I've also added them to the client section via Custom Options.
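The questions in this thread (does keepalive 5 30 in Custom Options clash with the keepalive 10 60 pfSense writes itself, are persist-tun/persist-key duplicates a problem, which of keysize/key-method/prng are on their way out, and the --daemon plus --auth-nocache caveat quoted above from the manual) can all be answered mechanically by reading the generated /var/etc/openvpn/clientN.conf. The linter below is an added example, not code from any poster, from pfSense or from OpenVPN. It expands keepalive into the ping and ping-restart directives the OpenVPN manual says it stands for on a client, then reports conflicting, redundant and deprecated directives. The SAMPLE config is constructed to mirror what the posts describe (pfSense's own keepalive 10 60, persist-tun and persist-key followed by the custom options) and is not a real pfSense file; the removal versions in DEPRECATED are the ones cited in this thread.

```python
"""Lint an OpenVPN client config for duplicate, conflicting and deprecated
directives, e.g. the /var/etc/openvpn/clientN.conf that pfSense generates
with the GUI's custom options appended after its own directives."""
from collections import defaultdict

# Directive -> release in which it goes away (versions as cited in the thread).
DEPRECATED = {"keysize": "2.6", "key-method": "2.5", "prng": "2.6"}

# Directives OpenVPN accumulates, so repeating them is normal, not a clash.
ACCUMULATING = {"remote", "route", "route-ipv6", "push", "dhcp-option",
                "pull-filter", "setenv"}

def parse(text):
    """Return [(lineno, directive, args)]; blank lines and '#'/';' comments
    are skipped (inline <ca>...</ca> blocks are not handled, pfSense uses files)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        entries.append((lineno, parts[0], parts[1:]))
    return entries

def expand_keepalive(entries):
    """On a client, 'keepalive n m' is shorthand for 'ping n' plus
    'ping-restart m' (OpenVPN manual); rewrite it so that a keepalive line
    and an explicit ping line are compared as the same setting."""
    out = []
    for lineno, d, args in entries:
        if d == "keepalive" and len(args) == 2:
            out.append((lineno, "ping", args[0], "keepalive"))
            out.append((lineno, "ping-restart", args[1], "keepalive"))
        else:
            out.append((lineno, d, " ".join(args), d))
    return out

def lint(text):
    """Return a list of (kind, directive, detail) findings."""
    findings, entries = [], parse(text)
    seen = defaultdict(list)            # directive -> [(lineno, value, origin)]
    for lineno, d, value, origin in expand_keepalive(entries):
        seen[d].append((lineno, value, origin))

    for d, occ in seen.items():
        if d in DEPRECATED:
            findings.append(("deprecated", d,
                             "deprecated; gone in OpenVPN %s" % DEPRECATED[d]))
        if len(occ) < 2 or d in ACCUMULATING:
            continue
        where = ", ".join("line %d%s" % (ln, "" if o == d else " (via %s)" % o)
                          for ln, _, o in occ)
        if len({v for _, v, _ in occ}) == 1:
            findings.append(("redundant", d, "repeated with the same value at " + where))
        else:
            # OpenVPN assigns simple options as it parses, so the last line wins.
            findings.append(("conflict", d, "set to %s at %s; the last occurrence wins"
                             % (" vs ".join(v for _, v, _ in occ), where)))

    # The --daemon caveat from the manual: credentials typed at the console
    # cannot be asked for again once daemonized, so auth-nocache breaks renegotiation.
    present = {d for _, d, _ in entries}
    if {"daemon", "auth-nocache"} <= present:
        if any(d == "auth-user-pass" and not args for _, d, args in entries):
            findings.append(("interaction", "auth-nocache",
                             "with --daemon and console-entered --auth-user-pass, "
                             "renegotiation fails (see --daemon in the manual)"))
    return findings

# Constructed sample modelled on the thread: pfSense's own directives
# (keepalive 10 60, persist-tun, persist-key) followed by the custom options.
# Not a real pfSense file; the remote address is a TEST-NET placeholder.
SAMPLE = """\
daemon
keepalive 10 60
persist-tun
persist-key
auth SHA1
remote 203.0.113.10 443
# --- custom options appended from the GUI ---
keepalive 5 30
persist-tun
persist-key
keysize 256
key-method 2
mlock
prng sha512 64
auth-nocache
remote-cert-tls server
explicit-exit-notify 5
"""

if __name__ == "__main__":
    for kind, d, detail in lint(SAMPLE):
        print("%-10s %-13s %s" % (kind, d, detail))
```

To check a live box, read /var/etc/openvpn/clientN.conf into lint() instead of SAMPLE. The "conflict" findings are the ones worth acting on: on the sample, the custom keepalive 5 30 silently overrides pfSense's keepalive 10 60 because it comes later in the file, while the repeated persist-tun/persist-key lines are merely redundant. The interaction check only fires for auth-user-pass with no file argument, which is the console-entry case the manual warns about; a certificate-only setup like the AirVPN one discussed here never triggers it.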
ableounceony Posted ...
...prng is pseudo random number generator. Apparently there were/are some hardware random number generators that were/are flawed. This is a way to be a little more secure...

OK. I was confusing the random number generator with ciphers. It looks like the prng option just changes to a (possibly) more secure random number generator for the seeds that OpenVPN uses. Seems like a good option to keep.