In the guide for setting up pfSense 2.3 with AirVPN, there are several OpenVPN options that he's got going into the pfSense Custom Option area that I'm wondering about for pfSense 2.4.3.  If anyone can help with these, I'd appreciate it:

- "keepalive 5 30":  That's supposed to be a shortcut type of option to help set OpenVPN's --ping and --ping-restart options.  Does anyone know what the defaults are or what, if anything, AirVPN pushes from its servers?  Do I actually need "keepalive" in my client's setup?

- "keysize 256":  First, this has been deprecated and will be removed in OpenVPN 2.6.  But, regardless, since we pick specific encryption algorithms and keysizes in the menus of pfSense 2.4.3 (VPN > OpenVPN > Clients > Encryption Algorithm (and NCP Algorithms)), is this even needed?  More importantly, couldn't it lead to conflicts?

- "key-method 2":  As with "keysize" this has been deprecated and removed in OpenVPN 2.5.  Apparently, it specifies the data channel key negotiation method.  It looks like this might be handled by pfSense's "TLS Key Usage Mode".  Anyone know if that's true and what it should be set to for AirVPN?

- "mlock":  Disables paging so someone can't use the swap file to gather secured information.  But according to the OpenVPN manual, it requires that OpenVPN be initially run as root.  Does anyone know if pfSense 2.4.3 even does that?  Should I use this?

- "prng sha512 64":  According to the OpenVPN manual, that's using sha512 as the digest algorithm with a nonce size of 64 bytes.  I really don't even know what that means.  But, my default AirVPN hardware key uses SHA1 and pfSense's "Auth digest algorithm" is set to SHA1.  Is this a conflict?


prng is pseudo random number generator.  Apparently there were/are some hardware random number generators that were/are flawed.  This is a way to be a little more secure.


Hi, I remember a while back I spent some time with these custom options and trying them all. Most of these options are either the default values or are unnecessary. You can check the generated openvpn config file at /var/etc/openvpn/client1.conf and see the full config.

 

These are the only options you need and nothing more:

auth-nocache;
mlock;
remote-cert-tls server;
explicit-exit-notify 5

I have been running my pfsense box using only these four custom options for a while now and never had any issues.


Thanks for the path to pfSense's OpenVPN config file.  With that, I can see what pfSense generates from its OpenVPN settings and do some experimenting.  I've been running with a handful of options for over a year now (that I picked up from several pfSense/OpenVPN/AirVPN guides).  I recently realized that there were several options in AirVPN's .ovpn file that I hadn't added in to pfSense and decided I'd better be a bit more rigorous in finding out what I'd done.

 

EDIT:  And, I did find a post over on the pfSense forums that pfSense does run OpenVPN as root.  So, the mlock option does look like it will work there.


> ...
>
> These are the only options you need and nothing more:
>
> auth-nocache;
> mlock;
> remote-cert-tls server;
> explicit-exit-notify 5
>
> I have been running my pfsense box using only these four custom options for a while now and never had any issues.

Looking on the OpenVPN manual pages on the web, I see the following under the --daemon option:

> Note: as soon as OpenVPN has daemonized, it can not ask for usernames, passwords, or key pass phrases anymore. This has certain consequences, namely that using a password-protected private key will fail unless the --askpass option is used to tell OpenVPN to ask for the pass phrase (this requirement is new in v2.3.7, and is a consequence of calling daemon() before initializing the crypto layer).
>
> Further, using --daemon together with --auth-user-pass (entered on console) and --auth-nocache will fail as soon as key renegotiation (and reauthentication) occurs.

That worries me since the pfSense config file does have a daemon section (at least I think that's what I'm seeing).


Looking at my /var/etc/openvpn/client2.conf file, it looks like pfSense automatically includes a keepalive option under the daemon section:

keepalive 10 60

Currently, I've got a keepalive option in the Custom Options section and it shows up in the client section:

keepalive 5 30

Does it matter where keepalive is in the file?  IOW, is keepalive under daemon different from keepalive under client?  Right now, I'm assuming they're the same and that I should just remove mine from the Custom Options section.

EDIT:  And, it looks like I've got the same questions for:

persist-tun
persist-key

pfSense automatically adds them to the daemon section, but I've also added them to the client section via Custom Options.

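The two posts above (the --daemon/auth-nocache caveat from the manual, and the keepalive and persist-* directives that show up both in the generated file and in Custom Options) describe a check that can be scripted. The following is an added example, not code from this thread, from pfSense or from OpenVPN: it compares a constructed sample of a pfSense-generated clientN.conf against a Custom Options string and reports redundant, conflicting and deprecated directives, plus the --daemon combination the manual warns about. The sample config contents and the auth-user-pass credentials-file path are assumptions.

```python
# Constructed sample of what pfSense writes to /var/etc/openvpn/clientN.conf,
# trimmed to the directives the thread discusses (hypothetical content).
GENERATED_CONF = """\
dev ovpnc2
daemon
keepalive 10 60
persist-tun
persist-key
auth-user-pass /var/etc/openvpn/client2.up
remote-cert-tls server
auth SHA1
"""
# pfSense Custom Options field: directives separated by ';' (constructed).
CUSTOM_OPTIONS = ("keepalive 5 30; persist-tun; persist-key; auth-nocache; "
                  "keysize 256; key-method 2; prng sha512 64; explicit-exit-notify 5")
# Status the thread cites from the OpenVPN manual for two of the options.
DEPRECATED = {"keysize": "deprecated; removed in OpenVPN 2.6",
              "key-method": "deprecated; removed in OpenVPN 2.5"}

def parse_directives(text, sep="\n"):
    """Return (name, args) pairs, skipping blanks and '#' / ';' comment lines."""
    out = []
    for raw in text.split(sep):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *rest = line.split()
        out.append((name, " ".join(rest)))
    return out

def audit(generated, custom):
    """Flag custom options that are redundant with, conflict with, or are
    deprecated relative to the generated config, plus the --daemon caveat."""
    gen = dict(parse_directives(generated))
    cus = parse_directives(custom, sep=";")
    findings = []
    for name, args in cus:
        shown = f"{name} {args}".strip()
        if name in gen and gen[name] == args:
            findings.append(f"redundant: '{shown}' already generated by pfSense")
        elif name in gen:
            findings.append(f"conflict: custom '{shown}' vs generated '{name} {gen[name]}'")
        if name in DEPRECATED:
            findings.append(f"deprecated: {name} ({DEPRECATED[name]})")
    # Manual: daemon + auth-user-pass (console) + auth-nocache fails at key
    # renegotiation. pfSense passes a credentials file, so flag it for a check.
    names = set(gen) | {n for n, _ in cus}
    if {"daemon", "auth-user-pass", "auth-nocache"} <= names:
        findings.append("warn: daemon + auth-user-pass + auth-nocache (see --daemon note)")
    return findings
```

Call audit() with the contents of your own clientN.conf and the Custom Options string to see which custom entries pfSense already emits.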

> prng is pseudo random number generator.  Apparently there were/are some hardware random number generators that were/are flawed.  This is a way to be a little more secure.

OK.  I was confusing the random number generator with ciphers.  It looks like the prng option just changes to a (possibly) more secure random number generator for the seeds that OpenVPN uses.  Seems like a good option to keep.
