Hi,
I recently switched to OPNsense, as another update from another..uhm..sense product killed my setup.
Sadly the OPNsense OpenVPN GUI is kind of... deprecated.
No worries I thought and altered the /var/etc/openvpn/server[n].conf myself.
Restarted the daemon and had to realize that my newly altered conf was overwritten.
I am willing to alter the server and client (export) conf myself, as it is a one-time setup. OpenVPN >2.4 has some nice features, e.g. tls-crypt instead of tls-auth since... 2018? compress lz4 and others.
In theory: OPNsense does have the latest stable, so altering the conf should be without side effect.
How can I prevent the destruction of my manual changes?
You can use the custom options field if that works.
The custom options field doesn't overwrite existing fields - it just adds new ones.
If I, for example, set: "keepalive 30 180", it will be appended to the config, while the default value is still maintained some columns up - so I end up with this option two times in the conf.
Also tls-auth to tls-crypt won't work - it is one or the other.
Not being able to modify it manually is kind of counterproductive. I am willing to help myself, but I am held back.
I now would have to set up another OpenVPN server and integrate it into my network. Only because I can't change 3-4 columns.
I understand that the GUI should be aligned with the conf or vice versa, but an asterisk or another notification would be enough.
Why and from where is the config overwritten? (So I can maybe use this to modify the params according to secure OpenVPN 2.4 settings of 2020 instead of being frozen in 2017.)
As a user I want to make use of OpenVPN 2.4 settings, so I feel state-of-the-art protected and don't waste my time setting up another host for a service I already have. This doesn't have to be done via the GUI, but if done by manual changes, these changes need to survive at least reboots.
Acceptance criteria:
- tls-crypt is used instead of tls-auth
- keepalive can be set to save mobile power
- compress lz4 can be used, to save data without being vulnerable to lzo compression attack vectors
Bonus criteria:
- NCP can be used to let the client choose the most power-friendly codec
Offer: I am willing to contribute to the OpenVPN GUI, but I don't know where to begin.
Interesting forum here. Besides some obvious "help", no further dialog. I really would like to like OPNsense - but you have to improve. At least if someone offers help, I would suggest giving him a start. But hey... ;)
Start here... https://github.com/opnsense/core
Hi there,
> How can I prevent the destruction of my manual changes?
Isn't this the wrong question considering both *sense share the same approach to config files? :)
On GitHub we can discuss the tls-crypt integration. So far it hasn't been the most pressing issue for the community. Some things are behind, some are more forward in general depending on where work is spent.
Ping me at https://github.com/opnsense/core/issues/2048
Cheers,
Franco
You can put your certificate between <tls-crypt> and </tls-crypt> tags in the Custom Configuration box.
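As an added example (not code from this thread, from OPNsense or from OpenVPN), here is a small Python linter for the two situations the thread describes: a directive such as keepalive appearing twice once the custom options are appended after the GUI-generated lines, and tls-auth still present while an inline <tls-crypt> block is added through the Custom Configuration box as in the last reply. The sample config, the paths, the addresses and the key text are constructed for the example, and the set of repeatable directives is an assumption kept deliberately short.

```python
"""Lint an OpenVPN server config for the two problems raised in this thread:
a directive that appears twice (the GUI-generated value plus the copy added via
Custom Options) and tls-auth combined with tls-crypt, which OpenVPN rejects."""
import re
from collections import defaultdict

# Directives OpenVPN accepts more than once (not exhaustive; an assumption for
# this example, extend it for your own config).
REPEATABLE = {"push", "route", "route-ipv6", "remote", "dhcp-option",
              "iroute", "iroute-ipv6", "setenv", "plugin", "pull-filter"}

# Pairs OpenVPN refuses to combine in one config ("it is one or the other").
MUTUALLY_EXCLUSIVE = [("tls-auth", "tls-crypt")]

INLINE_TAG = re.compile(r"^<(/?)([A-Za-z0-9-]+)>$")


def parse_openvpn_conf(text):
    """Return [(directive, args, lineno), ...] in file order.

    Inline file blocks (<tls-crypt> ... </tls-crypt>, <ca>, <cert>, ...) are
    collapsed into one entry named after the tag, with the block body as args,
    because OpenVPN treats an inline block like the directive it names.
    """
    entries = []
    block = None  # (tag, start line, [body lines]) while inside an inline block
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if block is not None:
            m = INLINE_TAG.match(line)
            if m and m.group(1) == "/" and m.group(2) == block[0]:
                entries.append((block[0], "\n".join(block[2]), block[1]))
                block = None
            else:
                block[2].append(line)
            continue
        if not line or line[0] in "#;":
            continue
        m = INLINE_TAG.match(line)
        if m and not m.group(1):
            block = (m.group(2), lineno, [])
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1] if len(parts) > 1 else "", lineno))
    if block is not None:
        raise ValueError(f"unterminated <{block[0]}> block opened at line {block[1]}")
    return entries


def lint_openvpn_conf(text):
    """Return findings as tuples; an empty list means neither problem is present.

    ("duplicate", directive, [line, ...])   single-valued directive repeated:
                                            OpenVPN applies the later occurrence,
                                            so the earlier value is dead config
    ("exclusive", (a, b), [line_a, line_b]) directives OpenVPN will not accept
                                            together, so it refuses to start
    """
    seen = defaultdict(list)
    for name, _args, lineno in parse_openvpn_conf(text):
        seen[name].append(lineno)
    findings = []
    for name, lines in seen.items():
        if len(lines) > 1 and name not in REPEATABLE:
            findings.append(("duplicate", name, lines))
    for a, b in MUTUALLY_EXCLUSIVE:
        if a in seen and b in seen:
            findings.append(("exclusive", (a, b), [seen[a][0], seen[b][0]]))
    return findings


# Constructed sample: an OPNsense-style generated server conf with the custom
# options (keepalive, compress lz4 and an inline <tls-crypt> key) appended after
# it, as the thread describes. Paths, addresses and key text are made up; the
# key is not a usable OpenVPN static key.
SAMPLE_CONF = """\
dev ovpns1
proto udp
keepalive 10 60
tls-auth /var/etc/openvpn/server1.tls-auth 0
cipher AES-256-CBC
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.1"
# --- custom options start here ---
keepalive 30 180
compress lz4
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# The same config hand-fixed: one keepalive, tls-auth dropped in favour of the
# inline tls-crypt block.
FIXED_CONF = """\
dev ovpns1
proto udp
cipher AES-256-CBC
push "route 10.0.0.0 255.255.255.0"
keepalive 30 180
compress lz4
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

if __name__ == "__main__":
    for label, conf in (("generated+custom", SAMPLE_CONF), ("hand-fixed", FIXED_CONF)):
        print(f"{label}: {lint_openvpn_conf(conf) or 'no findings'}")
```

Run it against /var/etc/openvpn/server[n].conf after a restart to see exactly which lines the appended custom options duplicate; a "duplicate" finding for keepalive means the later custom value is the one in effect, and an "exclusive" finding is what you get when the GUI still emits tls-auth while a <tls-crypt> block has been added through the custom box, so the two must not both be present.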