OPNsense Forum

English Forums => Virtual private networks => Topic started by: jaskerx on March 07, 2024, 04:18:35 AM

Title: OpenVPN Advanced Options
Post by: jaskerx on March 07, 2024, 04:18:35 AM
Moved my clients from legacy to instances and I'm getting warnings in my log because I haven't set some advanced options:

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

This is solved by adding remote-cert-tls server.

NOTICE: --prng option ignored (SSL library PRNG is used)

Was using prng sha256 64.

NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Not too sure what's causing this one as I never got it before.

Was under the impression I could just add these via client server overrides, is there any way to add them to the client using the command line?
Title: Re: OpenVPN Advanced Options
Post by: jaskerx on March 08, 2024, 12:37:52 AM
Checked the OpenVPN 2.6 Reference manual and the prng options have been deprecated and now just use the SSL prng library so I imagine that's why that notice is there.

Setting script security to 3 is listed as potentially unsafe, is it set that way so that these two scripts can run?

up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown


My VPN has the following options in their .ovpn files:

nobind
resolv-retry infinite
explicit-exit-notify 5
push-peer-info
comp-lzo no
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC


Most of these are redundant and I wouldn't really bother adding them, these though:

auth-nocache
mlock
remote-cert-tls server


The first two are just a little hardening and the last is the reason I'm getting the warning in the first place. I also think it's a good idea for the client to make sure the server's cert is correct.

If I edit the .conf files in /var/etc/openvpn, as soon as I change something in the WebGUI for OpenVPN and hit save it's going to remove those changes?

Do I have to file an issue to get some of these options added to the WebGUI?
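To make the three log messages above reproducible against a config file, here is a small audit script (added example, not from the thread or from OPNsense) that parses an OpenVPN client config and reports the same conditions: no `remote-cert-tls server`, a deprecated `prng` line, and `script-security` at a level that lets `up`/`down` hooks run. The sample config and its hostname are constructed; the hook paths are the ones quoted in the post.

```python
import shlex

# Constructed sample client config in the state the post describes:
# deprecated prng directive present, remote-cert-tls absent, hooks enabled.
SAMPLE_CONF = """\
client
dev tun
remote vpn.example.invalid 1194 udp
script-security 3
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
prng sha256 64
data-ciphers CHACHA20-POLY1305:AES-256-GCM
"""

def parse_conf(text):
    """Return (directive, [args]) pairs; skip comments and inline <ca>/<cert> blocks."""
    entries, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # inside <tag> ... </tag>, skip PEM payload
            in_block = not line.startswith("</")
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):
            in_block = True
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries

def audit(text):
    """Report the conditions behind the three log messages quoted in the thread."""
    entries = parse_conf(text)
    directives = {d for d, _ in entries}
    findings = []
    if not any(d == "remote-cert-tls" and a[:1] == ["server"] for d, a in entries):
        findings.append("missing remote-cert-tls server: server cert is not checked for the TLS server role")
    if "prng" in directives:
        findings.append("prng is deprecated in OpenVPN 2.6 and ignored; remove it")
    # OpenVPN's default script-security level is 1 (no external scripts)
    level = next((int(a[0]) for d, a in entries if d == "script-security" and a), 1)
    hooks = sorted(d for d in directives if d in ("up", "down", "route-up", "ipchange"))
    if level >= 2 and hooks:
        findings.append(f"script-security {level} lets {', '.join(hooks)} run external scripts")
    for opt in ("auth-nocache", "mlock"):
        if opt not in directives:
            findings.append(f"consider {opt} (hardening, optional)")
    return findings
```

Run `audit(open("/var/etc/openvpn/client1.conf").read())` against a generated config to see which of the messages it will produce before starting the instance.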
Title: Re: OpenVPN Advanced Options
Post by: mimugmail on March 08, 2024, 08:10:59 AM
Yes, a feature request filed on GitHub using the template is best :)
Title: Re: OpenVPN Advanced Options
Post by: jaskerx on March 08, 2024, 02:48:09 PM
How about I add it to this one?

https://github.com/opnsense/core/issues/6703

These options would be client specific overrides right?