OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Julien on November 23, 2017, 12:01:23 am

Title: Stragnge OPENVPN commands found
Post by: Julien on November 23, 2017, 12:01:23 am
Hi Guys,
on my OPENVPN.ovpn file I've found two strange commands

Code: [Select]
ping-exit 30
ns-cert-type server
I've googled the auth-nocache appear to be a command to stop caching your password in the memory of the PC, but other commands I don't know what they are for.
I've exported a OPENVPN from a different OPNsense and I don't seem to find those commands on the .ovpn

Thank you
Title: Re: Stragnge OPENVPN commands found
Post by: Oxygen61 on November 23, 2017, 09:14:13 pm
Hi Julien,

these are advanced OpenVPN options, which you can use to enhance or change the behaviour of your OpenVPN connection.

Here is what they mean in detail:

--ping-exit 30
Code: [Select]
Causes OpenVPN to exit after n seconds pass without reception of a ping or other packet from remote. This option can be combined with --inactive, --ping, and --ping-exit to create a two-tiered inactivity disconnect.
For example,

openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60

when used on both peers will cause OpenVPN to exit within 60 seconds if its peer disconnects, but will exit after one hour if no actual tunnel data is exchanged.

Code: [Select]
Don't cache --askpass or --auth-user-pass username/passwords in virtual memory.
If specified, this directive will cause OpenVPN to immediately forget username/password inputs after they are used. As a result, when OpenVPN needs a username/password, it will prompt for input from stdin, which may be multiple times during the duration of an OpenVPN session.

--ns-cert-type server
Code: [Select]
Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server".
This is a useful security option for clients, to ensure that the host they connect with is a designated server.

See the easy-rsa/build-key-server script for an example of how to generate a certificate with the nsCertType field set to "server".

If the server certificate's nsCertType field is set to "server", then the clients can verify this with --ns-cert-type server.

This is an important security precaution to protect against a man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --ns-cert-type, --tls-remote, or --tls-verify.

Source: https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

Best regards,
Title: Re: Stragnge OPENVPN commands found
Post by: Julien on November 24, 2017, 12:48:08 am
Well explained Oxy,
thank you for this, probably my college has configured this in this case i'll ask him tomorrow.