openVPN site-to-site shared key with 4096

chemlud · July 07, 2020, 06:10:37 PM

Hi!

I asked last year, but got no answer

https://forum.opnsense.org/index.php?topic=15297

Had a look in the documentation:

https://docs.opnsense.org/manual/how-tos/sslvpn_s2s.html

Code Select

...DH Parameters Length 4096..

but here in my opnsenses there is no option to choose 4096 key length in the respective menu.

Maybe somebody can elucidate me on that?

chemlud · July 10, 2020, 11:41:34 AM

Anyone?

AhnHEL · July 10, 2020, 06:07:55 PM

disregard, not for site to site shared

mimugmail · July 10, 2020, 08:11:47 PM

Better use certificates instead of keys

chemlud · July 11, 2020, 10:44:10 AM

Many thanks for replying!

Certs are complicated... private key for CA not on FW, certs expire. And so on...

Any good (!) tutorials for that? In the opnsense documentation I only found the static key how-to... :-(

mimugmail · July 11, 2020, 10:55:23 AM

Just give it a spin, you need one CA managed on one FW. On the other import the CA, but only the cert not the key. On CA create one server certificate and one client certificate, export/import cert and key. On Server use RA SSL on client P2P SSL, select CA and certificate on both sides, DH 4096, AES256, SHA26 .. give both a tunnel networks, specify left/right networks .. should be it.

chemlud · July 11, 2020, 11:14:56 AM

Quote from: mimugmail on July 11, 2020, 10:55:23 AM
...On Server use RA SSL on client P2P SSL...

Thanks! Why use remote access on server side? Currently I use peer-to-peer and that is functionally what I want..

openVPN site-to-site shared key with 4096

chemlud

July 07, 2020, 06:10:37 PM

chemlud

July 10, 2020, 11:41:34 AM #1

AhnHEL

July 10, 2020, 06:07:55 PM #2

mimugmail

July 10, 2020, 08:11:47 PM #3

chemlud

July 11, 2020, 10:44:10 AM #4

mimugmail

July 11, 2020, 10:55:23 AM #5

chemlud

July 11, 2020, 11:14:56 AM #6