OpenVPN Advanced Options

Started by jaskerx, March 07, 2024, 04:18:35 AM

Moved my clients from legacy to instances and I'm getting warnings in my log because I haven't set some advanced options:

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

This is solved by adding remote-cert-tls server.

NOTICE: --prng option ignored (SSL library PRNG is used)

Was using prng sha256 64.

NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Not too sure what's causing this one as I never got it before.

Was under the impression I could just add these via client server overrides, is there any way to add them to the client using the command line?

Checked the OpenVPN 2.6 Reference manual and the prng options have been deprecated and now just use the SSL prng library so I imagine that's why that notice is there.

Setting script security to 3 is listed as potentially unsafe, is it set that way so that these two scripts can run?

up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown


My VPN has the following options in their .ovpn files:

nobind
resolv-retry infinite
explicit-exit-notify 5
push-peer-info
comp-lzo no
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC


Most of these are redundant and I wouldn't really bother adding them, these though:

auth-nocache
mlock
remote-cert-tls server


The first two are just a little hardening and the last is the reason I'm getting the warning in the first place. I also think it's a good idea for the client to make sure the server's cert is correct.

If I edit the .conf files in /var/etc/openvpn, as soon as I change something in the WebGUI for OpenVPN and hit save it's going to remove those changes?

Do I have to file an issue to get some of these options added to the WebGUI?
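An added example (not from this thread, OPNsense or OpenVPN) in Python: a small checker that reads an OpenVPN client config and reports the three points raised above, the missing remote-cert-tls server, the prng option that 2.6 ignores, and up/down hooks that script-security 2 or higher allows to run. The sample config is constructed; the hostname is a placeholder.

```python
# Constructed sample client config mirroring the options discussed above
SAMPLE_CONF = """\
client
dev tun
remote vpn.example.invalid 1194 udp
prng sha256 64
script-security 3
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
data-ciphers CHACHA20-POLY1305:AES-256-GCM
"""

# Hardening options the thread recommends; value None means "flag only"
HARDENING = {
    "remote-cert-tls": "server",  # verify the server cert's EKU, clears the MITM warning
    "auth-nocache": None,         # do not keep credentials in memory after use
    "mlock": None,                # keep key material out of swap
}
DEPRECATED = {"prng"}             # ignored in 2.6, the SSL library PRNG is used

def parse_conf(text):
    """Return (option, value) pairs; skips comment lines and <tag>...</tag> inline blocks."""
    opts, in_block = [], False
    for line in text.splitlines():
        line = line.strip()
        if in_block:
            in_block = not line.startswith("</")
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):
            in_block = True
            continue
        parts = line.split(None, 1)
        opts.append((parts[0], parts[1] if len(parts) > 1 else None))
    return opts

def audit_conf(text):
    """Return a list of human-readable findings for the given config text."""
    present = {}
    for key, val in parse_conf(text):
        present.setdefault(key, val)  # first occurrence wins
    findings = []
    for opt, want in HARDENING.items():
        if opt not in present:
            findings.append(f"missing: {opt}" + (f" {want}" if want else ""))
        elif want is not None and present[opt] != want:
            findings.append(f"unexpected value: {opt} {present[opt]} (want {want})")
    for opt in sorted(DEPRECATED & present.keys()):
        findings.append(f"deprecated (ignored): {opt} {present[opt]}")
    sec = present.get("script-security")
    hooks = [k for k in ("up", "down") if k in present]
    if sec is not None and sec.isdigit() and int(sec) >= 2 and hooks:
        findings.append(f"script-security {sec} allows hooks: {', '.join(hooks)}")
    return findings
```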

Yes, a feature request filed in github using the template is best :)

How about I add it to this one?

https://github.com/opnsense/core/issues/6703

These options would be client specific overrides right?