next »

[Blinkiz]

Am requesting TLS Auth support from within the GUI.
Another box where a key can be inserted for OpenVPN. If the box are filled, TLS Auth should/can be enabled.


The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:

• DoS attacks or port flooding on the OpenVPN UDP port.
• Port scanning to determine which server UDP ports are in a listening state.
• Buffer overflow vulnerabilities in the SSL/TLS implementation.
• SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).

http://openvpn.net/howto.html#security

In the mean time, I would like to get suggestions how to enable TLS Auth support on a pfsense linux box.

[jeroen234]

search for openvpn and freebsd

btw pfsense is bsd not linux

[Blinkiz]

search for openvpn and freebsd

btw pfsense is bsd not linux

Have searched the net a while now without finding anything useful.
As you can see am not an expert in the unix world.

Anyway, I was looking in the logfile for openVPN and found out that something was read from /var/etc catalog. I went over their and found openvpn_server1.conf! So now I got it to work.
My request about implement this feature into GUI still exist.

[Numbski]

Please provide the directive you added to the conf file here, and I'll see if I can get a dev to add it to the ui.

[Bredys]

Greetings,

you can use Custom options in OpenVPN settings for this feature :
tls-auth /etc/tls_auth.key 0

and then use Edit File and save your TLS key in this file : /etc/tls_auth.key

[Blinkiz]

you can use Custom options in OpenVPN settings for this feature :
tls-auth /etc/tls_auth.key 0
and then use Edit File and save your TLS key in this file : /etc/tls_auth.key

Thank you
Easier then editing a file.

[Tele]

I've done this the manual way, but a extra inputfield would be a valuable addition to the openvpn configuration GUI. 

[trendchiller]

I'll have a look for it and create some GUI-patch...

so watch out for answers of mine in this topic 

[trendchiller]

So... it's ready...

have a look at http://pfsense.trendchiller.com and look at the patches section...

[trendchiller]

some bugs fixed... if you downloaded... please do so again...

[dlstrout]

some bugs fixed... if you downloaded... please do so again...

Will these features becoming in a future SNAP or version?

[trendchiller]

Yes, features are freezed until 1.3 release...

Next release will be 1.2 and after release of 1.2 it will be in the new snaps :-)

[jmbo]

Hi all,

does your patch can be installed in a 1.2 RC2 ?

best regards

[trendchiller]

yes, it can...

i also created a script for re-adding this features after upgrading to a new snap 

from the gui:

fetch -o /trendchiller.sh http://pfsense.trendchiller.com/patches/trendchiller.update
chmod 744 /trendchiller.sh

then execute

/trendchiller.sh

 and have fun :-)

[trendchiller]

for embedded this should work...

fetch -o /etc/inc/openvpn.inc http://pfsense.trendchiller.com/patches/openvpn/_etc_inc/openvpn.inc
fetch -o /usr/local/pkg/openvpn.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn.xml
fetch -o /usr/local/pkg/openvpn_cli.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn_cli.xml
fetch -o /usr/local/pkg/openvpn_csc.xml http://pfsense.trendchiller.com/patches/openvpn/_usr_local_pkg/openvpn_csc.xml