Bug #706
closed
OpenVPN client export needs to include remote-cert-tls server
100%
Description
OpenVPN client export needs to include the following line in all client configurations.
remote-cert-tls server
Updated by Jim Pingle almost 14 years ago
According to the OpenVPN config file reference, that should be safe to add in all cases, even when TLS is not in use.
Updated by Jim Pingle almost 14 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset commit:"9c46da2615a9fccf1e90f7658e8dfc2fee3ff52b".
Updated by Anonymous over 13 years ago
The export does not include the option "remote-cert-tls server"
Exported config file:
dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote x.x.x.x x
auth-user-pass
pkcs12 x.p12
tls-auth x.key 1
PFsense version:
2.0-BETA4 Built On: Tue Nov 30 13:09:03 EST 2010
Updated by Jim Pingle over 13 years ago
- Status changed from Feedback to Closed
We discovered that it was not compatible with the way we built the server certificates. See https://rcs.pfsense.org/projects/pfsense-packages/repos/mainline/commits/dd7fb03ee362cfee1765749fc80f015e78389504
Updated by Mike Noordermeer almost 11 years ago
Nowadays Pfsense seems to be able to generate server certificates, so I don't see any reason to not add 'remote-cert-tls server' to client configs. It helps preventing MITM attacks.
Updated by Mike Noordermeer almost 11 years ago
Hmm, nevermind, it seems to include 'ns-cert-type server' nowadays, that should suffice.