GUI allows selecting missing diffe-helman Paremeters for OpenVPN
When trying to use a 3072-bit Diffie-Hellman parameter with the OpenVPN server, the following error is logged and the OpenVPN service fails to start:
Nov 24 14:05:55 openvpn 75899 Options error: --dh fails with '/etc/dh-parameters.3072': No such file or directory
It appears that pfSense fails to generate non-standard Diffie-Hellman parameters, even when they are selected for use by OpenVPN and shown in the OpenVPN Diffie-Hellman options dropdown menu.
Restarting pfSense or OpenVPN does not resolve the error.
Manually generating the missing parameter file resolves the issue:
/usr/bin/openssl dhparam 3072 > /etc/dh-parameters.3072
Tested on 2.3.2-RELEASE-p1, but likely present in other versions as well.
Is this the expected behavior or a bug? Having OpenVPN crash when certain dropdown options are selected seem non-ideal.
Uhm... generating these "on demand" is a horrible idea. Should be either pre-shipped or user told to do the job. Users certainly do NOT want to wait hours/days for the job to complete when doing some GUI configuration. (There's also a 16K option in the menu, yikes...)
#2 Updated by Jim Pingle 10 months ago
- Project changed from pfSense Packages to pfSense
- Subject changed from Missing diffe-helman Paremeters for OpenVPN to GUI allows selecting missing diffe-helman Paremeters for OpenVPN
- Category set to OpenVPN
- Status changed from New to Confirmed
- Assignee set to Steve Beaver
- Target version set to 2.4.0
- Affected Architecture set to All
The GUI should probably grey out or otherwise note the selections without available files. Or maybe check for
/etc/dh-parameters.* and list any files it finds.
Due to the processor time requirements for generating DH parameters, generating them on demand is not viable nor is having a GUI to manage them. Given the wide range of systems that run pfSense there wouldn't be any way to properly estimate how long that would take for any given size.
Generating the DH parameters manually is already documented in a few places, such as https://doc.pfsense.org/index.php/Importing_OpenVPN_DH_Parameters
#3 Updated by Andy Sayler 10 months ago
My vote would be either to grey out or remove the missing parameters from the OpenVPN dropdown, or to kick off a background generation task when they are selected. While on-the-fly generation can take some time, the process could run in the background and display a notice to the user that OpenVPN will not be available until generation has completed.