Bug #6962

GUI allows selecting missing Diffie-Hellman parameters for OpenVPN

Added by Andy Sayler about 4 years ago. Updated about 4 years ago.


When trying to use a 3072-bit Diffie-Hellman parameter with the OpenVPN server, the following error is logged and the OpenVPN service fails to start:

Nov 24 14:05:55    openvpn    75899    Options error: --dh fails with '/etc/dh-parameters.3072': No such file or directory

It appears that pfSense fails to generate non-standard Diffie-Hellman parameters, even when they are selected for use by OpenVPN and shown in the OpenVPN Diffie-Hellman options dropdown menu.

Restarting pfSense or OpenVPN does not resolve the error.

Manually generating the missing parameter file resolves the issue:

/usr/bin/openssl dhparam 3072 > /etc/dh-parameters.3072

Tested on 2.3.2-RELEASE-p1, but likely present in other versions as well.

Is this the expected behavior or a bug? Having OpenVPN crash when certain dropdown options are selected seems non-ideal.


#1 Updated by Kill Bill about 4 years ago

Uhm... generating these "on demand" is a horrible idea. Should be either pre-shipped or user told to do the job. Users certainly do NOT want to wait hours/days for the job to complete when doing some GUI configuration. (There's also a 16K option in the menu, yikes...)

#2 Updated by Jim Pingle about 4 years ago

  • Project changed from pfSense Packages to pfSense
  • Subject changed from Missing diffe-helman Paremeters for OpenVPN to GUI allows selecting missing diffe-helman Paremeters for OpenVPN
  • Category set to OpenVPN
  • Status changed from New to Confirmed
  • Assignee set to Steve Beaver
  • Target version set to 2.4.0
  • Affected Architecture All added
  • Affected Architecture deleted ()

The GUI should probably grey out or otherwise note the selections without available files. Or maybe check for /etc/dh-parameters.* and list any files it finds.

Due to the processor time requirements for generating DH parameters, generating them on demand is not viable nor is having a GUI to manage them. Given the wide range of systems that run pfSense there wouldn't be any way to properly estimate how long that would take for any given size.

Generating the DH parameters manually is already documented in a few places, such as
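
As an added example of the check suggested above (not pfSense code), a POSIX shell sketch that only offers the sizes whose /etc/dh-parameters.<bits> file actually exists and refuses the rest, so OpenVPN is never handed a --dh path that is missing; DH_DIR is an assumed override so the check can be tried against a scratch directory:

```shell
#!/bin/sh
# Added example, not pfSense code: enumerate the DH parameter files that
# exist and reject a size that has no file, instead of letting OpenVPN
# fail at start with "--dh fails with ... No such file or directory".
# DH_DIR is an assumed override; pfSense keeps the files in /etc.
DH_DIR="${DH_DIR:-/etc}"

# Print the bit sizes for which $DH_DIR/dh-parameters.<bits> exists, one
# per line, smallest first; names whose suffix is not all digits are skipped.
available_dh_sizes() {
    for f in "$DH_DIR"/dh-parameters.*; do
        [ -f "$f" ] || continue
        bits="${f##*.}"
        case "$bits" in
            ''|*[!0-9]*) continue ;;
        esac
        printf '%s\n' "$bits"
    done | sort -n
}

# Return 0 when the requested size has a parameter file, 1 otherwise.
dh_size_available() {
    [ -f "$DH_DIR/dh-parameters.$1" ]
}

# Emit the OpenVPN "dh" directive only for a size that is present; otherwise
# list the usable sizes on stderr and fail, so a caller can grey out or
# reject the choice rather than write a config OpenVPN cannot start with.
openvpn_dh_option() {
    size="$1"
    if dh_size_available "$size"; then
        printf 'dh %s/dh-parameters.%s\n' "$DH_DIR" "$size"
        return 0
    fi
    echo "no DH parameter file for $size bits; available: $(available_dh_sizes | tr '\n' ' ')" >&2
    return 1
}

# Generate a missing size the way the report does by hand, writing to a
# temporary name first so a half-written file is never listed as usable.
generate_dh_params() {
    size="$1"
    tmp="$DH_DIR/dh-parameters.$size.tmp"
    /usr/bin/openssl dhparam "$size" > "$tmp" 2>/dev/null \
        && mv "$tmp" "$DH_DIR/dh-parameters.$size"
}
```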

#3 Updated by Andy Sayler about 4 years ago

My vote would be either to grey out or remove the missing parameters from the OpenVPN dropdown, or to kick off a background generation task when they are selected. While on-the-fly generation can take some time, the process could run in the background and display a notice to the user that OpenVPN will not be available until generation has completed.

#4 Updated by Jim Pingle about 4 years ago

  • Status changed from Confirmed to Resolved
  • Assignee changed from Steve Beaver to Jim Pingle

I fixed this up among the other OpenVPN improvements this week.
