Bug #706

OpenVPN client export needs to include remote-cert-tls server

Added by Chris Buechler over 10 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: OpenVPN
Target version:
Start date: 06/28/2010
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

OpenVPN client export needs to include the following line in all client configurations.

remote-cert-tls server

History

#1 Updated by Jim Pingle over 10 years ago

According to the OpenVPN config file reference, that should be safe to add in all cases, even when TLS is not in use.

#2 Updated by Jim Pingle over 10 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Applied in changeset commit:"9c46da2615a9fccf1e90f7658e8dfc2fee3ff52b".

#3 Updated by Anonymous almost 10 years ago

The export does not include the option "remote-cert-tls server".

Exported config file:
dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote x.x.x.x x
auth-user-pass
pkcs12 x.p12
tls-auth x.key 1

pfSense version:
2.0-BETA4 Built On: Tue Nov 30 13:09:03 EST 2010

#4 Updated by Jim Pingle almost 10 years ago

  • Status changed from Feedback to Closed

We discovered that it was not compatible with the way we built the server certificates. See https://rcs.pfsense.org/projects/pfsense-packages/repos/mainline/commits/dd7fb03ee362cfee1765749fc80f015e78389504

#5 Updated by Mike Noordermeer over 7 years ago

Nowadays pfSense seems to be able to generate server certificates, so I don't see any reason to not add 'remote-cert-tls server' to client configs. It helps prevent MITM attacks.

#6 Updated by Mike Noordermeer over 7 years ago

Hmm, never mind, it seems to include 'ns-cert-type server' nowadays, that should suffice.
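A check that reports which server-certificate directive, if any, an exported client config carries, covering both 'remote-cert-tls server' and 'ns-cert-type server' from the comments above. This is an added example, not part of the ticket or of the pfSense export package; the function and constant names are assumptions, and the sample input is the export quoted in comment #3.

```python
import shlex

STRONG = "remote-cert-tls"  # checks key usage + extended key usage
LEGACY = "ns-cert-type"     # older Netscape cert-type check, deprecated upstream

# Client export quoted in comment #3 (pfSense 2.0-BETA4), placeholders as posted.
EXPORT_FROM_COMMENT_3 = """dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote x.x.x.x x
auth-user-pass
pkcs12 x.p12
tls-auth x.key 1
"""

def directives(config_text):
    """Yield each directive as a token list, skipping comments and inline blocks."""
    closing = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if closing:                       # inside <ca>...</ca> and similar
            closing = None if line == closing else closing
            continue
        if line.startswith("<") and line.endswith(">"):
            closing = "</" + line[1:]
            continue
        lex = shlex.shlex(line, posix=True)
        lex.whitespace_split = True
        lex.commenters = "#;"             # both start a comment in OpenVPN configs
        tokens = list(lex)
        if tokens:
            tokens[0] = tokens[0].lstrip("-")   # tolerate "--option" spelling
            yield tokens

def server_cert_check(config_text):
    """Return the directive that pins the peer to a server certificate, or None."""
    seen = {t[0]: t[1:] for t in directives(config_text)}
    for name in (STRONG, LEGACY):
        if seen.get(name) == ["server"]:
            return name
    return None

if __name__ == "__main__":
    print(server_cert_check(EXPORT_FROM_COMMENT_3) or "no server-certificate check")
```

A result of None means the client will accept any certificate signed by the CA, including another client's, as the server.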
