Bug #706

OpenVPN client export needs to include remote-cert-tls server

Added by Chris Buechler about 9 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: OpenVPN
Target version:
Start date: 06/28/2010
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

OpenVPN client export needs to include the following line in all client configurations.

remote-cert-tls server

History

#1 Updated by Jim Pingle about 9 years ago

According to the OpenVPN config file reference, that should be safe to add in all cases, even when TLS is not in use.

#2 Updated by Jim Pingle about 9 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Applied in changeset commit:"9c46da2615a9fccf1e90f7658e8dfc2fee3ff52b".

#3 Updated by Anonymous over 8 years ago

The export does not include the option "remote-cert-tls server".

Exported config file:
dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote x.x.x.x x
auth-user-pass
pkcs12 x.p12
tls-auth x.key 1

pfSense version:
2.0-BETA4 Built On: Tue Nov 30 13:09:03 EST 2010

#4 Updated by Jim Pingle over 8 years ago

  • Status changed from Feedback to Closed

We discovered that it was not compatible with the way we built the server certificates. See https://rcs.pfsense.org/projects/pfsense-packages/repos/mainline/commits/dd7fb03ee362cfee1765749fc80f015e78389504

#5 Updated by Mike Noordermeer about 6 years ago

Nowadays pfSense seems to be able to generate server certificates, so I don't see any reason to not add 'remote-cert-tls server' to client configs. It helps prevent MITM attacks.

#6 Updated by Mike Noordermeer about 6 years ago

Hmm, never mind, it seems to include 'ns-cert-type server' nowadays, that should suffice.
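
An added example, not part of the ticket or of pfSense's export package: a small audit that parses an exported client config and reports which of the two server-certificate checks named in this thread (remote-cert-tls server, ns-cert-type server) it contains. The function names are hypothetical, and EXPORTED is a constructed copy of the config pasted in comment #3.

```python
import shlex

# The two directives from this ticket that make the client check the peer's certificate type.
SERVER_CHECKS = {("remote-cert-tls", "server"), ("ns-cert-type", "server")}

# Constructed sample: the exported config shown in comment #3.
EXPORTED = """dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote x.x.x.x x
auth-user-pass
pkcs12 x.p12
tls-auth x.key 1
"""

def parse_directives(text):
    """Return (name, args) pairs, skipping comments and inline <tag>...</tag> data."""
    directives, inline_end = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_end:                      # inside inline key/cert material
            if line == inline_end:
                inline_end = None
            continue
        if not line or line[0] in "#;":     # OpenVPN comment markers
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_end = "</" + line[1:]
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.append((parts[0].lstrip("-"), parts[1:]))
    return directives

def server_cert_checks(text):
    """List the server-certificate checks present in a client config."""
    return [f"{name} {args[0]}" for name, args in parse_directives(text)
            if args and (name, args[0]) in SERVER_CHECKS]

if __name__ == "__main__":
    found = server_cert_checks(EXPORTED)
    print("server certificate check:", ", ".join(found) if found else "MISSING")
```

An empty result means the client will accept any certificate signed by the CA as the server's, which is the gap this ticket is about.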
