Bug #706

closed

OpenVPN client export needs to include remote-cert-tls server

Added by Chris Buechler over 11 years ago. Updated over 8 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: OpenVPN
Target version:
Start date: 06/28/2010
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0
Affected Architecture:

Description

OpenVPN client export needs to include the following line in all client configurations.

remote-cert-tls server

Actions #1

Updated by Jim Pingle over 11 years ago

According to the OpenVPN config file reference, that should be safe to add in all cases, even when TLS is not in use.

Actions #2

Updated by Jim Pingle over 11 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Applied in changeset 9c46da2615a9fccf1e90f7658e8dfc2fee3ff52b.

Actions #3

Updated by Anonymous almost 11 years ago

The export does not include the option "remote-cert-tls server"

Exported config file:
dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote x.x.x.x x
auth-user-pass
pkcs12 x.p12
tls-auth x.key 1

PFsense version:
2.0-BETA4 Built On: Tue Nov 30 13:09:03 EST 2010

Actions #4

Updated by Jim Pingle almost 11 years ago

  • Status changed from Feedback to Closed

We discovered that it was not compatible with the way we built the server certificates. See https://rcs.pfsense.org/projects/pfsense-packages/repos/mainline/commits/dd7fb03ee362cfee1765749fc80f015e78389504

Actions #5

Updated by Mike Noordermeer over 8 years ago

Nowadays pfSense seems to be able to generate server certificates, so I don't see any reason not to add 'remote-cert-tls server' to client configs. It helps prevent MITM attacks.

Actions #6

Updated by Mike Noordermeer over 8 years ago

Hmm, nevermind, it seems to include 'ns-cert-type server' nowadays, that should suffice.
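
Added example, not part of the ticket thread and not pfSense's own code: a small audit that checks whether an exported OpenVPN client config carries either of the two server-certificate checks named in this ticket ('remote-cert-tls server' or 'ns-cert-type server'). The sample input is the export quoted in comment #3; the function names and status strings are hypothetical.

```python
# Directives named in the ticket; each needs the argument "server" to
# make the client reject a peer certificate not issued for server use.
SERVER_CHECKS = {"remote-cert-tls", "ns-cert-type"}

# Client export quoted in comment #3 of this ticket (placeholders as posted).
TICKET_EXPORT = """\
dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote x.x.x.x x
auth-user-pass
pkcs12 x.p12
tls-auth x.key 1
"""

def parse_directives(text):
    """Return [(name, args)] skipping comments and inline <tag>...</tag> blocks."""
    directives, closing = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if closing:                          # inside an inline block such as <ca>
            if line == closing:
                closing = None
            continue
        if not line or line[0] in "#;":      # blank or commented-out line
            continue
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            closing = "</" + line[1:]
            continue
        tokens = line.split()
        directives.append((tokens[0].lstrip("-"), tokens[1:]))
    return directives

def audit(text):
    """Return (status, directive): 'ok', 'missing', or 'not-tls-client'."""
    directives = parse_directives(text)
    for name, args in directives:
        if name in SERVER_CHECKS and args[:1] == ["server"]:
            return ("ok", f"{name} server")
    if any(name in ("client", "tls-client") for name, _ in directives):
        return ("missing", None)
    return ("not-tls-client", None)

if __name__ == "__main__":
    print(audit(TICKET_EXPORT))
```

A commented-out directive or one that only appears inside an inline certificate block is treated as absent, so the config from comment #3 is reported as missing the check.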
