Since it can happen that port 1194 (among others) is blocked by firewalls, I was wondering whether the VPN also works on port 443 by setting it in the “Server port” option in place of the default port 1194.
Lawrence uses the Shared key option in Server mode, but I read around that for a more secure tunnel you can go for the SSL/TLS mode instead. So, what are the pros and cons of one method over the other, apart from the fact that the Shared key one is way too simple to set up?
Is the Shared key way still a reliable and safe way to set it up?
I’m running several RASs; the only time I had the occasion of the connection being blocked was where I think the UDP protocol was being blocked rather than the port (I wasn’t using 443 or 1194). You might want to have a RAS set up with TCP instead of UDP as a fallback.
From what I recall reading somewhere, I believe OpenVPN will deprecate shared key so pfsense will eventually catch up to not using that form of authentication.
I don’t use it myself so it’s not an issue, but having a shared key seemed to be a problem from the start, if I lose my phone, I then have to change all other certs. Using a CA I can issue certs per device and just revoke it if I lose any device without affecting anyone else.
It’s not that difficult to set up the CA and issue certs; some trial and error will probably be involved, but it’s a one-time job.
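As an added example (not from this thread and not pfSense's generated output), here are the two points above written as plain OpenVPN 2.5+ config files: a TLS-mode server listening on TCP 443 with a CRL so a lost device's cert can be revoked on its own, and a client that tries UDP 1194 first and falls back to TCP 443. Hostnames, file names and paths are assumed; the certificates, CRL and tls-crypt key would come from the CA you set up.

```conf
# --- server-tcp443.conf (constructed example; assumed paths) ---
# "server" implies mode server + tls-server, i.e. the SSL/TLS mode
# discussed above, as opposed to shared-key mode ("secret static.key",
# which has one key for every device and no per-device revocation).
server 10.8.0.0 255.255.255.0
proto tcp-server            # TCP listener for networks that block UDP
port 443
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   none                   # ECDH only, no static DH parameters needed
ecdh-curve secp384r1
tls-crypt /etc/openvpn/tls-crypt.key   # authenticates and encrypts the control channel
crl-verify /etc/openvpn/crl.pem        # a revoked device cert is rejected at the handshake
remote-cert-tls client      # only accept certs issued with the client EKU
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
keepalive 10 60
persist-key
persist-tun

# --- phone.ovpn (constructed example; one cert per device) ---
client
dev tun
ca   ca.crt
cert phone.crt              # revoke only this cert if the phone is lost
key  phone.key
tls-crypt tls-crypt.key
remote-cert-tls server      # refuse a server that presents a client cert
tls-version-min 1.2
# Connection profiles are tried in order: UDP 1194 first, then the
# TCP 443 fallback for networks that block UDP or port 1194.
<connection>
remote vpn.example.net 1194 udp
</connection>
<connection>
remote vpn.example.net 443 tcp-client
</connection>
```

After revoking a device cert, re-export the CRL to the path given in crl-verify; OpenVPN re-reads it on the next handshake, so no server restart is needed.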