So I just updated one of my firewalls to 2.60, yes I know it is long overdue and the other end needs attention too!
Now my site to site openVPN no longer connects. I just checked the user docs and found this:
Danger
Shared key mode has been deprecated by OpenVPN as it is no longer considered sufficiently secure for modern requirements.
Shared key mode will be removed from future versions of OpenVPN. Users should not create any new shared key tunnels and should immediately convert any existing shared key tunnels to SSL/TLS mode.
When an SSL/TLS instance is configured with a /30 tunnel network it behaves in a similar manner to shared key mode. The primary difference is the need to create and distribute the certificate structure to peers. See OpenVPN Site-to-Site Configuration Example with SSL/TLS for information on configuring OpenVPN in SSL/TLS mode.
Is shared key actually removed now and that’s my problem? Or could there be a different thing? Will a locally generated certificate work for the encryption?
OpenVPN was simple to set up, but if I need to invest time then Wireguard might be the better option going forward. Faster and less bandwidth when not in use. I don’t need the vpn often, it is between work and home and leftover from the plague closures a few years ago. I was just going to check some things from home a few nights ago and work on my lab system which is stored at work, and had all sorts of problems (most from my ISP) which lead me to upgrade to pfsense 2.6.0 to see if that fixed anything, and it caused more issues. I’ll have to look into WG and see if I can make it go.
I did read more on oVPN and it seems that local certificates are OK, they give a run down of creating them in the documents.
The OpenVPN wizard is pretty good quick but to be fair, wiregard might be faster to setup. I think it comes down to preference and support on the devices you want connect back to your firewall.
If they all support wireguard and you want the fastest was to set them up then that would be the way to go. Otherwise OpenVPN would be the choice.