So I just updated one of my firewalls to 2.60, yes I know it is long overdue and the other end needs attention too!
Now my site to site openVPN no longer connects. I just checked the user docs and found this:
Shared key mode has been deprecated by OpenVPN as it is no longer considered sufficiently secure for modern requirements.
Shared key mode will be removed from future versions of OpenVPN. Users should not create any new shared key tunnels and should immediately convert any existing shared key tunnels to SSL/TLS mode.
When an SSL/TLS instance is configured with a /30 tunnel network it behaves in a similar manner to shared key mode. The primary difference is the need to create and distribute the certificate structure to peers. See OpenVPN Site-to-Site Configuration Example with SSL/TLS for information on configuring OpenVPN in SSL/TLS mode.
Is shared key actually removed now and that’s my problem? Or could there be a different thing? Will a locally generated certificate work for the encryption?
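To make the documented difference concrete, here is the same /30 site-to-site tunnel written first in the deprecated shared key mode and then in SSL/TLS mode with a point-to-point /30 tunnel network. This is an added example, not taken from the thread or from the pfSense docs; the hostnames, file names, subnets and certificate names are placeholders, and the certificates are assumed to have been issued by a local CA (which is what the pfSense wizard creates).

```conf
# (1) Shared key mode, DEPRECATED: one static key copied to both peers.
#     No per-peer identity, no revocation, no forward secrecy.
# Site A (listening side)
dev tun
proto udp
port 1194
# static.key is generated once and distributed out of band to both sites
secret static.key
ifconfig 10.8.0.1 10.8.0.2
# remote LAN behind site B (placeholder subnet)
route 192.168.2.0 255.255.255.0
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun

# (2) SSL/TLS mode with a /30 tunnel network (the documented replacement).
#     Each peer presents its own certificate, signed by a CA both sides trust.
# Site A (server side of the TLS handshake)
dev tun
proto udp
port 1194
tls-server
# p2p topology on a /30 behaves like the old point-to-point tunnel
topology p2p
ifconfig 10.8.0.1 10.8.0.2
route 192.168.2.0 255.255.255.0
# CA and certificates; a locally generated CA is fine as long as both peers trust it
ca ca.crt
cert siteA.crt
key siteA.key
dh dh2048.pem
# control-channel hardening: peers without ta.key are dropped before the handshake
tls-crypt ta.key
# require the peer certificate to carry the client extended key usage
remote-cert-tls client
# pin the expected peer identity (common name) instead of trusting any cert from the CA
verify-x509-name siteB name
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun

# Site B (client side of the TLS handshake)
dev tun
proto udp
remote vpn-a.example.com 1194
tls-client
topology p2p
ifconfig 10.8.0.2 10.8.0.1
# remote LAN behind site A (placeholder subnet)
route 192.168.1.0 255.255.255.0
ca ca.crt
cert siteB.crt
key siteB.key
tls-crypt ta.key
remote-cert-tls server
verify-x509-name siteA name
cipher AES-256-GCM
keepalive 10 60
persist-key
persist-tun
```

The security-relevant difference is in the middle of the second block: in SSL/TLS mode each site holds only its own private key, a lost or compromised site can be revoked at the CA without re-keying the other peer, and `remote-cert-tls` plus `verify-x509-name` stop any other certificate from the same CA from impersonating the expected peer. In pfSense terms, "tunnel network 10.8.0.0/30" on the server side corresponds to the `topology p2p` / `ifconfig` pair above.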
Cannot answer your question; I know it is being removed, but which version I do not know.
Why not move to WireGuard? Basic Site-to-Site VPN Using WireGuard and pfSense - YouTube
OpenVPN was simple to set up, but if I need to invest time then WireGuard might be the better option going forward. Faster and less bandwidth when not in use. I don’t need the VPN often; it is between work and home and a leftover from the plague closures a few years ago. I was just going to check some things from home a few nights ago and work on my lab system which is stored at work, and had all sorts of problems (most from my ISP) which led me to upgrade to pfSense 2.6.0 to see if that fixed anything, and it caused more issues. I’ll have to look into WG and see if I can make it go.
I did read more on OpenVPN and it seems that local certificates are OK; they give a run-down of creating them in the documents.
I use certs on my OpenVPN; it’s pretty straightforward to set up: set up the Cert Authority, then configure the RAS to use the CA.
The main benefit that I can see is that you can easily revoke the certs if you lose your laptop say, plus another layer of security.
I’d suggest setting it up so that you can see how it works, the effort is not so much if you are already familiar with OpenVPN on pfSense.
The OpenVPN wizard is pretty good and quick, but to be fair, WireGuard might be faster to set up. I think it comes down to preference and support on the devices you want to connect back to your firewall.
If they all support WireGuard and you want the fastest way to set them up then that would be the way to go. Otherwise OpenVPN would be the choice.