pfsense 1.2 openvpn w/ tls-auth
I really like pfsense: it makes a really good firewall, router and VPN connector, alone or together. The web interface is intuitive and the first-run wizard “just works”. I am using it to run an OpenVPN VPN.
OpenVPN comes with a feature called “TLS Auth”, which basically uses TLS to encrypt the SSL handshake between client and server. OK, that wasn’t basic: it makes saying hello safe. However, the pfsense GUI for configuring an OpenVPN server does not yet support tls-auth. As documented in the previous link, you can add custom configuration options and manually create the file until v1.3 is released.
Here’s the point: the pfsense + openvpn boot scripts write the OpenVPN configuration files and security certificates to /var/etc/openvpn_serverX.* (X being the instance number). So, for consistency, you might be inclined to create your tls-auth file as /var/etc/openvpn_serverX.tls.
DON’T!
The /var/etc folder gets cleared on reboot, which is a feature of pfsense’s PHP init scripts and, in hindsight, sensible.
So today’s lesson is: When manually specifying tls-auth support for OpenVPN on pfsense-1.2.X put the tls-auth file in /etc/openvpn_serverX.tls so that it is persistent.
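A way to check for this mistake, as an added example that is not from the original post or the pfsense project: a POSIX sh function that reads an OpenVPN config, extracts the tls-auth key path, and flags a key under /var/etc or a missing key. It goes one step beyond the post by also flagging a key that group or others can access; the function names, return codes and the config path argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit where an OpenVPN config keeps its tls-auth key.
# VOLATILE_DIR is the directory the post says is cleared on reboot.
VOLATILE_DIR="${VOLATILE_DIR:-/var/etc}"

# Print the key path from the first "tls-auth <file> [direction]" line.
# Commented-out lines (# or ;) never match because $1 differs.
tls_auth_path() {
    awk '$1 == "tls-auth" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Return codes (assumed for this example):
#   0 ok, 1 no tls-auth directive, 2 key under VOLATILE_DIR,
#   3 key file missing, 4 key accessible to group or others
check_tls_auth() {
    conf="$1"
    key=$(tls_auth_path "$conf")
    if [ -z "$key" ]; then
        echo "$conf: no tls-auth directive"; return 1
    fi
    case "$key" in
        "$VOLATILE_DIR"/*)
            echo "$key: under $VOLATILE_DIR, will not survive a reboot"
            return 2 ;;
    esac
    if [ ! -f "$key" ]; then
        echo "$key: key file missing"; return 3
    fi
    # The static key is a shared secret: no group/other permission bits.
    loose=$(find "$key" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "$key: accessible to group or others, chmod 600 it"; return 4
    fi
    echo "$key: ok"
}

# Usage: sh check_tls_auth.sh /path/to/openvpn/server/config
if [ "$#" -gt 0 ]; then
    check_tls_auth "$1"
    exit $?
fi
```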