OpenVPN Migration - Move "dhparam.pem" as well?

I am migrating my home network from Turris 1.0 to Turris Omnia and I would like my various OpenVPN client config files to keep working without having to replace them. I have moved over all files from /etc/ssl/ca/openvpn except dhparam.pem (which is a link to /usr/share/turris-cagen/dhparam.pem). Everything seems to be working fine, but I am wondering if I should also replace the dhparam.pem file. The file being a link gives me pause. What is the correct course of action? Will either replacing it with the old one or keeping the new one have unintended consequences down the line?

I went through the same migration process and solved this by copying all the config files from /etc/ssl/ca/openvpn, as well as dhparam.pem, dh2048.pem and dh-default from the folder /etc/dhparam, from Turris 1x to Omnia. Depending on the branch you use, the OpenVPN version is slightly newer than on Turris 1, so you can debug it by checking what it writes into the log with cat /var/log/messages | grep openvpn. The newer version complained slightly about old deprecated directions in /etc/config/openvpn. I think these were the ones that I updated:

option proto 'udp4'
option comp_lzo 'yes'
option topology 'subnet'

As the original configuration is made in Foris, those parameters should be updated in reForis as well so it produces the new config properly. That’s what imho should be done in TOS 6.

This option is insecure and not recommended.

Thanks for the input. Since everything seems to be working fine without moving over the DH-related stuff, it seems it’s not tied in any way to the client certificates or configurations. So I will leave my setup as is.

EDIT: I would like to postpone marking this as a solution (and thus auto-locking the thread) in case someone comes by and offers a reason to migrate DH files as well - or explicitly says it is not needed (which is my “hunch” so far).
