Samples could use `tls-crypt` over `tls-auth`? · Issue #757 · OpenVPN/openvpn · GitHub
Samples could use tls-crypt over tls-auth? #757
Open
@Matthew1471

Description

A suggestion (and no is a valid answer) but:

TLS Crypt

TLS Crypt improves upon TLS Auth by adding symmetric encryption to the control channel. This extra layer of encryption applies even to the key exchange before the TLS session starts. Like TLS Auth, it also provides protection against TLS-level attacks with post-quantum resistance if the pre-shared keys are kept secret.

Source: https://openvpn.net/as-docs/tls-control-channel.html#tls-auth

But the current samples still suggest optionally enabling tls-auth (which has the added annoyance/complication of needing to explain and set a direction). Perhaps tls-crypt would be better to include in the samples?

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey tls-auth ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
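
For anyone auditing existing configs against the point raised in this issue, here is an added example (not part of the issue and not OpenVPN project code) that reports which control-channel protection a config actually enables. It honours the `;` and `#` comment style of the quoted samples, so a commented-out `;tls-auth` line is not counted. The tokenizer is simplified, and the inputs and the file name `tc.key` are constructed for illustration.

```python
# Constructed inputs modelled on the sample lines quoted in the issue.
COMMENTED = ";tls-auth ta.key 0 # This file is secret\n"
TLS_AUTH = "proto udp\ntls-auth ta.key 0 # This file is secret\n"
TLS_CRYPT = "proto udp\ntls-crypt tc.key\n"   # tc.key is a made-up file name
INLINE = "key-direction 1\n<tls-auth>\n0123abcd\n</tls-auth>\n"

MODES = ("tls-auth", "tls-crypt", "tls-crypt-v2")
ADVICE = {
    "none": "no pre-shared-key protection on the control channel",
    "tls-auth": "control channel is HMAC-authenticated but not encrypted; "
                "tls-crypt adds encryption and needs no direction parameter",
    "tls-crypt": "control channel is authenticated and encrypted",
    "tls-crypt-v2": "control channel is authenticated and encrypted",
}

def active_directives(text):
    """Yield token lists for lines that are not commented out.

    Simplified tokenizer (assumption): whitespace split, no quote handling;
    a token starting with '#' or ';' begins a comment.
    """
    for line in text.splitlines():
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if tokens:
            yield tokens

def control_channel_protection(text):
    """Return the active protection mode, key direction and a short finding."""
    mode, direction = "none", None
    for tokens in active_directives(text):
        name = tokens[0].strip("<>")      # also matches inline <tls-auth> blocks
        if name in MODES:
            mode = name
            if name == "tls-auth" and len(tokens) > 2:
                direction = tokens[2]
        elif name == "key-direction" and len(tokens) > 1:
            direction = tokens[1]
    return {"mode": mode, "direction": direction, "finding": ADVICE[mode]}

if __name__ == "__main__":
    for label, cfg in [("commented", COMMENTED), ("tls-auth", TLS_AUTH),
                       ("tls-crypt", TLS_CRYPT), ("inline", INLINE)]:
        print(label, control_channel_protection(cfg))
```
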
