Hi Rui,

On 12/08/15 16:49, Rui Santos wrote:
> Hi all,
>
> I'm now hardening our OpenVPN Production Server.
> I've managed to harden all required aspects, except the HMAC/TLS-AUTH
> option.
>
> AFAICT, activating the HMAC extra security mechanism will force me to
> reconfigure all clients, with the risk of failure and a lot of downtime.
> The only way a client/remote network can connect is through a specific
> CCD file.
>
> Is there any way I can have this feature, but optional? Something like
> activating tls-auth on a ccd file only. This way it would be a smooth
> transition. Otherwise I would have to schedule a maintenance window,
> which would be cumbersome.
>

Nope, that is not possible: the tls-auth handshake is done at a very early stage, and a ccd file does not come into play yet.

Your only option is downtime, or to set up a second instance on a different port and migrate the clients slowly to the second instance.
HTH,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
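As an added example (not from the thread or from the OpenVPN project), the second-instance approach JJK describes as a small POSIX shell helper: it derives a tls-auth-enabled server config from the existing one, changing only what must be unique per instance on the same host, and prints the lines a migrated client needs. The file names, port 1195, the tun1 device and the 10.9.0.0/24 pool are assumptions.

```shell
# Added example: derive a second OpenVPN server instance with tls-auth from
# the existing (tls-auth-less) config, so clients can be migrated one at a
# time instead of in one maintenance window. Paths, port 1195, tun1 and the
# 10.9.0.0/24 pool are assumed values, not from the original thread.
set -eu

make_tls_auth_instance() {
    old_conf=$1   # existing server config, still serving unmigrated clients
    new_conf=$2   # config for the second instance
    new_port=$3   # must differ from the first instance's port
    ta_key=$4     # static key shared by this instance and migrated clients

    # Generate the static HMAC key once; it is copied to each migrated client.
    if [ ! -f "$ta_key" ]; then
        openvpn --genkey --secret "$ta_key"
    fi

    # Keep everything the clients depend on (ca/cert/key/dh, proto, cipher,
    # push options and the shared client-config-dir) identical, and drop only
    # the directives that must be unique per instance on the same host.
    grep -Ev '^(port|dev|server|ifconfig-pool-persist|status|log|log-append|management|tls-auth|key-direction)[[:space:]]' \
        "$old_conf" > "$new_conf"

    cat >> "$new_conf" <<EOF

# --- second instance: own port, tun device, pool and state files ---
port $new_port
dev tun1
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp-tlsauth.txt
status openvpn-status-tlsauth.log
# Direction 0 on the server, 1 on the clients.
tls-auth $ta_key 0
EOF
    # Caveat: ccd files with ifconfig-push addresses from the old pool must be
    # updated for the new subnet; iroute entries for remote networks stay valid.
}

# Lines a migrated client adds to its config (alongside a copy of ta.key).
client_fragment() {
    printf 'remote %s %s\ntls-auth ta.key 1\n' "$1" "$2"
}

# Usage: sh make-tlsauth-instance.sh server.conf server-tlsauth.conf 1195 ta.key
if [ $# -eq 4 ]; then
    make_tls_auth_instance "$@"
fi
```

Run the old and new instances side by side, move clients over one at a time by appending the client fragment (and ta.key) to each, and retire the old instance once its status log shows no remaining clients.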