Hello all, I just set up my first openvpn tunnel, and have verified it is working (I successfully accessed a remote resource via the tunnel).
I was wondering if all the security layers are correctly configured, and it seems like I did something wrong with tls-auth. I generated a tls-auth key with:

$ openvpn --genkey --secret ta.key

and have configured it on both sides of the tunnel. Now, when manually modifying the ta.key content on the client (changing existing bits for others), the tunnel can still initialize itself. When I arbitrarily add bytes to the key file, it fails to connect. Modifying *all* of the key bytes (putting "aaaa..." everywhere), the connection also fails. If the tls-auth directive is set only on one side, I get the expected message:

TLS Error: cannot locate HMAC in incoming packet from [...]

This suggests to me that only a (small?) part of the key is used. I have been able to replace full lines of the key with 'aaa[...]aaa'. Probably it's nothing I should worry about, but I thought I would just ask as it is really surprising.

Server config:
"""
mode server
proto udp
port 1194
dev tun
ca pki/ca.crt
cert pki/server.crt
key pki/server.key
dh pki/dh.pem
tls-auth pki/ta.key 0
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
comp-lzo
verb 3
mute 20
status openvpn-status.log
"""

Client config:
"""
client
dev tun
proto udp
remote mydomain.tld
resolv-retry infinite
nobind
persist-key
persist-tun
ca pki/ca.crt
cert pki/issued/client.crt
key pki/private/client.key
tls-client
tls-auth pki/ta-modified.key 1
cipher AES-256-CBC
comp-lzo
verb 3
"""

Thanks in advance for any explanation,
/ju

Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
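As an added example (not from the post, and not OpenVPN's own code), this Python script parses a ta.key file and reports whether a modification touches bytes that tls-auth actually uses. It assumes OpenVPN's static key layout (256 bytes: key 0 cipher, key 0 HMAC, key 1 cipher, key 1 HMAC, 64 bytes each), that tls-auth uses only the two HMAC parts, and that only the digest size of each part (20 bytes for the default SHA1 --auth) goes into the HMAC key; the sample key below is constructed, not a real key.

```python
import hashlib

# Assumed layout (OpenVPN's key2 structure, 64 bytes per part):
# key 0 cipher | key 0 HMAC | key 1 cipher | key 1 HMAC.
# tls-auth ignores the cipher parts; of each HMAC part only
# digest_size bytes (20 for SHA1) are used as the HMAC key.
HMAC_SLOTS = {0: 64, 1: 192}
KEY_LEN = 256

def render_static_key(raw):
    """Render 256 raw bytes the way 'openvpn --genkey --secret' does:
    16 lines of 32 hex characters between BEGIN/END markers."""
    body = "\n".join(raw[i:i + 16].hex() for i in range(0, KEY_LEN, 16))
    return ("-----BEGIN OpenVPN Static key V1-----\n" + body +
            "\n-----END OpenVPN Static key V1-----\n")

def parse_static_key(text):
    """Return the 256 raw key bytes from the contents of a ta.key file.
    Extra bytes (a longer file) are rejected, as OpenVPN rejects them."""
    hex_lines = [ln.strip() for ln in text.splitlines()
                 if ln.strip() and not ln.lstrip().startswith(("#", "-----"))]
    raw = bytes.fromhex("".join(hex_lines))
    if len(raw) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN} key bytes, got {len(raw)}")
    return raw

def hmac_keys(raw, key_direction, digest="sha1"):
    """Effective (send, receive) HMAC keys for one peer.
    Direction 0 (server, 'tls-auth ta.key 0') sends with key 0 and
    receives with key 1; direction 1 (client) is the reverse."""
    n = hashlib.new(digest).digest_size
    k0 = raw[HMAC_SLOTS[0]:HMAC_SLOTS[0] + n]
    k1 = raw[HMAC_SLOTS[1]:HMAC_SLOTS[1] + n]
    return (k0, k1) if key_direction == 0 else (k1, k0)

def used_offsets(digest="sha1"):
    """Byte offsets of the file that influence tls-auth in either direction."""
    n = hashlib.new(digest).digest_size
    return {off + i for off in HMAC_SLOTS.values() for i in range(n)}

def classify_change(original_text, modified_text, digest="sha1"):
    """Diff two key files; a change only breaks the tunnel if it hits
    an offset that is fed into one of the two HMAC keys."""
    a, b = parse_static_key(original_text), parse_static_key(modified_text)
    changed = {i for i in range(KEY_LEN) if a[i] != b[i]}
    return {"changed": sorted(changed),
            "breaks_tls_auth": bool(changed & used_offsets(digest))}
```

With SHA1 only 40 of the 256 bytes matter, so whole lines outside the HMAC parts can be overwritten without effect, while the HMAC key itself still has its full 160 bits.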