Hi,

On 15 December 2016 at 21:35, Dreetjeh D <dreet...@hotmail.com> wrote:
> So in (2), parts of the one ta.key are used.....
>
> I had a hunch when looking at the logs stating:
>
> >TLS: Initial packet from [AF_INET]............:1194, sid=XXXXXXXX XXXXXXXX<
>
> Where the X's represent the subkeys?

No, that's just a random session identifier.

> Thinking out loud, the opposite side uses two different subkeys, then four
> subkeys are derived.
>
> If so, then one cannot use two different ta.keys in the same way one can
> use client-CA and server-CA.

The tls-auth key is a symmetric key, shared amongst all servers and clients that need to be able to connect to each other. It is 2048 bits long, and divided into 4 512-bit subkeys: 2 for server-to-client crypt/auth and two for client-to-server crypt/auth. Tls-auth uses just the auth parts of these keys, and as David already described, either the same subkey is used for both directions (if no key-direction is specified), or different subkeys are used (if key-direction is specified).

The reason why you won't see many VPN providers use the tls-auth key is that it doesn't work that well with their model: they can't really trust their clients, but have to give all clients the same tls-auth key. This model works much better for company or private VPNs, where the clients can be trusted to some extent.

(I'm working on adding support for client-specific tls-auth/tls-crypt keys to fix this; you can expect a proposal on the openvpn-devel list early next year.)

-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
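The subkey split and key-direction selection Steffan describes, as an added Python example that is not from this thread or from OpenVPN's own code: it parses a "Static key V1" file into its four 512-bit subkeys, picks the auth (HMAC) subkeys for each direction, and checks whether two peers' key-direction settings actually match up. The cipher/hmac ordering of the subkeys is assumed to follow OpenVPN's struct key2 layout, and the key material is constructed for the example, not a real ta.key.

```python
from typing import NamedTuple, Optional

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
SUBKEY_LEN = 64  # 512 bits; four subkeys make up the 2048-bit key


class HmacKeys(NamedTuple):
    send: bytes
    recv: bytes


def parse_static_key(text: str) -> bytes:
    """Return the 256 raw key bytes from an OpenVPN 'Static key V1' file."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("missing BEGIN/END markers")
    hex_lines = lines[lines.index(BEGIN) + 1:lines.index(END)]
    raw = bytes.fromhex("".join(hex_lines))
    if len(raw) != 4 * SUBKEY_LEN:
        raise ValueError(f"expected {4 * SUBKEY_LEN} key bytes, got {len(raw)}")
    return raw


def tls_auth_hmac_keys(raw: bytes, key_direction: Optional[int]) -> HmacKeys:
    """Select the HMAC subkeys used for sending and receiving.

    Assumed subkey order (OpenVPN struct key2): cipher0, hmac0, cipher1, hmac1.
    tls-auth uses only the two hmac parts; the cipher parts are ignored.
    """
    hmac0 = raw[1 * SUBKEY_LEN:2 * SUBKEY_LEN]
    hmac1 = raw[3 * SUBKEY_LEN:4 * SUBKEY_LEN]
    if key_direction is None:  # no key-direction: one subkey for both directions
        return HmacKeys(send=hmac0, recv=hmac0)
    if key_direction == 0:     # normally the server
        return HmacKeys(send=hmac0, recv=hmac1)
    if key_direction == 1:     # normally the client
        return HmacKeys(send=hmac1, recv=hmac0)
    raise ValueError("key-direction must be 0, 1 or omitted")


def peers_agree(raw: bytes, dir_a: Optional[int], dir_b: Optional[int]) -> bool:
    """True if what A authenticates with is what B verifies with, and vice versa."""
    a, b = tls_auth_hmac_keys(raw, dir_a), tls_auth_hmac_keys(raw, dir_b)
    return a.send == b.recv and b.send == a.recv


def sample_key_file() -> str:
    """Constructed, non-secret 2048-bit key in the on-disk format (16 x 32 hex)."""
    raw = bytes(range(256))
    rows = [raw[i:i + 16].hex() for i in range(0, 256, 16)]
    return "\n".join(["# constructed sample, not a real ta.key", BEGIN, *rows, END]) + "\n"
```

Running `peers_agree` with both sides on key-direction 0, or one side with a key-direction and the other without, returns False, which is the mismatch behind most "TLS Error: cannot locate HMAC" style failures when ta.key is shared but the directions are not complementary.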