Hej David, thank you for your statement!
Please excuse my delay....

On 18.11.19 at 14:19, David Sommerseth wrote:
[snip]
> This just gave me a little itch. Such old routers can often have quite poor random entropy - which can result in more predictable keys. This is especially more important for keys which have longer lifetime (like key files stored to disk). So I rather suggest using a real computer to generate the keying material and then copy that file to the server/router and clients.
I had a thread about that topic on the LEAF Bering uClibc. Erich gave me the same recommendation - for a different reason. So I do (with xca).
> Now, tls-auth with a potentially weaker key will still give some protection and most likely shed off most of the troubles you have. But, theoretically at least, it can be easier to "figure out" the tls-auth key if a dedicated attacker figures out what kind of device you have and what kind of firmware it is running.
We decided to get rid of the risk by stopping the openvpnd until we did the upgrade. Glad we can afford to live without the tunnel some days....
> Other than that, Gert is absolutely right. But you should generally put some effort into upgrading ASAP. The last OpenVPN 2.0 release was somewhere around 2006-ish (over 13 years ago).
Yes. The server box (original from 2004) will be ready in some hours. After that I'll take care of the client.
Thanks again and regards,
Boris