| | 69 | |
| | 70 | == Use of --tls-auth == |
| | 71 | |
| | 72 | The `--tls-auth` option uses a static pre-shared key (PSK) that must be generated in advance and shared among all peers. This features adds "extra protection" to the TLS channel by requiring that incoming packets have a valid signature generated using the PSK key. If this key is ever changed, it must be changed on all peers at the same time (there is no support for rollover.) |
| | 73 | |
| | 74 | The primary benefit is that an unauthenticated client cannot cause the same CPU/crypto load against a server as the junk traffic can be dropped much sooner. This can aid in mitigating denial-of-service attempts. |
| | 75 | |
| | 76 | This feature by itself does not improve the TLS auth in any way, although it offers a 2nd line of defense if a future flaw is discovered in a particular TLS cipher-suite. However, it offers no protection at all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic. |
| | 77 | |
| | 78 | Generate a PSK with: |
| | 79 | {{{ |
| | 80 | openvpn --genkey --secret ta.key |
| | 81 | }}} |
| | 82 | |
| | 83 | And reference it in the configs as such. The 0/1 value is arbitrary and must be the ''opposite'' between peers (or omitted entirely.) |
| | 84 | |
| | 85 | {{{ |
| | 86 | # server-example |
| | 87 | --tls-auth ta.key 0 |
| | 88 | }}} |
| | 89 | {{{ |
| | 90 | # client-example |
| | 91 | --tls-auth ta.key 1 |
| | 92 | }}} |
