
== Use of --tls-auth ==

The `--tls-auth` option uses a static pre-shared key (PSK) that must be generated in advance and shared among all peers. This feature adds "extra protection" to the TLS channel by requiring that incoming packets carry a valid signature (HMAC) generated with the PSK. If this key is ever changed, it must be changed on all peers at the same time (there is no support for rollover).

The primary benefit is that an unauthenticated client cannot cause the same CPU/crypto load on a server, because junk traffic can be dropped much sooner, before any TLS processing. This can aid in mitigating denial-of-service attempts.

This feature by itself does not improve the TLS authentication in any way, although it offers a second line of defense if a future flaw is discovered in a particular TLS cipher-suite. However, it offers no protection at all in the event of a complete cryptographic break that allows decryption of a cipher-suite's traffic.

Generate a PSK with:
{{{
openvpn --genkey --secret ta.key
}}}

Then reference it in the configs as follows. The 0/1 value is arbitrary but must be the ''opposite'' on each peer (or omitted entirely on both).

{{{
# server-example
--tls-auth ta.key 0
}}}
{{{
# client-example
--tls-auth ta.key 1
}}}
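To illustrate why the HMAC gate is cheap DoS protection and why the 0/1 key-direction values must be opposite, here is an added Python model; it is not OpenVPN's code, and its key layout (256-byte key split into two HMAC halves, SHA-256 tags) is a simplification assumed for the demo rather than OpenVPN's exact wire format.

```python
import hashlib
import hmac
import secrets

# Simplified model (an assumption, not OpenVPN's exact wire format): the
# static key is 256 bytes and each half serves as an HMAC key. Real tls-auth
# HMACs the control-channel packet with the configured --auth digest.
KEY_LEN = 256
TAG_LEN = 32  # SHA-256 tag length, chosen for this demo

def genkey() -> bytes:
    """Stand-in for `openvpn --genkey --secret ta.key`: a random static key."""
    return secrets.token_bytes(KEY_LEN)

def hmac_keys(psk: bytes, direction):
    """Return (send_key, recv_key). Directions 0 and 1 swap the halves, so
    peers must use opposite values; None (omitted on both sides) uses one
    half both ways."""
    if len(psk) != KEY_LEN:
        raise ValueError("ta.key must be %d bytes" % KEY_LEN)
    a, b = psk[:KEY_LEN // 2], psk[KEY_LEN // 2:]
    if direction is None:
        return a, a
    return (a, b) if direction == 0 else (b, a)

def sign(psk: bytes, direction, packet: bytes) -> bytes:
    """Prepend an HMAC tag so the peer can cheaply authenticate the packet."""
    send_key, _ = hmac_keys(psk, direction)
    return hmac.new(send_key, packet, hashlib.sha256).digest() + packet

def verify(psk: bytes, direction, wire: bytes):
    """Return the packet if its tag is valid, otherwise None (drop it)."""
    _, recv_key = hmac_keys(psk, direction)
    tag, packet = wire[:TAG_LEN], wire[TAG_LEN:]
    expected = hmac.new(recv_key, packet, hashlib.sha256).digest()
    return packet if hmac.compare_digest(tag, expected) else None

def server_receive(psk: bytes, direction, incoming):
    """Gate on the HMAC first; count how many packets reach the TLS layer."""
    accepted, tls_work = [], 0
    for wire in incoming:
        packet = verify(psk, direction, wire)
        if packet is None:
            continue  # unauthenticated junk: dropped before any TLS work
        tls_work += 1  # only here would the expensive TLS processing run
        accepted.append(packet)
    return accepted, tls_work
```

Feeding the server a mix of random junk, packets signed with a different key, and one packet signed by a client using the opposite direction shows only the genuine packet reaching the TLS layer, while two peers that both use direction 0 fail to authenticate each other.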