Implicit 'tls-auth 1' in OpenVPN Client File
-
Hi,
I noticed when setting up an OpenVPN client, that ticking the option 'Enable authentication of TLS packets.' in the Web interface adds the appropriate line to the config file.
"tls-auth /var/etc/openvpn/client1.tls-auth 1"
However, it doesn't detail anywhere on the web page that '1' is going to be the number selected, and while it's an unofficial standard to use 0 for the server and 1 for the client, this isn't actually a rule (indeed you can omit a number entirely and it will still work).
I would suggest at least adding a small note on the web interface, to avoid people having to drop into config files for troubleshooting, something along the lines of:
"Enabling this option assumes your server is configured with tls-auth set to '0'"
Alternatively, adding a dropdown to select either 0 or 1 would be good.
Ref:
https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-auth
-
To my knowledge, omitting 0 and 1 from the ta.key directive will lead to the same part of the key being used for HMAC on both sides.
So I would stick to the standard, 0 and 1, to have server and client(s) use different parts of the ta.key.
-
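Added example from the editor, not code from the thread, from pfSense or from OpenVPN: it models how the direction number picks which HMAC field of ta.key each side signs with and verifies with, then checks every server/client pairing so the "same part of the key on both sides" point above can be seen rather than argued. Assumptions (labelled in the code as well): the decoded 2048-bit static key is treated as two 128-byte slots, each 64 bytes of cipher key followed by 64 bytes of HMAC key; direction 0 sends with slot 0 and receives with slot 1, direction 1 the reverse, and a missing direction uses slot 0 both ways; the HMAC key is truncated to the digest size of the `auth` algorithm; the key bytes and the packets are constructed for the example. The function and constant names are the editor's own.

```python
import hashlib
import hmac

# Assumed layout of an OpenVPN "static key V1" file once the hex body is
# decoded: 256 bytes = two key slots, each 64 bytes of cipher key followed
# by 64 bytes of HMAC key. tls-auth only ever touches the two HMAC fields.
KEY_FILE_BYTES = 256
SLOT_BYTES = 128
CIPHER_BYTES = 64
HMAC_BYTES = 64
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def parse_static_key(text):
    """Decode the hex body between the BEGIN/END markers of a ta.key file."""
    lines = [line.strip() for line in text.splitlines()]
    try:
        start = lines.index(BEGIN) + 1
        end = lines.index(END)
    except ValueError:
        raise ValueError("no static key block found")
    key = bytes.fromhex("".join(lines[start:end]))
    if len(key) != KEY_FILE_BYTES:
        raise ValueError("expected a 2048-bit OpenVPN static key")
    return key


def hmac_field(key_bytes, slot):
    """Return the 64-byte HMAC field of key slot 0 or 1 (assumed layout)."""
    start = slot * SLOT_BYTES + CIPHER_BYTES
    return key_bytes[start:start + HMAC_BYTES]


def select_hmac_keys(key_bytes, direction, auth="sha1"):
    """Map a tls-auth direction onto (send_key, recv_key).

    0    -> send with slot 0, receive with slot 1 (the usual server side)
    1    -> send with slot 1, receive with slot 0 (the usual client side)
    None -> directive given without a number; slot 0 is used both ways
    Assumption: only the first digest-size bytes of the field form the key.
    """
    n = hashlib.new(auth).digest_size
    if direction == 0:
        send, recv = 0, 1
    elif direction == 1:
        send, recv = 1, 0
    elif direction is None:
        send, recv = 0, 0
    else:
        raise ValueError("direction must be 0, 1 or None")
    return hmac_field(key_bytes, send)[:n], hmac_field(key_bytes, recv)[:n]


def tag(key, packet, auth="sha1"):
    """HMAC tag a peer would attach to (or check on) a control packet."""
    return hmac.new(key, packet, auth).digest()


def sides_agree(key_bytes, server_dir, client_dir):
    """True only if traffic in BOTH directions verifies on the receiving peer."""
    s_send, s_recv = select_hmac_keys(key_bytes, server_dir)
    c_send, c_recv = select_hmac_keys(key_bytes, client_dir)
    down = b"constructed control packet, server->client"
    up = b"constructed control packet, client->server"
    ok_down = hmac.compare_digest(tag(s_send, down), tag(c_recv, down))
    ok_up = hmac.compare_digest(tag(c_send, up), tag(s_recv, up))
    return ok_down and ok_up


def pairing_table(key_bytes):
    """Every (server direction, client direction) combination and its result."""
    dirs = [0, 1, None]
    return {(s, c): sides_agree(key_bytes, s, c) for s in dirs for c in dirs}


# Constructed, deterministic key material so the run is reproducible.
# Never use a key like this in a real deployment.
DEMO_KEY = bytes(range(256))
DEMO_KEY_FILE = "\n".join(
    ["#", "# 2048 bit OpenVPN static key (constructed for this example)", "#", BEGIN]
    + [DEMO_KEY.hex()[i:i + 32] for i in range(0, 512, 32)]
    + [END]
) + "\n"

if __name__ == "__main__":
    key = parse_static_key(DEMO_KEY_FILE)
    for (s, c), ok in pairing_table(key).items():
        print(f"server {s!s:>4}  client {c!s:>4}  ->  {'OK' if ok else 'DROPPED'}")
```

Run as-is it prints nine rows; only server 0/client 1, server 1/client 0 and no number on both sides come out OK, which is the point of the reply above: a side with a number and a side without, or the same number on both, leaves one direction unverifiable. Pointing `parse_static_key` at a real ta.key works the same way. When the key is inlined in a `<tls-auth>` block instead of referenced by path, the number is carried by the separate `key-direction` directive.
-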
I don't have a particular issue with using 1/0 with the option, but I do still believe that it should be noted which is enabled. I've read the unofficial docs and checked against the OpenVPN man pages I could find, which detail the 'direction' under the --secret option; however, they don't specify (that I can see) that there is an "official" standard.
Indeed, in at least one configuration I've come across in the wild, it was the other way around.
I'm only after helping people to not have to crack open the shell to determine which config parameter is set.
-
I should point out that I'm happy to be proven wrong on this, and hopefully this post will show up on a few searches in the future for others that are having a similar issue. :)