
Author Topic: Implicit 'tls-auth 1' in OpenVPN Client File  (Read 604 times)


Simnol

  • Guest
Implicit 'tls-auth 1' in OpenVPN Client File
« on: January 21, 2017, 05:18:00 am »
Hi,

I noticed, when setting up an OpenVPN client, that ticking the option 'Enable authentication of TLS packets.' in the Web interface adds the appropriate line to the config file.

"tls-auth /var/etc/openvpn/client1.tls-auth 1"

However, it doesn't detail anywhere on the web page that '1' is going to be the number selected, and while it's an unofficial standard to use 0 for the server and 1 for the client, this isn't actually a rule (indeed you can omit a number entirely and it will still work).

I would suggest at least adding a small note on the web interface, to avoid people having to drop into config files for troubleshooting, something along the lines of:

"Enabling this option assumes your server is configured with tls-auth set to '0'"

Alternatively, adding a dropdown to select either 0 or 1 would be good.

Ref:

https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-auth

Pippin

  • Full Member
  • ***
  • Posts: 241
  • Karma: +22/-3
Re: Implicit 'tls-auth 1' in OpenVPN Client File
« Reply #1 on: January 21, 2017, 06:02:43 am »
To my knowledge, omitting 0 and 1 from the ta.key directive will lead to the same part of the key being used for HMAC on both sides.

So I would stick to the standard, 0 and 1, to have server and client(s) use different parts of the ta.key.

2.3.2-RELEASE (amd64) - GB N3150N-D3V
"There must be someone with intelligence in the party"
"Well, that rules you out Pippin"
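To make the key-half point concrete, here is an added example (not code from this thread, from pfSense or from OpenVPN) that models how OpenVPN picks the tls-auth HMAC key from a 2048-bit static key for direction 0, direction 1 and no direction, and checks which server/client pairings verify each other's packets. The key bytes and the packet are constructed; the slot layout (two slots of 64 bytes cipher + 64 bytes HMAC) follows OpenVPN's static key format.

```python
import hmac
import hashlib

# Constructed 256-byte static key standing in for a real ta.key such as
# /var/etc/openvpn/client1.tls-auth (which stores these bytes as hex).
TA_KEY = b"".join(hashlib.sha512(b"constructed slot %d" % i).digest() for i in range(4))
TA_KEY_TEXT = "-----BEGIN OpenVPN Static key V1-----\n" + "\n".join(
    TA_KEY[i:i + 16].hex() for i in range(0, 256, 16)) + "\n-----END OpenVPN Static key V1-----\n"

def parse_static_key(text):
    """Extract the 256 key bytes from the 'Static key V1' text format."""
    hexlines = [l.strip() for l in text.splitlines()
                if l.strip() and not l.startswith(("-----", "#"))]
    raw = bytes.fromhex("".join(hexlines))
    if len(raw) != 256:
        raise ValueError("expected a 2048-bit static key")
    return raw

def hmac_keys(raw, direction, digest=hashlib.sha1):
    """Return (send_key, recv_key) as OpenVPN selects them for tls-auth.

    Layout: slot0 = cipher[0:64] + hmac[64:128], slot1 = cipher[128:192] + hmac[192:256].
    direction 0   -> send with slot0, receive with slot1
    direction 1   -> send with slot1, receive with slot0
    no direction  -> slot0 for both (what an omitted number gives you)
    Only the first digest-size bytes of the HMAC slot are used.
    """
    slots = [raw[64:128], raw[192:256]]
    out_slot, in_slot = {0: (0, 1), 1: (1, 0), None: (0, 0)}[direction]
    n = digest().digest_size
    return slots[out_slot][:n], slots[in_slot][:n]

def interoperate(raw, server_dir, client_dir):
    """True if each side's tls-auth HMAC verifies on the other side."""
    s_send, s_recv = hmac_keys(raw, server_dir)
    c_send, c_recv = hmac_keys(raw, client_dir)
    pkt = b"\x38constructed-control-packet"  # constructed sample packet
    s2c = hmac.new(s_send, pkt, hashlib.sha1).digest()
    c2s = hmac.new(c_send, pkt, hashlib.sha1).digest()
    return (hmac.compare_digest(s2c, hmac.new(c_recv, pkt, hashlib.sha1).digest())
            and hmac.compare_digest(c2s, hmac.new(s_recv, pkt, hashlib.sha1).digest()))

def same_key_both_ways(raw, direction):
    """True when one HMAC key covers both send and receive (Pippin's point)."""
    send, recv = hmac_keys(raw, direction)
    return send == recv
```

Running it shows 0/1 and 1/0 both work with distinct keys per direction, omitting the number works but with one shared key, and 0/0 or a mixed 0/omitted pairing fails.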

Simnol

  • Guest
Re: Implicit 'tls-auth 1' in OpenVPN Client File
« Reply #2 on: January 21, 2017, 02:51:32 pm »
I don't have a particular issue with using 1/0 with the option, but I do still believe that it should be noted which is enabled. I've read the unofficial docs and checked against the OpenVPN man pages I could find, which detail the 'direction' under the --secret option; however, they don't specify (that I can see) that there is an "official" standard.

Indeed, in at least one configuration I've come across in the wild, it was the other way around.

I'm only after helping people to not have to crack open the shell to determine which config parameter is set.

Simnol

  • Guest
Re: Implicit 'tls-auth 1' in OpenVPN Client File
« Reply #3 on: January 21, 2017, 02:54:58 pm »
I should point out that I'm happy to be proven wrong on this, and hopefully this post will show up on a few searches in the future for others that are having a similar issue. :)