Hi Antonio,

On 04/06/18 04:15, Antonio Quartulli wrote:
> Hi all,
>
> On 02/06/18 11:42, Antonio Quartulli wrote:
>> Different VPN servers may use different tls-auth keys. For this
>> reason it is convenient to make tls-auth a per-connection-block
>> option so that the user is allowed to specify one key per remote.
>>
>> If no tls-auth option is specified in a given connection block,
>> the global one, if any, is used.
>>
>> Trac: #720
>> Cc: Steffan Karger <stef...@karger.me>
>> Signed-off-by: Antonio Quartulli <a...@unstable.cc>
>
> As reported by Steffan on IRC, this feature breaks when using
> "--persist-key".
> It happens because, when moving to the next connection block, OpenVPN
> won't load the new tls-auth key and therefore will trigger an assertion.
>
> After further discussing this issue, it was agreed that we have two main
> options to tackle this issue:
>
> 1) pre-load all the tls-auth keyfiles (as if they were embedded in the
> config file)
> 2) make per-connection-block tls-auth keys mutually exclusive with
> --persist-key
>
> While point 2) would be the easiest option and would require the least
> amount of code, we believe that 1) is still the best from the user
> perspective and from the option semantics point of view (as it would not
> lead to any behaviour change).
>
> Therefore a v2 patch will be sent implementing approach 1).


This is a very interesting patch! And I agree, approach 1) is the way to go, as we've been advising people to use "persist-key" for a looong time now.

What's the particular use case for putting tls-auth files in connection blocks?  Does it apply only to tls-auth/tls-crypt files or also the certificate/private keys?  I could see a use case for that as well...

JM2CW,

JJK
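As an added illustration (not code from the patch or from OpenVPN itself), a small Python resolver for the option semantics described in the commit message: a connection block's own tls-auth wins, otherwise the global one is used, and approach 1) from the thread amounts to collecting every such key file so it can be read up front. The config text and key file names are constructed for the example.

```python
"""Resolve the effective tls-auth key for each <connection> block of an
OpenVPN client config, following the semantics in the patch description."""

# Constructed sample config; key file names are placeholders, not real files.
SAMPLE_CONFIG = """\
client
persist-key
tls-auth ta-default.key 1
<connection>
remote vpn-a.example.net 1194 udp
tls-auth ta-a.key 1
</connection>
<connection>
remote vpn-b.example.net 443 tcp
</connection>
"""


def parse_config(text):
    """Split a config into global options and a list of connection blocks.
    Each is a dict mapping an option name to its argument list."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line == "<connection>":
            current = {}
            continue
        if line == "</connection>":
            blocks.append(current)
            current = None
            continue
        name, *args = line.split()
        (global_opts if current is None else current)[name] = args
    return global_opts, blocks


def effective_tls_auth(global_opts, block):
    """Per-block tls-auth overrides the global one; None if neither is set."""
    args = block.get("tls-auth", global_opts.get("tls-auth"))
    return args[0] if args else None


def resolve(text):
    """Return [(remote_host, effective_keyfile), ...], one per block."""
    global_opts, blocks = parse_config(text)
    return [(b["remote"][0], effective_tls_auth(global_opts, b)) for b in blocks]


def keyfiles_to_preload(text):
    """Approach 1): every distinct key file that must be loaded before the
    first connection, rather than when a later block is entered."""
    return sorted({key for _, key in resolve(text) if key})
```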


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel