> On 26/07/15 15:48, [email protected] wrote:
>> What is the difference in using "keys" for
>> "tls-auth"
>> versus
>> "secret"?
>
> The --secret option is used to set up a peer-to-peer tunnel using a static
> shared secret. If you are new to OpenVPN, I'd advise you to first start with
> --secret to get a functional tunnel and then upgrade it to a TLS based setup,
> with PKI and your own CA.
>
> The --tls-auth option is used to enable an additional packet authentication on
> top of the --client/--server mode, which uses public/private key pairs with
> certificates (so-called PKI and TLS mode). Using --tls-auth is highly
> recommended, as it can reduce the attack vector considerably if new security
> issues are found in the SSL libraries (OpenSSL or PolarSSL/mbedTLS). And if
> coupled with the UDP protocol, the UDP port will not be detected during
> drive-by port scans.

I had a setup operating until a few days ago where OpenVPN Connect clients in tablet and phone would establish a working connection with a server in ASUS RT-66R router running Merlin's ASUS-wrt firmware 376.49. I THOUGHT that was operating with tls-auth AND ca/cert/keys. At least it did connect; how it was truly working, I am now not sure (see below).

After being strongly urged to update the FW to 378.55, do the necessary factory reset, then re-enter all router settings, I found that I could no longer get connections...and am stymied on repair (having about 2% of complete VPN understanding). Old techie; NOT VPN literate.

More detail and configs are here: https://forums.openvpn.net/topic19333.html

I am getting so much feedback about this and that being wrong (when the same config worked before) that I don't even know where to start. Frustrated, to say the least, moving from a working config to an unfixable, not working one with almost the same config (client ovpn export did change the client ovpn a bit-- maybe there is a new OpenVPN in the new FW?)
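
Added example, not part of the original message and not OpenVPN's own code: a small Python check that reads an OpenVPN config and reports whether it is in static-key mode (`secret`), TLS mode, or TLS mode with `tls-auth`, including the key direction that server and client must agree on. The sample configs, host name and file names are constructed placeholders.

```python
import re

# Constructed sample configs (not from the thread); hosts and file names are placeholders.
STATIC_KEY_CONF = "dev tun\nremote vpn.example.net 1194\nsecret static.key\n"
TLS_CONF = ("client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
            "ca ca.crt\ncert client.crt\nkey client.key\n")
TLS_AUTH_INLINE_CONF = TLS_CONF + ("key-direction 1\n<tls-auth>\n"
                                   "(constructed placeholder, key material omitted)\n"
                                   "</tls-auth>\n")

def directives(text):
    """Return {option: [args]} for plain directives and inline <option> blocks."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                          # inside <option> ... </option>: skip body
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:                               # start of an inline file block
            inline = m.group(1)
            found[inline] = ["[inline]"]
            continue
        name, *args = line.split()
        found[name] = args
    return found

def classify(text):
    """Name the authentication mode a config selects."""
    d = directives(text)
    tls = any(k in d for k in ("client", "server", "tls-client", "tls-server"))
    if "secret" in d and tls:
        return "conflict: secret (static key) mixed with TLS mode"
    if "secret" in d:
        return "static-key"
    if tls and "tls-auth" in d:
        # Direction is the second tls-auth argument, or key-direction for inline keys.
        args = d["tls-auth"]
        direction = args[1] if len(args) > 1 else d.get("key-direction", ["none"])[0]
        return f"tls+tls-auth(direction={direction})"
    return "tls" if tls else "unknown"

if __name__ == "__main__":
    for conf in (STATIC_KEY_CONF, TLS_CONF, TLS_AUTH_INLINE_CONF):
        print(classify(conf))
```

Running `classify` on both the server config and the exported client config shows at a glance whether the two ends select the same mode and complementary key directions (for example 0 on one side and 1 on the other).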
