Hi,

On 26/07/15 19:21, [email protected] wrote:
>> On 26/07/15 15:48, [email protected] wrote:
>>> What is the difference in using "keys" for "tls-auth" versus "secret"?
>>
>> The --secret option is used to set up a peer-to-peer tunnel using a static
>> shared secret. If you are new to OpenVPN, I'd advise you to first start with
>> --secret to get a functional tunnel and then upgrade it to a TLS based setup,
>> with PKI and your own CA.
>>
>> The --tls-auth option is used to enable an additional packet authentication
>> on top of the --client/--server mode, which uses public/private key pairs
>> with certificates (so-called PKI and TLS mode). Using --tls-auth is highly
>> recommended, as it can reduce the attack vector considerably if new security
>> issues are found in the SSL libraries (OpenSSL or PolarSSL/mbedTLS). And if
>> coupled with the UDP protocol, the UDP port will not be detected during
>> drive-by port scans.
>
> I had a setup operating until a few days ago where OpenVPN Connect clients in
> tablet and phone would establish a working connection with a server in ASUS
> RT-66R router running Merlin's ASUS-wrt firmware 376.49. I THOUGHT that was
> operating with tls-auth AND ca/cert/keys. At least it did connect; how it
> was truly working, I am now not sure (see below).
>
> After being strongly urged to update the FW to 378.55, do the necessary
> factory reset, then re-enter all router settings, I found that I could no
> longer get connections...and am stymied on repair (having about 2% of
> complete vpn understanding). Old techie; NOT vpn literate.
>
> More detail and configs are here:
> https://forums.openvpn.net/topic19333.html
>
> I am getting so many feedbacks about this and that being wrong (when same
> config worked before) that I don't even know where to start.
>
> Frustrated to say the least moving from a working config to an unfixable, not
> working with almost same config
> (client ovpn export did change the client ovpn a bit--
> maybe there is a new OpenVPN in the new FW?)
>

openwrt/dd-wrt versions of openvpn are always tricky, mostly due to WRT, not
openvpn. As for your setup, your GUI screenshot on the forum clearly states:

  Authorization mode: static key

that is the reason that openvpn decides to use --secret. It might very well be
that the firmware update+reset set the authorization mode to 'static key'.

I'm not even going to start about the fact that static keys have nothing to do
with authorization ...

JJK
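
One way to check which of the two modes discussed in this thread a config file actually selects, as an added example that is not part of the original messages. The function name `ovpn_mode`, the sample file names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which OpenVPN mode a config file selects.
# Output: static-key | tls+tls-auth | tls | mixed | unknown
ovpn_mode() {
    awk '
        { sub(/[#;].*/, "") }                      # strip config comments
        $1 == "secret"   || $1 == "<secret>"   { s = 1 }   # --secret: static shared key
        $1 == "tls-auth" || $1 == "<tls-auth>" { a = 1 }   # extra packet authentication
        $1 == "ca" || $1 == "<ca>" || $1 == "client" || $1 == "server" ||
        $1 == "tls-client" || $1 == "tls-server" { t = 1 } # PKI / TLS mode
        END {
            if (s && t)      print "mixed"         # directives of both modes present
            else if (s)      print "static-key"
            else if (t && a) print "tls+tls-auth"
            else if (t)      print "tls"
            else             print "unknown"
        }' "$1"
}

# Constructed sample configs (addresses and file names are placeholders).
make_samples() {
    cat > "$1/static.conf" <<'EOF'
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key        # static key mode
EOF
    cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
;secret static.key       (commented out, must be ignored)
tls-auth ta.key 1
EOF
}

dir=$(mktemp -d)
make_samples "$dir"
for f in "$dir/static.conf" "$dir/client.ovpn"; do
    printf '%s: %s\n' "${f##*/}" "$(ovpn_mode "$f")"
done
rm -rf "$dir"
```

Running it against both the server config and the exported client config shows quickly whether one side is in static-key mode while the other expects TLS with certificates.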
