Hi Julien,

On 19/08/15 17:46, Julien Malik wrote:
> Hello all,
>
> I just set up my first openvpn tunnel, and have verified it is working
> (I successfully accessed a remote resource via the tunnel).
>
> I was wondering if all the security layers are correctly configured, and
> it seems like I did something wrong with tls-auth.
>
> I generated a tls-auth key with:
> $ openvpn --genkey --secret ta.key
> and have configured it on both sides of the tunnel.
>
> Now, when manually modifying the ta.key content on the client (changing
> existing bits to others), the tunnel can still initialize itself.
> When I arbitrarily add bytes to the key file, it fails to connect.
> Modifying *all* of the key bytes (putting "aaaa..." everywhere), the
> connection fails also.
> If the tls-auth directive is set only on one side, I get the expected
> message:
> TLS Error: cannot locate HMAC in incoming packet from [...]
>
> This suggests to me that only a (small?) part of the key is used. I have
> been able to replace full lines of the key with 'aaa[...]aaa'.
> Probably it's nothing I should worry about, but I thought I would just
> ask as it is really surprising.
>
you're not the first one to ask this question:
https://community.openvpn.net/openvpn/wiki/327-changed-hex-bytes-in-the-static-key-the-key-still-connects-to-a-remote-peer-using-the-original-key

HTH,
JJK

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
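An added illustration of the behaviour Julien describes (not part of the thread or of OpenVPN's own code): a small script that parses a "Static key V1" file, marks which byte ranges tls-auth actually feeds into the HMAC, and checks whether editing a given byte changes the tag on a packet. It assumes the 256-byte layout of OpenVPN's key2 structure (two keys, each 64 cipher bytes then 64 HMAC bytes), the default SHA1 digest (20-byte HMAC key), and uses a constructed key and packet rather than real `openvpn --genkey` output.

```python
import hashlib
import hmac
import re

# Assumed byte layout of an OpenVPN "Static key V1" file (256 bytes), following
# OpenVPN's key2 struct: two 128-byte keys, each a 64-byte cipher key followed
# by a 64-byte HMAC key. --tls-auth uses only the HMAC halves, and only the
# first digest-size bytes of each (20 for the default --auth SHA1). Without
# --key-direction, key 0 is used for both directions, so key 1 is never read.
KEY_SLOT, CIPHER_LEN = 128, 64
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"

def parse_static_key(text):
    """Return the 256 raw key bytes from a ta.key file body."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("not an OpenVPN Static key V1 file")
    raw = bytes.fromhex("".join(m.group(1).split()))
    if len(raw) != 2 * KEY_SLOT:
        raise ValueError(f"expected 256 key bytes, got {len(raw)}")
    return raw

def used_ranges(key_direction=None, digest="sha1"):
    """Half-open byte ranges of the file that tls-auth feeds into the HMAC."""
    n = hashlib.new(digest).digest_size
    slots = (0,) if key_direction is None else (0, 1)
    return [(s * KEY_SLOT + CIPHER_LEN, s * KEY_SLOT + CIPHER_LEN + n) for s in slots]

def packet_tag(raw, packet, digest="sha1"):
    """HMAC tag a sender using key slot 0 would attach to a control packet."""
    a, b = used_ranges(None, digest)[0]
    return hmac.new(raw[a:b], packet, digest).digest()

def corrupt_byte(raw, offset):
    """Flip every bit of one byte, simulating a hand edit of the key file."""
    return raw[:offset] + bytes([raw[offset] ^ 0xFF]) + raw[offset + 1:]

def edit_changes_tag(text, offset, packet=b"constructed sample packet"):
    """True if editing byte `offset` of the key file changes the HMAC tag."""
    raw = parse_static_key(text)
    return packet_tag(raw, packet) != packet_tag(corrupt_byte(raw, offset), packet)

# Constructed sample key: deterministic bytes standing in for `openvpn --genkey` output.
SAMPLE_RAW = bytes((i * 37 + 11) & 0xFF for i in range(256))
SAMPLE_KEY_FILE = BEGIN + "\n" + "\n".join(
    SAMPLE_RAW[i:i + 16].hex() for i in range(0, 256, 16)) + "\n" + END + "\n"

if __name__ == "__main__":
    print("bytes used (bidirectional, SHA1):", used_ranges())
    for off in (0, 64, 83, 84, 200):
        print(f"byte {off:3d}: tag changes = {edit_changes_tag(SAMPLE_KEY_FILE, off)}")
```

Each 32-hex-character line of the file holds 16 bytes, so with SHA1 and no key-direction only lines 5 and 6 of the sixteen contribute to the tag, which is why whole lines can be overwritten without breaking the handshake.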