puppet-openvpn

key direction should be specified in client config

Open merlijn-sebrechts opened this issue 8 years ago • 2 comments

When I specify tls_auth in the client config, the key-direction isn't put in the client config.

openvpn::client { 'myclient':
 server        => 'myserver',
 remote_host   => '192.168.0.1',
 port          => '443',
 proto         => 'tcp',
 tls_auth      => 'true',
}

The resulting client config contains the PSK (tls-auth), but not the key-direction. Connecting a client with that config to the server results in an HMAC error. Putting key-direction 0 in the client config fixes this issue.

The following is a workaround:

openvpn::client { 'myclient':
 server        => 'myserver',
 remote_host   => '192.168.0.1',
 port          => '443',
 proto         => 'tcp',
 tls_auth      => 'true',
 custom_options => {
   "key-direction" => "1",
 },
}

merlijn-sebrechts, Feb 03 '17 17:02

Support for tls-crypt, which does not require key-direction, could be added too. tls-crypt is mutually exclusive with tls-auth and enciphers TLS packets with a shared key, making it impossible to intercept certificate exchange without this shared key. tls-crypt was added in OpenVPN 2.4.

ghost, Feb 12 '17 09:02
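A small lint for the problem in the original report and the tls-crypt point in the comment above, added here as an example and not code from puppet-openvpn: it parses an OpenVPN client config, flags tls-auth that carries no key direction (OpenVPN accepts it either as the second argument of tls-auth or as a separate key-direction line), rejects tls-auth combined with tls-crypt, and accepts tls-crypt on its own. The sample config and its key bytes are constructed.

```python
# Constructed sample (not from the page): the client config the issue describes,
# with an inline tls-auth key but no key-direction. Key bytes are placeholders.
BROKEN_CLIENT_CONFIG = """\
client
dev tun
proto tcp
remote 192.168.0.1 443
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse_directives(text):
    """Return [(name, args)]; an inline <name>...</name> block becomes (name, [])."""
    directives, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':          # blank or comment line
            continue
        if in_block:                              # skip key material inside a block
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith('<') and line.endswith('>'):
            in_block = line[1:-1]
            directives.append((in_block, []))
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives

def check_tls_key_direction(text):
    """Return a list of problems; an empty list means the config is consistent."""
    d = parse_directives(text)
    names = {n for n, _ in d}
    problems = []
    if 'tls-auth' in names and 'tls-crypt' in names:
        problems.append('tls-auth and tls-crypt are mutually exclusive')
    elif 'tls-auth' in names:
        # direction is the 2nd tls-auth argument (tls-auth ta.key 1) or a key-direction line
        dirs = [a[1] for n, a in d if n == 'tls-auth' and len(a) > 1]
        dirs += [a[0] for n, a in d if n == 'key-direction' and a]
        if not dirs:
            problems.append('tls-auth present but no key-direction (must mirror the server: 0 there, 1 here)')
        elif any(x not in ('0', '1') for x in dirs):
            problems.append('key-direction must be 0 or 1')
    return problems
```

Running the check over the module's generated client config before deploying it catches the HMAC failure at build time rather than at first connection.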

+1

caiohasouza, Aug 29 '17 15:08