
Samples could use `tls-crypt` over `tls-auth`?

Open Matthew1471 opened this issue 7 months ago • 0 comments

A suggestion (and no is a valid answer) but:

TLS Crypt

TLS Crypt improves upon TLS Auth by adding symmetric encryption to the control channel. This extra layer of encryption applies even to the key exchange before the TLS session starts. Like TLS Auth, it also provides protection against TLS-level attacks with post-quantum resistance if the pre-shared keys are kept secret.

Source: https://openvpn.net/as-docs/tls-control-channel.html#tls-auth

But the current samples still suggest optionally enabling tls-auth (which has the added annoyance/complication of needing to explain and set a direction). Perhaps tls-crypt would be better to include in the samples?

https://github.com/OpenVPN/openvpn/blob/c2776ee0ff03832bb2213ebd19e9a14d37445bed/sample/sample-config-files/server.conf#L247-L258

https://github.com/OpenVPN/openvpn/blob/c2776ee0ff03832bb2213ebd19e9a14d37445bed/sample/sample-config-files/client.conf#L111-L113

Matthew1471, Jun 01 '25 16:06
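
The direction complication raised in the issue, shown as a small config check. This is an added example, not code from the issue author or the OpenVPN project; the function names `control_channel` and `review` are hypothetical and the sample configs are constructed. It compares a server and client config and flags `tls-auth` use and direction mistakes that `tls-crypt` (which takes no direction argument) avoids.

```python
import shlex

# Constructed sample configs (not copied from the OpenVPN sample files).
SERVER_AUTH = "tls-auth ta.key 0 # This file is secret\n"
CLIENT_AUTH = "tls-auth ta.key 1\n"
CLIENT_WRONG_DIR = "tls-auth ta.key 0\n"
BOTH_CRYPT = ";tls-auth ta.key 0\ntls-crypt ta.key\n"

def control_channel(conf_text):
    """Return (mode, direction): mode is 'tls-auth', 'tls-crypt', 'both' or None;
    direction is the tls-auth/key-direction value ('0', '1') or None."""
    mode, direction = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # whole-line comments
            continue
        tokens = shlex.split(line, comments=True)  # drops trailing "# ..." comments
        if not tokens:
            continue
        name, args = tokens[0], tokens[1:]
        if name.startswith("<") and not name.startswith("</"):
            name = name.strip("<>")                # inline <tls-auth> / <tls-crypt> block
        if name in ("tls-auth", "tls-crypt"):
            mode = name if mode in (None, name) else "both"
            if name == "tls-auth" and len(args) > 1:
                direction = args[1]
        elif name == "key-direction" and args:
            direction = args[0]
    return mode, direction

def review(server_text, client_text):
    """Compare the two peers' control-channel settings and list findings."""
    s_mode, s_dir = control_channel(server_text)
    c_mode, c_dir = control_channel(client_text)
    findings = []
    if "both" in (s_mode, c_mode):
        findings.append("tls-auth and tls-crypt are mutually exclusive")
    elif s_mode != c_mode:
        findings.append("peers disagree on tls-auth vs tls-crypt")
    elif s_mode == "tls-auth":
        findings.append("tls-auth in use: control channel is not encrypted; consider tls-crypt")
        if {s_dir, c_dir} not in ({"0", "1"}, {None}):
            findings.append("tls-auth direction mismatch: use 0/1 on opposite peers or omit on both")
    return findings

if __name__ == "__main__":
    for client in (CLIENT_AUTH, CLIENT_WRONG_DIR):
        print(review(SERVER_AUTH, client))
    print(review(BOTH_CRYPT, BOTH_CRYPT))
```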