Hi all,

On 02/06/18 11:42, Antonio Quartulli wrote:
> Different VPN servers may use different tls-auth keys. For this
> reason it is convenient to make tls-auth a per-connection-block
> option so that the user is allowed to specify one key per remote.
>
> If no tls-auth option is specified in a given connection block,
> the global one, if any, is used.
>
> Trac: #720
> Cc: Steffan Karger <stef...@karger.me>
> Signed-off-by: Antonio Quartulli <a...@unstable.cc>

As reported by Steffan on IRC, this feature breaks when using "--persist-key".

It happens because, when moving to the next connection block, OpenVPN won't load the new tls-auth key and therefore will trigger an assertion.

After further discussing this issue, it was agreed that we have two main options to tackle it:

1) pre-load all the tls-auth keyfiles (as if they were embedded in the config file)
2) make per-connection-block tls-auth keys mutually exclusive with --persist-key

While point 2) would be the easiest option and would require the least amount of code, we believe that 1) is still the best from the user perspective and from the option semantics point of view (as it would not lead to any behaviour change).

Therefore a v2 patch will be sent implementing approach 1).

Cheers,

--
Antonio Quartulli