Re: [Openvpn-devel] two tls-auth questions
Mr Dash Four wrote:

>>> Is there a way to generate a symmetric ta.key without using "openvpn --genkey --secret ta.key"?

>> yep, just use any freeform key that has enough entropy. For example, this ta.key file is good enough
>>
>>   ]# cat mykey
>>   garble warble we need lots of entropy

> So, in theory, I could use, for example, openssl to generate any key, encode it in pem format and use that as raw material (i.e. a sequence of printable characters), is that correct?

>> It is NOT possible to use the direction parameter for this

> You mean the digit which goes after tls-auth - i.e. 0 or 1?

yep

>>> Is it possible to embed the contents of the above file in my openvpn config file in a similar fashion as it is done with the tag for example? If so, what tag should I use for this?

>> in theory you could do this using tls-auth [inline] but this seems to work only for --genkey keys; so it's either a freeform key or an inline , not both. I think you actually may have found a (minor) bug.

> What is the meaning of "inline"? If I use how do I specify the digit (0 or 1)?

the first statement tls-auth [inline] tells openvpn to look for an inline version of the tls-auth file; this inline version is contained in the blob. you can use tls-auth [inline] 0|1 to specify a direction, but as I said, that works only for 'openvpn --genkey' generated keys.

HTH,
JJK
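The reply above says the direction digit and inline embedding work only for 'openvpn --genkey' keys. As an added example (not from the thread or the OpenVPN project), this shell code writes a key in that file layout from /dev/urandom and checks whether a given file is in that layout or is a free-form file. The function names are hypothetical, and the layout assumed is the one --genkey writes: 256 random bytes as 16 lines of hex between the "OpenVPN Static key V1" markers.

```sh
#!/bin/sh
# Added example; make_static_key, write_static_key and is_static_key are
# hypothetical helper names, not OpenVPN commands.

BEGIN_MARK='-----BEGIN OpenVPN Static key V1-----'
END_MARK='-----END OpenVPN Static key V1-----'

# Print a 2048-bit key: 256 bytes from the kernel CSPRNG as 16 lines of
# 32 hex digits, wrapped in the static-key markers.
make_static_key() {
    hex=$(head -c 256 /dev/urandom | od -An -v -tx1 | tr -dc '0-9a-f' | fold -w 32)
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        "$BEGIN_MARK" "$hex" "$END_MARK"
}

# Write the key to $1, readable by the owner only.
write_static_key() {
    ( umask 077 && make_static_key > "$1" )
}

# Succeed only if $1 holds exactly 512 hex digits between the markers.
# Anything else (such as the thread's "mykey" text file) is a free-form
# file, for which the direction digit cannot be used.
is_static_key() {
    body=$(sed -n "/^$BEGIN_MARK\$/,/^$END_MARK\$/{/^-----/!p;}" "$1" | tr -d ' \r\n')
    case $body in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#body}" -eq 512 ]
}
```

Typical use is `write_static_key ta.key` on one host, copying the file to the peer over a secure channel, then `is_static_key ta.key` on both sides before adding a direction digit to the tls-auth line.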
Re: [Openvpn-devel] two tls-auth questions
>> Is there a way to generate a symmetric ta.key without using "openvpn --genkey --secret ta.key"?

> yep, just use any freeform key that has enough entropy. For example, this ta.key file is good enough
>
>   ]# cat mykey
>   garble warble we need lots of entropy

So, in theory, I could use, for example, openssl to generate any key, encode it in pem format and use that as raw material (i.e. a sequence of printable characters), is that correct?

> It is NOT possible to use the direction parameter for this

You mean the digit which goes after tls-auth - i.e. 0 or 1?

>> Is it possible to embed the contents of the above file in my openvpn config file in a similar fashion as it is done with the tag for example? If so, what tag should I use for this?

> in theory you could do this using tls-auth [inline] but this seems to work only for --genkey keys; so it's either a freeform key or an inline , not both. I think you actually may have found a (minor) bug.

What is the meaning of "inline"? If I use how do I specify the digit (0 or 1)?

Thanks.
Re: [Openvpn-devel] two tls-auth questions
Mr Dash Four wrote:

> Is there a way to generate a symmetric ta.key without using "openvpn --genkey --secret ta.key"?

yep, just use any freeform key that has enough entropy. For example, this ta.key file is good enough

  ]# cat mykey
  garble warble we need lots of entropy

when openvpn starts you'll see something

  Control Channel Authentication: using '/etc/openvpn/cookbook/mykey' as a free-form passphrase file

It is NOT possible to use the direction parameter for this

> Is it possible to embed the contents of the above file in my openvpn config file in a similar fashion as it is done with the tag for example? If so, what tag should I use for this?

in theory you could do this using tls-auth [inline] but this seems to work only for --genkey keys; so it's either a freeform key or an inline , not both. I think you actually may have found a (minor) bug.

cheers,
JJK
[Openvpn-devel] two tls-auth questions
Is there a way to generate a symmetric ta.key without using "openvpn --genkey --secret ta.key"?

Is it possible to embed the contents of the above file in my openvpn config file in a similar fashion as it is done with the tag for example? If so, what tag should I use for this?