Does not support connecting to server that does not use tls-auth #36
Comments
this is correct. if you're looking for static pre-shared keys mode, please take a look at #11 (which I'm working on, re-started my efforts yesterday evening).
or is there some other authentication mode you'd like to have support for? if it is static pre-shared keys (
no, I am talking about the optional HMAC signature. When a server does not have that enabled, and it is enabled on the client, the client cannot connect. https://openvpn.net/community-resources/hardening-openvpn-security/ packet format here: https://build.openvpn.net/doxygen/network_protocol.html
ok, and do you actively use such a configuration?
I don't actively use such a configuration but it's quite common to have OpenVPN configured that way: Here is 1 example, checking some other ones to see how they are configured:
another example: https://0xacab.org/leap/bitmask-vpn/-/blob/master/helpers/bitmask-root#L133 How bitmask works is, you connect to some HTTP API server, which will then give you a client certificate that allows you to connect to OpenVPN.
I also think there's value in skipping the computational + bandwidth overhead for an essentially useless HMAC with a global key shared amongst all users. This used to be useful for two things:
With no
It's not possible to connect to a server that does not use tls-auth.
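An added illustration (not code from this project or from any commenter) of why both ends must agree on tls-auth: the control-channel header carries no flag saying whether the HMAC and replay packet-id fields are present, so a peer expecting the other layout misreads every following field. It follows the control packet layout in the OpenVPN network protocol document linked in the thread, assumes a 20-byte HMAC-SHA1 digest, and uses a constructed packet with a placeholder instead of a real HMAC; all function names are hypothetical.

```python
import struct

OPCODE_HARD_RESET_CLIENT_V2 = 7                   # P_CONTROL_HARD_RESET_CLIENT_V2
SESSION_ID = bytes.fromhex("0102030405060708")    # constructed sample value

def build_hard_reset(hmac_len=0):
    """Build a client hard-reset packet; hmac_len=0 means no tls-auth."""
    pkt = bytes([OPCODE_HARD_RESET_CLIENT_V2 << 3 | 0]) + SESSION_ID
    if hmac_len:
        # Placeholder bytes stand in for the HMAC (constructed, not a real
        # digest), followed by the replay packet-id and net_time.
        pkt += bytes(range(0xA0, 0xA0 + hmac_len))
        pkt += struct.pack(">II", 1, 1700000000)
    pkt += b"\x00"                    # ACK array length: no ACKs
    pkt += struct.pack(">I", 0)       # message packet-id
    return pkt

def parse_control(pkt, hmac_len=0):
    """Parse a control header, assuming the given tls-auth layout."""
    off = 0
    def take(n):
        nonlocal off
        if off + n > len(pkt):
            raise ValueError(f"truncated: need {n} bytes at offset {off}")
        chunk = pkt[off:off + n]
        off += n
        return chunk
    first = take(1)[0]
    out = {"opcode": first >> 3, "key_id": first & 0x07,
           "session_id": take(8)}
    if hmac_len:                      # fields present only with tls-auth
        out["hmac"] = take(hmac_len)
        out["replay_id"], out["net_time"] = struct.unpack(">II", take(8))
    n_acks = take(1)[0]
    out["acks"] = [struct.unpack(">I", take(4))[0] for _ in range(n_acks)]
    if n_acks:
        out["remote_session_id"] = take(8)
    out["message_id"] = struct.unpack(">I", take(4))[0]
    out["payload"] = pkt[off:]
    return out

def layouts_agree(pkt, hmac_len):
    """True if pkt parses cleanly under the receiver's assumed layout."""
    try:
        parse_control(pkt, hmac_len)
        return True
    except ValueError:
        return False
```
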