On my OpenVPN server I generate a pfs.key file (perfect forward secrecy) using the command openvpn --genkey --secret pfs.key. My client configuration file includes this pfs.key file (as does the server configuration file), so my question is: is it 'safe' to give clients the generated pfs.key file? I.e. would giving clients the pfs.key file be of any concern in terms of security?

The client config includes the pfs.key file like so:

tls-auth /path/to/pfs.key
Best Answer
You are using the keys in the wrong way if the key you generate with easyrsa gen-dh is being used in the tls-auth line. The file you generate with easyrsa gen-dh only needs to be added to the server configuration via the dh dh.pem configuration line. https://security.stackexchange.com/questions/42415/openvpn-dhparam

The key you use for tls-auth should have been generated using a command like openvpn --genkey --secret ta.key
https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-auth

Your key used for tls-auth should be kept as secret as possible. The clients that connect must know it, but you don't want to hand it out to people that shouldn't have access. This is a shared secret. It isn't actually required for OpenVPN to be secure, it just adds an additional layer of authentication.
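As an added example (not part of the answer above), the script below checks the two things that usually go wrong with a shared tls-auth key: the key file being readable by more than its owner, and the server and client configs using mismatched key directions. The key it writes is constructed filler in the layout `openvpn --genkey --secret` produces, not real key material; the function names are my own.

```shell
# Added example (not from the original post): sanity-check a tls-auth static key
# and the configs that reference it. The key written here is constructed filler;
# real keys come only from `openvpn --genkey --secret ta.key`.
# Mimic the layout openvpn --genkey produces: comment header, BEGIN line, 16 lines of 32 hex chars, END line.
make_sample_key() {
  line=0123456789abcdef0123456789abcdef   # filler, not key material
  {
    printf '#\n# 2048 bit OpenVPN static key\n#\n'
    echo '-----BEGIN OpenVPN Static key V1-----'
    i=0; while [ "$i" -lt 16 ]; do echo "$line"; i=$((i + 1)); done
    echo '-----END OpenVPN Static key V1-----'
  } > "$1"
  chmod 600 "$1"   # shared secret: no group/world access
}
# Return 0 if the key is owner-only and structurally a static key.
check_static_key() {
  key="$1"
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    600|400) ;;
    *) echo "$key: mode $mode, expected 600 (shared secret)"; return 1 ;;
  esac
  grep -qx -- '-----BEGIN OpenVPN Static key V1-----' "$key" || { echo "$key: no BEGIN line"; return 1; }
  grep -qx -- '-----END OpenVPN Static key V1-----' "$key" || { echo "$key: no END line"; return 1; }
  n=$(grep -Ec '^[0-9a-fA-F]{32}$' "$key")
  [ "$n" -eq 16 ] || { echo "$key: expected 16 hex lines, found $n"; return 1; }
}
# Print the key direction a config selects: the optional third argument of
# tls-auth, a key-direction line, or "none" (bidirectional mode).
tls_auth_direction() {
  awk '$1 == "tls-auth" && $3 != "" { d = $3 }
       $1 == "key-direction"        { d = $2 }
       END { print (d == "" ? "none" : d) }' "$1"
}
# Both ends share one key file, but directions must be complementary
# (server 0, client 1) or omitted on both; a mismatch breaks the handshake.
check_directions() {
  s=$(tls_auth_direction "$1"); c=$(tls_auth_direction "$2")
  case "$s/$c" in
    0/1|none/none) return 0 ;;
    *) echo "key direction mismatch: server=$s client=$c"; return 1 ;;
  esac
}
# Demo on constructed files
tmp=$(mktemp -d); make_sample_key "$tmp/ta.key"
printf 'tls-auth %s 0\n' "$tmp/ta.key" > "$tmp/server.conf"
printf 'tls-auth %s 1\n' "$tmp/ta.key" > "$tmp/client.ovpn"
check_static_key "$tmp/ta.key" && check_directions "$tmp/server.conf" "$tmp/client.ovpn" && echo "tls-auth setup consistent"
rm -rf "$tmp"
```

Run it against your real ta.key and both configs by replacing the demo paths; the checks only read the files and never print key contents.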