Security Differences Between tls-crypt and tls-auth in OpenVPN 2.4

openvpnSecurityssl

I was reading and tls-crypt and was curious would that increase security and reduce the chance of keys being compromised during handshakes and that it offers better security over tls-auth?

Maybe someone could better explain tls-auth and tls-crypt and how they improve security?

my current client file:

client
tls-client
dev tun
proto udp
remote 1.2.3.4 9999
<ca>
</ca>
<cert>
</cert>
<key>
</key>
pull
auth-nocache 
cipher AES-256-CBC
keysize 256
compress lz4-v2
reneg-sec 36000
keepalive 30 120

Best Answer

TLS Handshake can be more or less broken down into following steps:

Clients sends "client hello" to server, along with client's random value and supported cipher suite.
Server responds "server hello" to client, along with server's random value and chosen ciper suite.
Server sends its certificate to client for authentication.
Client verifies server identity.
Client creates a random pre-master secret and encrypts it with the public key from the server's certificate.
Client sends the encrypted pre-master secret to server.
Server MAY request certificate from client if required.
Both server and client generate the session key based on the pre-master secret.
The server and client can now exchange encrypted messages using the session key.

The difference between tls-auth and tls-crypt is that starting from step 1, tls-crypt will encrypt all messages with a pre-shared key.

This provides several benefits:

It hides the initialization of a TLS handshake with a OpenVPN server. This is helpful in some situations when OpenVPN protocol signature is detected and blocked.
It prevents TLS denial of service attacks. With tls-auth the attacker can open thousands of TLS connections simultaneously but not provide a valid certificate, jamming the available ports. With tls-crypt the server would reject the connection up-front at step 1.
Data is encrypted twice, once by tls-crypt and once by the TLS session.

Related Solutions

Openvpn – Problems setting up a VPN: can connect but can’t ping anyone

There seems to be two error is your config:

The Route Push config statement in the Server config should not contain the gateway address:

push "route 192.168.0.0 255.255.255.0"
The route command on the client side is not needed if you push the routes out to the client via the push config statement.

OpenVPN connection from within 2nd subnet in office

As it said, add a float option to the client config and try again.

--float

Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client.

Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.

Best Answer

Related Solutions

Openvpn – Problems setting up a VPN: can connect but can’t ping anyone

OpenVPN connection from within 2nd subnet in office

Related Topic