Server Config
tls-server
proto udp4
dev tun1
port 444
ifconfig 172.16.25.1 172.16.25.2
pkcs12 piserver.p12
dh dh4096-2.pem
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
#auth sha256
cipher AES-256-GCM
verb 3
tls-crypt static-2.key
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
auth-nocache
log-append /etc/openvpn/openvpn-2.log
And here is the client config:
Client config
port 10999
proto udp4
tls-client
remote hostname.domainname 444
dev tun0
ifconfig 172.16.25.2 172.16.25.1
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
cipher AES-256-GCM
auth SHA256
pkcs12 piclient.p12
tls-crypt static.key
remote-cert-tls server
auth-nocache
verb 3
log-append /etc/openvpn/openvpn.log
The server is running OpenVPN 2.4.4 on Debian stretch, and the client is a Raspberry Pi running stretch lite with OpenVPN 2.4.0. Here are the weird TLS messages in the log file on the server:
Sat Dec 16 22:43:43 2017 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Sat Dec 16 22:43:43 2017 TLS: tls_multi_process: untrusted session promoted to semi-trusted
I have a similar setup running on a Windows machine and it does not show these messages. I'm unsure what they mean, but I didn't figure "untrusted" and "semi-trusted" were necessarily a good thing. I'm still a bit rusty with OpenVPN and am not clear what trusted/untrusted means; I think it may be linked to my use of tls-crypt. Can anyone help me figure out what those messages mean and whether they need action?
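As an added example that is not part of the original post, here is a small cross-check of the server/client pair quoted above for the directive mismatches that are worth ruling out before reading further into the handshake messages. The directive values are copied from the post; the parser and the set of checks are my own, not OpenVPN's.

```python
# Added example, not from the post: cross-check an OpenVPN server/client config pair
# for mismatches to rule out first. Directive values are copied from the post.
SERVER_CONF = """tls-server
proto udp4
port 444
ifconfig 172.16.25.1 172.16.25.2
#auth sha256
cipher AES-256-GCM
tls-crypt static-2.key
"""
CLIENT_CONF = """proto udp4
tls-client
remote hostname.domainname 444
ifconfig 172.16.25.2 172.16.25.1
cipher AES-256-GCM
tls-crypt static.key
remote-cert-tls server
"""

def parse(conf):
    """Directive name -> list of argument lists ('#' and ';' lines are comments)."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            name, *args = line.split()
            out.setdefault(name, []).append(args)
    return out

def check_pair(server, client):
    """Return human-readable mismatches between a server and a client config."""
    f = []
    s_if, c_if = server.get("ifconfig", [[]])[0], client.get("ifconfig", [[]])[0]
    if s_if[::-1] != c_if:  # client's ifconfig must mirror the server's pair
        f.append(f"ifconfig not mirrored: server {s_if} vs client {c_if}")
    remote = client.get("remote", [["?"]])[0]
    c_port = remote[1] if len(remote) > 1 else "1194"  # OpenVPN's default port
    if server.get("port", [["1194"]])[0][0] != c_port:
        f.append(f"port mismatch: server 'port' vs client 'remote' port {c_port}")
    if server.get("cipher") != client.get("cipher"):
        f.append("data-channel 'cipher' differs between server and client")
    if ("tls-crypt" in server) != ("tls-crypt" in client):
        f.append("tls-crypt must be configured on both ends or on neither")
    elif "tls-crypt" in server and server["tls-crypt"][0] != client["tls-crypt"][0]:
        f.append(f"tls-crypt key files are named differently ({server['tls-crypt'][0][0]} "
                 f"vs {client['tls-crypt'][0][0]}); confirm both hold the same key")
    if "remote-cert-tls" not in client:
        f.append("client lacks 'remote-cert-tls server'")
    return f
```

On the post's own values the only finding is the differently named tls-crypt key files, which is harmless if both files contain the same key and fatal to the control channel if they do not.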