try to understand the combination of tls-crypt & certificates & DH in OpenVPN

1. tls-crypt is used to encrypt and authenticate control channel packets. Is it also used to encrypt and authenticate data channel packets? If so, is it used to encrypt and authenticate all packets in the whole VPN connection?
2. Certificates can be used to do encryption & verify identity, while DH can be used to do encryption only. Since certificates can do encryption, why does OpenVPN still need DH? If DH is used to do encryption in OpenVPN because it provides forward secrecy, then are certificates used to sign & verify packets only? Is that for the control channel only? This link explains a little, but still not enough -- https://security.stackexchange.com/ques ... tes-and-dh.
3. If DH is used to generate a secret key, does OpenVPN then use that secret key to derive the cipher key & HMAC key for the data channel?
OpenVpn Newbie (Posts: 14, Joined: Fri Nov 12, 2021 11:05 am)
OpenVPN Protagonist (Posts: 11137, Joined: Fri Jun 03, 2016 1:17 pm)
Re: try to understand the combination of tls-crypt & certificates & DH in OpenVPN

All certificates and keys are only used to establish the initial connection. After that, all fresh keys are generated for the control and data channels. If you set your log to --verb 7, the log will show those keys.
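The reply's point, that the certificates only get the connection established and the data channel then runs on freshly derived keys, can be made concrete. The following is an added example, not code from the forum post or from the OpenVPN project: it models the classic OpenVPN 2.x "key method 2" derivation. Once the TLS handshake (where the certificates are verified) is done, the client sends a 48-byte pre-master secret and two 32-byte random values inside the TLS session, the server answers with two random values of its own, and both sides run the TLS 1.0 PRF twice to expand this into 256 bytes of data-channel key material, split into a cipher key and an HMAC key for each direction. The PRF labels, field sizes and direction assignment follow OpenVPN's ssl.c; `simulate_handshake`, `fixed_rand` and the deterministic sample inputs are mine and exist only so the example runs offline. Two caveats a practitioner should keep in mind: the pre-master secret travels inside the TLS session, so whether a later leak of the certificate's private key exposes past data-channel keys depends on the TLS cipher suite having used (EC)DHE, which is where DH (or `dh none` with ECDH) enters the picture; and newer OpenVPN versions can negotiate TLS exported keying material instead of this PRF, so what a `--verb 7` log shows may come from that path.

```python
import hashlib  # noqa: F401  (md5/sha1 are reached through hmac's digestmod names)
import hmac
import os

# Sizes as used by OpenVPN key method 2: struct key holds a 64-byte cipher
# key field and a 64-byte HMAC key field; struct key2 holds two of them.
PRE_MASTER_LEN = 48
RANDOM_LEN = 32
SESSION_ID_LEN = 8
MAX_CIPHER_KEY_LEN = 64
MAX_HMAC_KEY_LEN = 64
KEY_LEN = MAX_CIPHER_KEY_LEN + MAX_HMAC_KEY_LEN   # one direction, 128 bytes
KEY2_LEN = 2 * KEY_LEN                            # both directions, 256 bytes


def p_hash(hash_name, secret, seed, out_len):
    """TLS 1.0 P_hash expansion (RFC 2246 section 5)."""
    out = b""
    a = hmac.new(secret, seed, hash_name).digest()       # A(1)
    while len(out) < out_len:
        out += hmac.new(secret, a + seed, hash_name).digest()
        a = hmac.new(secret, a, hash_name).digest()       # A(i+1)
    return out[:out_len]


def tls1_prf(secret, label, seed, out_len):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the
    second half (the halves overlap by one byte for odd-length secrets)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, out_len)
    sha1_part = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def derive_data_channel_keys(pre_master, client_random1, server_random1,
                             client_random2, server_random2,
                             client_sid, server_sid):
    """Key method 2: pre-master + random1 -> master secret; master + random2 +
    session IDs -> 256 bytes of data-channel key material (cipher + HMAC per
    direction). No certificate key is an input here; those only authenticated
    the TLS session that carried these values."""
    master = tls1_prf(pre_master, b"OpenVPN master secret",
                      client_random1 + server_random1, PRE_MASTER_LEN)
    expansion = tls1_prf(master, b"OpenVPN key expansion",
                         client_random2 + server_random2 + client_sid + server_sid,
                         KEY2_LEN)
    key0, key1 = expansion[:KEY_LEN], expansion[KEY_LEN:]
    # keys[0] is what the client encrypts/signs with, keys[1] what the server
    # uses; the server applies the inverse key direction and so swaps them.
    return {
        "client_to_server": {"cipher": key0[:MAX_CIPHER_KEY_LEN],
                             "hmac": key0[MAX_CIPHER_KEY_LEN:]},
        "server_to_client": {"cipher": key1[:MAX_CIPHER_KEY_LEN],
                             "hmac": key1[MAX_CIPHER_KEY_LEN:]},
    }


def fixed_rand(start=0):
    """Constructed deterministic 'random' source for the demo only (assumption:
    a real peer uses a CSPRNG such as os.urandom)."""
    counter = [start]

    def rand(n):
        out = bytes((counter[0] + i) & 0xFF for i in range(n))
        counter[0] += n
        return out
    return rand


def simulate_handshake(rand=os.urandom):
    """Both peers compute the same keys from the values they exchanged inside
    the TLS session. Returns (client's view, server's view)."""
    # Client-generated values: the client is the only side that sends a pre-master.
    c_pre_master, c_random1, c_random2, c_sid = (
        rand(PRE_MASTER_LEN), rand(RANDOM_LEN), rand(RANDOM_LEN), rand(SESSION_ID_LEN))
    # Server-generated values: two randoms plus its session ID from the header.
    s_random1, s_random2, s_sid = rand(RANDOM_LEN), rand(RANDOM_LEN), rand(SESSION_ID_LEN)
    args = (c_pre_master, c_random1, s_random1, c_random2, s_random2, c_sid, s_sid)
    return derive_data_channel_keys(*args), derive_data_channel_keys(*args)


def aes256_key(view, direction):
    """A cipher such as AES-256-GCM uses only the first 32 bytes of the 64-byte
    cipher field; the rest of the field is unused by that cipher."""
    return view[direction]["cipher"][:32]


if __name__ == "__main__":
    client_view, server_view = simulate_handshake(fixed_rand())
    assert client_view == server_view
    print("client->server AES-256 key:", aes256_key(client_view, "client_to_server").hex())
    print("server->client AES-256 key:", aes256_key(client_view, "server_to_client").hex())
    # A renegotiation (e.g. --reneg-sec) repeats the exchange with new values
    # and yields unrelated keys, the "fresh keys" the reply refers to.
    renegotiated, _ = simulate_handshake(fixed_rand(1))
    assert renegotiated != client_view
```

Run it as a script to see one pair of derived AES-256 keys and confirm that a renegotiation with different exchanged values produces different key material; pass `os.urandom` (the default) instead of `fixed_rand()` to see non-deterministic output.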