Trying to understand the combination of tls-crypt & certificates & DH in OpenVPN

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

alex.tls
OpenVpn Newbie
Posts: 14
Joined: Fri Nov 12, 2021 11:05 am

Trying to understand the combination of tls-crypt & certificates & DH in OpenVPN

Post by alex.tls » Sat Nov 27, 2021 6:02 am

1. tls-crypt is used to encrypt and authenticate control channel packets; is it also used to encrypt and authenticate data channel packets? If so, is it used to encrypt and authenticate every packet for the whole VPN connection?

2. A certificate can be used for encryption and to verify identity; DH can be used for encryption only. Since a certificate can do encryption, why does OpenVPN still need DH? If DH is used for encryption in OpenVPN because it provides forward secrecy, is the certificate then used only to sign and verify packets? Is it for the control channel only? This link explains a little, but still not enough -- https://security.stackexchange.com/ques ... tes-and-dh.

3. If DH is used to generate a secret key, does OpenVPN then use that secret key to derive the cipher key and HMAC key for the data channel?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Trying to understand the combination of tls-crypt & certificates & DH in OpenVPN

Post by TinCanTech » Sat Nov 27, 2021 2:35 pm

All certificates and keys are only used to establish the initial connection. After that all fresh keys are generated from control and data channels. If you set your log to --verb 7 then the log will show those keys.
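Added example (not from this thread, and not OpenVPN's own code or key schedule): a Go sketch of the division of labour the reply describes, covering points 2 and 3 of the question. A long-term identity key pair (Ed25519 here, standing in for the certificate and its private key) does nothing but sign each side's freshly generated ephemeral public value; the ephemeral exchange (X25519, standing in for DH) produces a secret that exists only for this connection; separate cipher and HMAC keys are then derived from that secret with HKDF, a stand-in for the TLS key derivation OpenVPN actually uses. All type and function names, the transcript construction and the label strings are the example's own; tls-crypt (point 1) is not modelled.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Peer holds the only long-lived secret a side has: an identity key pair.
// It stands in for the certificate/private key in an OpenVPN config.
type Peer struct {
	IdentityPub  ed25519.PublicKey
	identityPriv ed25519.PrivateKey
}

// NewPeer generates a long-term identity key pair (done once, like issuing a cert).
func NewPeer() (*Peer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{IdentityPub: pub, identityPriv: priv}, nil
}

// HandshakeMsg is a constructed control-channel message: a fresh ephemeral
// public value plus the sender's signature over it.
type HandshakeMsg struct {
	EphemeralPub []byte
	Signature    []byte
}

// SessionKeys are the per-connection data-channel keys derived from the
// ephemeral DH secret; the identity key never appears in them.
type SessionKeys struct {
	CipherKey []byte
	HMACKey   []byte
}

// hkdfSHA256 derives n bytes (n <= 32) from secret using salt and a label
// (HKDF extract followed by a single expand block, RFC 5869).
func hkdfSHA256(secret, salt []byte, label string, n int) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte(label))
	expand.Write([]byte{1})
	return expand.Sum(nil)[:n]
}

// Start makes a new ephemeral X25519 key for this connection and signs its
// public value with the identity key. The signature is the certificate's whole
// contribution: it proves whom the ephemeral value belongs to.
func (p *Peer) Start() (*ecdh.PrivateKey, HandshakeMsg, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, HandshakeMsg{}, err
	}
	pub := eph.PublicKey().Bytes()
	return eph, HandshakeMsg{EphemeralPub: pub, Signature: ed25519.Sign(p.identityPriv, pub)}, nil
}

// Finish checks the peer's signature against the peer's known identity key,
// computes the DH shared secret and derives separate cipher and HMAC keys.
func Finish(eph *ecdh.PrivateKey, peerIdentity ed25519.PublicKey, msg HandshakeMsg, transcript []byte) (SessionKeys, error) {
	if !ed25519.Verify(peerIdentity, msg.EphemeralPub, msg.Signature) {
		return SessionKeys{}, errors.New("peer identity check failed")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(msg.EphemeralPub)
	if err != nil {
		return SessionKeys{}, err
	}
	secret, err := eph.ECDH(peerPub)
	if err != nil {
		return SessionKeys{}, err
	}
	return SessionKeys{
		CipherKey: hkdfSHA256(secret, transcript, "data channel cipher key", 32),
		HMACKey:   hkdfSHA256(secret, transcript, "data channel hmac key", 32),
	}, nil
}

// RunSession plays one client/server connection and returns the keys each side
// derived. Every call uses new ephemeral keys, so the keys differ per session
// even though the identity keys stay the same (forward secrecy).
func RunSession(client, server *Peer) (SessionKeys, SessionKeys, error) {
	cEph, cMsg, err := client.Start()
	if err != nil {
		return SessionKeys{}, SessionKeys{}, err
	}
	sEph, sMsg, err := server.Start()
	if err != nil {
		return SessionKeys{}, SessionKeys{}, err
	}
	// Both sides salt the derivation with the same transcript (client || server).
	transcript := append(append([]byte{}, cMsg.EphemeralPub...), sMsg.EphemeralPub...)
	cKeys, err := Finish(cEph, server.IdentityPub, sMsg, transcript)
	if err != nil {
		return SessionKeys{}, SessionKeys{}, err
	}
	sKeys, err := Finish(sEph, client.IdentityPub, cMsg, transcript)
	if err != nil {
		return SessionKeys{}, SessionKeys{}, err
	}
	return cKeys, sKeys, nil
}

func main() {
	client, err := NewPeer()
	if err != nil {
		panic(err)
	}
	server, err := NewPeer()
	if err != nil {
		panic(err)
	}
	// Two connections between the same identities yield unrelated keys.
	k1, _, _ := RunSession(client, server)
	k2, _, _ := RunSession(client, server)
	fmt.Printf("session 1 cipher key prefix: %x\n", k1.CipherKey[:8])
	fmt.Printf("session 2 cipher key prefix: %x\n", k2.CipherKey[:8])
}
```

Running it twice between the same two Peer values prints different key prefixes each time, which is the point of the reply: the identity keys only authenticate the handshake, and a log at high verbosity would show the derived per-session keys rather than anything from the certificates.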
