Hi, I've been trying to understand a bit more of how the OpenVPN protocol works and I'm hoping someone can clear up some confusion.
When I run my server on verb 7 I am able to see the 256 bit HMAC key used to sign and verify packets for the control channel (I am using SHA256, with no key direction specified so the same key is used both ways).
According to the community resource on the OpenVPN protocol the HMAC is a:
signature of entire encapsulation header for integrity
I took a look at the packets sent from my client when I connect to the server to see if I can match the HMAC, but I am unsure as to what the "encapsulation header" is referring to. I understand the idea of encapsulation in packets, but I've tried using headers from the lower layers, as well as all of the headers combined, but have had no luck matching it. I've also tried using just the opcode/key_id, as the same OpenVPN protocol resource says this is used in UDP (I probably should have said I'm using UDP) before the payload, but still no luck. What exact data in the packet is used with my key to produce the HMAC used for static key authentication shown below?
I've tried looking at the OpenVPN source and, despite finding where the HMAC is applied in tls-auth, I can't locate the exact logic used to calculate it, so any help would be greatly appreciated.
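As an added example (not from the original post or from the OpenVPN project), here is a Python sketch of the bytes OpenVPN's tls-auth signs for a UDP control packet: the HMAC field is cut out of the wire packet and the packet_id/net_time prefix is moved in front of the opcode byte and session id, so the HMAC input is packet_id || net_time || opcode/key_id || session_id || rest-of-packet. It assumes HMAC-SHA256 (32-byte tag) and the long-form packet id that tls-auth always uses; the key, session id and packet id below are constructed sample values.

```python
import hashlib
import hmac
import struct

HMAC_LEN = 32  # HMAC-SHA256 tag length, as with "auth SHA256"
HDR_LEN = 1 + 8  # opcode/key_id byte + 8-byte session id
PID_LEN = 4 + 4  # packet_id + net_time (long-form packet id)

# Constructed sample key (32 bytes); in practice this is the HMAC key
# OpenVPN prints at verb 7 for the tls-auth control channel.
SAMPLE_KEY = bytes(range(0x10, 0x30))


def split_tls_auth(packet: bytes) -> tuple[bytes, bytes]:
    """Return (hmac_from_wire, bytes_that_were_signed) for one control packet.

    Wire layout: opcode/key_id (1) | session_id (8) | HMAC (32) | packet_id (4) | net_time (4) | rest
    Signed bytes: packet_id (4) | net_time (4) | opcode/key_id (1) | session_id (8) | rest
    """
    if len(packet) < HDR_LEN + HMAC_LEN + PID_LEN:
        raise ValueError("packet too short for a tls-auth control packet")
    header = packet[:HDR_LEN]
    mac = packet[HDR_LEN:HDR_LEN + HMAC_LEN]
    pid = packet[HDR_LEN + HMAC_LEN:HDR_LEN + HMAC_LEN + PID_LEN]
    rest = packet[HDR_LEN + HMAC_LEN + PID_LEN:]
    return mac, pid + header + rest


def verify_tls_auth(packet: bytes, key: bytes) -> bool:
    """True if the wire HMAC matches HMAC-SHA256 over the reordered bytes."""
    mac, signed = split_tls_auth(packet)
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def build_tls_auth(opcode: int, key_id: int, session_id: bytes,
                   packet_id: int, net_time: int, rest: bytes, key: bytes) -> bytes:
    """Build a signed control packet the way the sender lays it out."""
    header = bytes([(opcode << 3) | (key_id & 0x07)]) + session_id
    pid = struct.pack("!II", packet_id, net_time)
    mac = hmac.new(key, pid + header + rest, hashlib.sha256).digest()
    return header + mac + pid + rest


def example_packet() -> bytes:
    # Opcode 7 = P_CONTROL_HARD_RESET_CLIENT_V2; constructed session id and
    # packet id; "rest" is an empty ack array (0) plus a message packet id (0).
    return build_tls_auth(7, 0, b"\xaa" * 8, 1, 0x5f000000,
                          b"\x00" + b"\x00\x00\x00\x00", SAMPLE_KEY)
```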