HMAC authentification

Use this forum to share your VPN or network disasters. Show diagrams, traffic graphs, or whatever else you need (a video of you letting the 'smoke' out of our network gear).
Post Reply
OpenVpn Newbie
Posts: 1
Joined: Sun May 13, 2018 9:59 pm

HMAC authentification

Post by M_Kalash » Sun May 13, 2018 10:20 pm


I'm new to cryptography, and i'm using OpenVPN in pfsense. I've read a lot on the internet about HMAC, and found out that it is used as a signature sent along with data to provide authenticity. What i also read, is that HMAC uses 2 keys derived from the master key, which was generated during the key exchanges under SSL/TLS handshake.
So here is my question, what does tls authentication option do then? This is the description provided:
A TLS key enhances security of an OpenVPN connection by requiring both parties to have a common key before a peer can perform a TLS handshake. This layer of HMAC authentication allows control channel packets without the proper key to be dropped, protecting the peers from attack or unauthorized connections.The TLS Key does not have any effect on tunnel data.
This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel.
This confuses me. do we generate 2 HMAC signatures? one before the handshake and one during the handshake? or do we use 1 method and drops the other?

User avatar
Forum Team
Posts: 799
Joined: Wed Jul 01, 2015 8:03 am

Re: HMAC authentification

Post by Pippin » Mon May 14, 2018 12:49 pm

Please see --tls-auth file [direction] in manual 2.4 for a bit more explanation: ... n24ManPage

Post Reply