Been running openvpn for years with many clients in the field. Now want to tighten security and one item is to enable tls-auth. As far as I can tell, one must enable tls-auth at both ends simultaneously. This is a problem for me as users don't have access to client.conf. I would need as admin to remote access the clients and update client.conf manually. It is logistically impossible to do this for all clients at once. If I enable tls-auth on the server, then all clients that do not have tls-auth enabled stop working. If I enable tls-auth on the client without doing so on the server this doesn't work either.
Is there a way or unseen config option that ALLOWS tls-auth to be present without REQUIRING it?
Thanks,
Perazim
tls-auth question
- gladiatr72
- Forum Team
- Posts: 194
- Joined: Mon Dec 13, 2010 3:51 pm
- Location: Lawrence, KS
Re: tls-auth question
Hello,
Unfortunately not. I was in the process of suggesting the use of client-specific configurations, but after reviewing the man page, tls-auth isn't one of the supported options.
It makes sense as adding tls-auth is kind of an edge case, but still:
What I would suggest is this: a second openvpn instance. You can bind it to port 1195 or some such--the only configuration difference would be the presence of the tls-auth directive. With this, you'd just need to adjust the port on the remote directive for your new configuration.
Once you've got all your clients adjusted, take down the non-tls-auth instance and voila. You're where you want to be.
Regards,
Stephen
[...] I used to think it was awful that life was so unfair. [...] Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole
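The parallel-instance migration described in the answer, as an added example that is not part of the thread: two shell functions that derive the second (tls-auth) server config from the existing one and rewrite a client config to match. It goes one step beyond the answer by also giving the second instance its own address pool, since two server instances must not hand out the same client IPs. The sample config, the file name ta.key (assumed to come from `openvpn --genkey --secret ta.key`) and the ports are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build the parallel tls-auth server
# instance the answer describes, plus the matching client.conf edit.
# Assumed: the shared key is named ta.key; the config below is constructed.

# Constructed sample of an existing server.conf without tls-auth.
SERVER_CONF='port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0'

# Emit the second-instance config: same settings, new port ($2), its own
# address pool ($3, so both instances never assign the same client IP), and
# tls-auth enforced. A config that already has tls-auth is echoed unchanged.
make_tls_auth_server() {
    if printf '%s\n' "$1" | grep -q '^tls-auth '; then
        printf '%s\n' "$1"
        return 0
    fi
    printf '%s\n' "$1" | sed -e "s/^port [0-9][0-9]*$/port $2/" \
                             -e "s/^server [0-9.][0-9.]* /server $3 /"
    printf 'tls-auth ta.key 0\n'   # key direction 0 on the server side
}

# Rewrite a client config: point `remote` at the new port ($2) and add the
# client-side key direction. Run this on each client as it is migrated.
make_tls_auth_client() {
    printf '%s\n' "$1" | sed -E "s/^(remote [^ ]+) [0-9]+$/\1 $2/"
    printf 'tls-auth ta.key 1\n'   # key direction 1 on the client side
}

# Demo: print the config for the second instance on port 1195.
make_tls_auth_server "$SERVER_CONF" 1195 10.8.1.0
```

Once every client's `remote` line points at the new port, the original instance on 1194 can be stopped, as the answer says.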