
tls-auth question

Posted: Tue Dec 21, 2010 8:10 am
by perazim
Been running openvpn for years with many clients in the field. Now want to tighten security and one item is to enable tls-auth. As far as I can tell, one must enable tls-auth at both ends simultaneously. This is a problem for me as users don't have access to client.conf. I would need as admin to remote access the clients and update client.conf manually. It is logistically impossible to do this for all clients at once. If I enable tls-auth on the server, then all clients that do not have tls-auth enabled stop working. If I enable tls-auth on the client without doing so on the server this doesn't work either.

Is there a way or unseen config option that ALLOWS tls-auth to be present without REQUIRING it?

Thanks,

Perazim

Re: tls-auth question

Posted: Thu Dec 23, 2010 12:33 pm
by gladiatr72
Hello,

Unfortunately not. I was in the process of suggesting the use of client-specific configurations, but after reviewing the man page, tls-auth isn't one of the supported options. :( It makes sense as adding tls-auth is kind of an edge case, but still: :(

What I would suggest is this: a second openvpn instance. You can bind it to port 1195 or some such--the only configuration difference would be the presence of the tls-auth directive. With this, you'd just need to adjust the port on the remote directive for your new configuration.

Once you've got all your clients adjusted, take down the non-tls-auth instance and voila. You're where you want to be.

Regards,
Stephen
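Stephen's two-instance migration, written out as concrete configuration. This is an added illustration, not configuration from either poster; the hostname, file paths, subnets and key names are constructed placeholders.

```conf
# --- /etc/openvpn/server-legacy.conf (constructed: the existing instance, left unchanged) ---
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/legacy-status.log

# --- /etc/openvpn/server-tlsauth.conf (constructed: the second instance) ---
# Identical to the legacy instance apart from the port, the tls-auth
# directive, and a tunnel subnet / status file of its own, because two
# server processes cannot share one address pool or one status file.
port 1195
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.1.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/tlsauth-status.log
# ta.key is generated once on the server with:  openvpn --genkey --secret ta.key
# key-direction is 0 on the server and 1 on every client.
tls-auth ta.key 0

# --- client.conf (constructed): the edit applied to each client as it is reached ---
# before:
#   remote vpn.example.com 1194
# after:
remote vpn.example.com 1195
tls-auth ta.key 1
```

The same `ta.key` has to travel to each client along with the one-line change to `remote`, since it is a shared secret: a client pointed at port 1195 without it is dropped before the TLS handshake even starts. Until the last client has moved and the legacy instance is stopped, port 1194 is still the unauthenticated entry point, so the migration only pays off once that instance is gone. If firewall rules or static routes refer to client addresses in 10.8.0.0/24, they need to be extended to the new pool before clients are moved.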