Just two conceptual questions about OpenVPN

Posted: Sun Nov 06, 2011 4:43 pm
by tonvi
Hi,

I have two questions about the OpenVPN implementation:

1) Why do I need the Diffie-Hellman parameters when I have a PKI infrastructure? I mean, it should be easy to exchange a secret just by encrypting it with the endpoint's public key.
2) In the Security Overview I've read that the 4 keys in a static key configuration are there to prevent some replay and denial-of-service attacks. Where can I find documentation explaining such kinds of attacks? Can anyone explain the idea behind these attacks?

Thank you

Re: Just two conceptual questions about OpenVPN

Posted: Mon Nov 07, 2011 12:00 am
by janjust
@1: This is normal for a TLS setup; web servers also need some sort of Diffie-Hellman key for the initial handshake. Read up on public/private key encryption for details (or do 'man dhparam').

@2: The 4 static keys in a static key file can be used to encrypt a connection bi-directionally, i.e. traffic is encrypted from the client to the server in a different manner than vice versa; this makes certain types of attacks much harder to do.

As for details on such attacks: google is your friend.
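As an added example (not code from the thread or from the OpenVPN project), the following Python script shows concretely what "different keys per direction" buys you for question 2. It parses a constructed file in the layout of an OpenVPN static key (2048 bits as 16 hex lines), splits it into the two key sets of 64-byte cipher key plus 64-byte HMAC key that I read OpenVPN's key2 structure as using (verify against your version's crypto.c), selects send/receive keys the way --secret's direction parameter does (no direction: one key set both ways; 0 and 1: complementary), and then builds a deliberately simplified HMAC-SHA1-authenticated packet (packet id plus payload; the real framing also carries an IV and ciphertext) to show that a packet an attacker reflects back at its sender verifies when both sides share one HMAC key and is rejected once directional keys are in use. The filler key bytes, the packet format and the function names are all my own constructions.

```python
import hashlib
import hmac
import re

# Constructed sample in the layout of an OpenVPN static key file: 2048 bits of
# material as 16 lines of 32 hex characters. The bytes are deterministic filler
# derived from SHA-256 of a counter, NOT a real key; never reuse them.
SAMPLE_KEY_FILE = (
    "#\n# 2048 bit OpenVPN static key (constructed sample)\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    + "\n".join(hashlib.sha256(bytes([i])).hexdigest()[:32] for i in range(16))
    + "\n-----END OpenVPN Static key V1-----\n"
)

HMAC_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1


def parse_static_key(text):
    """Return the 256 bytes of key material between the BEGIN/END markers."""
    m = re.search(
        r"-----BEGIN OpenVPN Static key V1-----\n(.*?)-----END OpenVPN Static key V1-----",
        text, re.S)
    if not m:
        raise ValueError("no OpenVPN static key block found")
    material = bytes.fromhex("".join(m.group(1).split()))
    if len(material) != 256:
        raise ValueError("expected 2048 bits of key material, got %d bits" % (len(material) * 8))
    return material


def split_keys(material):
    """Split into two key sets: [cipher0 | hmac0 | cipher1 | hmac1], 64 bytes each.
    Assumption: this mirrors OpenVPN's key2 layout (two struct key entries)."""
    return [
        {"cipher": material[0:64],   "hmac": material[64:128]},
        {"cipher": material[128:192], "hmac": material[192:256]},
    ]


def select_keys(keys, direction):
    """Map the --secret direction parameter to (send_keys, receive_keys).
    None: 2 keys used bidirectionally (set 0 both ways).
    0: send with set 0, receive with set 1.  1: the complement."""
    if direction is None:
        return keys[0], keys[0]
    if direction == 0:
        return keys[0], keys[1]
    if direction == 1:
        return keys[1], keys[0]
    raise ValueError("direction must be None, 0 or 1")


def make_packet(send_hmac_key, packet_id, payload):
    """Simplified authenticated packet: HMAC-SHA1(packet_id || payload) || body.
    (Real OpenVPN also covers an IV and the ciphertext; omitted for clarity.)"""
    body = packet_id.to_bytes(4, "big") + payload
    tag = hmac.new(send_hmac_key, body, hashlib.sha1).digest()
    return tag + body


def verify_packet(recv_hmac_key, packet):
    """Constant-time check of the tag with the receiver's *receive* HMAC key."""
    tag, body = packet[:HMAC_LEN], packet[HMAC_LEN:]
    expected = hmac.new(recv_hmac_key, body, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expected)


def peer_accepts(direction_client, direction_server):
    """Does the server accept a legitimate client packet with these directions?"""
    keys = split_keys(parse_static_key(SAMPLE_KEY_FILE))
    c_send, _ = select_keys(keys, direction_client)
    _, s_recv = select_keys(keys, direction_server)
    return verify_packet(s_recv["hmac"], make_packet(c_send["hmac"], 1, b"hello"))


def reflection_accepted(direction_client, direction_server):
    """Attacker captures a client packet and reflects it back to the client.
    Returns True if the client's own HMAC check would accept it."""
    keys = split_keys(parse_static_key(SAMPLE_KEY_FILE))
    c_send, c_recv = select_keys(keys, direction_client)
    pkt = make_packet(c_send["hmac"], 1, b"hello")
    return verify_packet(c_recv["hmac"], pkt)


if __name__ == "__main__":
    print("no direction:  peer ok =", peer_accepts(None, None),
          " reflected packet accepted =", reflection_accepted(None, None))
    print("directions 0/1: peer ok =", peer_accepts(0, 1),
          " reflected packet accepted =", reflection_accepted(0, 1))
    print("directions 0/0: peer ok =", peer_accepts(0, 0), " (misconfigured: not complementary)")
```

With no direction parameter the reflected packet passes the client's HMAC check, so the client is left relying on its packet-id replay window to discard it; with complementary directions (0 on one side, 1 on the other) the reflected packet fails authentication outright because the client never accepts traffic keyed with its own send HMAC key. The 0/0 case shows why the man page insists the directions be complementary: the peers simply cannot authenticate each other.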