tls-auth works with broken key

Scripts to manage certificates or generate config files

gunner47300
OpenVpn Newbie
Posts: 2
Joined: Mon Sep 27, 2021 11:29 am

tls-auth works with broken key

Post by gunner47300 » Mon Sep 27, 2021 1:39 pm

Hi, I have created an OpenVPN server with the following config:

mode server

askpass /etc/openvpn/dane

cipher AES-256-GCM
sndbuf 512000
rcvbuf 512000
txqueuelen 2000
push "sndbuf 512000"
push "rcvbuf 512000"

port 111
proto udp4
dev tun1
client-config-dir 	/etc/openvpn/server/clients_openvpn
ca			/etc/openvpn/server/ca.crt
cert			/etc/openvpn/server/server.crt
key			/etc/openvpn/server/server.key
dh			/etc/openvpn/server/dh.pem


tls-server
tls-auth /etc/openvpn/server/myvpn.tlsauth
key-direction 0

topology subnet
push "topology subnet"
ifconfig 192.168.98.1 255.255.255.0
push "route 192.168.99.0 255.255.255.0"
push "route-gateway 192.168.98.1"
ifconfig-pool 192.168.98.130 192.168.98.199

keepalive 10 120

user nobody
group nogroup

persist-key
persist-tun

status /tmp/openvpn-status.log

verb 3

log-append /tmp/openvpn.log

client config:

client
remote xxx 111
proto udp4
dev tun
verb 3
keepalive 10 120
key-direction 1
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
</tls-auth>

It works fine; the problem is that if I change the content of <tls-auth> on the client side, for example change the last letter, the connection still works. Even if I change a whole line I can connect to the VPN and SSH via this connection. Did I miss something? I thought that those keys must match, and even a small change should break the connection.
Last edited by gunner47300 on Mon Sep 27, 2021 5:55 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11138
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-auth works with broken key

Post by TinCanTech » Mon Sep 27, 2021 2:27 pm

gunner47300 wrote:
Mon Sep 27, 2021 1:39 pm
the problem is that if I change the content of <tls-auth> on the client side, for example change the last letter, the connection still works
Not all the characters in the file are used, so this is expected.

gunner47300
OpenVpn Newbie
Posts: 2
Joined: Mon Sep 27, 2021 11:29 am

Re: tls-auth works with broken key

Post by gunner47300 » Mon Sep 27, 2021 5:06 pm

Is a random part used, or is there some pattern?
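To show which parts of the file matter (TinCanTech's "not all the characters are used" above, and the pattern asked about here), the following is an added example, not code from this thread or from the OpenVPN project. It parses a static key V1 file into the two 128-byte sub-keys OpenVPN's key2 structure uses (64 bytes of cipher key followed by 64 bytes of HMAC key in each), keeps only the bytes tls-auth actually hands to the HMAC (the first digest-size bytes of each HMAC slot, 20 with the default `--auth SHA1`, which the posted config does not override), and compares two key files on that material alone. Assumptions: that key2 layout, a constructed sample key, and a `control_tag` helper that simplifies what the real control-channel HMAC covers.

```python
import hashlib, hmac, re

KEY_BYTES = 256    # an "OpenVPN Static key V1" file holds 2048 bits = 256 bytes of hex
SUBKEY = 128       # two sub-keys, each laid out as 64 bytes cipher key + 64 bytes HMAC key
CIPHER_SLOT = 64   # tls-auth never reads the cipher slots (only tls-crypt does)

def parse_static_key(text):
    """Decode the hex body of a static key file into its 256 raw bytes."""
    m = re.search(r"-----BEGIN OpenVPN Static key V1-----(.*?)-----END", text, re.S)
    if not m:
        raise ValueError("no OpenVPN Static key V1 block found")
    raw = bytes.fromhex("".join(m.group(1).split()))
    if len(raw) != KEY_BYTES:
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(raw)}")
    return raw

def format_static_key(raw):
    """Inverse of parse_static_key: 16 lines of 32 hex characters."""
    body = "\n".join(raw[i:i + 16].hex() for i in range(0, KEY_BYTES, 16))
    return f"-----BEGIN OpenVPN Static key V1-----\n{body}\n-----END OpenVPN Static key V1-----\n"

def hmac_keys(raw, digest="sha1", bidirectional=False):
    """The only bytes tls-auth consumes: the first digest-size bytes of each HMAC slot.
    With key-direction, sub-keys 0 and 1 serve the two directions; without it only sub-key 0."""
    n = hashlib.new(digest).digest_size   # 20 for the default --auth SHA1
    keys = [raw[i * SUBKEY + CIPHER_SLOT:i * SUBKEY + CIPHER_SLOT + n] for i in range(2)]
    return keys[:1] if bidirectional else keys

def used_offsets(digest="sha1", bidirectional=False):
    """Byte ranges [start, end) of the file that can affect the tls-auth HMAC at all."""
    n = hashlib.new(digest).digest_size
    starts = [CIPHER_SLOT] if bidirectional else [CIPHER_SLOT, SUBKEY + CIPHER_SLOT]
    return [(s, s + n) for s in starts]

def control_tag(raw, packet, direction=0, digest="sha1"):
    """HMAC a control-channel packet carries when sent with sub-key `direction` (simplified:
    OpenVPN also covers packet-id fields, which does not change which key bytes are used)."""
    return hmac.new(hmac_keys(raw, digest)[direction], packet, digest).digest()

def still_interoperates(key_a, key_b, digest="sha1", bidirectional=False):
    """True when two key files differ only in bytes that tls-auth ignores."""
    return hmac_keys(key_a, digest, bidirectional) == hmac_keys(key_b, digest, bidirectional)

def with_byte_flipped(raw, index):
    """Copy of the key with one byte inverted, modelling an edited hex character in the file."""
    b = bytearray(raw)
    b[index] ^= 0xFF
    return bytes(b)

# Constructed sample key (NOT a real key): bytes 0..255 in order, round-tripped through the format.
SAMPLE_KEY = parse_static_key(format_static_key(bytes(range(KEY_BYTES))))
```

With SHA1 only bytes 64..83 and 192..211 (file lines 5/6 and 13/14) influence the handshake, so editing the last character or the whole last line leaves both peers computing the same HMAC.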

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: tls-auth works with broken key

Post by Pippin » Mon Sep 27, 2021 6:55 pm

I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
