Open orlitzky opened 4 years ago
andiwand
commented
4 years ago hey @orlitzky ! i don't remember how it is defined by openvpn but it was tricky for sure. i think i looked at their source code since i wasn't able to find documentation about it. as far as i can remember they split the tls-auth key into two pieces and use one for the server and one for the client. the option 0/1 tells the openvpn which part to use on his or their side.
orlitzky
commented
4 years ago To this day, the OpenVPN documentation about this feature is still incomprehensible =)
I guess what surprised me is that in the --help output for the plugin, the number (1) is explicitly mentioned (see my original comment). This suggests to me that it corresponds to passing --key-direction=1 to OpenVPN. But, all of my clients have --key-direction=1 and the plugin works just fine without --tls-auth-inverse. So it seems that passing --tls-auth-inverse to the plugin is the equivalent of setting --key-direction=0?
If that's actually the case, then it seems backwards, but honestly it's hard to tell. The --key-direction parameter is actually ternary, since omitting it does something different than passing either 0 or 1 as an argument. ¯\(ツ)/¯
Hi, while troubleshooting an issue today, I noticed this description for the
--tls-auth-inverseflag:That suggests to me that passing
--tls-auth-inversetocheck_openvpnis analogous to settingtls-auth secret.key 1in my openvpn.conf. However, I never even knew about this option, because things just work out of the box. Which is strange in hindsight, because my server usestls-auth ... 0and all of my clients usetls-auth ... 1!Is the documentation backwards, or is something else happening?