Open orlitzky opened 4 years ago
hey @orlitzky ! i don't remember how it is defined by openvpn but it was tricky for sure. i think i looked at their source code since i wasn't able to find documentation about it. as far as i can remember they split the tls-auth key into two pieces and use one for the server and one for the client. the option 0/1 tells the openvpn which part to use on his or their side.
To this day, the OpenVPN documentation about this feature is still incomprehensible =)
I guess what surprised me is that in the --help
output for the plugin, the number (1)
is explicitly mentioned (see my original comment). This suggests to me that it corresponds to passing --key-direction=1
to OpenVPN. But, all of my clients have --key-direction=1
and the plugin works just fine without --tls-auth-inverse
. So it seems that passing --tls-auth-inverse
to the plugin is the equivalent of setting --key-direction=0
?
If that's actually the case, then it seems backwards, but honestly it's hard to tell. The --key-direction
parameter is actually ternary, since omitting it does something different than passing either 0
or 1
as an argument. ¯\(ツ)/¯
Hi, while troubleshooting an issue today, I noticed this description for the
--tls-auth-inverse
flag:That suggests to me that passing
--tls-auth-inverse
tocheck_openvpn
is analogous to settingtls-auth secret.key 1
in my openvpn.conf. However, I never even knew about this option, because things just work out of the box. Which is strange in hindsight, because my server usestls-auth ... 0
and all of my clients usetls-auth ... 1
!Is the documentation backwards, or is something else happening?