
Understanding some settings of OpenVPN

Discussion in 'Tomato Firmware' started by spookyneo, Aug 25, 2010.

  1. spookyneo

    spookyneo Networkin' Nut Member

    Hey guys,

    I'm currently setting up my OpenVPN Server to work with TLS and not a static key. However, there are a few options with TLS that I don't understand. I looked at this post ( http://www.linksysinfo.org/forums/showpost.php?p=334426 ) but can't find my answers. Maybe someone can help me?

    Here are the settings I'm having a hard time understanding:

    Extra HMAC authorization: I know it is used for a static key and I want to use it. However, I don't understand the bidirectional, incoming and outgoing options. Which one should I choose?

    Push LAN to clients: Is it to let VPN clients access the subnet of your LAN? Since the subnet of the VPN has to be different from the LAN.

    Direct clients to redirect Internet traffic: So VPN clients would use the Internet from my router instead of the one at their location?

    Thanks :)
  2. karog

    karog Networkin' Nut Member

    It is not used FOR a static key but rather it uses A static key. That is, it uses its own static key separate from what is used to authorize the VPN connection whether that is static or TLS.

    Choose incoming (0) for the server and outgoing (1) for the client. To do the latter, add 1 after the key in the tls-auth line in the client config. You can swap which is which, but they cannot be the same, i.e. not both 0 or both 1.
    Yes, it sends the LAN subnet to the client so that it can establish a proper route to it.
  3. spookyneo

    spookyneo Networkin' Nut Member

    My understanding of HMAC, in a TLS context, was that before OpenVPN verifies the SSL certificates (which takes some CPU time), a static key is passed on. If the static key is incorrect, then the connection is refused. However, if it is correct, then it moves on to validate the SSL certificates. The static key is present to "filter" incoming connections a bit more. That is my understanding from what I've read.

    I'm sorry, but I just don't understand the difference between Incoming and Outgoing. Does Incoming mean that the verification of the static key will be done only when there is incoming traffic, and Outgoing when it is sent to the VPN client? Sorry for being a newbie on this one.
  4. karog

    karog Networkin' Nut Member

    That's pretty much it.
    HMAC is only done on connection as you describe above and that is always the client connecting to the server. It has nothing to do with the traffic once the connection is established.

    The directionality is just how that one time test is done. You don't really need to worry about it as long as you don't make them the same. The EFFECTIVE behavior is the same whether the server is 0 and the client is 1 or the server is 1 and the client is 0. Standard usage seems to be to make the server 0 and the client 1. So that is why I recommended that.
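    An added check, not from this thread and not Tomato's or OpenVPN's own code, that reads the tls-auth direction out of a server and a client config and confirms the two sides are complementary the way karog describes (server 0 / client 1, or the reverse, or both bidirectional). The sample configs are constructed, and mapping Tomato's "Push LAN to clients" and "Direct clients to redirect Internet traffic" options onto `push "route ..."` and `push "redirect-gateway def1"` is my assumption.

```python
import re
from typing import Optional

# Constructed sample configs (not from the thread). They follow karog's
# advice: the server takes direction 0 and the client direction 1.
SERVER_CONF = """\
port 1194
dev tap0
tls-auth ta.key 0
push "route 192.168.1.0 255.255.255.0"  # "Push LAN to clients" in Tomato (assumed)
push "redirect-gateway def1"            # "Direct clients to redirect Internet traffic" (assumed)
"""
CLIENT_CONF = """\
dev tap
remote vpn.example.invalid 1194
tls-auth ta.key 1
"""

def tls_auth_direction(conf: str) -> Optional[int]:
    """Direction (0/1) from `tls-auth <file> [direction]` or a `key-direction`
    line; None if tls-auth is bidirectional (no direction) or absent.
    If both forms appear, this checker takes whichever comes last."""
    direction = None
    for raw in conf.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        m = re.match(r"^tls-auth\s+\S+(?:\s+([01]))?$", line)
        if m:
            direction = int(m.group(1)) if m.group(1) else None
        m = re.match(r"^key-direction\s+([01])$", line)
        if m:
            direction = int(m.group(1))
    return direction

def tls_auth_matches(server_conf: str, client_conf: str) -> bool:
    """True when both sides agree as the thread describes: opposite
    directions (0/1 or 1/0), or both bidirectional. Both 0, both 1, or a
    direction on only one side would fail the control-channel HMAC check."""
    s, c = tls_auth_direction(server_conf), tls_auth_direction(client_conf)
    if s is None or c is None:
        return s is None and c is None
    return s != c

def pushed_options(server_conf: str) -> list:
    """What the server pushes to clients: LAN routes and redirect-gateway."""
    pushed = []
    for raw in server_conf.splitlines():
        m = re.match(r'^push\s+"([^"]+)"', raw.strip())
        if m:
            pushed.append(m.group(1))
    return pushed
```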
  5. spookyneo

    spookyneo Networkin' Nut Member

    I can't thank you enough, karog! I've set up everything. My router is 0, client is 1. My static key is working like a charm and I'm using TAP instead of TUN. I noticed that TAP takes about 1-2 seconds longer to connect than TUN. It's not an issue at all, but I'm wondering why? Does TAP carry more data and "junk" than TUN?
  6. karog

    karog Networkin' Nut Member

    Connection time should not be noticeably different. I can't explain that. Maybe it is the HMAC that perhaps you did not have with TUN?

    TAP works at a lower level of the network stack than TUN. TAP is like a virtual machine for wired ethernet. It simulates the physical ethernet protocol. That is why it can let you do all of the things you could do as if you were directly attached to the LAN.

    TUN works at a higher level and routes IP packets. That is why I stated early on that TUN is more efficient. But I have not found the lesser efficiency in TAP to be a problem and I love that I get easy access to my SlingBox and bonjour notifications for my OS X machines.
