feat: add tls-crypt-v2 support with per-client keys (#1377)

## Summary

- Add support for OpenVPN's `tls-crypt-v2` feature (per-client TLS keys)
- Set `tls-crypt-v2` as the new recommended default
- Add CI tests for all 3 TLS key types

Closes #983
Closes #758
Closes https://github.com/angristan/openvpn-install/pull/1257

## What is tls-crypt-v2?

Unlike `tls-crypt` (shared key), `tls-crypt-v2` generates unique keys
per client:

- **Better security**: Compromised client keys don't affect other
clients
- **Easier management**: Individual client key revocation without
regenerating server key
- **Scalability**: Better suited for large deployments

Requires OpenVPN 2.5+ (released 2020).

## Menu options

```
1) tls-crypt-v2 (recommended): Encrypts control channel, unique key per client
2) tls-crypt: Encrypts control channel, shared key for all clients
3) tls-auth: Authenticates control channel, no encryption
```
Author: Stanislas
Date: 2025-12-13 14:32:38 +01:00
Committed by: GitHub
Parent: 2c53bc0f83
Commit: 3561d13389
4 changed files with 107 additions and 19 deletions


@@ -359,7 +359,7 @@ The script provides the following choices:
It defaults to `SHA256`.
### `tls-auth` and `tls-crypt`
### `tls-auth`, `tls-crypt`, and `tls-crypt-v2`
From the OpenVPN wiki, about `tls-auth`:
@@ -381,7 +381,17 @@ So both provide an additional layer of security and mitigate DoS attacks. They a
`tls-crypt` is an OpenVPN 2.4 feature that provides encryption in addition to authentication (unlike `tls-auth`). It is more privacy-friendly.
The script supports both and uses `tls-crypt` by default.
`tls-crypt-v2` is an OpenVPN 2.5 feature that builds on `tls-crypt` by using **per-client keys** instead of a shared key. Each client receives a unique key derived from a server key. This provides:
- **Better security**: If a client key is compromised, other clients are not affected
- **Easier key management**: Client keys can be revoked individually without regenerating the server key
- **Scalability**: Better suited for large deployments with many clients
The script supports all three options:
- `tls-crypt-v2` (default): Per-client keys for better security
- `tls-crypt`: Shared key for all clients, compatible with OpenVPN 2.4+
- `tls-auth`: HMAC authentication only (no encryption), compatible with older clients
### Certificate type verification (`remote-cert-tls`)
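Review bot: the "Easier key management" bullet says client keys can be revoked individually, but the hunk never says how, and OpenVPN does not revoke tls-crypt-v2 client keys by itself: the server keeps accepting every key wrapped with its server key until you either rotate the server key or add a `tls-crypt-v2-verify` hook that checks each key's metadata against a deny list. Either document that mechanism (and whether the script configures it) or soften the bullet to "can be revoked individually with a `tls-crypt-v2-verify` hook". Two wording points in the same paragraph: "a unique key derived from a server key" should be "a unique key wrapped (encrypted and authenticated) with the server key", since the client key is random and the server key only wraps it; and the "Better security" bullet should add that a compromised server key exposes every client key, so the server key remains the secret to protect.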
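The per-client key workflow described in the commit message and in the README hunk above, written out as an added example; it is not code from openvpn-install or from OpenVPN. It assumes an `openvpn` 2.5 or newer binary on PATH for the key-generation calls, uses the client name as each wrapped key's metadata (an assumption of this example, not something the project's script is known to do), relies on the `metadata_type` and `metadata_file` environment variables that OpenVPN 2.5 documents for `--tls-crypt-v2-verify`, and uses a placeholder deny-list path `/etc/openvpn/tls-crypt-v2-revoked` and endpoint `vpn.example.com`. The version check, inlining, and revocation logic are plain POSIX sh and run without OpenVPN installed.

```shell
#!/bin/sh
# Added example (not from openvpn-install or OpenVPN): tls-crypt-v2 with one wrapped
# key per client and per-client revocation through a tls-crypt-v2-verify hook.
#   sh tcv2.sh demo     -> server key, two wrapped client keys, two .ovpn files
#   sh tcv2.sh verify   -> entry point OpenVPN calls from `tls-crypt-v2-verify`
set -eu

# Accept the first line of `openvpn --version` ("OpenVPN 2.5.1 x86_64-...") and
# succeed only for 2.5 or newer, the first release that has tls-crypt-v2.
openvpn_supports_tls_crypt_v2() {
    case $1 in
        "OpenVPN "[0-9]*) ;;
        *) return 1 ;;
    esac
    v=${1#OpenVPN }; v=${v%% *}                       # "2.5.1"
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    case "$major$minor" in *[!0-9]*) return 1 ;; esac
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 5 ]; }; then
        return 0
    fi
    return 1
}

gen_server_key() { openvpn --genkey tls-crypt-v2-server "$1"; }

# Wrap a fresh random client key with the server key. The optional trailing
# argument is base64 metadata stored inside the wrapped key; this example puts the
# client name there so the verify hook can identify (and revoke) exactly this key.
gen_client_key() {                   # $1 server key, $2 client name, $3 output file
    meta=$(printf '%s' "$2" | base64 | tr -d '\n')
    openvpn --tls-crypt-v2 "$1" --genkey tls-crypt-v2-client "$3" "$meta"
}

# Append the client key to a client config as an inline <tls-crypt-v2> block,
# after checking the PEM header so a server key is never shipped to a client.
inline_client_key() {                # $1 client key file, $2 client .ovpn
    head -n 1 "$1" | grep -q '^-----BEGIN OpenVPN tls-crypt-v2 client key-----$' || {
        echo "$1 is not a tls-crypt-v2 client key" >&2
        return 1
    }
    { printf '<tls-crypt-v2>\n'; cat "$1"; printf '</tls-crypt-v2>\n'; } >> "$2"
}

revoke_client() { printf '%s\n' "$1" >> "$2"; }   # $1 client name, $2 deny list

# A key is allowed unless its metadata (the client name) is listed, one per line,
# in the deny list $2. Nothing else changes: other clients keep working and the
# server key is not rotated.
client_key_allowed() {
    [ -f "$2" ] || return 0
    if grep -qxF -- "$1" "$2"; then return 1; fi
    return 0
}

# Server-side hook. In the server config add:
#   tls-crypt-v2-verify "/etc/openvpn/tcv2.sh verify"
# OpenVPN 2.5 runs it with metadata_type (0 = user-supplied, 1 = timestamp) and
# metadata_file (the unwrapped metadata) in the environment; a non-zero exit
# rejects only that client's key. The deny-list path is a placeholder.
verify_hook() {
    [ "${metadata_type:-}" = 0 ] || return 1        # keys made without a client name are refused
    client=$(cat "${metadata_file:?}")
    client_key_allowed "$client" "${REVOKED_LIST:-/etc/openvpn/tls-crypt-v2-revoked}"
}

demo() {
    openvpn_supports_tls_crypt_v2 "$(openvpn --version | head -n 1)" || {
        echo "tls-crypt-v2 needs OpenVPN 2.5 or newer" >&2; exit 1; }
    dir=$(mktemp -d)
    gen_server_key "$dir/server.key"
    printf 'tls-crypt-v2 %s/server.key\ntls-crypt-v2-verify "%s verify"\n' \
        "$dir" "$0" > "$dir/server-extra.conf"
    for client in alice bob; do
        gen_client_key "$dir/server.key" "$client" "$dir/$client.key"
        printf 'client\nremote vpn.example.com 1194\n' > "$dir/$client.ovpn"  # placeholder endpoint
        inline_client_key "$dir/$client.key" "$dir/$client.ovpn"
    done
    revoke_client alice "$dir/revoked"   # alice is now refused; bob and the server key are untouched
    echo "keys and configs written to $dir"
}

case ${1:-} in
    demo)   demo ;;
    verify) verify_hook ;;
esac
```

The point of the `verify` path is that revocation is something you have to wire up: without a `tls-crypt-v2-verify` hook, every key wrapped with the server key stays valid until the server key itself is replaced.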