author | Christian Poessinger <christian@poessinger.com> | 2020-02-27 18:44:12 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-02-27 18:44:12 +0100 |
commit | 93d33b06b59a514485467ced5a48dc997a235c6c (patch) | |
tree | 13a6226c14463ecbefaec6d96f92f87e4c9a926d /interface-definitions | |
parent | e054dee8b8ab81f7f85bb93bd25110affa38fcd0 (diff) | |
download | vyos-1x-93d33b06b59a514485467ced5a48dc997a235c6c.tar.gz vyos-1x-93d33b06b59a514485467ced5a48dc997a235c6c.zip |
openvpn: T2075: add support for OpenVPN tls-crypt file option
Encrypt and authenticate all control channel packets with the key from keyfile.
Encrypting (and authenticating) control channel packets:
* provides more privacy by hiding the certificate used for the TLS connection
* makes it harder to identify OpenVPN traffic as such
* provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy)
Diffstat (limited to 'interface-definitions')
-rw-r--r-- | interface-definitions/interfaces-openvpn.xml.in | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index bc1a159a9..cac0ee417 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -611,6 +611,18 @@ </constraint> </properties> </leafNode> + <leafNode name="crypt-file"> + <properties> + <help>File containing encryption key to authenticate control channel</help> + <valueHelp> + <format>file</format> + <description>File in /config/auth directory</description> + </valueHelp> + <constraint> + <validator name="file-exists" argument="--directory /config/auth"/> + </constraint> + </properties> + </leafNode> <leafNode name="tls-version-min"> <properties> <help>Specify the minimum required TLS version</help> |
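Review bot: the help text of the new crypt-file leafNode, "File containing encryption key to authenticate control channel", understates what the option does; the commit message says tls-crypt both encrypts and authenticates control channel packets, so wording such as "Key file used to encrypt and authenticate control channel packets (OpenVPN tls-crypt)" would match the message and tell the operator which OpenVPN option the node maps to. The file-exists validator with --directory /config/auth only confirms the path exists; because this file is a pre-shared secret, the script that consumes this node should also reject key files that are unreadable, world-readable, or not a valid OpenVPN static key, otherwise the mistake only surfaces when OpenVPN fails to start. Note that this view is limited to interface-definitions, so the code that turns crypt-file into the --tls-crypt directive is not visible here and should be reviewed together with this hunk.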