From 93d33b06b59a514485467ced5a48dc997a235c6c Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 27 Feb 2020 18:44:12 +0100 Subject: openvpn: T2075: add support for OpenVPN tls-crypt file option Encrypt and authenticate all control channel packets with the key from keyfile. Encrypting (and authenticating) control channel packets: * provides more privacy by hiding the certificate used for the TLS connection * makes it harder to identify OpenVPN traffic as such * provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy) --- interface-definitions/interfaces-openvpn.xml.in | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'interface-definitions') diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index bc1a159a9..cac0ee417 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -611,6 +611,18 @@ + + + File containing encryption key to authenticate control channel + + file + File in /config/auth directory + + + + + + Specify the minimum required TLS version -- cgit v1.2.3
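Review bot: The help text of the node added in the hunk at @@ -611,6 +611,18 @@ reads "File containing encryption key to authenticate control channel", which describes authentication only, while the commit message says the option encrypts and authenticates all control channel packets. Suggest wording the help string to match, for example "File containing key to encrypt and authenticate control channel packets", so the CLI completion text states what the key is used for. The value help "File in /config/auth directory" is descriptive only in the lines visible here; since the commit message calls this a pre-shared key, it is worth confirming that the path and the existence of the file are validated at commit time rather than left to the description.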