Answered: TLS-CRYPT

[Erenys]

Maybe I'm wrong but it seems that with OpenVPN, PP uses TLS-AUTH instead off TLS-CRYPT (and it's TLS-CRYPT v2 nowaday). Why staying stuck on TLS-AUTH, while TLS-CRYPT has many security advantages, see for example:

OpenVPN 2.4 security differences between tls-crypt and tls-auth

I was reading and tls-crypt and was curious would that increase security and reduce the chance of keys being compromised during handshakes and that it offers better security over tls-auth? Maybe s...

serverfault.com

OpenVPN's new tls-crypt option

I've been reading about the new tls-crypt options for OpenVPN 2.4, but I'm not sure if I correctly understand it. I've read the manual pages and the security overview for OpenVPN (which seems to be

security.stackexchange.com

 

[TurboDev]

You can generate your own ovpn files with TLS-crypt. https://www.perfect-privacy.com/de/customer/download/openvpn?system=windows10 (you have to be logged in)

 

[Erenys]

Ok TurboDev, thanks.
But tls-crypt shoud be default. Or at least to be selectable in the VPN Manager.
.

 

[PP Daniel]

Correct, the VPN Manager still uses tls-auth, we have no ETA yet regarding tls-crypt use. But this will surely happen.

 

[Erenys]

Correct, the VPN Manager still uses tls-auth, we have no ETA yet regarding tls-crypt use. But this will surely happen.

Ok, so will there be any bad side effects if I manually replace tls-auth with tls-crypt in any .ovpn file? Won't the VPN manager automatically revert these files to their tls-auth version every time I launch it?

 

[PP Daniel]

They would be overwritten when an update happens, apart from that it should work. The configuration files can also be downloaded from within the customer area of our website.

 

[Erenys]

They would be overwritten when an update happens, apart from that it should work. The configuration files can also be downloaded from within the customer area of our website.

I use single server config, so I should download almost 100 .ovpn files, reitering this operation every time an update occurs, reverting all the files in the tls-auth version, so it's no manageable for me.*

I just tested the manual replacement of <tls-auth> by <tls-crypt> (and </tls-auth> by </tls-crypt> below) in one udp config file. But then the VPN manager has not been able to connect. It is stuck on a "WAIT".
As soon as I close the Vpn manager, and revert the two tls-crypt by the tls-auth, all works like a charm.

I will open a ticket in order to give you more details.