use --tls-auth/--tls-crypt for openvpn
I'd like us to start using --tls-auth.
From the documentation:
Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks
and attacks on the TLS stack. In a nutshell, --tls-auth enables a kind of "HMAC firewall" on
OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped
immediately without response.
If I'm seeing this correctly, this is a backwards-incompatible change, so besides generating and distributing the tls-auth key, we need to devise a way of gradually implementing that - and stop supporting it at a given platform:client version.
I think the path of least resistance (for this and other backward-incompatible changes) is to 1. group together all the changes for api major changes, 2. add a tag to specific gateways (so that newer clients can just select those), 3. issue deprecation warnings for clients (and providers) that are still stuck on old api versions.
I think we can try to coordinate this change for v3 of the api.
Edited by Kali Kaneko
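For reference, the server and client fragments the two directives need, as an added example that is not part of the issue or of the project's own configuration; file names and paths are placeholders. Because a server with either directive answers nothing that fails the HMAC check, a gateway that turns it on stops serving clients that lack the key outright, which is why it cannot be switched on in place for a mixed client population and has to live on separately tagged gateways as proposed above.

```conf
# Added example (not from the issue or the project's code base):
# minimal server/client fragments for --tls-auth and --tls-crypt.
# "ta.key" and the file names are placeholders.

# --- one-time key generation, on the server (one command, either syntax) ---
#   openvpn --genkey --secret ta.key     # OpenVPN 2.3/2.4 syntax
#   openvpn --genkey tls-crypt ta.key    # OpenVPN 2.5+ syntax
# ta.key is a shared static key: it must reach every client over a trusted
# channel (e.g. embedded in the provisioned client profile), never over the
# VPN it protects.

# --- server.conf: --tls-auth ---
# The trailing 0/1 is the key direction: server uses 0, clients use 1.
# Control-channel packets whose HMAC does not verify are dropped before any
# TLS processing, so a client without ta.key gets no reply and times out.
tls-auth ta.key 0

# --- client.ovpn: --tls-auth, key inlined so only one file is shipped ---
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(hex lines copied from ta.key)
-----END OpenVPN Static key V1-----
</tls-auth>

# --- --tls-crypt alternative (requires OpenVPN 2.4+ on both ends) ---
# Same key file on both sides, no key direction, and the control channel is
# encrypted as well as authenticated, so certificate details and the TLS
# handshake are not visible on the wire.
# server.conf:
tls-crypt ta.key
# client.ovpn:
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(hex lines copied from ta.key)
-----END OpenVPN Static key V1-----
</tls-crypt>
```

A server accepts only one of the two directives at a time, so the choice between tls-auth and tls-crypt is per gateway; pick tls-crypt wherever the minimum supported client version allows it, since it gives the same HMAC firewall plus confidentiality of the control channel.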