Document toolboxDocument toolbox

(12.5-en) TLS-Options

Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). It is a standard consisting of several protocols that can transmit encrypted data between authenticated communication partners over potentially insecure IP networks such as the Internet. This article shows how to configure TLS options for the OpenVPN protocol in IGEL OS.


Menu path: Network > VPN > OpenVPN > [OpenVPN Connection] > TLS-Options

Subject match

The Subject Match accept/reject the server connection based on a custom test of the server certificate's embedded X509 subject details. The formatting of these fields changed into a more standardized format: C=US, L=Somewhere, CN=JohnDoe, emailAddress=john@example.com.

For more information, see the Reference manual for OpenVPN 2.6.

 

Remote peer certificate TLS type

Require that peer certificate was signed with an explicit key usage and extended key usage based on RFC3280 TLS rules.

This is a useful security option for clients, to ensure that the host they connect to is a designated server. Or the other way around; for a server to verify that only hosts with a client certificate can connect.

  • Do not verify: No remote certificate check. (Default)

  • Check for server certificate: The --remote-cert-tls server option is equivalent to --remote-cert-ku --remote-cert-eku "TLS Web Server Authentication".

  • Check for client certificate: The --remote-cert-tls client option is equivalent to --remote-cert-ku --remote-cert-eku "TLS Web Client Authentication".

This is an important security precaution to protect against a man-in-the-middle attack, where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one of --remote-cert-tls, --verify-x509-name, or --tls-verify.

 

Key file for additional TLS authentication

As the path enter relative to /wfs/OpenVPN or select using the file selection. This adds an additional HMAC legitimization level above the TLS control channel in order to prevent DDOS attacks.

 

tls-auth (Key Direction) / tls-crypt

  • None: No key direction. (Default)

  • tls-auth 0: If the default option is not used, one side of the connection should use Direction 0 and the other Direction 1.

  • tls-auth 1: If the default option is not used, one side of the connection should use Direction 0 and the other Direction 1.

  • tls-crypt: In contrast to tls-auth, setting a key direction is not required. Use this option if the version of the OpenVPN server is 2.4 or higher. For more information on tls-crypt, see Reference manual for OpenVPN 2.6.