Hello,
There is a bug in generating the tls-auth option for the OpenVPN configuration file.
Here is part of the VyOS configuration:
vyos@zip70# show pki openvpn | strip-private
shared-secret inet.secret {
key xxxxxx 2048 bit OpenVPN static key#-----BEGIN OpenVPN Static key xxxxxx OpenVPN Static key xxxxxx
version 1
}
vyos@zip70# show interfaces openvpn vtun233 | strip-private
description "ufanet"
device-type tun
encryption {
cipher aes256
}
hash sha256
ip {
adjust-mss clamp-mss-to-pmtu
}
keep-alive {
failure-count 30
interval 3
}
local-address xxx.xxx.82.26 {
subnet-mask xxx.xxx.255.252
}
local-port 50233
mode site-to-site
persistent-tunnel
protocol udp
remote-address xxx.xxx.82.27
tls {
auth-key inet.secret
ca-certificate ca2019
certificate zip50.2019
dh-params dh2048
peer-fingerprint xx:xx:xx:xx:xx:ED:xx:xx:xx:xx:xx:99:xx:xx:xx:xx:xx:A5:xx:xx:xx:xx:xx:FE:xx:xx:xx:xx:xx:C7:60:8A
role passive
}
[edit]
As you can see, the auth-key option is present, but its corresponding option tls-auth is absent from the /run/openvpn/vtun233.conf file:
vyos@zip70# cat /run/openvpn/vtun233.conf | strip-private
verb 3
dev-type tun
dev vtun233
persist-key
proto udp
lport 50233
persist-tun
disable-dco
ping 3
ping-restart 30
ifconfig xxx.xxx.82.26 xxx.xxx.82.27
ca /run/openvpn/vtun233_ca.pem
cert /run/openvpn/vtun233_cert.pem
key /run/openvpn/vtun233_cert.key
dh /run/openvpn/vtun233_dh.pem
tls-server
cipher AES-256-CBC
auth sha256
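
The mismatch reported above can be checked mechanically by comparing the `tls` block of the interface configuration with the directives in the generated file. This is an added example, not part of the original post and not VyOS code: the function names are hypothetical, the sample inputs are trimmed copies of the two outputs in the post, and only the `auth-key` to `tls-auth` pairing is stated by the poster (the other three pairings are read off the outputs shown).

```python
# VyOS "tls" node -> OpenVPN directive expected in the generated file.
# auth-key -> tls-auth is the pairing named in the post; the rest are
# assumptions inferred from the outputs the post shows.
EXPECTED = {
    "auth-key": "tls-auth",
    "ca-certificate": "ca",
    "certificate": "cert",
    "dh-params": "dh",
}

def tls_options(vyos_show):
    """Option names set directly inside the top-level 'tls { ... }' block."""
    opts, depth, in_tls = set(), 0, False
    for raw in vyos_show.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):          # a node opens, e.g. "tls {"
            if depth == 0 and line.split()[0] == "tls":
                in_tls = True
            depth += 1
        elif line == "}":               # a node closes
            depth -= 1
            if depth == 0:
                in_tls = False
        elif in_tls and depth == 1:     # leaf inside tls, e.g. "auth-key x"
            opts.add(line.split()[0])
    return opts

def directives(openvpn_conf):
    """First word of every non-comment line in an OpenVPN config."""
    return {l.split()[0] for l in openvpn_conf.splitlines()
            if l.strip() and not l.lstrip().startswith(("#", ";"))}

def missing_directives(vyos_show, openvpn_conf):
    """Directives the tls block calls for but the generated file lacks."""
    present = directives(openvpn_conf)
    return sorted(EXPECTED[o] for o in tls_options(vyos_show)
                  if o in EXPECTED and EXPECTED[o] not in present)

# Sample inputs: trimmed from the outputs in the post.
VYOS_SHOW = """mode site-to-site
tls {
    auth-key inet.secret
    ca-certificate ca2019
    certificate zip50.2019
    dh-params dh2048
    role passive
}
"""
GENERATED = """proto udp
ca /run/openvpn/vtun233_ca.pem
cert /run/openvpn/vtun233_cert.pem
dh /run/openvpn/vtun233_dh.pem
tls-server
"""
print(missing_directives(VYOS_SHOW, GENERATED))
```
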