Hardened Security
One of the often-repeated maxims of network communication security is that one should never place so much trust in a single security component that its failure causes a catastrophic security breach. We use several mechanisms to add additional security layers to hedge against such an outcome. The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against: DoS attacks or port flooding on the OpenVPN UDP port. Port scanning to determine which server UDP ports are in a listening state. Buffer overflow vulnerabilities in the SSL/TLS implementation. SSL/TLS handshake…