tlscrypt
Tlscrypt is a method implemented in OpenVPN to protect the TLS control channel by encrypting the TLS handshake with a pre-shared key. It aims to reduce TLS fingerprinting and make VPN traffic harder to analyze by observers.
Mechanism: A single static secret key file is shared between the server and all clients. During the
Relation to tls-auth: tls-crypt is complementary to tls-auth. While tls-auth adds a static HMAC to the TLS
Configuration: The key is generated once and distributed to all server and client endpoints. In OpenVPN, the
Security considerations: Relying on a single static key provides no forward secrecy and creates a single point
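
Because every endpoint holds the same static key, a basic defensive check is that each copy is stored safely. The following is an added example (not from the original page or from the OpenVPN project): a Python audit that finds the `tls-crypt` directive in a config file, confirms the key file has the OpenVPN static-key layout, and flags group or other permissions on it. The file names, finding codes and sample config are constructed for illustration; inline `<tls-crypt>` blocks are not handled.

```python
import os
import secrets
import stat
import tempfile

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"

def key_is_well_formed(text):
    """True if text holds one static-key block of 2048 bits (512 hex chars)."""
    lines = [s for s in (l.strip() for l in text.splitlines())
             if s and not s.startswith("#")]
    if len(lines) < 3 or lines[0] != HEADER or lines[-1] != FOOTER:
        return False
    body = "".join(lines[1:-1])
    return len(body) == 512 and all(c in "0123456789abcdefABCDEF" for c in body)

def audit_tls_crypt(config_path):
    """Return finding codes (hypothetical names) for the key a config references."""
    findings, key_path = [], None
    with open(config_path, encoding="utf-8") as fh:
        for raw in fh:
            tokens = raw.split("#")[0].split()   # drop trailing comments
            if tokens[:1] == ["tls-crypt"] and len(tokens) >= 2:
                key_path = os.path.join(os.path.dirname(config_path), tokens[1])
    if key_path is None:
        return ["no-tls-crypt-directive"]
    if not os.path.isfile(key_path):
        return ["key-file-missing"]
    # The key is shared by all endpoints, so any extra reader exposes everyone.
    if stat.S_IMODE(os.stat(key_path).st_mode) & 0o077:
        findings.append("key-readable-by-group-or-others")
    with open(key_path, encoding="utf-8") as fh:
        if not key_is_well_formed(fh.read()):
            findings.append("key-malformed")
    return findings

def demo(mode):
    """Audit a constructed config and random sample key stored with `mode`."""
    with tempfile.TemporaryDirectory() as d:
        hexkey = secrets.token_hex(256)
        body = "\n".join(hexkey[i:i + 32] for i in range(0, 512, 32))
        key = os.path.join(d, "tc.key")
        with open(key, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample key\n%s\n%s\n%s\n" % (HEADER, body, FOOTER))
        os.chmod(key, mode)
        conf = os.path.join(d, "client.conf")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write("client\nremote vpn.example.net 1194\ntls-crypt tc.key\n")
        return audit_tls_crypt(conf)
```

Calling `demo(0o644)` reports the permission finding, while `demo(0o600)` returns an empty list.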