OVPN HMAC authentication switching from SHA1 to SHA256

[maxbraketorque]

I've had a site-to-site OVPN setup enabled since ~2020. At the time, I used SHA1 for HMAC authentication, and I have custom certificates made up with that configuration. I had assumed that if I wanted to switch to SHA256, then I would have to make up new certs, but I tried this morning using SHA256, and the link went up fine.

So I guess that the VPN server certificate values are not dependent on HMAC authentication encoding selection?

Also, I've always assumed that "auth digest" on the client side is the same thing as "HMAC authentication" on the server side. But since the names are different, maybe they are different things?

 

[eibgrad]

Options as described in the GUI typically use more descriptive naming than the underlying option as defined in the config file, for obvious reasons. And nothing says each side of the connection (client and server) necessarily will describe them the same.

In this case, each side is using the auth option for HMAC authentication, where the value specifies an algorithm to be used in authenticating the data channel packets. It has nothing to do w/ your certs or keys. It's primarily intended to prevent (D)DoS attacks by killing off bogus connection attempts as soon as possible, rather than having the client go through the entire TLS handshake (which consumes significant resources) and only then finding the client isn't legit. For that reason, it's NOT even a required setting, but just a recommendation. And it's the server side that decides if and when it will be required.