OpenVPN provides a mechanism that uses a pre-shared key to cryptographically sign every packet exchanged between the server and the client. The key used for this is the same kind of static secret key as in a static-key OpenVPN setup, the mode in which OpenVPN was originally released.
The advantage of this signature is two-fold. First, it helps prevent denial-of-service attacks that use the cryptographic routines within TLS to overload an OpenVPN server: the OpenVPN process simply drops any packet without a valid signature before the CPU-intensive handshake and key exchange operations take place.
Second, --tls-auth helps prevent disclosure of keying material. This is specifically helpful against vulnerabilities such as Heartbleed or DROWN, since packets without a valid signature never reach the TLS implementation. Note, however, that --tls-auth does not add any additional cryptographic layer: if a cipher is completely broken, it is still possible to snoop OpenVPN traffic.
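The following is an added example, not code from OpenVPN itself, that models both points above: a pre-shared HMAC tag (OpenVPN's --tls-auth uses HMAC, SHA-1 by default) is checked on every incoming packet before any TLS work is spent, and the tag authenticates but does not encrypt, so the payload remains readable to anyone on the wire. The packet framing, the 32-byte key and the packet contents are all constructed for the demonstration and are not OpenVPN's wire format; the function names (sign_packet, verify_packet, serve, demo_stats, payload_visible_without_key) are this example's own.

```python
"""Simplified model of OpenVPN --tls-auth: an HMAC over every control-channel
packet with a pre-shared key, checked before any TLS work is done.
Added example; framing is simplified and is NOT OpenVPN's wire format."""
import hashlib
import hmac

# Constructed key for the demo. A real tls-auth key file (openvpn --genkey)
# holds 2048 bits of random key material; here we use 32 bytes.
TLS_AUTH_KEY = bytes.fromhex(
    "8e1f0c5a2b9d4e7f6a3c1b0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f"
)
# HMAC-SHA1 is OpenVPN's default --auth digest; the tag is 20 bytes.
TAG_LEN = hashlib.sha1().digest_size


def sign_packet(key: bytes, payload: bytes) -> bytes:
    """Return tag || payload. This only authenticates; the payload stays in clear."""
    tag = hmac.new(key, payload, hashlib.sha1).digest()
    return tag + payload


def verify_packet(key: bytes, packet: bytes):
    """Return the payload if the tag matches, else None.
    Uses a constant-time compare so timing does not leak tag bytes."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def expensive_tls_handshake(payload: bytes) -> None:
    """Stand-in for the CPU-heavy TLS handshake that the HMAC gate protects."""
    return None


def serve(key: bytes, packets):
    """Server receive loop: the cheap HMAC check runs first, and only packets
    that pass reach the handshake. Returns counts for inspection."""
    stats = {"dropped": 0, "handshakes": 0}
    for pkt in packets:
        payload = verify_packet(key, pkt)
        if payload is None:
            stats["dropped"] += 1      # no TLS work is spent on this packet
            continue
        expensive_tls_handshake(payload)
        stats["handshakes"] += 1
    return stats


def demo_stats():
    """Constructed traffic: two genuine packets, one forged with the wrong key,
    one unsigned junk packet and one truncated packet. The payload strings are
    just labels, not real OpenVPN control messages."""
    wrong_key = bytes(32)
    packets = [
        sign_packet(TLS_AUTH_KEY, b"HARD_RESET_CLIENT"),
        sign_packet(TLS_AUTH_KEY, b"CONTROL ClientHello"),
        sign_packet(wrong_key, b"HARD_RESET_CLIENT"),
        b"\x00" * 40,
        b"short",
    ]
    return serve(TLS_AUTH_KEY, packets)


def payload_visible_without_key(packet: bytes) -> bytes:
    """Illustrates the second point: tls-auth adds no encryption, so an
    observer can read the payload bytes straight out of the packet."""
    return packet[TAG_LEN:]


if __name__ == "__main__":
    print(demo_stats())
    pkt = sign_packet(TLS_AUTH_KEY, b"hello")
    print(payload_visible_without_key(pkt))
```

Running the module reports that three of the five constructed packets are dropped before the handshake stand-in runs, and that the payload of a signed packet is readable without the key. In a real deployment the corresponding configuration is the tls-auth directive with the key file and a direction value (0 on the server, 1 on the client); encryption of the data channel is still provided by the negotiated TLS cipher, not by tls-auth.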