I think that you are referring to the tls-auth option, which protects against Denial of Service (DoS) attacks because failure to provide the pre-shared key causes the connection to be dropped before trying more computationally intensive authentication. For a more complete explanation, see:
https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-auth
The problem with using OpenVPN in China is not DoS attacks.
The problem is that the handshake for OpenVPN TLS is different than the handshake for HTTPS TLS. As a result, the Great Firewall of China (GFC) can identify and disconnect OpenVPN connections based on an OpenVPN TLS protocol signature:
The Great Firewall is using a method called DPI (Deep Packet Inspection) to analyze all inbound and outbound traffic in real-time. The technology can be compared to an anti-virus, which relies on signatures and heuristic/behavior and statistic analysis to identify and flag protocols that are not allowed. VPN protocols are using encryption to secure the data transmitted over the Internet, and the DPI system can identify and block most types of VPN tunneling protocols. The most affected VPN protocol in China is OpenVPN in its default configuration. OpenVPN can still bypass the Great Firewall if its handshake is hidden so it can’t be seen and blocked by the GFC.
Other VPN protocols that still work in China quite well are PPTP and L2TP/IPsec.
Source:
https://vpnreviewer.com/internet-vpn-china
I was already using tls-auth while in China and I was still having trouble making OpenVPN connections. So, I don't think tls-auth is the answer to my problem.
Looking into your suggestion did give me another idea. Apparently, OpenVPN can authenticate via either:
- Static Key
- TLS
And I've read several places that the GFC does NOT block OpenVPN connections made with static keys. So, maybe I will look into using static keys.
Thank you for your suggestion. Please let me know if you have additional ideas.