DSVPN’s entire security model rests on a single 32-byte pre-shared key. Any party that possesses this key file can successfully authenticate to the server and tunnel traffic through it. Protecting the key file is equivalent to protecting your VPN itself — treat it with the same care you would give an SSH private key or a root password.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/jedisct1/dsvpn/llms.txt
Use this file to discover all available pages before exploring further.
Generating a Key
Usedd to read exactly 32 bytes of cryptographically secure random data from the kernel’s /dev/urandom device:
count=1 bs=32 combination guarantees the output is exactly 32 bytes — the size DSVPN requires. Do not use a text password, a truncated hash, or any other source; only /dev/urandom (or /dev/random) is appropriate here.
The key file must contain exactly 32 raw bytes. The
dd command above
guarantees this. Do not open or edit the file in a text editor, as most
editors will append a newline or alter the binary content.Exporting and Importing Keys
The key file is binary, so it cannot be pasted into a terminal directly. Convert it to a Base64 string for safe transport over SSH, a secrets manager, or a chat message:Where to Store the Key
Restrict file permissions immediately after generating the key:- Keep it out of version control. Add
vpn.keyto your.gitignore. Never commit raw key material to a repository. - Transfer over an encrypted channel. Use
scp,sftp, orsshpiped through a trusted connection — never plain HTTP, email, or unencrypted chat. - Use a secrets manager in production. Tools such as HashiCorp Vault, AWS Secrets Manager, or 1Password can store the Base64-encoded key and inject it onto the filesystem at deploy time.
- Store outside the application directory. A path like
/etc/dsvpn/vpn.keywithroot:rootownership and600permissions keeps the key away from web roots and application files.
Key Rotation
DSVPN has no built-in automatic rotation. To rotate the key manually:
Clients using the old key will be rejected the moment the server restarts with the new key. There will be a brief disconnection during rotation. Deploy the new key to all clients promptly to minimise downtime.
How the Key Is Used
The 32-byte key is never used directly to encrypt traffic. Instead, when DSVPN starts, it calls:uc state using the raw key as the key material and the fixed string "VPN Key Exchange" as the IV. The resulting state is used exclusively during the handshake phase.
During the handshake the client sends 32 random bytes plus an 8-byte big-endian timestamp and a 32-byte hash derived from the uc_kx_st state. The server verifies the hash and checks that the client’s clock is within 7200 seconds (2 hours) of its own. After both sides validate the exchange, they each call uc_hash(st, k, NULL, 0) to derive a fresh, per-session symmetric key k, then initialise two independent uc_state_init stream states — one for each direction — using that derived key. The raw 32-byte key is zeroed from memory immediately after the initial state is set up.
This design means that even if network traffic is recorded, it cannot be decrypted without the pre-shared key, and each session uses unique stream keys that are never reused across reconnections.