Migrating from TLS Auth TLS Crypt v1 to TLS Crypt v2 - TinCanTech/easy-tls GitHub Wiki
OpenVPN allows a server to use either TLS-Auth or TLS-Crypt together with TLS-Crypt-V2.
That is: (TLS-Auth OR TLS-Crypt) AND TLS-Crypt-V2.
So, if you keep the original TLS-Auth/Crypt key in your server config,
the server can support both the original clients and the clients which you migrate to TLS-Crypt-V2,
on one server instance. This helps you migrate your clients to new keys, if you choose to do so.
In order to migrate your clients to use TLS-Crypt-V2, simply generate the required keys.
Use the ./easytls build interactive menu to generate:
i. A Server TLS-Crypt-V2 key
ii. Multiple client TLS-Crypt-V2 keys.
Next, generate inline packages for your server and clients.
Use the ./easytls inline interactive menu.
Reference your server inline file in the server config with an option like so:
config /etc/openvpn/easyrsa/pki/easytls/server.inline
This loads all the required keys and certificates of your server. Restart your server and correct any errors.
With regard to your clients, you must send them their inline packages over a secure method, e.g. scp.
Have the clients reference their inline package in the same way as the server.
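
Before restarting the server, it is worth confirming that the server inline file really carries the (TLS-Auth OR TLS-Crypt) AND TLS-Crypt-V2 combination described above. The following shell check is an added example, not part of Easy-TLS; it assumes the keys appear either as standard OpenVPN inline blocks or as key-file directives, and the function names and sample content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Easy-TLS code): classify which control-channel key
# modes an OpenVPN server config or inline file enables.

# has_mode FILE NAME -> exit 0 if FILE has an inline <NAME> block or a
# "NAME <path>" directive. Lines commented out with # or ; never match.
has_mode() {
    grep -Eq "^[[:space:]]*(<$2>|$2[[:space:]]+[^[:space:]])" "$1"
}

# migration_state FILE -> prints one of:
#   dual         legacy key (tls-auth or tls-crypt) AND tls-crypt-v2
#   v2-only      only tls-crypt-v2: unmigrated clients can no longer connect
#   legacy-only  no tls-crypt-v2 key yet: migrated clients cannot connect
#   conflict     tls-auth and tls-crypt both set (OpenVPN rejects this)
#   none         no control-channel key found
migration_state() {
    f=$1; auth=0; crypt=0; v2=0
    has_mode "$f" tls-auth && auth=1
    has_mode "$f" tls-crypt && crypt=1
    has_mode "$f" tls-crypt-v2 && v2=1
    if [ "$auth" = 1 ] && [ "$crypt" = 1 ]; then echo conflict
    elif [ "$v2" = 1 ] && [ $((auth + crypt)) = 1 ]; then echo dual
    elif [ "$v2" = 1 ]; then echo v2-only
    elif [ $((auth + crypt)) = 1 ]; then echo legacy-only
    else echo none
    fi
}

# Constructed sample: a server inline file mid-migration. The key bodies
# are placeholders, not real key material.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<tls-crypt>
PLACEHOLDER-LEGACY-KEY
</tls-crypt>
<tls-crypt-v2>
PLACEHOLDER-SERVER-V2-KEY
</tls-crypt-v2>
EOF
echo "state: $(migration_state "$sample")"
rm -f "$sample"
```

During the migration the server file should report dual; once every client has been moved to its own TLS-Crypt-V2 key, removing the legacy key changes the result to v2-only.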