OpenVPN 2.4 security differences between tls-crypt and tls-auth

I was reading and tls-crypt and was curious would that increase security and reduce the chance of keys being compromised during handshakes and that it offers better security over tls-auth?

Maybe someone could better explain tls-auth and tls-crypt and how they improve security?

my current client file:

client
tls-client
dev tun
proto udp
remote 1.2.3.4 9999
<ca>
</ca>
<cert>
</cert>
<key>
</key>
pull
auth-nocache 
cipher AES-256-CBC
keysize 256
compress lz4-v2
reneg-sec 36000
keepalive 30 120

Solution 1:

TLS Handshake can be more or less broken down into following steps:

  1. Clients sends "client hello" to server, along with client's random value and supported cipher suite.
  2. Server responds "server hello" to client, along with server's random value and chosen ciper suite.
  3. Server sends its certificate to client for authentication.
  4. Client verifies server identity.
  5. Client creates a random pre-master secret and encrypts it with the public key from the server's certificate.
  6. Client sends the encrypted pre-master secret to server.
  7. Server MAY request certificate from client if required.
  8. Both server and client generate the session key based on the pre-master secret.
  9. The server and client can now exchange encrypted messages using the session key.

The difference between tls-auth and tls-crypt is that starting from step 1, tls-crypt will encrypt all messages with a pre-shared key.

This provides several benefits:

  1. It hides the initialization of a TLS handshake with a OpenVPN server. This is helpful in some situations when OpenVPN protocol signature is detected and blocked.
  2. It prevents TLS denial of service attacks. With tls-auth the attacker can open thousands of TLS connections simultaneously but not provide a valid certificate, jamming the available ports. With tls-crypt the server would reject the connection up-front at step 1.
  3. Data is encrypted twice, once by tls-crypt and once by the TLS session.