Posted: Tue Oct 01, 2019 7:28 Post subject: tls-crypt VS tls-auth
Hi,
I have tried to setup my router to connect via openvpn client to a Streisand box (https://github.com/StreisandEffect/streisand)
I noticed that the default config for Streisand uses an OpenVPN static key configured with the keyword tls-crypt. However when inputting the key in dd-wrt (latest 3X mega build) it is stored on the router as:
tls-auth ta.key 1
This led to connection resets every 5 seconds. Manually changing the value to:
tls-crypt ta.key 1
in the generated file (/tmp/openvpncl/openvpn.conf) fixed the issue, and now my connection works perfectly.
My question: is there a way to tell the dd-wrt UI to use tls-crypt instead of tls-auth?
If not, could this be an improvement suggestion?
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Tue Oct 01, 2019 9:45 Post subject:
It is on the todo list
For now you can set the key in the additional config
From the OpenVPN setup guide (which is recommended reading for everyone, and not because I wrote it)
Quote:
Use of --tls-crypt
Instead of working with tls-auth you can work with tls-crypt (starting with OpenVPN 2.4), this encrypts the OpenVPN at the start of the setup process and therefore hides that it is an OpenVPN connection.
It uses the same static key as described in the tls-auth section
If you are using tls-crypt, it must be pasted in Additional .Config of the server between <tls-crypt> and </tls-crypt>. For example:
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
41a2fc4fbd0cb890d40ddf704defac6a
.......
-----END OpenVPN Static key V1-----
</tls-crypt>
For the client OVPN configuration file add:
tls-crypt ta.key
Specifying the keydir with tls-crypt is not necessary, that is handled automatically
When using a DDWRT OpenVPN client, paste the key in the Additional Config as described for the server
You cannot use tls-auth and tls-crypt at the same time!
Joined: 04 Aug 2018 Posts: 1445 Location: Appalachian mountains, USA
Posted: Tue Oct 22, 2019 19:24 Post subject:
Hello @egc!
I'm experimenting with moving from NordVPN to AirVPN so am configuring for the latter by adjusting a long-working vpn setup. One major new bit is that I'm now trying to set up the openvpn client to use tls-crypt. Simply putting the key in Additional Config between <tls-crypt> and </tls-crypt> and leaving the TLS Auth Key window empty does not work, because the openvpn.conf file still ends up with a tls-auth /tmp/openvpncl/ta.key 1 line, with ta.key containing only two blank lines, and this leads to an error message in the log to the effect that tls-auth and tls-crypt cannot be used simultaneously. The openvpn process exits immediately.
I am now experimenting in the CLI with modifying the openvpn.conf file by hand, replacing the offending tls-auth line with tls-crypt ta.key and, in addition, moving the actual key (obtained from AirVPN's configurator specifically for a tls-crypt configuration) to the named file and restarting openvpn with this:
The log is showing repeated message groups like this, with the restart delay doubling each time:
20191022 14:59:31 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20191022 14:59:31 N TLS Error: TLS handshake failed
20191022 14:59:31 I SIGUSR1[soft tls-error] received process restarting
20191022 14:59:31 Restart pause 160 second(s)
So it's clear I am still doing something horribly wrong. For the record, here is the (edited, per the above) openvpn.conf:
The last three lines come from Additional Config. The rest is from the GUI selections. The questions are then these:
(1) Is there a GUI-only way to specify tls-crypt, given that I am on 40784 on this router and so don't yet have a simple GUI button to select it? I have looked over your guide's p17 material on the dd-wrt openvpn client, but that seems tailored to connecting to a dd-wrt server set up according to the rest of that document. I'm not seeing the solution to this conundrum there.
(2) Assuming that for now I simply automate the editing and openvpn restart into Startup Commands (I've been known to do much worse), is there anything obviously wrong with the openvpn.conf above? (Once we clear away the obvious at the dd-wrt level, I'll contact AirVPN support to continue sorting things out, on the assumption that I'm doing something here that doesn't work for their system.)
Many thanks in advance for having a look.
Edit: I'm backing off temporarily from tls-crypt and trying to get the connection working with tls-auth. Looks like it's going to take a consult with AirVPN, as that isn't playing either. So perhaps it's appropriate to avoid exerting much energy on the second question until I hear back from them and sort things out at that level. Here's hoping their support is all that it's cracked up to be! _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
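As an added example (not code from the thread, from dd-wrt or from the guide) of the Startup Commands automation raised in question (2): a POSIX/busybox sh snippet that rewrites the router-generated tls-auth line to tls-crypt, refuses a config that mixes both directives, and checks that ta.key really holds a static key rather than the two blank lines a whitespace-only TLS Auth Key field produces. The file paths are the ones named in the thread; the restart command is left to the build.

```shell
#!/bin/sh
# Added example, not dd-wrt's own code. Paths follow the thread:
# /tmp/openvpncl/openvpn.conf and /tmp/openvpncl/ta.key.

# Returns 0 when the file looks like an OpenVPN static key V1
# (BEGIN/END markers plus 16 lines of 32 hex digits = 2048 bits),
# 1 for a missing file or the whitespace-only ta.key the GUI can write.
key_file_is_valid() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$f" || return 1
    grep -q '^-----END OpenVPN Static key V1-----$' "$f" || return 1
    n=$(grep -c '^[0-9a-fA-F]\{32\}$' "$f" || true)
    [ "$n" -eq 16 ]
}

# Rewrites every "tls-auth <file> [dir]" line to "tls-crypt <file>".
# tls-crypt has no key direction, so the trailing 0/1 is dropped.
# Returns 2 without touching the file if it already mixes both
# directives, since OpenVPN rejects that combination.
convert_to_tls_crypt() {
    conf="$1"
    if grep -q '^tls-auth' "$conf" && grep -q '^tls-crypt' "$conf"; then
        echo "$conf already contains both tls-auth and tls-crypt" >&2
        return 2
    fi
    tmp="$conf.tmp.$$"
    awk '$1 == "tls-auth" { print "tls-crypt", $2; next } { print }' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Returns 0 only when the config is consistent for tls-crypt:
# a tls-crypt line, no tls-auth line, and a usable key file.
check_tls_crypt_config() {
    conf="$1"; key="$2"
    grep -q '^tls-crypt' "$conf" || return 1
    grep -q '^tls-auth' "$conf" && return 1
    key_file_is_valid "$key"
}

# On the router, after the web UI has generated the config:
#   convert_to_tls_crypt /tmp/openvpncl/openvpn.conf
#   check_tls_crypt_config /tmp/openvpncl/openvpn.conf /tmp/openvpncl/ta.key \
#       && echo "ok, restart the OpenVPN client now" \
#       || echo "fix the key field in the GUI before restarting"
```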
Joined: 04 Aug 2018 Posts: 1445 Location: Appalachian mountains, USA
Posted: Tue Oct 22, 2019 20:22 Post subject:
Many thanks... That was indeed the tls-crypt issue. Once I cleaned the window to remove whitespace, the ta.key file disappears and the log stops whining about the conflict.
I still have something very basic hosed up though, and I've posted a detailed query with AirVPN, so we'll see...
Enjoy the sun...
Joined: 04 Aug 2018 Posts: 1445 Location: Appalachian mountains, USA
Posted: Wed Oct 23, 2019 0:19 Post subject:
Update: my dd-wrt router is online with AirVPN. Yes, they can take port 443 with UDP. They have a list of ports you can choose from. They're pretty flexible.
Getting past my problems with this setup required two key inputs: one from egc above about scrubbing (the GUI was enough, it turned out) the whitespace from the TLS Auth Key. The other was from AirVPN support, which pointed out that different entry IPs to their servers must be used with tls-crypt. Turns out their configurator tool provides both tls-auth and tls-crypt configuration files. I hadn't caught that and was looking at the wrong one.
The overall config process for AirVPN was not bad at all, once I got past those two details. (And yes, they can handle the multiple-server thing with remote-random, though I haven't tried that yet.)