tls-crypt VS tls-auth

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
valvolt
DD-WRT Novice


Joined: 29 Sep 2019
Posts: 7

PostPosted: Tue Oct 01, 2019 7:28    Post subject: tls-crypt VS tls-auth Reply with quote
Hi,

I have tried to setup my router to connect via openvpn client to a Streisand box (https://github.com/StreisandEffect/streisand)

I noticed that the default config for Streisand uses an OpenVPN static key configured with the keyword tls-crypt. However when inputting the key in dd-wrt (latest 3X mega build) it is stored on the router as:

tls-auth ta.key 1

This lead to connection resets every 5 seconds. Manually changing the value to:

tls-crypt ta.key 1

in the generated file (/tmp/openvpncl/openvpn.conf) fixed the issue, and now my connection works perfectly.

My question: is there a way to tell the dd-wrt UI to use tls-crypt instead of tls-auth?
If not, this could be an improvement suggestion?

Vlt
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4397
Location: Netherlands

PostPosted: Tue Oct 01, 2019 9:45    Post subject: Reply with quote
It is on the todo list Smile

For now you can set the key in the additional config

From the OpenVPN setup guide (which is recommended reading for everyone and not because I wrote it Wink )

Quote:
Use of --tls-crypt
Instead of working with tls-auth you can work with tls-crypt (starting with OpenVPN 2.4), this encrypts the OpenVPN at the start of the setup process and therefore hides that it is an OpenVPN connection.
It uses the same static key as described in the tls-auth section

If you are using tls-crypt, it must be pasted in Additional .Config of the server between <tls-crypt> and </tls-crypt>. For example:
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
41a2fc4fbd0cb890d40ddf704defac6a
.......
-----END OpenVPN Static key V1-----
</tls-crypt>

For the client OVPN configuration file add:
tls-crypt ta.key
Specifying the keydir with tls-crypt is not necessary, that is handled automatically

When using a DDWRT OpenVPN client, paste the key in the Addtitional Config like described for the server

You cannot use tls-auth and tls-crypt at the same time!



So no need to specify the key direction (the 1 at the end)

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 517
Location: Appalachian mountains, USA

PostPosted: Tue Oct 22, 2019 19:24    Post subject: Reply with quote
Hello @egc!

I'm experimenting with moving from NordVPN to AirVPN so am configuring for the latter by adjusting a long-working vpn setup. One major new bit is that I'm now trying to set up the openvpn client to use tls-crypt. Simply putting the key in Additional Config between <tls-crypt> and </tls-crypt> and leaving the TLS Auth Key window empty does not work, because the openvpn.conf file still ends up with a tls-auth /tmp/openvpncl/ta.key 1 line, with ta.key containing only two blank lines, and this leads to an error message in the log to the effect that tls-auth and tls-crypt cannot be used simultaneously. The openvpn process exits immediately.

I am now experimenting in the CLI with modifying the openvpn.conf file by hand to replacing the offending tls-auth line with tls-crypt ta.key while, in addition, moving the actual key (obtained from AirVPN's configurator specifically for a tls-crypt configuration) to the named file and restarting openvpn with this:

openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --route-pre-down /tmp/openvpncl/route-down.sh --daemon

The log is showing repeated message groups like this, with the restart delay doubling each time:

20191022 14:59:31 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20191022 14:59:31 N TLS Error: TLS handshake failed
20191022 14:59:31 I SIGUSR1[soft tls-error] received process restarting
20191022 14:59:31 Restart pause 160 second(s)

So it's clear I am still doing something horribly wrong. For the record, here is the (edited, per the above), openvpn.conf:

ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp4
cipher aes-256-cbc
auth sha512
remote US.vpn.airdns.org 443
comp-lzo yes
redirect-private def1
route-noexec
tun-mtu 1500
mtu-disc yes
fast-io
remote-cert-tls server
tls-crypt ta.key
log /tmp/vpn.log

The last three lines come from Additional Config. The rest is from the GUI selections. The questions are then these:

(1) Is there a GUI-only way to specify tls-crypt, given that I am on 40784 on this router and so don't yet have a simple GUI button to select it? I have looked over your guide's p17 material on the dd-wrt openvpn client, but that seems tailored to connecting to a dd-wrt server set up according to the rest of that document. I'm not seeing the solution to this conundrum there.

(2) Assuming that for now I simply automate the editing and openvpn restart into Startup Commands (I've been known to do much worse Shocked ), is there anything obviously wrong with the openvpn.conf above? (Once we clear away the obvious at the dd-wrt level, I'll contact AirVPN support to continue sorting things out, on the assumption that I'm doing something here that doesn't work for their system.)

Many thanks in advance for having a look.

Edit: I'm backing off temporarily from tls-crypt and trying to get the connection working with tls-auth. Looks like it's going to take a consult with AirVPN, as that isn't playing either. So perhaps it's appropriate to avoid exerting much energy on the second question until I hear back from them and sort things out at that level. Here's hoping their support is all that it's cracked up to be!

_________________
Six Linksys WRT1900ACSv2 (38159, r39144, 40009, 40784):
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (old=NordVPN, new=AirVPN), two DNSCrypt servers (incl Quad9) routed through vpn.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4397
Location: Netherlands

PostPosted: Tue Oct 22, 2019 19:59    Post subject: Reply with quote
Always glad to try to help a valued forum member Smile

To start, I added the button to choose between tls-auth and tls-crypt in the latest build so you can consider upgrading (builds after 41304)

That said you should be able to do it manually the way described in the guide with the build you are on.

If the tls auth key box is empty there should not be a line with tls-auth (indeed tls-auth and tls-crypt do not go together)

So logic dictate that your tls-auth key box is not empty.
Check and dlelete everything in the box and there should not be a tls-auth line.

The nvram variable of the tls-auth key is:
openvpncl_tlsauth

So to show what is in (probably blank lines)
Telnet/Putty to your router and do:
Code:
nvram get openvpncl_tlsauth

To clear the variable , telnet to your router and do:
Code:
nvram unset openvpncl_tlsauth
nvram commit


That should clear the key box and there should not be a tls-auth line and you can insert the tls-crypt manually.

Take care that if the key is still in the GUI it might get saved again. So while doing the unset do not keepp the GUI opened.

Tomorrow I am travelling to our summer residence in France to catch the last autumn sun, so hope this solves it as I will be off line for a day or two Cool

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 517
Location: Appalachian mountains, USA

PostPosted: Tue Oct 22, 2019 20:22    Post subject: Reply with quote
Many thanks... That was indeed the tls-crypt issue. Once I cleaned the window to remove whitespace, the ta.key file disappears and the log stops whining about the conflict.

I still have something very basic hosed up though, and I've posted a detailed query with AirVPN, so we'll see...

Enjoy the sun...

_________________
Six Linksys WRT1900ACSv2 (38159, r39144, 40009, 40784):
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (old=NordVPN, new=AirVPN), two DNSCrypt servers (incl Quad9) routed through vpn.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4397
Location: Netherlands

PostPosted: Tue Oct 22, 2019 20:54    Post subject: Reply with quote
Thanks,
Just one last hunch, port 443 is often used with TCP.
Check whether it also understands UDP.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 517
Location: Appalachian mountains, USA

PostPosted: Wed Oct 23, 2019 0:19    Post subject: Reply with quote
Update: my dd-wrt router is online with AirVPN. Yes, they can take port 443 with UDP. They have a list of ports you can choose from. They're pretty flexible.

Getting past my problems with this setup required two key inputs: one from egc above about scrubbing (the GUI was enough, it turned out) the whitespace from the TLS Auth Key. The other was from AirVPN support, which pointed out that different entry IPs to their servers must be used with tls-crypt. Turns out their configurator tool provides both tls-auth and tls-crypt configuration files. I hadn't caught that and was looking at the wrong one.

The overall config process for AirVPN was not bad at all, once I got past those two details. (And yes, they can handle the multiple-server thing with remote-random, though I haven't tried that yet.)

_________________
Six Linksys WRT1900ACSv2 (38159, r39144, 40009, 40784):
VLANs, multiple VAPs, NAS, QoS, client-mode travel router, OpenVPN client/PBR (old=NordVPN, new=AirVPN), two DNSCrypt servers (incl Quad9) routed through vpn.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum