openvpn tls-crypt?

lesteringber
DD-WRT Novice


Joined: 24 Apr 2017
Posts: 18

Posted: Mon May 29, 2017 17:21    Post subject: openvpn tls-crypt?
Since ovpn-2.4 it is possible to use tls-crypt instead of tls-auth. My ovpn server can use this, but it seems that the dd-wrt gui ovpn setup cannot, e.g., not in v3.0-r31980M kongac. I tried adding this as in the VPN -> Additional Config window, but it failed to start.

tls-crypt or tlscrypt does not show up under any searches in this forum. Does anyone know of any plans to implement this?
Pibell
DD-WRT Novice


Joined: 02 Sep 2015
Posts: 23

Posted: Sun Jun 24, 2018 17:58
Hi @lesteringber.

So, were you able to use tls-crypt even if it wasn't via UI?

Greetings.
zip
DD-WRT User


Joined: 29 Sep 2006
Posts: 93

Posted: Sun Aug 26, 2018 19:42
Netgear R7000
dd-wrt 36154

Linux 4.4.137 #3284 SMP Sat Jun 16 12:11:20 CEST 2018 armv7l

I know this thread is old, but I had been researching this and got it to work today.

Using another thread about openvpn dealing with another aspect, I got an idea which I tried.

Since the gui for dd-wrt openvpn does not have an area to paste tls-crypt and only has the old tls-auth area, I took the static key info out of tls-auth.

I put it in the additional configuration area in between <tls-crypt> and </tls-crypt>. I did NOT put a file name. I pasted the actual key info in between.

After saving and applying, I tried to connect after modifying my openvpn client (Windows 10) and changing tls-auth to tls-crypt.

I connected successfully and the client log showed that the control channel was being encrypted with AES-256-CTR. Note the encryption for the connection once established is still AES-256-GCM as I had specified.

I then tried it with my OpenVPN ios app (ios 11.4.1) which uses an inline file. In that file I changed tls-auth to tls-crypt.

That works also. However, I saw no indication in the log regarding the encrypted control channel.

To double check, I used the old client configs for both the pc and the iphone which were using tls-auth.

They did not work as was expected so I know that it is working for both (regardless of lack of logging in ios).

Long story short, I removed the info from tls-auth in dd-wrt placing it in additional config and then modified the client configs to use tls-crypt instead of tls-auth and it works.

I also went ahead and regenerated a new static key file in openvpn on the pc for both it and ios to use since the tls-auth file has more exposure.

_________________
-----------------------------------
Netgear R7000
NBA Jam
DD-WRT Novice


Joined: 25 Nov 2018
Posts: 39

Posted: Sat Mar 30, 2019 2:14
zip wrote:

I put it in the additional configuration area in between <tls-crypt> and </tls-crypt>. I did NOT put a file name. I pasted the actual key info in between.


Thank you! This solved my problem. I had my ta.key file pasted in "TLS Auth." This is not the correct place to put it. If you are using tls-crypt, it must be pasted in Additional Config between <tls-crypt> and </tls-crypt>. For example:

Code:
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
41a2fc4fbd0cb890d40ddf704defac6a
.......
-----END OpenVPN Static key V1-----
</tls-crypt>
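
The client-side change described in the posts above (tls-auth becomes tls-crypt, with the same static key), as an added shell example that is not part of the original thread. The function names, the sample config and its placeholder key are constructed; dropping the key-direction line is an assumption, based on tls-crypt taking no direction argument.

```shell
#!/bin/sh
# Added example: convert an OpenVPN client config from tls-auth to tls-crypt.
# Reads the config on stdin and writes the converted config to stdout.
to_tls_crypt() {
    awk '
        { sub(/\r$/, "") }               # tolerate CRLF files from Windows
        # Inline block: only the tag names change, the key material is kept.
        $1 == "<tls-auth>"  { print "<tls-crypt>";  next }
        $1 == "</tls-auth>" { print "</tls-crypt>"; next }
        # File form, e.g. "tls-auth ta.key 1": keep the file, drop the direction.
        $1 == "tls-auth" {
            sub(/tls-auth/, "tls-crypt")
            sub(/[ \t]+[01][ \t]*$/, "")
            print; next
        }
        # Assumption: key-direction was only there for tls-auth.
        $1 == "key-direction" { next }
        { print }
    '
}

# True if the config on stdin still carries a tls-auth directive or block.
uses_tls_auth() {
    grep -Eq '^[[:space:]]*(<tls-auth>|tls-auth[[:space:]])'
}

# Constructed sample client config; the key line is a placeholder.
sample_client() {
    cat <<'EOF'
client
remote vpn.example.net 1194
cipher AES-256-GCM
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# Usage: sh this_script.sh client.ovpn > client-tls-crypt.ovpn
if [ -n "${1:-}" ]; then
    to_tls_crypt < "$1"
fi
```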