OpenVPN 2.4 tls-crypt and Tomato

Discussion in 'Tomato Firmware' started by boardlord, Dec 8, 2017.

  1. boardlord

    boardlord Network Guru Member

    OpenVPN 2.4 brought us the "tls-crypt" option to encrypt the control channel.

    Is this exposed in the GUI of the Tomato builds that include OpenVPN 2.4, or at least accessible through the custom config textbox? If the latter, could someone help me with it (how to point to the static key). Many thanks!
     
  2. schnappi

    schnappi Networkin' Nut Member

    Under OpenVPN - Advanced one will find a box for custom OpenVPN configuration options. Let us know if you find it okay.
     
    Last edited: Dec 8, 2017
  3. boardlord

    boardlord Network Guru Member

    That's what I was referring to by custom config

    Sent from my Xperia Z3C using Tapatalk
     
  4. schnappi

    schnappi Networkin' Nut Member

    If "tls-crypt" works the same way as "tls-auth" (and think it does: https://github.com/OpenVPN/openvpn/commit/c6e24fa3e16c32f9b427e360fd07102f613aa5c6) then one can put "tls-crypt" in the custom configuration box same as any of the below that can go in the custom configuration box:

    ca /tmp/mnt/USB-or-JFFS-or-CIFS/OpenVPN/keys/ca.crt
    cert /tmp/mnt/USB-or-JFFS-or-CIFS/OpenVPN/keys/server.crt
    key /tmp/mnt/USB-or-JFFS-or-CIFS/OpenVPN/keys/server.key
    dh /tmp/mnt/USB-or-JFFS-or-CIFS/OpenVPN/keys/dh4096.pem
    tls-auth /tmp/mnt/USB-or-JFFS-or-CIFS/OpenVPN/keys/ta.key
     
    boardlord likes this.
  5. boardlord

    boardlord Network Guru Member

    Sorry for reacting just now, busy days... Would it be possible to use the static key in the GUI's "Keys" in OpenVPN config? The "static key" text field is only available if I check the "tls-auth" checkbox.

    So: could I check that option so that I can input the static key in the GUI, but somehow "override" in custom config and let "tls-crypt" use that key? Or is it better to just say "f" it and use a small flash drive for the key? Thanks and sorry for being a bit thick :D

    Edit: Man, I wish I could code and just add the additional checkbox for "tls-crypt" :)
     
  6. schnappi

    schnappi Networkin' Nut Member

    One should be able to use the GUI's "Keys" boxes and only add "tls-crypt" to the custom configuration.

    Recommended not using the GUI "Keys" because using the "GUI keys" sometimes takes up too much NVRAM on some routers where NVRAM is rather sparse as opposed to just pointing to the files with one line of text each. Certainly don't have to do this though. Does this make sense?
     
    boardlord likes this.
  7. boardlord

    boardlord Network Guru Member

    Thanks for bearing with me! One problem I see with that: the static key textbox is only exposed when tls-auth is checked... And according to the OpenVPN docs, tls-auth and tls-crypt are mutually exclusive...

    So I guess I will indeed need a thumb drive to store the tls-crypt static key until someone finds the time to implement this in the GUI...
    Maybe @pedro311 or @kille72 if they find the time :) Please don't take this as a nag guys, I know things this minor are nr. 999 at most on your todo lists :D
     
  8. schnappi

    schnappi Networkin' Nut Member

    Yep, the static key box is only for tls-auth as far as I know. You can store the tls-crypt key on a USB connected drive, in JFFS storage (this works pretty well), or CIFS storage.
     
  9. feedzapper

    feedzapper Reformed Router Member

    I found a good solution for using tls-crypt without needing a key file on any drive.
    You can put all key files "inline" in the openvpn.conf.
    Make sure the checkbox for tls-auth in the Tomato WebIF is disabled!
    -> ( Extra HMAC authorization (tls-auth) )
    But if you have disabled tls-auth in the WebIF, the static.key file will not be temporarily generated in the /tmp/etc/openvpn/serverX directory (all the keys are read from NVRAM and written as files into this directory when you start the VPN server/client).
    So you are unable to use the static.key file directly for tls-crypt.
    Add the following lines in the custom configuration area for OpenVPN in the Tomato WebIF:

    Code:
    <tls-crypt>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    your keys.....
    -----END OpenVPN Static key V1-----
    </tls-crypt>
    Also, you do not need to set any direction (0/1) for tls-crypt anymore!!
     
    Last edited: Feb 8, 2019
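    The inline form above can be produced mechanically from a key file, and the two pitfalls raised in this thread (tls-auth and tls-crypt both enabled; a key direction left over from tls-auth) can be checked before the config is pasted into the Tomato box. The script below is an added example, not code from the thread, from Tomato or from OpenVPN: it parses a custom-config fragment including OpenVPN's inline `<tag>...</tag>` blocks, flags those two conflicts, and rewrites a `tls-crypt /path/ta.key` line into an inline `<tls-crypt>` block. The key and config it operates on are constructed samples (the key body is hex filler, not real key material); the file path in the sample config is an assumption.

```python
"""Inline an OpenVPN tls-crypt key and lint the control-channel options.

Added example for the thread above; not Tomato's or OpenVPN's own code.
SAMPLE_KEY and SAMPLE_CONFIG are constructed test data.
"""
import re

TLS_CRYPT_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
TLS_CRYPT_END = "-----END OpenVPN Static key V1-----"

# Constructed: same layout as a file written by `openvpn --genkey --secret ta.key`
# (3 comment lines, BEGIN, 16 lines of 32 hex chars = 2048 bits, END),
# but the hex is filler, not a real key.
SAMPLE_KEY = (
    "#\n# 2048 bit OpenVPN static key\n#\n"
    + TLS_CRYPT_BEGIN + "\n"
    + "\n".join(["0123456789abcdef" * 2] * 16) + "\n"
    + TLS_CRYPT_END + "\n"
)

# Constructed custom-config fragment, as it might be typed into the Tomato box.
# The path is an assumed USB mount; key-direction is a leftover from tls-auth.
SAMPLE_CONFIG = """\
# custom OpenVPN options (constructed sample)
tls-crypt /tmp/mnt/usb/openvpn/keys/ta.key
key-direction 1
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
"""


def parse_options(config_text):
    """Return [(name, args, inline_body)] for each option in the config.

    One-line options give inline_body=None; an inline <tag>...</tag> block
    gives name=tag, args=[] and the verbatim body (comments preserved, since
    the key parser expects them inside the block).
    """
    opts = []
    lines = config_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue  # top-level comment or blank line
        m = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if m:
            tag = m.group(1)
            body = []
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                body.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated inline block <{tag}>")
            i += 1  # consume the closing tag
            opts.append((tag, [], "\n".join(body)))
        else:
            parts = line.split()
            opts.append((parts[0], parts[1:], None))
    return opts


def check_control_channel(opts):
    """Flag the conflicts discussed in the thread; returns a list of messages."""
    names = {o[0] for o in opts}
    problems = []
    if {"tls-auth", "tls-crypt"} <= names:
        problems.append("tls-auth and tls-crypt are mutually exclusive")
    if "tls-crypt" in names and "key-direction" in names:
        problems.append("tls-crypt does not use a key direction; drop key-direction")
    for name, _args, body in opts:
        if name == "tls-crypt" and body is not None and (
            TLS_CRYPT_BEGIN not in body or TLS_CRYPT_END not in body
        ):
            problems.append("inline <tls-crypt> block is missing the BEGIN/END markers")
    return problems


def inline_key(config_text, key_text, option="tls-crypt"):
    """Replace the single `option /path/to/file` line with an inline block."""
    key_text = key_text.strip()
    if TLS_CRYPT_BEGIN not in key_text or TLS_CRYPT_END not in key_text:
        raise ValueError("key file does not look like an OpenVPN static key")
    block = f"<{option}>\n{key_text}\n</{option}>"
    pattern = re.compile(rf"^{re.escape(option)}[ \t]+\S.*$", re.M)
    new_text, n = pattern.subn(lambda _m: block, config_text)
    if n != 1:
        raise ValueError(f"expected exactly one '{option} <file>' line, found {n}")
    return new_text


if __name__ == "__main__":
    print("problems before:", check_control_channel(parse_options(SAMPLE_CONFIG)))
    print(inline_key(SAMPLE_CONFIG, SAMPLE_KEY))
```

    Run it as-is to see the sample fragment rewritten with the key inlined; in practice you would read the real `ta.key` and the fragment from files, and remove the `key-direction` line the linter flags before pasting the result into the custom configuration box.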
  10. feedzapper

    feedzapper Reformed Router Member

    Just a hint for "tls-cipher":
    I suggest also setting it in the custom OpenVPN area to:
    Code:
    tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    
    for the strongest security....
    Note: all clients must use the same tls-cipher, and all clients must have OpenVPN >= 2.4 installed to use tls-crypt!
     
    Last edited: Feb 8, 2019