OpenVPN 2.4 and pure elliptic curve crypto setup

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by Pippin » Mon May 22, 2017 7:09 pm

@bird333
See manual 2.4 --ncp.....

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon May 22, 2017 7:13 pm

Crypto parameters negotiation is automatic unless explicitly disabled as per 2.4 manual

bird333
OpenVPN User
Posts: 25
Joined: Wed Nov 05, 2014 2:58 am

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by bird333 » Mon May 22, 2017 11:36 pm

The control channel encryption still shows AES-256-CTR and SHA256 with 'ncp-disable' added to the server and client configs. The client log does show AES-256-CBC and SHA512 for the 'data channel', which it didn't before I added 'ncp-disable'. See below.

Client log


Mon May 22 18:07:35 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon May 22 18:07:35 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon May 22 18:07:35 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon May 22 18:07:35 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon May 22 18:07:35 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Mon May 22 18:07:35 2017 [server] Peer Connection Initiated with [AF_INET]*.*.*.*:1194
Mon May 22 18:07:35 2017 Key [AF_INET]*.*.*.*:1194 [0] not initialized (yet), dropping packet.
Mon May 22 18:07:35 2017 Key [AF_INET]*.*.*.*:1194 [0] not initialized (yet), dropping packet.
Mon May 22 18:07:36 2017 Key [AF_INET]*.*.*.*:1194 [0] not initialized (yet), dropping packet.
Mon May 22 18:07:36 2017 MANAGEMENT: >STATE:1495494456,GET_CONFIG,,,,,,
Mon May 22 18:07:36 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon May 22 18:07:36 2017 PUSH: Received control message: 'PUSH_REPLY,ping 15,ping-restart 60,peer-id 1'
Mon May 22 18:07:36 2017 OPTIONS IMPORT: timers and/or timeouts modified
Mon May 22 18:07:36 2017 OPTIONS IMPORT: peer-id set
Mon May 22 18:07:36 2017 OPTIONS IMPORT: adjusting link_mtu to 1657
Mon May 22 18:07:36 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 22 18:07:36 2017 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon May 22 18:07:36 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 22 18:07:36 2017 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Tue May 23, 2017 1:57 pm

Mon Jan 16 11:14:44 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jan 16 11:14:44 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jan 16 11:14:44 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jan 16 11:14:44 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

The above lines in the server log indicate that you have tls-crypt enabled and it initiated control channel packet encryption. tls-crypt is not mandatory but adds an extra layer of security. It is used in addition to the control channel cipher, which is either negotiated or explicitly specified by your configuration, e.g. in your case ECDHE-ECDSA-AES256-GCM-SHA384 with HMAC SHA512.

bird333
OpenVPN User
Posts: 25
Joined: Wed Nov 05, 2014 2:58 am

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by bird333 » Tue May 23, 2017 8:30 pm

I guess my question was why does it not match what's in the config? I suspect that 'tls-crypt' defaults to AES-256-CTR and SHA256 and there is no way to change it.

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Wed May 24, 2017 8:18 am

@bird333

For me it looks the same. It is not configurable.

bird333
OpenVPN User
Posts: 25
Joined: Wed Nov 05, 2014 2:58 am

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by bird333 » Wed May 24, 2017 2:44 pm

I found this in a google search. https://sourceforge.net/p/openvpn/mailm ... /35761755/ Indeed it looks like this is hardcoded and can't be changed.
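
The split between what the thread found to be hardcoded and what a 2.4 config does control, written out as an added server-side fragment. This is an example, not bird333's or dariusz's configuration; the file names (tc.key) and the curve and cipher choices are placeholders you would adjust to your CA:

```conf
# Added example for OpenVPN 2.4 (not the thread's own config). File names are placeholders.

# Pure EC: ECDSA certificates from an EC CA, no DH parameters at all (2.4 accepts `dh none`),
# and the ECDH curve for the TLS handshake pinned explicitly.
dh none
ecdh-curve secp384r1
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

# Data channel. With NCP (on by default in 2.4) two 2.4 peers negotiate AES-256-GCM whatever
# `cipher` says, which is why the CBC/SHA512 lines only appeared after `ncp-disable` was added.
# Pick one of the two blocks.
# (a) keep negotiation but restrict it to the AEAD ciphers you accept:
ncp-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
# (b) or pin the CBC+HMAC combination exactly as in the thread:
#ncp-disable
#cipher AES-256-CBC
#auth SHA512

# Control channel wrapping. Key generated once with `openvpn --genkey --secret tc.key` and
# copied to every peer. This layer always uses AES-256-CTR with SHA256 in 2.4; `cipher` and
# `auth` do not influence it, which is exactly what the "Control Channel Encryption" log lines show.
tls-crypt tc.key
```

The `tls-cipher` line restricts the TLS handshake (the "Control Channel: TLSv1.2, cipher ..." line in the log); the tls-crypt key wrapping the control channel packets is a separate, fixed layer on top of it.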

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Wed May 24, 2017 4:08 pm

Cool. Thx for sharing.

umdmc
OpenVpn Newbie
Posts: 3
Joined: Wed Jun 21, 2017 4:36 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by umdmc » Wed Jun 21, 2017 4:56 pm

Nice write up. I was able to get it working on my router. One question though. I did the step using Openssl 1.1.0f:


c:/OpenSSL-Win32/bin/openssl ec -in ECClient1.key -des3 -out ECClient1.3des.key
My generated key ECClient1.3des.key was created fine. But I am not seeing the initial syntax that you have in your key.


-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6778BFA39150BF9E
It just shows the key without the above:


-----BEGIN EC PRIVATE KEY-----

My key.....

-----END EC PRIVATE KEY-----
Does that matter?

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Wed Jun 21, 2017 5:00 pm

Are you checking the ECClient1.3des.key file?

umdmc
OpenVpn Newbie
Posts: 3
Joined: Wed Jun 21, 2017 4:36 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by umdmc » Wed Jun 21, 2017 5:06 pm

Yep. I checked both and they are different. So I guess it worked?

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Wed Jun 21, 2017 5:10 pm

The 3des file should indicate that the key is encrypted, like in my example.

3DES or AES key encryption is only important when transferring keys to your client over an insecure channel. It protects your private key from being compromised while in transit.
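
The check umdmc was doing by eye, as an added POSIX shell example (not code from the thread): generate an EC key, encrypt it for transit, and verify from the PEM headers and a decrypt attempt that the file really is encrypted before it leaves the machine. It assumes an `openssl` binary (1.1.x or 3.x) in PATH; the file names and the passphrase are made up. The thread used `-des3`; this uses `-aes256`, which is the same command with a non-legacy cipher.

```shell
#!/bin/sh
# Added example, not from the thread: encrypt an EC private key for transit
# and verify that the output really is encrypted. Assumes `openssl` in PATH;
# file names and passphrase below are placeholders.
set -eu

# Generate an unencrypted P-256 key in traditional "EC PRIVATE KEY" PEM form.
gen_ec_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

# Encrypt a key with AES-256-CBC using traditional PEM encryption.
#   $1 = plaintext key, $2 = output file, $3 = passphrase
encrypt_ec_key() {
    openssl ec -in "$1" -aes256 -passout "pass:$3" -out "$2" 2>/dev/null
}

# A correctly encrypted traditional PEM key carries these two headers right
# after the BEGIN line; an unencrypted key goes straight into the base64 body.
is_encrypted_pem() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" && grep -q '^DEK-Info: ' "$1"
}

# Exit 0 if the key loads with the given passphrase, non-zero otherwise.
# Trying a wrong passphrase proves the encryption is real, not just a header.
decrypts_with() {
    openssl ec -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Cipher recorded in the DEK-Info header, e.g. AES-256-CBC or DES-EDE3-CBC.
pem_cipher() {
    sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$1"
}

# Walk through the thread's scenario with placeholder names and refuse to
# hand out a key whose file is not actually encrypted.
demo() {
    dir=$(mktemp -d)
    gen_ec_key "$dir/ECClient1.key"
    encrypt_ec_key "$dir/ECClient1.key" "$dir/ECClient1.enc.key" 'transit-passphrase'
    # The first three lines are the part umdmc was comparing.
    head -n 3 "$dir/ECClient1.enc.key"
    if is_encrypted_pem "$dir/ECClient1.enc.key"; then
        echo "encrypted with $(pem_cipher "$dir/ECClient1.enc.key")"
    else
        echo "NOT encrypted: do not send this file" >&2
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
}
```

Run `demo` to see the `Proc-Type` and `DEK-Info` header lines; a file that starts with the BEGIN line followed directly by base64, as in umdmc's first attempt, fails `is_encrypted_pem` and should be treated as a plaintext key.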

umdmc
OpenVpn Newbie
Posts: 3
Joined: Wed Jun 21, 2017 4:36 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by umdmc » Wed Jun 21, 2017 5:20 pm

Oh ok. Not sure why I am not getting the same output. Whatever it did, the new key still worked.

EDIT:

I must have typed something wrong initially because I went back and tried it and it worked. Oops. ;-)

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 9:31 am

Then I have built the latest OpenVPN 2.4
wget https://swupdate.openvpn.org/community/ ... 4.0.tar.gz
tar xvf openvpn-2.4.0.tar.gz
cd openvpn-2.4.0
./configure --with-crypto-library=mbedtls
make
sudo make install
I got errors while doing ./configure --with-crypto-library=mbedtls and fixed them following this thread on stackoverflow

I just drop it here to help out anyone following this tutorial..

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 10:21 am

I'm stuck at the command


./easyrsa init-pki
There seems to be something wrong with my openssl command. I can't attach files here, so here's an imgur

I'm using mbedtls-2.5.1, openssl-1.1.0f , and openvpn-2.4.3

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 10:26 am

There is no openssl in /usr/local/bin/openssl.

You have to edit the following line in the vars file:

set_var EASYRSA_OPENSSL "/usr/local/opt/openssl/bin/openssl"

and set it to wherever your openssl is.

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 10:36 am

Newbie question, how do I find where my openssl is located?

Is there a command I could run to find out?

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 10:42 am

which openssl

But then check that this is the right one, in case you have multiple versions installed:

WhateverPath/openssl version

matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 10:44 am

which openssl outputs /usr/local/bin/openssl


EDIT: running openssl will output


openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
Last edited by matt3226 on Mon Jul 17, 2017 10:45 am, edited 1 time in total.

dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 10:45 am

And

/usr/local/bin/openssl version

?
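
The problem in the last few posts is that `which openssl` reports the first binary in PATH even when that binary cannot load its shared libraries (the `libssl.so.1.1` error). The following added POSIX shell example (not code from the thread or from Easy-RSA) checks every candidate with `openssl version`, reports why the broken ones fail, and prints the `set_var EASYRSA_OPENSSL` line for the first one that works. The extra directories it probes beyond PATH (`/usr/local/opt/openssl/bin` from dariusz's post, `/usr/local/ssl/bin`, `/opt/openssl/bin`) are assumptions about common install prefixes.

```shell
#!/bin/sh
# Added example, not from the thread: find an openssl binary that actually
# runs, because `which openssl` only looks at PATH order. Extra prefixes
# below are assumptions; paths containing spaces are not handled.
set -u

# Every openssl on PATH, then the usual out-of-tree install prefixes.
openssl_candidates() {
    old_ifs=$IFS
    IFS=:
    for d in $PATH /usr/local/opt/openssl/bin /usr/local/ssl/bin /opt/openssl/bin; do
        if [ -x "$d/openssl" ]; then
            echo "$d/openssl"
        fi
    done
    IFS=$old_ifs
}

# First line of stderr when the binary is run, e.g.
# "error while loading shared libraries: libssl.so.1.1: cannot open shared object file".
openssl_load_error() {
    "$1" version 2>&1 >/dev/null | head -n 1
}

# Path of the first candidate whose `openssl version` succeeds; exit 1 if none.
find_working_openssl() {
    for c in $(openssl_candidates); do
        if "$c" version >/dev/null 2>&1; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

# The line to put in the Easy-RSA vars file, pointing at a binary that runs.
easyrsa_vars_line() {
    ossl=$(find_working_openssl) || return 1
    printf 'set_var EASYRSA_OPENSSL "%s"\n' "$ossl"
}

# Print one status line per candidate, then the vars line.
demo() {
    for c in $(openssl_candidates); do
        if "$c" version >/dev/null 2>&1; then
            echo "ok      $c  ($("$c" version))"
        else
            echo "broken  $c  ($(openssl_load_error "$c"))"
        fi
    done
    easyrsa_vars_line
}
```

Run `demo` on the affected machine: a `/usr/local/bin/openssl` built against a libssl that is not on the loader path shows up as "broken" with the same message matt3226 pasted, while the distribution's `/usr/bin/openssl` (or whichever one the source build's libraries are reachable from) is the one the vars line should name.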
