OpenVPN 2.4 and pure elliptic curve crypto setup
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
@bird333
See manual 2.4 --ncp.....
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Crypto parameter negotiation is automatic unless explicitly disabled, as per the 2.4 manual.
-
- OpenVPN User
- Posts: 25
- Joined: Wed Nov 05, 2014 2:58 am
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
The control channel encryption still shows AES-256-CTR and SHA256 with 'ncp-disable' added to the server and client configs. The client log does show AES-256-CBC and SHA512 for the 'data channel', which it didn't before I added 'ncp-disable'. See below.
Client log
Code:
Mon May 22 18:07:35 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon May 22 18:07:35 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon May 22 18:07:35 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon May 22 18:07:35 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon May 22 18:07:35 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Mon May 22 18:07:35 2017 [server] Peer Connection Initiated with [AF_INET]*.*.*.*:1194
Mon May 22 18:07:35 2017 Key [AF_INET]*.*.*.*:1194 [0] not initialized (yet), dropping packet.
Mon May 22 18:07:35 2017 Key [AF_INET]*.*.*.*:1194 [0] not initialized (yet), dropping packet.
Mon May 22 18:07:36 2017 Key [AF_INET]*.*.*.*:1194 [0] not initialized (yet), dropping packet.
Mon May 22 18:07:36 2017 MANAGEMENT: >STATE:1495494456,GET_CONFIG,,,,,,
Mon May 22 18:07:36 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon May 22 18:07:36 2017 PUSH: Received control message: 'PUSH_REPLY,ping 15,ping-restart 60,peer-id 1'
Mon May 22 18:07:36 2017 OPTIONS IMPORT: timers and/or timeouts modified
Mon May 22 18:07:36 2017 OPTIONS IMPORT: peer-id set
Mon May 22 18:07:36 2017 OPTIONS IMPORT: adjusting link_mtu to 1657
Mon May 22 18:07:36 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 22 18:07:36 2017 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon May 22 18:07:36 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 22 18:07:36 2017 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Quote:
Mon Jan 16 11:14:44 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jan 16 11:14:44 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jan 16 11:14:44 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jan 16 11:14:44 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
The above lines in the server log indicate that you have tls-crypt enabled and it initiated control channel packet encryption. tls-crypt is not mandatory but adds an extra layer of security. It is used in addition to the control channel cipher, which is either negotiated or explicitly specified by your configuration, e.g. in your case ECDHE-ECDSA-AES256-GCM-SHA384 with HMAC SHA512.
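To make the distinction in the reply above concrete, here is an added example (not code from this thread or from the OpenVPN project) that sorts the crypto lines of an OpenVPN 2.4 log into the three layers people mix up: the tls-crypt wrapping of control packets (the "Control Channel Encryption" lines; AES-256-CTR and SHA256 are fixed inside tls-crypt in 2.4 and no option changes them), the TLS session that carries the control channel (the "Control Channel: TLSv1.2, cipher ..." line, steered by tls-cipher and tls-version-min), and the data channel (the "Data Channel Encrypt/Decrypt" lines). The sample log is constructed from the lines quoted earlier in this thread.

```shell
#!/bin/sh
# Added example: not code from the thread or from the OpenVPN project.
# Sorts the crypto lines of an OpenVPN 2.4 log into the three layers that
# get confused in this thread. Needs only POSIX sh, sed, grep and sort.

# Reads a log on stdin, prints one "layer=value" per recognised line.
#   tls_crypt_cipher / tls_crypt_auth : tls-crypt wrapping of control packets
#   tls_suite                          : TLS cipher suite of the control channel
#   data_cipher / data_auth            : data channel cipher and HMAC
classify_openvpn_log() {
    sed -n \
        -e "s/.*Control Channel Encryption: Cipher '\([^']*\)'.*/tls_crypt_cipher=\1/p" \
        -e "s/.*Control Channel Encryption: Using [0-9]* bit message hash '\([^']*\)'.*/tls_crypt_auth=\1/p" \
        -e "s/.*Control Channel: \(TLSv[0-9.]*\), cipher [^ ]* \([^ ]*\).*/tls_suite=\1 \2/p" \
        -e "s/.*Data Channel Encrypt: Cipher '\([^']*\)'.*/data_cipher=\1/p" \
        -e "s/.*Data Channel Encrypt: Using [0-9]* bit message hash '\([^']*\)'.*/data_auth=\1/p" \
    | sort -u
}

# Helper: value of one layer from classify output on stdin (empty if absent).
layer_value() { sed -n "s/^$1=//p"; }

# Reads a log on stdin, prints a three-line human summary.
summarise_openvpn_log() {
    c=$(classify_openvpn_log)
    tc=$(printf '%s\n' "$c" | layer_value tls_crypt_cipher)
    ta=$(printf '%s\n' "$c" | layer_value tls_crypt_auth)
    ts=$(printf '%s\n' "$c" | layer_value tls_suite)
    dc=$(printf '%s\n' "$c" | layer_value data_cipher)
    da=$(printf '%s\n' "$c" | layer_value data_auth)
    if [ -n "$tc" ]; then
        echo "tls-crypt: yes ($tc/$ta, fixed by OpenVPN 2.4, not configurable)"
    else
        echo "tls-crypt: no (control packets at most HMAC-signed by tls-auth, not encrypted)"
    fi
    echo "control channel TLS: ${ts:-not found}"
    if [ -n "$da" ]; then
        echo "data channel: $dc + HMAC $da (cipher/auth pair, as with ncp-disable)"
    else
        echo "data channel: ${dc:-not found} (AEAD, no separate HMAC; what NCP negotiates by default)"
    fi
}

# Constructed sample: the client log lines quoted in this thread, trimmed.
sample_log() {
    cat <<'EOF'
Mon May 22 18:07:35 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon May 22 18:07:35 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon May 22 18:07:35 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon May 22 18:07:35 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon May 22 18:07:35 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Mon May 22 18:07:36 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 22 18:07:36 2017 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon May 22 18:07:36 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 22 18:07:36 2017 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
EOF
}

# Usage: sh classify.sh client.log    or    sh classify.sh --sample
case "${1:-}" in
    --sample) sample_log | summarise_openvpn_log ;;
    ?*)       summarise_openvpn_log < "$1" ;;
esac
```

With ncp-disable on both ends the data channel lines mirror cipher/auth from the config; without it they show whatever ncp-ciphers negotiation picked (AES-256-GCM with the 2.4 defaults, and then no HMAC line, since GCM is AEAD). The two control-channel layers do not change with either option.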
-
- OpenVPN User
- Posts: 25
- Joined: Wed Nov 05, 2014 2:58 am
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
I guess my question was why does it not match what's in the config? I suspect that 'tls-crypt' defaults to AES-256-CTR and SHA256 and there is no way to change it.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
@bird333
For me it looks the same. It is not configurable.
-
- OpenVPN User
- Posts: 25
- Joined: Wed Nov 05, 2014 2:58 am
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
I found this in a google search. https://sourceforge.net/p/openvpn/mailm ... /35761755/ Indeed it looks like this is hardcoded and can't be changed.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Cool. Thx for sharing.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Wed Jun 21, 2017 4:36 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Nice write up. I was able to get it working on my router. One question though. I did the step using OpenSSL 1.1.0f:
Code:
c:/OpenSSL-Win32/bin/openssl ec -in ECClient1.key -des3 -out ECClient1.3des.key
My generated key ECClient1.3des.key was created fine. But I am not seeing the initial syntax that you have in your key:
Code:
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6778BFA39150BF9E
It just shows the key without the above:
Code:
-----BEGIN EC PRIVATE KEY-----
My key.....
-----END EC PRIVATE KEY-----
Does that matter?
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Are you checking the ECClient1.3des.key file?
-
- OpenVpn Newbie
- Posts: 3
- Joined: Wed Jun 21, 2017 4:36 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Yep. I checked both and they are different. So I guess it worked?
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
The 3des file should indicate that the key is encrypted, like in my example.
3des or aes key encryption is only important when transferring keys to your client over an insecure channel. It protects your private key from being compromised while in transit.
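The question a few posts up ("Does that matter?") and the answer above both come down to reading the PEM headers. As an added check (not code from the thread, OpenVPN or OpenSSL), the script below tells from those headers whether a key file is really encrypted, refuses to hand out one that is not, and, when openssl is installed, demonstrates the thread's legacy `openssl ec -des3` form next to a PKCS#8 key made with `openssl pkcs8 -topk8 -v2 aes-256-cbc`, which serves the same transit-protection purpose with PBKDF2 and AES instead of the old PEM scheme (3DES with a key derived from the passphrase by a single MD5 pass). File names and the demo passphrase are assumptions.

```shell
#!/bin/sh
# Added example: not code from the thread or from OpenVPN/OpenSSL.
# Tells from its PEM headers whether a private key file is encrypted.
# Needs POSIX sh, grep and sed; openssl only for the optional demo.

# Prints one of: pkcs8-encrypted, legacy-encrypted:<CIPHER>, plaintext, not-a-private-key
key_encryption_state() {
    f="$1"
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        # PKCS#8 EncryptedPrivateKeyInfo (openssl pkcs8 -topk8, genpkey -aes256)
        echo "pkcs8-encrypted"
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && grep -q '^DEK-Info:' "$f"; then
        # traditional PEM encryption, what "openssl ec -des3" writes: the header
        # names the cipher; the key comes from the passphrase via one MD5 pass
        echo "legacy-encrypted:$(sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$f")"
    elif grep -qE '^-----BEGIN (EC |RSA )?PRIVATE KEY-----' "$f"; then
        echo "plaintext"
    else
        echo "not-a-private-key"
    fi
}

# Exit 0 only if FILE is encrypted in either form; run this before copying a key anywhere.
require_encrypted_key() {
    case "$(key_encryption_state "$1")" in
        pkcs8-encrypted|legacy-encrypted:*) return 0 ;;
        *) echo "refusing: $1 is not an encrypted private key" >&2; return 1 ;;
    esac
}

# Optional demo (assumes openssl in PATH; passphrase "demo" is for illustration only).
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo"; return 0; }
    d=$(mktemp -d)
    openssl ecparam -name secp384r1 -genkey -noout -out "$d/plain.key"
    # the thread's form: traditional PEM encryption with 3DES
    openssl ec -in "$d/plain.key" -des3 -passout pass:demo -out "$d/legacy.3des.key" 2>/dev/null
    # same purpose, PKCS#8 with PBKDF2 and AES-256-CBC
    openssl pkcs8 -topk8 -in "$d/plain.key" -v2 aes-256-cbc -passout pass:demo -out "$d/pkcs8.key"
    for k in plain.key legacy.3des.key pkcs8.key; do
        printf '%-16s %s\n' "$k" "$(key_encryption_state "$d/$k")"
    done
    rm -rf "$d"
}

# Usage: sh keycheck.sh ECClient1.3des.key    or    sh keycheck.sh demo
case "${1:-}" in demo) demo ;; ?*) key_encryption_state "$1" ;; esac
```

Run it against the ECClient1.3des.key from the post above: "legacy-encrypted:DES-EDE3-CBC" means the `-des3` step worked, "plaintext" means it did not and the file should not leave the machine as is.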
-
- OpenVpn Newbie
- Posts: 3
- Joined: Wed Jun 21, 2017 4:36 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Oh ok. Not sure why I am not getting the same output. Whatever it did, the new key still worked.
EDIT:
I must have typed something wrong initially because I went back and tried it and it worked. Oops.
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
I got errors while doing ./configure --with-crypto-library=mbedtls and fixed them following this thread on stackoverflow. Then I built the latest OpenVPN 2.4:
wget https://swupdate.openvpn.org/community/ ... 4.0.tar.gz
tar xvf openvpn-2.4.0.tar.gz
cd openvpn-2.4.0
./configure --with-crypto-library=mbedtls
make
sudo make install
I'm just dropping it here to help out anyone following this tutorial.
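The build steps above as an added script (not the poster's and not part of OpenVPN), with the two checks a practitioner would add: verify the release tarball against the detached .asc signature published next to it before unpacking (the script assumes you have already imported and trusted the OpenVPN release signing key in your GnuPG keyring; it does not fetch keys for you), and afterwards confirm that the openvpn in PATH really links mbed TLS rather than a leftover OpenSSL build by inspecting `openvpn --version`. The release URL, the exact wording of the version banner and the sample outputs are assumptions, constructed from what 2.4 prints.

```shell
#!/bin/sh
# Added example: not the poster's script and not part of OpenVPN.
# Fetches, verifies and builds OpenVPN against mbed TLS, then checks the result.
# Assumes: curl, gpg, tar, make, a C toolchain and mbed TLS headers are installed,
# and the OpenVPN release signing key is already in your GnuPG keyring.
set -eu

# Assumed release location; override with the environment if it moves.
OPENVPN_RELEASES=${OPENVPN_RELEASES:-https://swupdate.openvpn.org/community/releases}

# Download tarball and detached signature, verify before unpacking anything.
fetch_and_verify() {
    ver="$1"
    curl -fsSLO "$OPENVPN_RELEASES/openvpn-$ver.tar.gz"
    curl -fsSLO "$OPENVPN_RELEASES/openvpn-$ver.tar.gz.asc"
    # gpg exits non-zero on a bad or unknown signature; set -e then aborts the build
    gpg --verify "openvpn-$ver.tar.gz.asc" "openvpn-$ver.tar.gz"
}

# The steps from the post above, unchanged.
build_with_mbedtls() {
    ver="$1"
    tar xzf "openvpn-$ver.tar.gz"
    cd "openvpn-$ver"
    ./configure --with-crypto-library=mbedtls
    make
    sudo make install
    cd ..
}

# Returns 0 if the given "openvpn --version" output says the binary was built
# against mbed TLS, 1 otherwise. Looks for the "[SSL (mbed TLS)]" build flag and
# the "library versions: mbed TLS ..." line (wording of 2.4 assumed).
built_with_mbedtls() {
    printf '%s\n' "$1" | grep -q 'SSL (mbed TLS)' \
        && printf '%s\n' "$1" | grep -q 'library versions: mbed TLS'
}

# Constructed sample outputs for the check above.
sample_version_output_mbedtls() {
    printf '%s\n' \
      'OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 17 2017' \
      'library versions: mbed TLS 2.5.1, LZO 2.08'
}
sample_version_output_openssl() {
    printf '%s\n' \
      'OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 17 2017' \
      'library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.08'
}

# Usage: sh build-openvpn-mbedtls.sh 2.4.3
if [ $# -eq 1 ]; then
    fetch_and_verify "$1"
    build_with_mbedtls "$1"
    if built_with_mbedtls "$(openvpn --version 2>&1 || true)"; then
        echo "ok: openvpn in PATH links mbed TLS"
    else
        echo "warning: openvpn in PATH is not the mbed TLS build (check PATH, /usr/local/sbin vs /usr/sbin)" >&2
    fi
fi
```

The post-install check matters because `make install` puts the new binary under /usr/local while a distribution package may still sit in /usr/sbin; which one a service unit or your shell picks up depends on PATH, not on which was built last.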
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
I'm stuck at the command
Code:
./easyrsa init-pki
There seems to be something wrong with my openssl command, can't attach files here so here's an imgur
I'm using mbedtls-2.5.1, openssl-1.1.0f, and openvpn-2.4.3
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
There is no openssl in /usr/local/bin/openssl.
You have to edit the following line in the vars file
set_var EASYRSA_OPENSSL "/usr/local/opt/openssl/bin/openssl"
and set this to wherever your openssl is.
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Newbie question, how do I find where my openssl is located?
Is there a command I could run to find out?
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
which openssl
But then check if this is the right one, in case you have multiple versions installed:
WhateverPath/openssl version
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
which openssl outputs /usr/local/bin/openssl
EDIT: running openssl will output
Code:
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
Last edited by matt3226 on Mon Jul 17, 2017 10:45 am, edited 1 time in total.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
And
/usr/local/bin/openssl version
?
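The exchange above ends on the right question. As an added example (not from the thread, EasyRSA or OpenSSL), the script below walks every openssl on PATH plus a few common extra locations, keeps the first one that actually runs `openssl version`, explains the ones that do not (the `libssl.so.1.1: cannot open shared object file` error means the binary was found but its shared libraries are not on the dynamic loader's search path, typically a self-built OpenSSL under /usr/local whose lib directory was never registered with ldconfig or put in LD_LIBRARY_PATH), and prints the `set_var EASYRSA_OPENSSL` line for the EasyRSA vars file. The extra search directories are assumptions, and candidate paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: not from the thread and not part of EasyRSA or OpenSSL.
# Finds an openssl binary that really runs and prints the EasyRSA vars line
# for it. POSIX sh; awk for de-duplication; ldd only for diagnostics.

# Extra places to look after PATH (assumed list; edit for your system).
EXTRA_OPENSSL_DIRS=${EXTRA_OPENSSL_DIRS:-"/usr/local/bin /usr/local/ssl/bin /usr/local/opt/openssl/bin /opt/openssl/bin"}

# Every executable named openssl: PATH order first, then the extra dirs, no duplicates.
openssl_candidates() {
    (
        IFS=:
        for d in $PATH; do [ -x "$d/openssl" ] && printf '%s\n' "$d/openssl"; done
        unset IFS
        for d in $EXTRA_OPENSSL_DIRS; do [ -x "$d/openssl" ] && printf '%s\n' "$d/openssl"; done
    ) | awk '!seen[$0]++'
}

# Show which shared libraries a binary cannot find (the libssl.so.1.1 case).
diagnose_loader() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | grep 'not found' | sed "s|^|  $1 needs: |" >&2 || true
}

# Print the first candidate whose "openssl version" succeeds; return 1 if none.
find_working_openssl() {
    for c in $(openssl_candidates); do
        if "$c" version >/dev/null 2>&1; then
            echo "using $c: $("$c" version)" >&2
            printf '%s\n' "$c"
            return 0
        fi
        echo "skipping $c: $("$c" version 2>&1 | head -n 1)" >&2
        diagnose_loader "$c"
    done
    echo "no working openssl found; fix the loader path (ldconfig / LD_LIBRARY_PATH) or install one" >&2
    return 1
}

# The line to put in the EasyRSA vars file for the chosen binary.
easyrsa_vars_line() {
    p=$(find_working_openssl) || return 1
    printf 'set_var EASYRSA_OPENSSL "%s"\n' "$p"
}

# Usage: sh find-openssl.sh --list    or    sh find-openssl.sh --vars
case "${1:-}" in
    --list) openssl_candidates ;;
    --vars) easyrsa_vars_line ;;
    ?*)     echo "usage: $0 --list | --vars" >&2; exit 2 ;;
esac
```

Note that `which openssl` answers only "which file would run", which is exactly where the post above went wrong: /usr/local/bin/openssl existed, it just could not load its libraries. Running `version` on each candidate is the check that separates the two cases.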