OpenVPN 2.4 and pure elliptic curve crypto setup
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
I removed it, still showing the same problem. Rebooted too!
Now it's verify-x509-name vpn-server name
Should work, it worked before..?
EDIT: Okay, I overlooked the simplest thing, I forgot to import the updated config in the VPN GUI!
Fun fact, the ovpn file sizes are smaller too on ECC ! Here's an imgur
Left is old right is new.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
If it worked before it means you changed something - isn't it obvious? Happy debugging:)
Removing it altogether is the fastest way to fix it, unless you need it for specific reasons.
-
- OpenVPN User
- Posts: 35
- Joined: Wed May 17, 2017 4:24 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
How to make the latest OpenVPN version backwards compatible with older versions?
tls-crypt is not supported on either Android or iOS at the moment (if using the OpenVPN Connect app).
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
the latest OpenVPN is backwards compatible.
If you want to use a mixed environment with different clients you have to go for the lowest common denominator: simply use only parameters supported by all the versions you have to support.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sun Aug 10, 2014 7:29 am
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Hi, I have tried this configuration and can connect to the server via the Mac client. However, when I try to do the same on the iOS client, I get a mismatched TLS error in the server-side log. Any luck?
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
iOS client does not support elliptic crypto nor any new openvpn features introduced in 2.4
-
- OpenVPN User
- Posts: 41
- Joined: Fri Oct 13, 2017 10:22 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Unfortunately I haven't gotten off to a great start on this forum, as a moderator moved my post from this thread because they deemed it a thread hijack. Anyway, seeing as my thanks was moved along with it, I just wanted to thank you for this thread and all the helpful posts. I got into OpenVPN because of my interest in EC crypto, and seeing as there wasn't much documentation for 2.4 or EC crypto back when I started in the summer, this was one of the first things that popped up in Google, and it's been an excellent reference guide to setting it up on a Pi.
Since I guess I have to keep it to ec only, I will ask the second part of my post: do you think ChaCha20-Poly1305 will be easier for the pi to handle? It seems from some reading that it benefits openvpn clients on older phones that don't have hardware AES, but does it make a difference to the server pi?
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Yes. The RPi platform is a perfect example of where ChaCha makes a lot of sense, due to the lack of hardware support for AES encryption. ChaCha performance is superior to AES when implemented in software.
On the other hand because there is no support for ec in openvpn client on iOS devices I run two instances of openvpn. One with classic RSA keys on port 443/TCP - perfect to connect even on most restrictive WiFi networks and working on my phone as well. And one using standard openvpn port/UDP and pure ec setup for more demanding tasks when working on my laptop.
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Also, below is the part of my openvpn_ec.conf with the crypto parameter definitions:
Code:
ecdh-curve brainpoolP512r1
# Data channel
ncp-ciphers AES-256-GCM
cipher AES-256-GCM
auth SHA512
# Control channel (TLS)
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
tls-version-min 1.2
tls-crypt /etc/openvpn/ECCkeys/tc.key
-
- OpenVpn Newbie
- Posts: 12
- Joined: Tue May 12, 2015 10:00 am
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
dariusz wrote: ↑Mon Jul 17, 2017 7:03 pm
and systemd. It is relatively simple and you will find plenty of info on the net.
quick hack as you have already 2.3.4 installed is just edit /lib/systemd/system/openvpn@.service
and make sure that below line points into your 2.4 openvpn file instead of 2.3
ExecStart=/usr/local/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
also you will have to recompile your openvpn to enable systemd if not done already.
./configure \
--enable-systemd \
--with-crypto-library=mbedtls
Happy tinkering:)

I've just been looking at this - i.e. amending the systemd config to use my self-built version of OpenVPN rather than the system default version.
I'm not an expert on systemd by any stretch, but I worked out a 'better' way to override the vendor-supplied systemd file with local customisations, without touching the original service template (which is considered bad practice). I thought I'd share it here in case it helps anyone else.
You need to create an 'override.conf' file for the relevant service. In this case, it's a service template, because you can have multiple instances of openvpn-client and/or openvpn-server on the same box (running on different ports, of course).
The template I wanted to override was:
Code:
/lib/systemd/system/openvpn-server@.service
Code:
/etc/systemd/system/openvpn-server@.service.d/override.conf
Code:
sudo systemctl edit openvpn-server@
In this case, we want to amend the ExecStart item within the [Service] section:
Code:
[Service]
ExecStart=
ExecStart=/usr/local/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
Save and exit, then you'll find the override file has been created in the correct location for you.
To apply the new override, you just need to:
Code:
sudo systemctl daemon-reload
Code:
sudo systemctl stop openvpn-server@myudpserver
sudo systemctl start openvpn-server@myudpserver
sudo systemctl enable openvpn-server@myudpserver
sudo systemctl status openvpn-server@myudpserver
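As an added example (my own script, not code from the post above or from the OpenVPN project): a POSIX shell script that writes the same drop-in shown above, the override.conf under a `openvpn-server@.service.d` directory with the empty `ExecStart=` reset line followed by the replacement, into a directory of your choice and then checks that the file has the shape systemd requires. The target directory, the binary path and the check names are my own assumptions; nothing here calls systemctl, so it runs without root and without touching /etc/systemd/system.

```shell
#!/bin/sh
# Added example, not from the forum post: write a systemd drop-in override for the
# openvpn-server@ template into ROOT and verify its shape. ROOT is normally
# /etc/systemd/system, but any directory works for a dry run (assumption).

# write_override ROOT BINARY
# Creates ROOT/openvpn-server@.service.d/override.conf with ExecStart pointing at BINARY.
write_override() {
    root="$1"
    binary="$2"
    dir="$root/openvpn-server@.service.d"
    mkdir -p "$dir"
    # The empty "ExecStart=" line clears the template's value first. Without it
    # systemd rejects the unit, because a second ExecStart= is only permitted for
    # Type=oneshot services and openvpn-server@ is Type=notify.
    cat > "$dir/override.conf" <<EOF
[Service]
ExecStart=
ExecStart=$binary --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
EOF
    printf '%s\n' "$dir/override.conf"
}

# check_override FILE
# Prints "ok" when FILE has a [Service] section, the reset line, exactly one
# non-empty ExecStart= and an absolute binary path; otherwise prints the problem.
check_override() {
    f="$1"
    [ -f "$f" ] || { echo "missing"; return 1; }
    grep -q '^\[Service\]' "$f" || { echo "no-service-section"; return 1; }
    grep -q '^ExecStart=$' "$f" || { echo "no-reset-line"; return 1; }
    n=$(grep -c '^ExecStart=.' "$f")
    [ "$n" -eq 1 ] || { echo "execstart-count-$n"; return 1; }
    # systemd requires an absolute path for the command (relative names are not searched).
    grep -q '^ExecStart=/' "$f" || { echo "relative-path"; return 1; }
    echo "ok"
}

# Stand-alone usage: dry run into a temporary directory, then clean up.
main() {
    root=$(mktemp -d)
    f=$(write_override "$root" /usr/local/sbin/openvpn)
    echo "wrote $f"
    check_override "$f"
    rm -rf "$root"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh override.sh run` for the dry run; to install for real, call `write_override /etc/systemd/system /usr/local/sbin/openvpn` as root and follow it with the `systemctl daemon-reload` and restart steps from the post above. `systemd-analyze verify openvpn-server@myudpserver.service` after the reload is the authoritative check that systemd itself accepts the drop-in.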
-
- OpenVPN User
- Posts: 39
- Joined: Thu Apr 26, 2018 2:45 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
dariusz, thank you for publishing your research into this topic. I have taken the liberty of turning it into a tutorial, featuring the new Ubuntu 18.04, which launches today: OpenVPN with Elliptic Curve Cryptography on Ubuntu 18.04
-
- OpenVPN Power User
- Posts: 94
- Joined: Sat Jan 14, 2017 1:42 pm
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
@bbuckm Thanks for mentioning this thread:)
-
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Mar 20, 2020 11:09 am
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
One question, I am using elliptic curve and did NOT set up `tls-auth` or `tls-crypt` files. Yet in the logs I see:
Code:
Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit EC, curve: secp521r1
So the control channel is encrypted, what extra security does using `tls-crypt` add to this? And does it make a difference if one is using UDP or TCP?
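As an added example (my own script, not part of this thread or of OpenVPN), here is a small POSIX shell lint for the crypto-related directives discussed in this thread: the `tls-version-min`, `tls-crypt`/`tls-auth`, `tls-cipher` and `cipher` lines from dariusz's config fragment above, and the missing `tls-crypt`/`tls-auth` in the question just asked. It is run over two constructed sample configs: `ec.conf` reproduces the posted fragment, and `legacy.conf` is a made-up config with none of those settings. The directive names and defaults it checks are OpenVPN 2.4's; the check wording and the single-suite handling of `tls-cipher` are my own simplifications.

```shell
#!/bin/sh
# Added example, not from the forum thread: lint the crypto directives of an
# OpenVPN 2.4 config and report the settings the thread discusses.

# opt FILE NAME -> value of the first "NAME value" directive (comment lines never match)
opt() {
    awk -v name="$2" '$1 == name { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

findings=0
report() { echo "$1"; findings=$((findings + 1)); }

# lint_ovpn FILE -> one finding per line; prints "ok" and returns 0 when clean
lint_ovpn() {
    f="$1"; findings=0

    # Control channel: OpenVPN 2.4 still accepts TLS 1.0 unless this is set.
    v=$(opt "$f" tls-version-min)
    case "$v" in
        1.2|1.3) ;;
        "") report "tls-version-min: not set (OpenVPN 2.4 defaults to 1.0)" ;;
        *)  report "tls-version-min: $v is below 1.2" ;;
    esac

    # Control channel: tls-crypt (encrypt + authenticate) or tls-auth (authenticate)
    # adds a pre-shared key on top of the TLS handshake packets themselves.
    if [ -z "$(opt "$f" tls-crypt)" ] && [ -z "$(opt "$f" tls-auth)" ]; then
        report "control channel: neither tls-crypt nor tls-auth configured"
    fi

    # Control channel: a pure EC setup uses ECDHE key exchange with ECDSA certificates.
    # Only the first suite of a colon-separated list is inspected (simplification).
    t=$(opt "$f" tls-cipher)
    case "$t" in
        ""|TLS-ECDHE-ECDSA-*) ;;
        *) report "tls-cipher: $t is not an ECDHE-ECDSA suite" ;;
    esac

    # Data channel: prefer an AEAD cipher. With GCM the separate "auth" HMAC is
    # not used for data packets (it still applies to tls-auth).
    c=$(opt "$f" cipher)
    case "$c" in
        *-GCM) ;;
        "") report "cipher: not set (OpenVPN 2.4 defaults to BF-CBC unless negotiated up)" ;;
        *)  report "cipher: $c is not an AEAD (GCM) cipher" ;;
    esac

    if [ "$findings" -eq 0 ]; then echo ok; return 0; fi
    return 1
}

# write_samples DIR: constructed sample configs. ec.conf copies the fragment
# posted in the thread; legacy.conf is made up for this example.
write_samples() {
    cat > "$1/ec.conf" <<'EOF'
ecdh-curve brainpoolP512r1
# Data channel
ncp-ciphers AES-256-GCM
cipher AES-256-GCM
auth SHA512
# Control channel (TLS)
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
tls-version-min 1.2
tls-crypt /etc/openvpn/ECCkeys/tc.key
EOF
    cat > "$1/legacy.conf" <<'EOF'
# constructed: an older-style config with none of the thread's hardening
cipher AES-256-CBC
auth SHA1
EOF
}

main() {
    d=$(mktemp -d)
    write_samples "$d"
    for c in ec legacy; do
        echo "== $c.conf"
        lint_ovpn "$d/$c.conf" || true
    done
    rm -rf "$d"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh ovpn-lint.sh run`; `ec.conf` reports `ok`, `legacy.conf` reports three findings. To lint your own server config, call `lint_ovpn /etc/openvpn/server.conf` (or whatever path you use) from a shell that has sourced the script.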