replay-persist with tls-crypt on server

Akleiklopsklobulus
OpenVpn Newbie
Posts: 7
Joined: Wed Mar 08, 2017 3:30 pm

replay-persist with tls-crypt on server

Post by Akleiklopsklobulus » Wed Mar 08, 2017 3:41 pm

Hello everyone!

I recognized the following behaviour of OpenVPN in server mode:
When I use the following options:

```
tls-crypt ta_key.key
replay-persist replay_persist
```
There is no replay_persist file generated. Even if I generate an empty one, its size remains zero.
On client side everything works fine.
The connection itself works without problems.

My question:
Is replay-persist only for the client side, or is there a server-side bug?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: replay-persist with tls-crypt on server

Post by TinCanTech » Wed Mar 08, 2017 7:55 pm

Akleiklopsklobulus wrote: The connection itself works without problems
And ..
Akleiklopsklobulus wrote: OpenVPN in server-mode:
When I use the following options:

```
tls-crypt ta_key.key
```
we assume openvpn 2.4 server and client ..
Akleiklopsklobulus wrote: OpenVPN in server-mode:
When I use the following options:

```
tls-crypt ta_key.key
replay-persist replay_persist
```
there is no replay_persist file generated
--tls-crypt supersedes --tls-auth and so --tls-auth related options may be disabled.

Akleiklopsklobulus
OpenVpn Newbie
Posts: 7
Joined: Wed Mar 08, 2017 3:30 pm

Re: replay-persist with tls-crypt on server

Post by Akleiklopsklobulus » Wed Mar 08, 2017 9:45 pm

TinCanTech wrote: we assume openvpn 2.4 server and client ..
Absolutely correct - otherwise tls-crypt won't work
TinCanTech wrote: --tls-crypt supersedes --tls-auth and so --tls-auth related options may be disabled.
This is why I tested it.
And in this test, only the client seems to use replay-persist. At least the client creates a replay-persist file and writes data into it.

As I understand it, the difference between tls-auth and tls-crypt is the encryption of the TLS control channel. This doesn't imply an option against replay attacks. Correct me if I am wrong.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: replay-persist with tls-crypt on server

Post by TinCanTech » Wed Mar 08, 2017 10:02 pm

Akleiklopsklobulus wrote: Correct me if I am wrong.
TinCanTech wrote: --tls-crypt supersedes --tls-auth and so --tls-auth related options may be disabled
Akleiklopsklobulus wrote: the difference between tls-auth and tls-crypt is the encryption of the TLS control channel
Partially .. but TLS vs --tls-auth are not the same thing .. TLS does not require --tls-auth ..
I am sure you have read the manual for these options. :mrgreen:
Akleiklopsklobulus wrote: there is no replay_persist file generated
Maybe some other reason is the cause .. but you have not posted sufficient details. eg: configs & logs ..

Akleiklopsklobulus
OpenVpn Newbie
Posts: 7
Joined: Wed Mar 08, 2017 3:30 pm

Re: replay-persist with tls-crypt on server

Post by Akleiklopsklobulus » Fri Mar 17, 2017 7:39 pm

TinCanTech wrote: --tls-crypt supersedes --tls-auth and so --tls-auth related options may be disabled
This is what I want to figure out ;)
TinCanTech wrote: Partially .. but TLS vs --tls-auth are not the same thing ..
???
TinCanTech wrote: TLS does not require --tls-auth ..
Like TLS does not require --tls-crypt
TinCanTech wrote: I am sure you have read the manual for these options. :mrgreen:
You are damn right :mrgreen:
TinCanTech wrote: Maybe some other reason is the cause .. but you have not posted sufficient details. eg: configs & logs ..
Ok, especially for testing, I made minimal configs. There is no difference in behaviour with other configurations in my tests...

Server config:

```
dev tap
proto udp
port 1194
server 192.168.123.0 255.255.255.0
pkcs12 server.p12
dh dh4096.pem
tls-crypt ta.key
replay-persist replay_persist
ping-timer-rem
keepalive 10 60
persist-key
persist-tun
push "persist-key"
push "persist-tun"
log test_replay_persist.log
verb 6
mute 3
```
Server log:

```
Fri Mar 17 20:07:52 2017 us=939463 Current Parameter Settings:
Fri Mar 17 20:07:52 2017 us=939463   config = 'C:\Program Files\OpenVPN\config\server_replay_persisit.ovpn'
Fri Mar 17 20:07:52 2017 us=939463   mode = 1
Fri Mar 17 20:07:52 2017 us=939463 NOTE: --mute triggered...
Fri Mar 17 20:07:52 2017 us=939463 294 variation(s) on previous 3 message(s) suppressed by --mute
Fri Mar 17 20:07:52 2017 us=939463 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jan 31 2017
Fri Mar 17 20:07:52 2017 us=939463 Windows version 6.1 (Windows 7) 64bit
Fri Mar 17 20:07:52 2017 us=939463 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Fri Mar 17 20:07:53 2017 us=80471 Diffie-Hellman initialized with 4096 bit key
Fri Mar 17 20:07:53 2017 us=84471 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Mar 17 20:07:53 2017 us=84471 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Mar 17 20:07:53 2017 us=84471 NOTE: --mute triggered...
Fri Mar 17 20:07:53 2017 us=84471 2 variation(s) on previous 3 message(s) suppressed by --mute
Fri Mar 17 20:07:53 2017 us=84471 TLS-Auth MTU parms [ L:1653 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Fri Mar 17 20:07:53 2017 us=85471 interactive service msg_channel=0
Fri Mar 17 20:07:53 2017 us=85471 open_tun
Fri Mar 17 20:07:53 2017 us=86471 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{***}.tap
Fri Mar 17 20:07:53 2017 us=87471 TAP-Windows Driver Version 9.21
Fri Mar 17 20:07:53 2017 us=87471 TAP-Windows MTU=1500
Fri Mar 17 20:07:53 2017 us=88471 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.123.1/255.255.255.0 on interface {***} [DHCP-serv: 192.168.123.0, lease-time: 31536000]
Fri Mar 17 20:07:53 2017 us=88471 Sleeping for 10 seconds...
Fri Mar 17 20:08:03 2017 us=89043 Successful ARP Flush on interface [18] {***}
Fri Mar 17 20:08:03 2017 us=90043 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Mar 17 20:08:03 2017 us=90043 Data Channel MTU parms [ L:1653 D:1450 EF:121 EB:411 ET:32 EL:3 ]
Fri Mar 17 20:08:03 2017 us=90043 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Fri Mar 17 20:08:03 2017 us=90043 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Mar 17 20:08:03 2017 us=90043 setsockopt(IPV6_V6ONLY=0)
Fri Mar 17 20:08:03 2017 us=90043 UDPv6 link local (bound): [AF_INET6][undef]:1194
Fri Mar 17 20:08:03 2017 us=90043 UDPv6 link remote: [AF_UNSPEC]
Fri Mar 17 20:08:03 2017 us=90043 MULTI: multi_init called, r=256 v=256
Fri Mar 17 20:08:03 2017 us=91043 IFCONFIG POOL: base=192.168.123.2 size=253, ipv6=0
Fri Mar 17 20:08:03 2017 us=91043 Initialization Sequence Completed
Fri Mar 17 20:13:24 2017 us=854447 MULTI: multi_create_instance called
Fri Mar 17 20:13:24 2017 us=854447 192.168.* Re-using SSL/TLS context
Fri Mar 17 20:13:24 2017 us=854447 192.168.* Control Channel MTU parms [ L:1653 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Fri Mar 17 20:13:24 2017 us=854447 192.168.* Data Channel MTU parms [ L:1653 D:1450 EF:121 EB:411 ET:32 EL:3 ]
Fri Mar 17 20:13:24 2017 us=854447 192.168.* Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1573,tun-mtu 1532,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Mar 17 20:13:24 2017 us=854447 192.168.* Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1573,tun-mtu 1532,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Mar 17 20:13:24 2017 us=854447 192.168.* UDPv6 READ [54] from [AF_INET6]::ffff:192.168.*:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=344 DATA len=40
Fri Mar 17 20:13:24 2017 us=854447 192.168.* TLS: Initial packet from [AF_INET6]::ffff:192.168.*:1194, sid=8552c67d 4f01cfbc
Fri Mar 17 20:13:24 2017 us=854447 192.168.* UDPv6 WRITE [66] to [AF_INET6]::ffff:192.168.*:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=344 DATA len=52
Fri Mar 17 20:13:24 2017 us=856447 192.168.* UDPv6 READ [62] from [AF_INET6]::ffff:192.168.*:1194: P_ACK_V1 kid=0 [ ]
Fri Mar 17 20:13:24 2017 us=856447 192.168.* UDPv6 READ [227] from [AF_INET6]::ffff:192.168.*:1194: P_CONTROL_V1 kid=0 [ ] pid=856 DATA len=213
Fri Mar 17 20:13:24 2017 us=879449 192.168.* NOTE: --mute triggered...
Fri Mar 17 20:13:24 2017 us=897450 192.168.* 12 variation(s) on previous 3 message(s) suppressed by --mute
Fri Mar 17 20:13:24 2017 us=897450 192.168.* VERIFY OK: depth=1, C=DE, ST=*, L=*, O=*, OU=openvpn, CN=ca, emailAddress=name@hoster.de
Fri Mar 17 20:13:24 2017 us=897450 192.168.* VERIFY OK: depth=0, C=DE, ST=*, L=*, O=*, OU=openvpn, CN=client1, emailAddress=name@hoster.de
Fri Mar 17 20:13:24 2017 us=898450 192.168.* UDPv6 WRITE [62] to [AF_INET6]::ffff:192.168.*:1194: P_ACK_V1 kid=0 [ ]
Fri Mar 17 20:13:24 2017 us=898450 192.168.* UDPv6 READ [608] from [AF_INET6]::ffff:192.168.*:1194: P_CONTROL_V1 kid=0 [ ] pid=2648 DATA len=594
Fri Mar 17 20:13:24 2017 us=899450 192.168.* UDPv6 WRITE [117] to [AF_INET6]::ffff:192.168.*:1194: P_CONTROL_V1 kid=0 [ ] pid=2392 DATA len=103
Fri Mar 17 20:13:24 2017 us=899450 192.168.* NOTE: --mute triggered...
Fri Mar 17 20:13:24 2017 us=899450 192.168.* 1 variation(s) on previous 3 message(s) suppressed by --mute
Fri Mar 17 20:13:24 2017 us=899450 192.168.* peer info: IV_VER=2.4.0
Fri Mar 17 20:13:24 2017 us=899450 192.168.* peer info: IV_PLAT=win
Fri Mar 17 20:13:24 2017 us=899450 192.168.* peer info: IV_PROTO=2
Fri Mar 17 20:13:24 2017 us=899450 192.168.* peer info: IV_NCP=2
Fri Mar 17 20:13:24 2017 us=899450 192.168.* peer info: IV_LZ4=1
Fri Mar 17 20:13:24 2017 us=899450 192.168.* peer info: IV_LZ4v2=1
Fri Mar 17 20:13:24 2017 us=899450 192.168.* peer info: IV_LZO=1
Fri Mar 17 20:13:24 2017 us=900450 192.168.* peer info: IV_COMP_STUB=1
Fri Mar 17 20:13:24 2017 us=900450 192.168.* peer info: IV_COMP_STUBv2=1
Fri Mar 17 20:13:24 2017 us=900450 192.168.* peer info: IV_TCPNL=1
Fri Mar 17 20:13:24 2017 us=900450 192.168.* peer info: IV_GUI_VER=OpenVPN_GUI_11
Fri Mar 17 20:13:24 2017 us=900450 192.168.* UDPv6 WRITE [287] to [AF_INET6]::ffff:192.168.*:1194: P_CONTROL_V1 kid=0 [ ] pid=2648 DATA len=273
Fri Mar 17 20:13:24 2017 us=900450 192.168.* UDPv6 READ [62] from [AF_INET6]::ffff:192.168.*:1194: P_ACK_V1 kid=0 [ ]
Fri Mar 17 20:13:24 2017 us=900450 192.168.* Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Mar 17 20:13:24 2017 us=900450 192.168.* [client1] Peer Connection Initiated with [AF_INET6]::ffff:192.168.*:1194
Fri Mar 17 20:13:24 2017 us=900450 client1/192.168.* MULTI_sva: pool returned IPv4=192.168.123.2, IPv6=(Not enabled)
Fri Mar 17 20:13:25 2017 us=965511 client1/192.168.* UDPv6 READ [96] from [AF_INET6]::ffff:192.168.*:1194: P_CONTROL_V1 kid=0 [ ] pid=3416 DATA len=82
Fri Mar 17 20:13:25 2017 us=965511 client1/192.168.* PUSH: Received control message: 'PUSH_REQUEST'
Fri Mar 17 20:13:25 2017 us=965511 client1/192.168.* SENT CONTROL [client1]: 'PUSH_REPLY,persist-key,persist-tun,route-gateway 192.168.123.1,ping 10,ping-restart 60,ifconfig 192.168.123.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Fri Mar 17 20:13:25 2017 us=965511 client1/192.168.* Data Channel MTU parms [ L:1581 D:1450 EF:49 EB:411 ET:32 EL:3 ]
Fri Mar 17 20:13:25 2017 us=965511 client1/192.168.* Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Mar 17 20:13:25 2017 us=965511 client1/192.168.* Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Mar 17 20:13:25 2017 us=965511 client1/192.168.* UDPv6 WRITE [62] to [AF_INET6]::ffff:192.168.*:1194: P_ACK_V1 kid=0 [ ]
Fri Mar 17 20:13:25 2017 us=965511 client1/192.168.* UDPv6 WRITE [236] to [AF_INET6]::ffff:192.168.*:1194: P_CONTROL_V1 kid=0 [ ] pid=3160 DATA len=222
Fri Mar 17 20:13:25 2017 us=976511 client1/192.168.* UDPv6 READ [62] from [AF_INET6]::ffff:192.168.*:1194: P_ACK_V1 kid=0 [ ]
Fri Mar 17 20:13:26 2017 us=22514 client1/192.168.* NOTE: --mute triggered...
Fri Mar 17 20:13:26 2017 us=22514 client1/192.168.* 1 variation(s) on previous 3 message(s) suppressed by --mute
Fri Mar 17 20:13:26 2017 us=22514 client1/192.168.* MULTI: Learn: 00:ff:d2:8d:92:5e -> client1/192.168.*
Fri Mar 17 20:13:26 2017 us=22514 client1/192.168.* TUN WRITE [90]
Fri Mar 17 20:13:26 2017 us=23514 client1/192.168.* UDPv6 READ [119] from [AF_INET6]::ffff:192.168.*:1194: P_DATA_V2 kid=0 DATA len=118
Fri Mar 17 20:13:26 2017 us=23514 client1/192.168.* TUN WRITE [95]
Fri Mar 17 20:13:26 2017 us=26514 client1/192.168.* NOTE: --mute triggered...
Fri Mar 17 20:13:53 2017 us=88062 398 variation(s) on previous 3 message(s) suppressed by --mute
Fri Mar 17 20:13:53 2017 us=88062 TCP/UDP: Closing socket
Fri Mar 17 20:13:53 2017 us=88062 Closing TUN/TAP interface
Fri Mar 17 20:13:53 2017 us=89062 SIGTERM[hard,] received, process exiting
```
Client config:

```
dev tap
client
remote 192.168.44.4 1194 udp
pkcs12 client1.p12
tls-crypt ta.key
replay-persist replay_persist
```
Client log:

```
Fri Mar 17 20:13:09 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jan 31 2017
Fri Mar 17 20:13:09 2017 Windows version 6.1 (Windows 7) 64bit
Fri Mar 17 20:13:09 2017 library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Enter Management Password:
Fri Mar 17 20:13:10 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Mar 17 20:13:10 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.*:1194
Fri Mar 17 20:13:10 2017 UDP link local (bound): [AF_INET][undef]:1194
Fri Mar 17 20:13:10 2017 UDP link remote: [AF_INET]192.168.*:1194
Fri Mar 17 20:13:10 2017 [server] Peer Connection Initiated with [AF_INET]192.168.*:1194
Fri Mar 17 20:13:11 2017 open_tun
Fri Mar 17 20:13:11 2017 TAP-WIN32 device [LAN-Verbindung] opened: \\.\Global\{***}.tap
Fri Mar 17 20:13:11 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.123.2/255.255.255.0 on interface {***} [DHCP-serv: 192.168.123.0, lease-time: 31536000]
Fri Mar 17 20:13:11 2017 Successful ARP Flush on interface [14] {***}
Fri Mar 17 20:13:11 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Mar 17 20:13:16 2017 Initialization Sequence Completed
Fri Mar 17 20:13:32 2017 SIGTERM[hard,] received, process exiting
```
I couldn't find any problems in the log or config...

Maybe the replay-persist function only generates files on the client side when tls-crypt is enabled.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: replay-persist with tls-crypt on server

Post by TinCanTech » Fri Mar 17, 2017 8:42 pm

TinCanTech wrote: I am sure you have read the manual for these options.
Akleiklopsklobulus wrote: You are damn right
Quoth the Raven wrote: This option only makes sense when replay protection is enabled (the default) and you are using either --secret (shared-secret key mode) or TLS mode with --tls-auth
TinCanTech wrote: --tls-crypt supersedes --tls-auth and so --tls-auth related options may be disabled
The tip of the iceberg ..
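As an added illustration (not code from this thread and not OpenVPN's own implementation): the manual text quoted above ties --replay-persist to the packet-id replay protection used with --secret and --tls-auth. The Python model below shows what that persistence buys where it does apply. A receiver checks long-form packet ids (timestamp plus sequence number), rejects ids it has already accepted, and, if the newest accepted id has been written to a persist file, still rejects a captured packet after a restart; a cold restart without the file accepts the same replayed packet. The window width, the JSON persist-file format and every name (ReplayState, save_state, load_state, demo) are assumptions made for this example; OpenVPN's real window handling and file format are different, and nothing here shows why the thread's server leaves its file empty.

```python
"""Added example: a simplified model of OpenVPN-style packet-id replay
protection with a persisted high-water mark (what --replay-persist provides).
Not OpenVPN's code; WINDOW, the JSON file format and all names are assumptions."""
import json
import os
import tempfile

WINDOW = 64  # assumed: how far a late sequence number may lag the newest one


class ReplayState:
    """Remembers the newest accepted (time, seq) and which seqs at that
    timestamp have already been accepted, so duplicates are rejected."""

    def __init__(self, newest_time=0, newest_seq=0):
        self.newest_time = newest_time
        self.newest_seq = newest_seq
        self.seen = set()

    def accept(self, time, seq):
        """Return True if (time, seq) is fresh, False if it is a replay."""
        if time < self.newest_time:
            return False                       # older timestamp: replay
        if time > self.newest_time:
            self.newest_time, self.newest_seq = time, seq
            self.seen = {seq}                  # new timestamp resets the window
            return True
        if seq > self.newest_seq:
            self.newest_seq = seq
            self.seen.add(seq)
            self.seen = {s for s in self.seen if self.newest_seq - s < WINDOW}
            return True
        if seq in self.seen or self.newest_seq - seq >= WINDOW:
            return False                       # duplicate, or outside the window
        self.seen.add(seq)                     # late but unseen: accept once
        return True


def save_state(state, path):
    """Persist the high-water mark atomically (write temp file, then rename)."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"time": state.newest_time, "seq": state.newest_seq}, f)
    os.replace(tmp, path)


def load_state(path):
    """Restore the high-water mark; a missing file means a cold start.
    The set of seen seqs is not persisted, so everything at or below the
    saved seq (within WINDOW) is conservatively treated as already seen."""
    if not os.path.exists(path):
        return ReplayState()
    with open(path) as f:
        d = json.load(f)
    st = ReplayState(d["time"], d["seq"])
    st.seen = set(range(max(0, d["seq"] - WINDOW + 1), d["seq"] + 1))
    return st


def demo():
    """Deliver a constructed control packet once, replay it live, then replay
    it again after a restart with and without the persist file.
    Returns the accept() verdicts as a dict."""
    t = 1489778004                  # constructed timestamp (2017-03-17 20:13:24 CET)
    captured = (t, 7)               # the packet an attacker records and replays
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "replay_persist")
        live = ReplayState()
        for seq in range(1, 7):     # normal traffic before the captured packet
            live.accept(t, seq)
        first = live.accept(*captured)
        replay_live = live.accept(*captured)
        save_state(live, path)      # what --replay-persist does on flush/shutdown

        cold = ReplayState()        # restart without a persist file
        replay_cold = cold.accept(*captured)

        warm = load_state(path)     # restart that loads the persist file
        replay_warm = warm.accept(*captured)
        fresh_warm = warm.accept(t, 8)
    return {
        "first_delivery": first,
        "replay_live": replay_live,
        "replay_after_cold_restart": replay_cold,
        "replay_after_persisted_restart": replay_warm,
        "fresh_after_persisted_restart": fresh_warm,
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the five verdicts; the interesting pair is the cold restart accepting the captured packet while the persisted restart rejects it. In the thread, the server's replay_persist file stays at zero bytes, so if the server relied on this mechanism it would be in the cold-restart position after every restart; that is the practical reason the question matters, whatever the cause turns out to be.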

Akleiklopsklobulus
OpenVpn Newbie
Posts: 7
Joined: Wed Mar 08, 2017 3:30 pm

Re: replay-persist with tls-crypt on server

Post by Akleiklopsklobulus » Sat Mar 18, 2017 4:48 pm

TinCanTech wrote: The tip of the iceberg ..
Seems so ..
If there is any new information, I'll post it
;)
