tls-crypt-v2-verify for Windows

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
joks
OpenVpn Newbie
Posts: 11
Joined: Wed Oct 06, 2021 6:45 am

tls-crypt-v2-verify for Windows

Post by joks » Wed Jan 19, 2022 4:07 pm

good morning if this option tls-crypt-v2-verify is provided only for linux ?
i use Windows Server with tls-crypt2 and i want to my server use tls-crypt-v2-verify so I add to my server config:

tls-crypt-v2-verify script
script-security 2

but when client connect in server logs i have:

Code: Select all

2022-01-19 16:50:16 us=921000 xxx TLS: Initial packet from [AF_INET]xxx, sid=5dc4852c 54679b43
2022-01-19 16:50:16 us=921000 xxx Control Channel: using tls-crypt-v2 key
2022-01-19 16:50:16 us=921000 xxx Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-19 16:50:16 us=921000 xxx Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-19 16:50:16 us=921000 xxx Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-19 16:50:16 us=921000 xxx Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-19 16:50:16 us=937000 xxx env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
2022-01-19 16:50:16 us=937000 xxx openvpn_execve: CreateProcess script failed: No such file or directory (errno=2)
2022-01-19 16:50:16 us=937000 xxx WARNING: Failed running command (--tls-crypt-v2-verify): external program did not execute -- returned error code -1
2022-01-19 16:50:16 us=937000 xxx TLS CRYPT V2 VERIFY SCRIPT ERROR
Failed running command (--tls-crypt-v2-verify): external program did not execute -- returned error code -1

User avatar
TinCanTech
Forum Team
Posts: 10714
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt-v2-verify for Windows

Post by TinCanTech » Wed Jan 19, 2022 5:31 pm

You need to read what the manual says..

joks
OpenVpn Newbie
Posts: 11
Joined: Wed Oct 06, 2021 6:45 am

Re: tls-crypt-v2-verify for Windows

Post by joks » Wed Jan 19, 2022 6:31 pm

if I hadn't read the manual, I wouldn't have generated the keys correctly for tls-crypt2
thanks as always for no help

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 660
Joined: Tue Feb 16, 2021 10:41 am

Re: tls-crypt-v2-verify for Windows

Post by openvpn_inc » Wed Jan 19, 2022 7:29 pm

joks wrote:
Wed Jan 19, 2022 4:07 pm
good morning if this option tls-crypt-v2-verify is provided only for linux ?
No. It works in any OS if it is called correctly.
joks wrote:
Wed Jan 19, 2022 4:07 pm
i use Windows Server with tls-crypt2 and i want to my server use tls-crypt-v2-verify so I add to my server config:

tls-crypt-v2-verify script
script-security 2
"script" must be a path to a script/batch that Windows can run and can do the verification.
joks wrote:
Wed Jan 19, 2022 4:07 pm
but when client connect in server logs i have:

Code: Select all

(snip)
2022-01-19 16:50:16 us=937000 xxx openvpn_execve: CreateProcess script failed: No such file or directory (errno=2)
2022-01-19 16:50:16 us=937000 xxx WARNING: Failed running command (--tls-crypt-v2-verify): external program did not execute -- returned error code -1
2022-01-19 16:50:16 us=937000 xxx TLS CRYPT V2 VERIFY SCRIPT ERROR
Failed running command (--tls-crypt-v2-verify): external program did not execute -- returned error code -1
Windows could not find "script" to run it. "No such file or directory." Search for "--tls-crypt-v2-verify" in the manual.

regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

joks
OpenVpn Newbie
Posts: 11
Joined: Wed Oct 06, 2021 6:45 am

Re: tls-crypt-v2-verify for Windows

Post by joks » Wed Jan 19, 2022 8:59 pm

thank you very much for your help. is it possible to find ready-made scripts that will verify tls-crypt-v2 connection ?
i also try add to my server --tls-crypt-v2-verify cmd like in manual but after that i have similar error

Code: Select all

2022-01-19 21:55:33 us=609000 xx.xx.xx.x:64771 TLS CRYPT V2 VERIFY SCRIPT ERROR
2022-01-19 21:55:33 us=609000 xx.xx.xx.x:64771 TLS Error: can not extract tls-crypt-v2 client key from [AF_INET]xx.xx.xx.x:64771
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 TLS: Initial packet from [AF_INET]xx.xx.xx.x:64771, sid=3138e390 d54d9151
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 Control Channel: using tls-crypt-v2 key
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 openvpn_execve: CreateProcess cmd failed: No such file or directory (errno=2)
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 WARNING: Failed running command (--tls-crypt-v2-verify): external program did not execute -- returned error code -1

User avatar
Pippin
Forum Team
Posts: 1050
Joined: Wed Jul 01, 2015 8:03 am

Re: tls-crypt-v2-verify for Windows

Post by Pippin » Thu Jan 20, 2022 8:12 am


300000
OpenVPN Expert
Posts: 656
Joined: Tue May 01, 2012 9:30 pm

Re: tls-crypt-v2-verify for Windows

Post by 300000 » Thu Jan 20, 2022 11:36 pm

on my windows I have this block in my openvpn server config and it work .


<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
snip
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 660
Joined: Tue Feb 16, 2021 10:41 am

Re: tls-crypt-v2-verify for Windows

Post by openvpn_inc » Fri Jan 21, 2022 3:08 pm

300000 wrote:
Thu Jan 20, 2022 11:36 pm
on my windows I have this block in my openvpn server config and it work .


<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
snip
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
Hi 3,

You posted a private key to the forum. Please don't do that. I edited the post so it is gone, but some might have seen it. You should change that key.

regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

User avatar
TinCanTech
Forum Team
Posts: 10714
Joined: Fri Jun 03, 2016 1:17 pm

Re: tls-crypt-v2-verify for Windows

Post by TinCanTech » Sat Jan 22, 2022 5:11 am

Pippin wrote:
Thu Jan 20, 2022 8:12 am
This might help:
https://github.com/TinCanTech/easy-tls
That's just gonna make it a whale lot worse!

However,

Dear reader, please take a look at TLS-Crypt-V2 as above.

I hope that you find Easy-TLS to be a useful tool.

Post Reply