OpenVPN 2.4 and pure elliptic curve crypto setup

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 6:03 pm

i am sure not:) the length is not random. I don't know. but i will check my setup
Top
matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Mon Jul 17, 2017 6:21 pm

Your tutorial is really helpful for setting up EC, should be made into a sticky?
Top
dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 6:34 pm

can you run

YOUR_PATH/openssl x509 -in ca.crt -text -noout

and post result?
Top
dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 6:43 pm

I think that my ca.crt is longer as I include more information in them. The keys itself are the same.

You only use Common Name when I use full org info.

In vars file:

set_var EASYRSA_DN org
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"

It is not required. It does not change anything but only carries more info when e.g. you have to manage many keys and want to have descriptive info.

When you run
openssl x509 -in ca.crt -text -noout
you will see yourself what is included in your key.
Top
dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 6:46 pm

in my example at the beginning of the thread I only included parts of vars file which are mandatory to handle ec correctly. as you can see yourself in vars there are few more things you can configure - but they are optional.
Top
dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 6:55 pm

The ca.crt from my example contains the following:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f1:31:45:09:7d:c0:c7:91
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = California, L = San Francisco, O = Copyleft Certificate Co, OU = My Organizational Unit, CN = Easy-RSA CA, emailAddress = me@example.net
Validity
Not Before: Jan 16 09:14:02 2017 GMT
Not After : Jan 14 09:14:02 2027 GMT
Subject: C = US, ST = California, L = San Francisco, O = Copyleft Certificate Co, OU = My Organizational Unit, CN = Easy-RSA CA, emailAddress = me@example.net
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:01:61:b0:87:7a:18:cd:4c:e9:55:7e:ea:ca:a3:
b8:03:4c:a0:a3:cd:f8:77:87:99:d9:93:c7:39:8a:
31:65:17:41:89:e4:2f:e7:5a:42:63:a8:59:97:fe:
bf:aa:57:14:97:ca:4a:aa:7e:e6:0d:61:fd:c9:22:
08:8a:ac:f4:5f:c4:13:00:ce:97:48:7f:07:6a:df:
ed:85:03:d9:b7:9a:3a:b1:1a:c9:aa:b0:42:b9:7d:
21:f2:56:6c:d1:05:88:46:ce:28:77:4e:38:d8:d4:
08:27:bb:29:bb:93:08:61:70:a8:c9:cb:a8:66:6f:
9b:44:6a:1c:7a:b4:46:e8:c9:ad:d0:6d:cc
ASN1 OID: secp521r1
NIST CURVE: P-521
X509v3 extensions:
X509v3 Subject Key Identifier:
4A:3D:CC:75:4C:38:68:01:91:2C:87:6F:AE:0D:81:27:82:11:16:D2
X509v3 Authority Key Identifier:
keyid:4A:3D:CC:75:4C:38:68:01:91:2C:87:6F:AE:0D:81:27:82:11:16:D2
DirName:/C=US/ST=California/L=San Francisco/O=Copyleft Certificate Co/OU=My Organizational Unit/CN=Easy-RSA CA/emailAddress=me@example.net
serial:F1:31:45:09:7D:C0:C7:91

X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
30:81:88:02:42:00:a5:ae:c4:6a:e9:05:f3:67:2a:94:ce:48:
21:b4:3f:db:de:3b:54:8e:f3:a1:d4:b9:1b:9b:4d:8b:5f:eb:
a4:4d:8c:7f:8a:e0:f5:75:0d:3d:b3:eb:91:70:37:8d:95:bc:
02:bf:33:76:f2:e3:52:a2:1c:60:f1:66:fb:a9:3a:d3:42:02:
42:01:6d:72:64:0d:4e:8d:1c:d7:17:ed:f3:30:0f:44:e9:8d:
38:62:f0:88:a6:d0:f2:80:4e:e4:f7:d8:27:0a:9c:ce:41:c1:
8e:47:b0:d8:67:a2:66:0d:5a:8e:f8:85:9f:68:51:42:62:fa:
ea:64:6a:a4:b3:62:d3:49:25:ba:0f:cd:9d
Top
dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Mon Jul 17, 2017 7:03 pm

and systemd. It is relatively simple and you will find plenty of info on the net.

quick hack as you have already 2.3.4 installed is just edit /lib/systemd/system/openvpn@.service

and make sure that below line points into your 2.4 openvpn file instead of 2.3

ExecStart=/usr/local/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf

also you will have to recompile your openvpn to enable systemd if not done already.

./configure \
--enable-systemd \
--with-crypto-library=mbedtls

Happy tinkering:)
Top
matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Tue Jul 18, 2017 1:21 am

output of YOUR_PATH/openssl x509 -in ca.crt -text -noout

Code: Select all

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ef:a6:69:ed:bf:7a:a6:ab
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = EC-test
        Validity
            Not Before: Jul 17 11:49:37 2017 GMT
            Not After : Jul 15 11:49:37 2027 GMT
        Subject: CN = EC-test
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                pub:
                    04:01:eb:b0:d8:3f:1b:b9:b9:9e:70:55:5f:c4:f9:
                    91:ce:04:44:6f:7f:a1:1e:13:e1:1e:c2:a8:f5:79:
                    07:e8:d5:46:bc:ab:9e:15:a6:92:41:86:4f:89:a4:
                    56:7c:20:d8:8f:94:ca:cf:80:ad:85:ba:4c:50:10:
                    6d:c0:28:61:c2:09:20:00:ea:18:7a:77:f0:25:c8:
                    50:7b:4d:d3:fd:6e:af:50:c8:5a:af:ff:3c:36:58:
                    f2:1a:04:c4:90:be:3a:7f:c2:29:b9:03:96:de:72:
                    b1:ab:11:29:83:46:05:6b:e6:e8:a5:a1:71:60:a3:
                    87:94:b3:47:92:6d:ec:92:79:bc:65:ff:2d
                ASN1 OID: secp521r1
                NIST CURVE: P-521
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                FA:7D:53:E5:FF:68:64:75:FE:6F:76:56:F6:41:B5:A9:FF:37:DA:C9
            X509v3 Authority Key Identifier: 
                keyid:FA:7D:53:E5:FF:68:64:75:FE:6F:76:56:F6:41:B5:A9:FF:37:DA:C9
                DirName:/CN=EC-test
                serial:EF:A6:69:ED:BF:7A:A6:AB

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA256
         30:81:87:02:42:01:9b:98:7a:80:15:6c:a6:f2:ba:b8:c3:11:
         eb:8b:f5:10:31:78:65:ef:97:0f:0b:eb:19:5b:64:fb:2e:2c:
         79:a3:da:2d:a3:57:ad:b9:50:28:fa:a6:d5:63:ab:a8:22:63:
         d5:06:bc:fd:46:a5:45:73:66:e7:cc:01:89:f2:cc:03:35:02:
         41:31:89:c1:3f:21:e9:29:74:ce:a8:64:2d:46:21:7d:77:4b:
         d6:b6:13:2f:c2:46:00:34:86:f5:fb:20:9c:ed:d9:4e:be:02:
         56:c1:0d:bc:33:58:46:7f:78:94:57:a5:8b:9d:28:7d:a7:9d:
         e4:42:06:43:8b:cd:1e:d3:80:ea:12:c2
Yep, only have CN here, so putting more info into the vars, will generate a longer output? It's just additional info, but doesn't negatively affect the security right?
Top
matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Tue Jul 18, 2017 1:34 am

ExecStart=/usr/local/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf


That line is a little different for me:

Code: Select all

ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf

Yours is /usr/local/sbin/openvpn and mine is /usr/sbin/openvpn I went to both directories and also found a openvpn there, so to check if they're the same, I did the md5sum on both. Here's an imgur

So they're different binaries, which one to use? :lol:
Top
matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Tue Jul 18, 2017 2:19 am

When recompiling openvpn to use systemd, I get this:

Code: Select all

checking for libsystemd... no
checking for libsystemd... no
configure: error: Package requirements (libsystemd-daemon) were not met:

No package 'libsystemd-daemon' found
I tried apt-get install libsystemd-daemon0, I thought it was a missing package/dependency?

That didn't work..
Top
matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Tue Jul 18, 2017 2:44 am

Okay, quick update:

I seem to have fixed it by simply changing from:

Code: Select all

ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf

TO

Code: Select all

ExecStart=/usr/local/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
The thing is, before this change, my tun0 interface was not showing up on reboot indicating that my openvpn wasn't starting up properly. After making the change and doing a reboot, the tun0 interface shows up like before !

So I guess the new 2.4.3 binary is at /usr/local/sbin/openvpn and the old one was at /usr/sbin/openvpn

My recompile with systemd failed, and this still works? Does it mean that recompiling with systemd is not required? All that is needed was to make the changes above.. :?
Top
matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Tue Jul 18, 2017 2:59 am

I might as well post my server/client conf and logs:
Server.conf
1
dev tun
2
proto tcp
3
port 666
4
compress lz4
5
tls-server
6
ca /etc/openvpn/ECC/ca.crt
7
cert /etc/openvpn/ECC/EC-test.crt
8
key /etc/openvpn/ECC/EC-test.key
9
tls-crypt /etc/openvpn/ECC/ta.key
10
dh none
11
ecdh-curve secp521r1
12
auth SHA512
13
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
14
cipher AES-256-GCM
15
ncp-ciphers AES-256-GCM
16
tls-version-min 1.2
17
persist-key
18
persist-tun
19
server 10.8.0.0 255.255.255.0
20
push "compress lz4"
21
push "redirect-gateway def1 bypass-dhcp"
22
push "dhcp-option DNS 8.8.8.8"
23
push "dhcp-option DNS 8.8.4.4"
24
keepalive 10 120
25
user nobody
26
group nogroup
27
status /var/log/openvpn-status.log 20
28
log /var/log/openvpn.log
Client
1
client
2
dev tun
3
remote no-ip-domain 666 tcp
4
resolv-retry infinite
5
compress lz4
6
nobind
7
verify-x509-name EC-test name
8
remote-cert-tls server
9
auth SHA512
10
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
11
cipher AES-256-GCM
12
tls-version-min 1.2
13
persist-key
14
persist-tun
15
verb 3
16
auth-nocache
17
<ca>
18
--STRIPPED INLINE CA CERT--
19
</ca>
20
<cert>
21
--STRIPPED INLINE CERT--
22
</cert>
23
<key>
24
--STRIPPED INLINE KEY--
25
</key>
26
<tls-crypt>

Logs:


Server logs
1
Tue Jul 18 10:51:19 2017 TCP connection established with [AF_INET]192.168.1.1:51749
2
Tue Jul 18 10:51:20 2017 192.168.1.1:51749 TLS: Initial packet from [AF_INET]192.168.1.1:51749, sid=d7a8641f 4ed05a82
3
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 VERIFY OK: depth=1, CN=EC-test
4
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 VERIFY OK: depth=0, CN=test1
5
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_VER=2.4.3
6
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_PLAT=win
7
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_PROTO=2
8
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_NCP=2
9
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_LZ4=1
10
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_LZ4v2=1
11
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_LZO=1
12
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_COMP_STUB=1
13
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_COMP_STUBv2=1
14
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_TCPNL=1
15
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_GUI_VER=OpenVPN_GUI_11
16
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 Control Channel: TLSv1.2, cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, 521 bit key
17
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 [test1] Peer Connection Initiated with [AF_INET]192.168.1.1:51749
18
Tue Jul 18 10:51:21 2017 test1/192.168.1.1:51749 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
19
Tue Jul 18 10:51:21 2017 test1/192.168.1.1:51749 MULTI: Learn: 10.8.0.6 -> test1/192.168.1.1:51749
20
Tue Jul 18 10:51:21 2017 test1/192.168.1.1:51749 MULTI: primary virtual IP for test1/192.168.1.1:51749: 10.8.0.6
21
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 PUSH: Received control message: 'PUSH_REQUEST'
22
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 SENT CONTROL [test1]: 'PUSH_REPLY,compress lz4,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
23
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Client Logs
1
Tue Jul 18 02:51:18 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
2
Tue Jul 18 02:51:18 2017 Windows version 6.2 (Windows 8 or greater) 64bit
3
Tue Jul 18 02:51:18 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
4
Enter Management Password:
5
Tue Jul 18 02:51:18 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
6
Tue Jul 18 02:51:18 2017 Need hold release from management interface, waiting...
7
Tue Jul 18 02:51:19 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
8
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'state on'
9
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'log all on'
10
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'echo all on'
11
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'hold off'
12
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'hold release'
13
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'password [...]'
14
Tue Jul 18 02:51:19 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
15
Tue Jul 18 02:51:19 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
16
Tue Jul 18 02:51:19 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
17
Tue Jul 18 02:51:19 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
18
Tue Jul 18 02:51:19 2017 MANAGEMENT: >STATE:1500371479,RESOLVE,,,,,,
19
Tue Jul 18 02:51:19 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]external ip:666
20
Tue Jul 18 02:51:19 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
21
Tue Jul 18 02:51:19 2017 Attempting to establish TCP connection with [AF_INET]external ip:666 [nonblock]
22
Tue Jul 18 02:51:19 2017 MANAGEMENT: >STATE:1500371479,TCP_CONNECT,,,,,,
23
Tue Jul 18 02:51:20 2017 TCP connection established with [AF_INET]external ip:666
24
Tue Jul 18 02:51:20 2017 TCP_CLIENT link local: (not bound)
25
Tue Jul 18 02:51:20 2017 TCP_CLIENT link remote: [AF_INET]external ip:666
26
Tue Jul 18 02:51:20 2017 MANAGEMENT: >STATE:1500371480,WAIT,,,,,,
27
Tue Jul 18 02:51:20 2017 MANAGEMENT: >STATE:1500371480,AUTH,,,,,,
28
Tue Jul 18 02:51:20 2017 TLS: Initial packet from [AF_INET]external ip:666, sid=0d55331e 8a62a69e
29
Tue Jul 18 02:51:20 2017 VERIFY OK: depth=1, CN=EC-test
30
Tue Jul 18 02:51:20 2017 VERIFY KU OK
31
Tue Jul 18 02:51:20 2017 Validating certificate extended key usage
32
Tue Jul 18 02:51:20 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
33
Tue Jul 18 02:51:20 2017 VERIFY EKU OK
34
Tue Jul 18 02:51:20 2017 VERIFY X509NAME OK: CN=EC-test
35
Tue Jul 18 02:51:20 2017 VERIFY OK: depth=0, CN=EC-test
36
Tue Jul 18 02:51:21 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
37
Tue Jul 18 02:51:21 2017 [EC-test] Peer Connection Initiated with [AF_INET]external ip:666
38
Tue Jul 18 02:51:22 2017 MANAGEMENT: >STATE:1500371482,GET_CONFIG,,,,,,
39
Tue Jul 18 02:51:22 2017 SENT CONTROL [EC-test]: 'PUSH_REQUEST' (status=1)
40
Tue Jul 18 02:51:22 2017 PUSH: Received control message: 'PUSH_REPLY,compress lz4,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
41
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: timers and/or timeouts modified
42
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: compression parms modified
43
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: --ifconfig/up options modified
44
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: route options modified
45
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
46
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: peer-id set
47
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: adjusting link_mtu to 1627
48
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: data channel crypto options modified
49
Tue Jul 18 02:51:22 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
50
Tue Jul 18 02:51:22 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
51
Tue Jul 18 02:51:22 2017 interactive service msg_channel=0
52
Tue Jul 18 02:51:22 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=6 HWADDR=c4:e9:84:0d:37:1c
53
Tue Jul 18 02:51:22 2017 open_tun
54
Tue Jul 18 02:51:22 2017 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{09D3110F-A374-4FAC-815E-C165F51F7901}.tap
55
Tue Jul 18 02:51:22 2017 TAP-Windows Driver Version 9.21
56
Tue Jul 18 02:51:22 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {09D3110F-A374-4FAC-815E-C165F51F7901} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
57
Tue Jul 18 02:51:22 2017 Successful ARP Flush on interface [10] {09D3110F-A374-4FAC-815E-C165F51F7901}
58
Tue Jul 18 02:51:22 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
59
Tue Jul 18 02:51:22 2017 MANAGEMENT: >STATE:1500371482,ASSIGN_IP,,10.8.0.6,,,,
60
Tue Jul 18 02:51:27 2017 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
61
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD external ip MASK 255.255.255.255 192.168.1.1
62
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
63
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
64
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
65
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
66
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
67
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
68
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
69
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
70
Tue Jul 18 02:51:27 2017 MANAGEMENT: >STATE:1500371487,ADD_ROUTES,,,,,,
71
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
72
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
73
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
74
Tue Jul 18 02:51:27 2017 Initialization Sequence Completed
Top
dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Tue Jul 18, 2017 9:39 am

Well done!

you should still recompile because some things might not work as expected - what you are missing is

sudo apt-get install libsystemd-daemon-dev
Top
matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Tue Jul 18, 2017 11:41 am

Oh great ! libsystemd-daemon-dev is exactly what I needed, now ./configure --enable-systemd --with-crypto-library=mbedtls works fine !


What's the point of recompiling it so that systemd is enabled?
Top
TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by TinCanTech » Tue Jul 18, 2017 11:47 am

matt3226 wrote:What's the point of recompiling it so that systemd is enabled?
The openvpn -> systemd code ensures that openvpn correctly notifies systemd of success or failure (It is a little more complicated than that because only specific use cases caused any error which is probably why you do not notice any difference).

Example: https://community.openvpn.net/openvpn/ticket/801
Top
matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Tue Jul 18, 2017 11:54 am

Okay... that's complicated stuff !

Oh and, anything else to add to both the server and client configs to make it more secure?
Top
dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Tue Jul 18, 2017 12:04 pm

It really depends what you want achieve. Depending on threat level and potential adversaries it might even better not to use Internet at all:) hahaha

Check below if you want tinker more. In general what you've got in your config is more than enough for casual usage.

https://community.openvpn.net/openvpn/wiki/Hardening

https://gist.github.com/pwnsdx/8fc14ee1e9f561a0a5b8
Top
matt3226
OpenVPN User
Posts: 35
Joined: Wed May 17, 2017 4:24 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by matt3226 » Tue Jul 18, 2017 12:16 pm

Thanks for sharing that github link !

Depending on threat level and potential adversaries huh?

From my understanding, the crypto implemented in these systems (like openVPN). Should be (for all practical purposes) secure from anything. I mean anything at all, NSA or huge powerful adversary or not. The crypto as far as I've read around the internet, is very secure.


And to back it up, it's been heavily audited by trusted cryptographers too, and even they agree it is a sound system. So what gives? Why are people assuming that the NSA (or anyone for that matter) is capable of breaking the crypto?

I'm just saying, just some thoughts...
Top
dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Tue Jul 18, 2017 12:29 pm

I would just follow good IT practices. E.g. I've noticed on your screenshot that you do stuff using root account. This is type of things you should worry more than crypto strength:)

Make sure that your openvpn server and client don't have any other vulnerabilities. Keep it patched.

if you want to be super secure I am afraid it will turn into full time job. Even the best configured system today might be compromised tomorrow. Read security blogs and stay on top of new issues - they emerge almost daily.

It is interesting subject but security is much more than choosing the longest possible key:)

Congratulation in making openvpn with ec work!! This is for sure achievement!
Top
dariusz
OpenVPN Power User
Posts: 94
Joined: Sat Jan 14, 2017 1:42 pm

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Post by dariusz » Tue Jul 18, 2017 12:33 pm

for openvpn just run

man openvpn

and read about available options. There are plenty. But sometimes too much is not good. You can easily weaken security if you don't understand all implications of changing something.

For casual use I would stick to basic configuration.
Top
Post Reply

Return to “Server Administration”