Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon May 22, 2017 7:09 pm
by Pippin
@bird333
See manual 2.4 --ncp.....

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon May 22, 2017 7:13 pm
by dariusz
Crypto parameter negotiation is automatic unless explicitly disabled, as per the 2.4 manual.

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon May 22, 2017 11:36 pm
by bird333
The control channel encryption still shows AES-256-CTR and SHA256 with 'ncp-disable' added to the server and client configs. The client log does show AES-256-CBC and SHA512 for the 'data channel', which it didn't before I added 'ncp-disable'. See below.

Client log

Mon May 22 18:07:35 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon May 22 18:07:35 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon May 22 18:07:35 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon May 22 18:07:35 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

Mon May 22 18:07:35 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Mon May 22 18:07:35 2017 [server] Peer Connection Initiated with [AF_INET]*.*.*.*:1194
Mon May 22 18:07:35 2017 Key [AF_INET]*.*.*.*:1194 [0] not initialized (yet), dropping packet.
Mon May 22 18:07:35 2017 Key [AF_INET]*.*.*.*:1194 [0] not initialized (yet), dropping packet.
Mon May 22 18:07:36 2017 Key [AF_INET]*.*.*.*:1194 [0] not initialized (yet), dropping packet.
Mon May 22 18:07:36 2017 MANAGEMENT: >STATE:1495494456,GET_CONFIG,,,,,,
Mon May 22 18:07:36 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon May 22 18:07:36 2017 PUSH: Received control message: 'PUSH_REPLY,ping 15,ping-restart 60,peer-id 1'
Mon May 22 18:07:36 2017 OPTIONS IMPORT: timers and/or timeouts modified
Mon May 22 18:07:36 2017 OPTIONS IMPORT: peer-id set
Mon May 22 18:07:36 2017 OPTIONS IMPORT: adjusting link_mtu to 1657
Mon May 22 18:07:36 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 22 18:07:36 2017 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon May 22 18:07:36 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 22 18:07:36 2017 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Tue May 23, 2017 1:57 pm
by dariusz
Mon Jan 16 11:14:44 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jan 16 11:14:44 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jan 16 11:14:44 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jan 16 11:14:44 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
The above lines in the server log indicate that you have tls-crypt enabled and that it has initiated control channel packet encryption. tls-crypt is not mandatory but adds an extra layer of security. It is used in addition to the control channel cipher, which is either negotiated or explicitly specified by your configuration, e.g. in your case ECDHE-ECDSA-AES256-GCM-SHA384 with HMAC SHA512.
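The three layers described above (the tls-crypt wrap of control packets, the TLS suite protecting the control channel, and the data channel cipher/HMAC) are easy to confuse when reading a log. This is an added example, not code from the thread or from OpenVPN: it pulls each layer out of the quoted log lines and compares only the data channel against the configured --cipher/--auth, since those options do not set the tls-crypt wrap. The sample log is constructed from lines quoted in the thread.

```python
import re

# Constructed sample modelled on the client log quoted in the thread.
SAMPLE_LOG = """\
Mon May 22 18:07:35 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon May 22 18:07:35 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon May 22 18:07:35 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Mon May 22 18:07:36 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 22 18:07:36 2017 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
"""

TS = r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} "  # OpenVPN log timestamp prefix
PATTERNS = {
    # Layer 1: tls-crypt / tls-auth wrapping of control channel packets
    "control_wrap_cipher": re.compile(TS + r"Outgoing Control Channel Encryption: Cipher '([^']+)'"),
    "control_wrap_hmac": re.compile(TS + r"Outgoing Control Channel Encryption: Using \d+ bit message hash '([^']+)'"),
    # Layer 2: the TLS handshake that protects the control channel itself
    "tls_suite": re.compile(TS + r"Control Channel: (TLSv[\d.]+), cipher \S+ (\S+)"),
    # Layer 3: data channel cipher and HMAC (negotiated unless ncp-disable is set)
    "data_cipher": re.compile(TS + r"Data Channel Encrypt: Cipher '([^']+)'"),
    "data_hmac": re.compile(TS + r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'"),
}


def summarize(log: str) -> dict:
    """Return one value per layer; missing lines stay None (e.g. no HMAC line
    is printed when an AEAD data cipher such as AES-256-GCM is in use)."""
    found = {key: None for key in PATTERNS}
    for line in log.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                found[key] = m.groups() if key == "tls_suite" else m.group(1)
    return found


def check_data_channel(summary: dict, cfg_cipher: str, cfg_auth: str) -> list:
    """List mismatches between --cipher/--auth and the data channel actually
    in use. The control channel wrap is deliberately not compared."""
    problems = []
    if summary["data_cipher"] != cfg_cipher:
        problems.append(f"data cipher {summary['data_cipher']} != --cipher {cfg_cipher}")
    if summary["data_hmac"] is not None and summary["data_hmac"] != cfg_auth:
        problems.append(f"data HMAC {summary['data_hmac']} != --auth {cfg_auth}")
    return problems
```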

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Tue May 23, 2017 8:30 pm
by bird333
I guess my question was why does it not match what's in the config? I suspect that 'tls-crypt' defaults to AES-256-CTR and SHA256 and there is no way to change it.

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Wed May 24, 2017 8:18 am
by dariusz
@bird333

For me it looks the same. It is not configurable.

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Wed May 24, 2017 2:44 pm
by bird333
I found this in a google search. https://sourceforge.net/p/openvpn/mailm ... /35761755/ Indeed it looks like this is hardcoded and can't be changed.

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Wed May 24, 2017 4:08 pm
by dariusz
Cool. Thx for sharing.

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Wed Jun 21, 2017 4:56 pm
by umdmc
Nice write-up. I was able to get it working on my router. One question though. I did the step using OpenSSL 1.1.0f:

c:/OpenSSL-Win32/bin/openssl ec -in ECClient1.key -des3 -out ECClient1.3des.key
My generated key ECClient1.3des.key was created fine. But I am not seeing the initial syntax that you have in your key.

-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6778BFA39150BF9E
It just shows the key without the above:

-----BEGIN EC PRIVATE KEY-----

My key.....

-----END EC PRIVATE KEY-----
Does that matter?

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Wed Jun 21, 2017 5:00 pm
by dariusz
Are you checking the ECClient1.3des.key file?

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Wed Jun 21, 2017 5:06 pm
by umdmc
Yep. I checked both and they are different. So I guess it worked?

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Wed Jun 21, 2017 5:10 pm
by dariusz
The 3des file should indicate that the key is encrypted, like in my example.

3des or aes key encryption is only important when transferring keys to your client over an insecure channel. It protects your private key from being compromised while in transit.
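A quick way to verify what the posts above discuss, i.e. that a key file really is encrypted before it is handed to a client: an added example, not code from the thread or from OpenSSL, that reads the PEM headers `openssl ec -des3` writes (`Proc-Type: 4,ENCRYPTED` and `DEK-Info`) and also recognises the PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` form. The PEM samples are constructed; their base64 bodies are dummies, not real keys.

```python
import re

# Constructed samples modelled on the thread's output (dummy base64 bodies).
ENCRYPTED_PEM = """\
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

bm90IGEgcmVhbCBrZXk=
-----END EC PRIVATE KEY-----
"""
PLAIN_PEM = """\
-----BEGIN EC PRIVATE KEY-----
bm90IGEgcmVhbCBrZXk=
-----END EC PRIVATE KEY-----
"""
PKCS8_ENC_PEM = """\
-----BEGIN ENCRYPTED PRIVATE KEY-----
bm90IGEgcmVhbCBrZXk=
-----END ENCRYPTED PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)


def key_encryption(pem: str) -> dict:
    """Classify a PEM private key as 'none', 'legacy' (Proc-Type/DEK-Info
    headers, what `openssl ec -des3` produces) or 'pkcs8'."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":
        return {"label": label, "encryption": "pkcs8", "algorithm": None}
    headers = {}
    for line in body.splitlines():
        if ":" not in line:          # base64 data or the blank separator: headers are over
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        alg = headers.get("DEK-Info", "").split(",")[0] or None  # e.g. DES-EDE3-CBC
        return {"label": label, "encryption": "legacy", "algorithm": alg}
    return {"label": label, "encryption": "none", "algorithm": None}


def is_protected(pem: str) -> bool:
    """True if the private key is passphrase-protected in some form."""
    return key_encryption(pem)["encryption"] != "none"
```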

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Wed Jun 21, 2017 5:20 pm
by umdmc
Oh ok. Not sure why I am not getting the same output. Whatever it did, the new key still worked.

EDIT:

I must have typed something wrong initially because I went back and tried it and it worked. Oops. ;-)

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 9:31 am
by matt3226
Then I built the latest OpenVPN 2.4:
wget https://swupdate.openvpn.org/community/ ... 4.0.tar.gz
tar xvf openvpn-2.4.0.tar.gz
cd openvpn-2.4.0
./configure --with-crypto-library=mbedtls
make
sudo make install
I got errors while doing ./configure --with-crypto-library=mbedtls and fixed it following this thread on Stack Overflow.

I'll just drop it here to help out anyone following this tutorial.

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:21 am
by matt3226
I'm stuck at the command

./easyrsa init-pki
There seems to be something wrong with my openssl command. I can't attach files here, so here's an imgur:

I'm using mbedtls-2.5.1, openssl-1.1.0f, and openvpn-2.4.3.

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:26 am
by dariusz
There is no openssl at /usr/local/bin/openssl.

You have to edit the following line in the vars file

set_var EASYRSA_OPENSSL "/usr/local/opt/openssl/bin/openssl"

and set it to wherever your openssl is.

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:36 am
by matt3226
Newbie question, how do I find where my openssl is located?

Is there a command I could run to find out?

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:42 am
by dariusz
which openssl

But then check if this is the right one, in case you have multiple versions installed:

WhateverPath/openssl version

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:44 am
by matt3226
which openssl outputs /usr/local/bin/openssl

EDIT: running openssl outputs

openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

Re: OpenVPN 2.4 and pure elliptic curve crypto setup

Posted: Mon Jul 17, 2017 10:45 am
by dariusz
And

/usr/local/bin/openssl version

?