Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 6:03 pm
i am sure not:) the length is not random. I don't know. but i will check my setup
OpenVPN Support Forum
Community Support Forum
https://forums.openvpn.net/
OpenVPN 2.4 and pure elliptic curve crypto setup
Page 5 of 6
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 6:21 pm
Your tutorial is really helpful for setting up EC, should be made into a sticky?
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 6:34 pm
can you run
YOUR_PATH/openssl x509 -in ca.crt -text -noout
and post result?
YOUR_PATH/openssl x509 -in ca.crt -text -noout
and post result?
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 6:43 pm
I think that my ca.crt is longer as I include more information in them. The keys itself are the same.
You only use Common Name when I use full org info.
In vars file:
set_var EASYRSA_DN org
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"
It is not required. It does not change anything but only carries more info when e.g. you have to manage many keys and want to have descriptive info.
When you run
openssl x509 -in ca.crt -text -noout
you will see yourself what is included in your key.
You only use Common Name when I use full org info.
In vars file:
set_var EASYRSA_DN org
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"
It is not required. It does not change anything but only carries more info when e.g. you have to manage many keys and want to have descriptive info.
When you run
openssl x509 -in ca.crt -text -noout
you will see yourself what is included in your key.
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 6:46 pm
in my example at the beginning of the thread I only included parts of vars file which are mandatory to handle ec correctly. as you can see yourself in vars there are few more things you can configure - but they are optional.
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 6:55 pm
The ca.crt from my example contains the following:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f1:31:45:09:7d:c0:c7:91
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = California, L = San Francisco, O = Copyleft Certificate Co, OU = My Organizational Unit, CN = Easy-RSA CA, emailAddress = me@example.net
Validity
Not Before: Jan 16 09:14:02 2017 GMT
Not After : Jan 14 09:14:02 2027 GMT
Subject: C = US, ST = California, L = San Francisco, O = Copyleft Certificate Co, OU = My Organizational Unit, CN = Easy-RSA CA, emailAddress = me@example.net
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:01:61:b0:87:7a:18
4c:e9:55:7e:ea:ca:a3:
b8:03:4c:a0:a3f8:77:87:99:d9:93:c7:39:8a:
31:65:17:41:89:e4:2f:e7:5a:42:63:a8:59:97:fe:
bf:aa:57:14:97:ca:4a:aa:7e:e6:0d:61:fd:c9:22:
08:8a:ac:f4:5f:c4:13:00:ce:97:48:7f:07:6a:df:
ed:85:03:d9:b7:9a:3a:b1:1a:c9:aa:b0:42:b9:7d:
21:f2:56:6c:d1:05:88:46:ce:28:77:4e:38:d8:d4:
08:27:bb:29:bb:93:08:61:70:a8:c9:cb:a8:66:6f:
9b:44:6a:1c:7a:b4:46:e8:c9:ad:d0:6d:cc
ASN1 OID: secp521r1
NIST CURVE: P-521
X509v3 extensions:
X509v3 Subject Key Identifier:
4A:3D:CC:75:4C:38:68:01:91:2C:87:6F:AE:0D:81:27:82:11:16:D2
X509v3 Authority Key Identifier:
keyid:4A:3D:CC:75:4C:38:68:01:91:2C:87:6F:AE:0D:81:27:82:11:16:D2
DirName:/C=US/ST=California/L=San Francisco/O=Copyleft Certificate Co/OU=My Organizational Unit/CN=Easy-RSA CA/emailAddress=me@example.net
serial:F1:31:45:09:7D:C0:C7:91
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
30:81:88:02:42:00:a5:ae:c4:6a:e9:05:f3:67:2a:94:ce:48:
21:b4:3f:db
3b:54:8e:f3:a1:d4:b9:1b:9b:4d:8b:5f:eb:
a4:4d:8c:7f:8a:e0:f5:75:0d:3d:b3:eb:91:70:37:8d:95:bc:
02:bf:33:76:f2:e3:52:a2:1c:60:f1:66:fb:a9:3a:d3:42:02:
42:01:6d:72:64:0d:4e:8d:1c:d7:17:ed:f3:30:0f:44:e9:8d:
38:62:f0:88:a6:d0:f2:80:4e:e4:f7:d8:27:0a:9c:ce:41:c1:
8e:47:b0:d8:67:a2:66:0d:5a:8e:f8:85:9f:68:51:42:62:fa:
ea:64:6a:a4:b3:62:d3:49:25:ba:0f9d
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f1:31:45:09:7d:c0:c7:91
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = California, L = San Francisco, O = Copyleft Certificate Co, OU = My Organizational Unit, CN = Easy-RSA CA, emailAddress = me@example.net
Validity
Not Before: Jan 16 09:14:02 2017 GMT
Not After : Jan 14 09:14:02 2027 GMT
Subject: C = US, ST = California, L = San Francisco, O = Copyleft Certificate Co, OU = My Organizational Unit, CN = Easy-RSA CA, emailAddress = me@example.net
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:01:61:b0:87:7a:18
4c:e9:55:7e:ea:ca:a3:b8:03:4c:a0:a3
f8:77:87:99:d9:93:c7:39:8a:31:65:17:41:89:e4:2f:e7:5a:42:63:a8:59:97:fe:
bf:aa:57:14:97:ca:4a:aa:7e:e6:0d:61:fd:c9:22:
08:8a:ac:f4:5f:c4:13:00:ce:97:48:7f:07:6a:df:
ed:85:03:d9:b7:9a:3a:b1:1a:c9:aa:b0:42:b9:7d:
21:f2:56:6c:d1:05:88:46:ce:28:77:4e:38:d8:d4:
08:27:bb:29:bb:93:08:61:70:a8:c9:cb:a8:66:6f:
9b:44:6a:1c:7a:b4:46:e8:c9:ad:d0:6d:cc
ASN1 OID: secp521r1
NIST CURVE: P-521
X509v3 extensions:
X509v3 Subject Key Identifier:
4A:3D:CC:75:4C:38:68:01:91:2C:87:6F:AE:0D:81:27:82:11:16:D2
X509v3 Authority Key Identifier:
keyid:4A:3D:CC:75:4C:38:68:01:91:2C:87:6F:AE:0D:81:27:82:11:16:D2
DirName:/C=US/ST=California/L=San Francisco/O=Copyleft Certificate Co/OU=My Organizational Unit/CN=Easy-RSA CA/emailAddress=me@example.net
serial:F1:31:45:09:7D:C0:C7:91
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
30:81:88:02:42:00:a5:ae:c4:6a:e9:05:f3:67:2a:94:ce:48:
21:b4:3f:db
3b:54:8e:f3:a1:d4:b9:1b:9b:4d:8b:5f:eb:a4:4d:8c:7f:8a:e0:f5:75:0d:3d:b3:eb:91:70:37:8d:95:bc:
02:bf:33:76:f2:e3:52:a2:1c:60:f1:66:fb:a9:3a:d3:42:02:
42:01:6d:72:64:0d:4e:8d:1c:d7:17:ed:f3:30:0f:44:e9:8d:
38:62:f0:88:a6:d0:f2:80:4e:e4:f7:d8:27:0a:9c:ce:41:c1:
8e:47:b0:d8:67:a2:66:0d:5a:8e:f8:85:9f:68:51:42:62:fa:
ea:64:6a:a4:b3:62:d3:49:25:ba:0f
9dRe: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Mon Jul 17, 2017 7:03 pm
and systemd. It is relatively simple and you will find plenty of info on the net.
quick hack as you have already 2.3.4 installed is just edit /lib/systemd/system/openvpn@.service
and make sure that below line points into your 2.4 openvpn file instead of 2.3
ExecStart=/usr/local/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
also you will have to recompile your openvpn to enable systemd if not done already.
./configure \
--enable-systemd \
--with-crypto-library=mbedtls
Happy tinkering:)
quick hack as you have already 2.3.4 installed is just edit /lib/systemd/system/openvpn@.service
and make sure that below line points into your 2.4 openvpn file instead of 2.3
ExecStart=/usr/local/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
also you will have to recompile your openvpn to enable systemd if not done already.
./configure \
--enable-systemd \
--with-crypto-library=mbedtls
Happy tinkering:)
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 1:21 am
output of YOUR_PATH/openssl x509 -in ca.crt -text -noout
Yep, only have CN here, so putting more info into the vars, will generate a longer output? It's just additional info, but doesn't negatively affect the security right?
Code: Select all
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ef:a6:69:ed:bf:7a:a6:ab
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = EC-test
Validity
Not Before: Jul 17 11:49:37 2017 GMT
Not After : Jul 15 11:49:37 2027 GMT
Subject: CN = EC-test
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:01:eb:b0:d8:3f:1b:b9:b9:9e:70:55:5f:c4:f9:
91:ce:04:44:6f:7f:a1:1e:13:e1:1e:c2:a8:f5:79:
07:e8:d5:46:bc:ab:9e:15:a6:92:41:86:4f:89:a4:
56:7c:20:d8:8f:94:ca:cf:80:ad:85:ba:4c:50:10:
6d:c0:28:61:c2:09:20:00:ea:18:7a:77:f0:25:c8:
50:7b:4d:d3:fd:6e:af:50:c8:5a:af:ff:3c:36:58:
f2:1a:04:c4:90:be:3a:7f:c2:29:b9:03:96:de:72:
b1:ab:11:29:83:46:05:6b:e6:e8:a5:a1:71:60:a3:
87:94:b3:47:92:6d:ec:92:79:bc:65:ff:2d
ASN1 OID: secp521r1
NIST CURVE: P-521
X509v3 extensions:
X509v3 Subject Key Identifier:
FA:7D:53:E5:FF:68:64:75:FE:6F:76:56:F6:41:B5:A9:FF:37:DA:C9
X509v3 Authority Key Identifier:
keyid:FA:7D:53:E5:FF:68:64:75:FE:6F:76:56:F6:41:B5:A9:FF:37:DA:C9
DirName:/CN=EC-test
serial:EF:A6:69:ED:BF:7A:A6:AB
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
30:81:87:02:42:01:9b:98:7a:80:15:6c:a6:f2:ba:b8:c3:11:
eb:8b:f5:10:31:78:65:ef:97:0f:0b:eb:19:5b:64:fb:2e:2c:
79:a3:da:2d:a3:57:ad:b9:50:28:fa:a6:d5:63:ab:a8:22:63:
d5:06:bc:fd:46:a5:45:73:66:e7:cc:01:89:f2:cc:03:35:02:
41:31:89:c1:3f:21:e9:29:74:ce:a8:64:2d:46:21:7d:77:4b:
d6:b6:13:2f:c2:46:00:34:86:f5:fb:20:9c:ed:d9:4e:be:02:
56:c1:0d:bc:33:58:46:7f:78:94:57:a5:8b:9d:28:7d:a7:9d:
e4:42:06:43:8b:cd:1e:d3:80:ea:12:c2Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 1:34 am
ExecStart=/usr/local/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
That line is a little different for me:
Code: Select all
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.confYours is /usr/local/sbin/openvpn and mine is /usr/sbin/openvpn I went to both directories and also found a openvpn there, so to check if they're the same, I did the md5sum on both. Here's an imgur
So they're different binaries, which one to use?
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 2:19 am
When recompiling openvpn to use systemd, I get this:
I tried apt-get install libsystemd-daemon0, I thought it was a missing package/dependency?
That didn't work..
Code: Select all
checking for libsystemd... no
checking for libsystemd... no
configure: error: Package requirements (libsystemd-daemon) were not met:
No package 'libsystemd-daemon' found
That didn't work..
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 2:44 am
Okay, quick update:
I seem to have fixed it by simply changing from:
TO
The thing is, before this change, my tun0 interface was not showing up on reboot indicating that my openvpn wasn't starting up properly. After making the change and doing a reboot, the tun0 interface shows up like before !
So I guess the new 2.4.3 binary is at /usr/local/sbin/openvpn and the old one was at /usr/sbin/openvpn
My recompile with systemd failed, and this still works? Does it mean that recompiling with systemd is not required? All that is needed was to make the changes above..
I seem to have fixed it by simply changing from:
Code: Select all
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.confTO
Code: Select all
ExecStart=/usr/local/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.confSo I guess the new 2.4.3 binary is at /usr/local/sbin/openvpn and the old one was at /usr/sbin/openvpn
My recompile with systemd failed, and this still works? Does it mean that recompiling with systemd is not required? All that is needed was to make the changes above..
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 2:59 am
I might as well post my server/client conf and logs:
Logs:
Server.conf
dev tun
proto tcp
port 666
compress lz4
tls-server
ca /etc/openvpn/ECC/ca.crt
cert /etc/openvpn/ECC/EC-test.crt
key /etc/openvpn/ECC/EC-test.key
tls-crypt /etc/openvpn/ECC/ta.key
dh none
ecdh-curve secp521r1
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-version-min 1.2
persist-key
persist-tun
server 10.8.0.0 255.255.255.0
push "compress lz4"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
user nobody
group nogroup
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 3
proto tcp
port 666
compress lz4
tls-server
ca /etc/openvpn/ECC/ca.crt
cert /etc/openvpn/ECC/EC-test.crt
key /etc/openvpn/ECC/EC-test.key
tls-crypt /etc/openvpn/ECC/ta.key
dh none
ecdh-curve secp521r1
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-version-min 1.2
persist-key
persist-tun
server 10.8.0.0 255.255.255.0
push "compress lz4"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
user nobody
group nogroup
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 3
Client
client
dev tun
remote no-ip-domain 666 tcp
resolv-retry infinite
compress lz4
nobind
verify-x509-name EC-test name
remote-cert-tls server
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
tls-version-min 1.2
persist-key
persist-tun
verb 3
auth-nocache
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-crypt>
</tls-crypt>
dev tun
remote no-ip-domain 666 tcp
resolv-retry infinite
compress lz4
nobind
verify-x509-name EC-test name
remote-cert-tls server
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
tls-version-min 1.2
persist-key
persist-tun
verb 3
auth-nocache
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-crypt>
</tls-crypt>
Logs:
Server logs
Tue Jul 18 10:51:19 2017 TCP connection established with [AF_INET]192.168.1.1:51749
Tue Jul 18 10:51:20 2017 192.168.1.1:51749 TLS: Initial packet from [AF_INET]192.168.1.1:51749, sid=d7a8641f 4ed05a82
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 VERIFY OK: depth=1, CN=EC-test
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 VERIFY OK: depth=0, CN=test1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_VER=2.4.3
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_PLAT=win
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_PROTO=2
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_NCP=2
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_LZ4=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_LZ4v2=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_LZO=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_COMP_STUB=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_COMP_STUBv2=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_TCPNL=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 Control Channel: TLSv1.2, cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, 521 bit key
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 [test1] Peer Connection Initiated with [AF_INET]192.168.1.1:51749
Tue Jul 18 10:51:21 2017 test1/192.168.1.1:51749 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Tue Jul 18 10:51:21 2017 test1/192.168.1.1:51749 MULTI: Learn: 10.8.0.6 -> test1/192.168.1.1:51749
Tue Jul 18 10:51:21 2017 test1/192.168.1.1:51749 MULTI: primary virtual IP for test1/192.168.1.1:51749: 10.8.0.6
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 SENT CONTROL [test1]: 'PUSH_REPLY,compress lz4,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 18 10:51:20 2017 192.168.1.1:51749 TLS: Initial packet from [AF_INET]192.168.1.1:51749, sid=d7a8641f 4ed05a82
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 VERIFY OK: depth=1, CN=EC-test
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 VERIFY OK: depth=0, CN=test1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_VER=2.4.3
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_PLAT=win
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_PROTO=2
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_NCP=2
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_LZ4=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_LZ4v2=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_LZO=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_COMP_STUB=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_COMP_STUBv2=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_TCPNL=1
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 Control Channel: TLSv1.2, cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, 521 bit key
Tue Jul 18 10:51:21 2017 192.168.1.1:51749 [test1] Peer Connection Initiated with [AF_INET]192.168.1.1:51749
Tue Jul 18 10:51:21 2017 test1/192.168.1.1:51749 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Tue Jul 18 10:51:21 2017 test1/192.168.1.1:51749 MULTI: Learn: 10.8.0.6 -> test1/192.168.1.1:51749
Tue Jul 18 10:51:21 2017 test1/192.168.1.1:51749 MULTI: primary virtual IP for test1/192.168.1.1:51749: 10.8.0.6
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 SENT CONTROL [test1]: 'PUSH_REPLY,compress lz4,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 18 10:51:22 2017 test1/192.168.1.1:51749 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Client Logs
Tue Jul 18 02:51:18 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
Tue Jul 18 02:51:18 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jul 18 02:51:18 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Tue Jul 18 02:51:18 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jul 18 02:51:18 2017 Need hold release from management interface, waiting...
Tue Jul 18 02:51:19 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'state on'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'log all on'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'echo all on'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'hold off'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'hold release'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'password [...]'
Tue Jul 18 02:51:19 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jul 18 02:51:19 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 18 02:51:19 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jul 18 02:51:19 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 18 02:51:19 2017 MANAGEMENT: >STATE:1500371479,RESOLVE,,,,,,
Tue Jul 18 02:51:19 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]external ip:666
Tue Jul 18 02:51:19 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 18 02:51:19 2017 Attempting to establish TCP connection with [AF_INET]external ip:666 [nonblock]
Tue Jul 18 02:51:19 2017 MANAGEMENT: >STATE:1500371479,TCP_CONNECT,,,,,,
Tue Jul 18 02:51:20 2017 TCP connection established with [AF_INET]external ip:666
Tue Jul 18 02:51:20 2017 TCP_CLIENT link local: (not bound)
Tue Jul 18 02:51:20 2017 TCP_CLIENT link remote: [AF_INET]external ip:666
Tue Jul 18 02:51:20 2017 MANAGEMENT: >STATE:1500371480,WAIT,,,,,,
Tue Jul 18 02:51:20 2017 MANAGEMENT: >STATE:1500371480,AUTH,,,,,,
Tue Jul 18 02:51:20 2017 TLS: Initial packet from [AF_INET]external ip:666, sid=0d55331e 8a62a69e
Tue Jul 18 02:51:20 2017 VERIFY OK: depth=1, CN=EC-test
Tue Jul 18 02:51:20 2017 VERIFY KU OK
Tue Jul 18 02:51:20 2017 Validating certificate extended key usage
Tue Jul 18 02:51:20 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jul 18 02:51:20 2017 VERIFY EKU OK
Tue Jul 18 02:51:20 2017 VERIFY X509NAME OK: CN=EC-test
Tue Jul 18 02:51:20 2017 VERIFY OK: depth=0, CN=EC-test
Tue Jul 18 02:51:21 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Tue Jul 18 02:51:21 2017 [EC-test] Peer Connection Initiated with [AF_INET]external ip:666
Tue Jul 18 02:51:22 2017 MANAGEMENT: >STATE:1500371482,GET_CONFIG,,,,,,
Tue Jul 18 02:51:22 2017 SENT CONTROL [EC-test]: 'PUSH_REQUEST' (status=1)
Tue Jul 18 02:51:22 2017 PUSH: Received control message: 'PUSH_REPLY,compress lz4,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: compression parms modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: route options modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: peer-id set
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: data channel crypto options modified
Tue Jul 18 02:51:22 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 18 02:51:22 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 18 02:51:22 2017 interactive service msg_channel=0
Tue Jul 18 02:51:22 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=6 HWADDR=c4:e9:84:0d:37:1c
Tue Jul 18 02:51:22 2017 open_tun
Tue Jul 18 02:51:22 2017 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{09D3110F-A374-4FAC-815E-C165F51F7901}.tap
Tue Jul 18 02:51:22 2017 TAP-Windows Driver Version 9.21
Tue Jul 18 02:51:22 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {09D3110F-A374-4FAC-815E-C165F51F7901} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Tue Jul 18 02:51:22 2017 Successful ARP Flush on interface [10] {09D3110F-A374-4FAC-815E-C165F51F7901}
Tue Jul 18 02:51:22 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 18 02:51:22 2017 MANAGEMENT: >STATE:1500371482,ASSIGN_IP,,10.8.0.6,,,,
Tue Jul 18 02:51:27 2017 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD external ip MASK 255.255.255.255 192.168.1.1
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 02:51:27 2017 MANAGEMENT: >STATE:1500371487,ADD_ROUTES,,,,,,
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 02:51:27 2017 Initialization Sequence Completed
Tue Jul 18 02:51:27 2017 MANAGEMENT: >STATE:1500371487,CONNECTED,SUCCESS,10.8.0.6,external ip,666,192.168.1.112,51749
Tue Jul 18 02:51:18 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jul 18 02:51:18 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Tue Jul 18 02:51:18 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jul 18 02:51:18 2017 Need hold release from management interface, waiting...
Tue Jul 18 02:51:19 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'state on'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'log all on'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'echo all on'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'hold off'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'hold release'
Tue Jul 18 02:51:19 2017 MANAGEMENT: CMD 'password [...]'
Tue Jul 18 02:51:19 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jul 18 02:51:19 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 18 02:51:19 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Jul 18 02:51:19 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Jul 18 02:51:19 2017 MANAGEMENT: >STATE:1500371479,RESOLVE,,,,,,
Tue Jul 18 02:51:19 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]external ip:666
Tue Jul 18 02:51:19 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 18 02:51:19 2017 Attempting to establish TCP connection with [AF_INET]external ip:666 [nonblock]
Tue Jul 18 02:51:19 2017 MANAGEMENT: >STATE:1500371479,TCP_CONNECT,,,,,,
Tue Jul 18 02:51:20 2017 TCP connection established with [AF_INET]external ip:666
Tue Jul 18 02:51:20 2017 TCP_CLIENT link local: (not bound)
Tue Jul 18 02:51:20 2017 TCP_CLIENT link remote: [AF_INET]external ip:666
Tue Jul 18 02:51:20 2017 MANAGEMENT: >STATE:1500371480,WAIT,,,,,,
Tue Jul 18 02:51:20 2017 MANAGEMENT: >STATE:1500371480,AUTH,,,,,,
Tue Jul 18 02:51:20 2017 TLS: Initial packet from [AF_INET]external ip:666, sid=0d55331e 8a62a69e
Tue Jul 18 02:51:20 2017 VERIFY OK: depth=1, CN=EC-test
Tue Jul 18 02:51:20 2017 VERIFY KU OK
Tue Jul 18 02:51:20 2017 Validating certificate extended key usage
Tue Jul 18 02:51:20 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jul 18 02:51:20 2017 VERIFY EKU OK
Tue Jul 18 02:51:20 2017 VERIFY X509NAME OK: CN=EC-test
Tue Jul 18 02:51:20 2017 VERIFY OK: depth=0, CN=EC-test
Tue Jul 18 02:51:21 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Tue Jul 18 02:51:21 2017 [EC-test] Peer Connection Initiated with [AF_INET]external ip:666
Tue Jul 18 02:51:22 2017 MANAGEMENT: >STATE:1500371482,GET_CONFIG,,,,,,
Tue Jul 18 02:51:22 2017 SENT CONTROL [EC-test]: 'PUSH_REQUEST' (status=1)
Tue Jul 18 02:51:22 2017 PUSH: Received control message: 'PUSH_REPLY,compress lz4,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: compression parms modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: route options modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: peer-id set
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: adjusting link_mtu to 1627
Tue Jul 18 02:51:22 2017 OPTIONS IMPORT: data channel crypto options modified
Tue Jul 18 02:51:22 2017 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 18 02:51:22 2017 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 18 02:51:22 2017 interactive service msg_channel=0
Tue Jul 18 02:51:22 2017 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=6 HWADDR=c4:e9:84:0d:37:1c
Tue Jul 18 02:51:22 2017 open_tun
Tue Jul 18 02:51:22 2017 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{09D3110F-A374-4FAC-815E-C165F51F7901}.tap
Tue Jul 18 02:51:22 2017 TAP-Windows Driver Version 9.21
Tue Jul 18 02:51:22 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {09D3110F-A374-4FAC-815E-C165F51F7901} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Tue Jul 18 02:51:22 2017 Successful ARP Flush on interface [10] {09D3110F-A374-4FAC-815E-C165F51F7901}
Tue Jul 18 02:51:22 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 18 02:51:22 2017 MANAGEMENT: >STATE:1500371482,ASSIGN_IP,,10.8.0.6,,,,
Tue Jul 18 02:51:27 2017 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD external ip MASK 255.255.255.255 192.168.1.1
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 02:51:27 2017 MANAGEMENT: >STATE:1500371487,ADD_ROUTES,,,,,,
Tue Jul 18 02:51:27 2017 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Tue Jul 18 02:51:27 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jul 18 02:51:27 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 02:51:27 2017 Initialization Sequence Completed
Tue Jul 18 02:51:27 2017 MANAGEMENT: >STATE:1500371487,CONNECTED,SUCCESS,10.8.0.6,external ip,666,192.168.1.112,51749
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 9:39 am
Well done!
you should still recompile because some things might not work as expected - what you are missing is
sudo apt-get install libsystemd-daemon-dev
you should still recompile because some things might not work as expected - what you are missing is
sudo apt-get install libsystemd-daemon-dev
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 11:41 am
Oh great ! libsystemd-daemon-dev is exactly what I needed, now ./configure --enable-systemd --with-crypto-library=mbedtls works fine !
What's the point of recompiling it so that systemd is enabled?
What's the point of recompiling it so that systemd is enabled?
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 11:47 am
The openvpn -> systemd code ensures that openvpn correctly notifies systemd of success or failure (It is a little more complicated than that because only specific use cases caused any error which is probably why you do not notice any difference).matt3226 wrote:What's the point of recompiling it so that systemd is enabled?
Example: https://community.openvpn.net/openvpn/ticket/801
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 11:54 am
Okay... that's complicated stuff !
Oh and, anything else to add to both the server and client configs to make it more secure?
Oh and, anything else to add to both the server and client configs to make it more secure?
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 12:04 pm
It really depends what you want achieve. Depending on threat level and potential adversaries it might even better not to use Internet at all:) hahaha
Check below if you want tinker more. In general what you've got in your config is more than enough for casual usage.
https://community.openvpn.net/openvpn/wiki/Hardening
https://gist.github.com/pwnsdx/8fc14ee1e9f561a0a5b8
Check below if you want tinker more. In general what you've got in your config is more than enough for casual usage.
https://community.openvpn.net/openvpn/wiki/Hardening
https://gist.github.com/pwnsdx/8fc14ee1e9f561a0a5b8
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 12:16 pm
Thanks for sharing that github link !
Depending on threat level and potential adversaries huh?
From my understanding, the crypto implemented in these systems (like openVPN). Should be (for all practical purposes) secure from anything. I mean anything at all, NSA or huge powerful adversary or not. The crypto as far as I've read around the internet, is very secure.
And to back it up, it's been heavily audited by trusted cryptographers too, and even they agree it is a sound system. So what gives? Why are people assuming that the NSA (or anyone for that matter) is capable of breaking the crypto?
I'm just saying, just some thoughts...
Depending on threat level and potential adversaries huh?
From my understanding, the crypto implemented in these systems (like openVPN). Should be (for all practical purposes) secure from anything. I mean anything at all, NSA or huge powerful adversary or not. The crypto as far as I've read around the internet, is very secure.
And to back it up, it's been heavily audited by trusted cryptographers too, and even they agree it is a sound system. So what gives? Why are people assuming that the NSA (or anyone for that matter) is capable of breaking the crypto?
I'm just saying, just some thoughts...
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 12:29 pm
I would just follow good IT practices. E.g. I've noticed on your screenshot that you do stuff using root account. This is type of things you should worry more than crypto strength:)
Make sure that your openvpn server and client don't have any other vulnerabilities. Keep it patched.
if you want to be super secure I am afraid it will turn into full time job. Even the best configured system today might be compromised tomorrow. Read security blogs and stay on top of new issues - they emerge almost daily.
It is interesting subject but security is much more than choosing the longest possible key:)
Congratulation in making openvpn with ec work!! This is for sure achievement!
Make sure that your openvpn server and client don't have any other vulnerabilities. Keep it patched.
if you want to be super secure I am afraid it will turn into full time job. Even the best configured system today might be compromised tomorrow. Read security blogs and stay on top of new issues - they emerge almost daily.
It is interesting subject but security is much more than choosing the longest possible key:)
Congratulation in making openvpn with ec work!! This is for sure achievement!
Re: OpenVPN 2.4 and pure elliptic curve crypto setup
Posted: Tue Jul 18, 2017 12:33 pm
for openvpn just run
man openvpn
and read about available options. There are plenty. But sometimes too much is not good. You can easily weaken security if you don't understand all implications of changing something.
For casual use I would stick to basic configuration.
man openvpn
and read about available options. There are plenty. But sometimes too much is not good. You can easily weaken security if you don't understand all implications of changing something.
For casual use I would stick to basic configuration.