Convert tls-crypt into tls-auth

Post by executable77 » Thu Jan 10, 2019 8:36 am

I would like to ask if it's possible to convert the tls-crypt into tls-auth?

Here is my server.conf

port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-auth tls-auth.key 0
crl-verify crl.pem
ca ca.crt
cert server_iNtDmSHNN6zCYuvb.crt
key server_iNtDmSHNN6zCYuvb.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3

I generated the ta.key using this command

openvpn --genkey --secret ta.key

In my server.conf I tried the following:

tls-auth ta.key 0

But I still have the same result.

My client.ovpn file:

client
proto udp
remote 145.239.6.51 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_3sO2TzCVUQf73j0R name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

I have the following error:

Thu Jan 10 10:04:33 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jan 10 10:04:33 2019 TLS Error: TLS handshake failed

Re: Convert tls-crypt into tls-auth

Post by executable77 » Thu Jan 10, 2019 10:53 am

The key direction seems fine: 0 for the server and 1 for the client. If I use the tls-crypt everything is working fine.
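
As an added example (not part of the original posts and not OpenVPN project code): a small Python check that parses a server config and a client config and reports mismatches in control-channel wrapping, covering `tls-auth` versus `tls-crypt`, the static key, the key direction and the `auth` digest. The function names, the `files` mapping and the sample configs and key are constructed for illustration.

```python
import hashlib
import re

def wrap_settings(conf, files=None):
    """Return (mode, direction, auth, key_sha256) for one OpenVPN config.
    `files` maps key file names to contents (a stand-in for reading disk)."""
    mode = direction = key = None
    auth = "SHA1"  # OpenVPN's default --auth digest
    inline = re.search(r"<(tls-auth|tls-crypt)>(.*?)</\1>", conf, re.S)
    if inline:  # key embedded in the config, as in a client.ovpn
        mode, key = inline.groups()
    for line in re.sub(r"<([\w-]+)>.*?</\1>", "", conf, flags=re.S).splitlines():
        w = line.split("#")[0].split()
        if len(w) < 2:
            continue
        if w[0] in ("tls-auth", "tls-crypt"):
            mode, key = w[0], (files or {}).get(w[1])
            direction = w[2] if len(w) > 2 else direction
        elif w[0] == "key-direction":
            direction = w[1]
        elif w[0] == "auth":
            auth = w[1].upper()
    hexkey = "".join(re.findall(r"^[0-9a-fA-F]{32}$", key or "", re.M))
    digest = hashlib.sha256(bytes.fromhex(hexkey)).hexdigest() if hexkey else None
    return mode, direction, auth, digest

def compare(server, client):
    """List control-channel wrapping mismatches between the two sides."""
    (s_mode, s_dir, s_auth, s_key), (c_mode, c_dir, c_auth, c_key) = server, client
    problems = []
    if s_mode != c_mode:
        problems.append(f"mode: server={s_mode} client={c_mode}")
    if s_key is None or s_key != c_key:
        problems.append("static key differs or is missing on one side")
    if s_mode == c_mode == "tls-auth":  # the tls-auth HMAC uses --auth
        if {s_dir, c_dir} not in ({"0", "1"}, {None}):
            problems.append(f"key direction: server={s_dir} client={c_dir}")
        if s_auth != c_auth:
            problems.append(f"auth digest: server={s_auth} client={c_auth}")
    return problems

# Constructed sample key and configs (not taken from the posts above).
KEY = ("-----BEGIN OpenVPN Static key V1-----\n" + ("ab" * 16 + "\n") * 16
       + "-----END OpenVPN Static key V1-----\n")
SERVER = "proto udp\nauth SHA256\ntls-crypt ta.key\n"
CLIENT = "client\nauth SHA256\nkey-direction 1\n<tls-auth>\n" + KEY + "</tls-auth>\n"

if __name__ == "__main__":
    print(compare(wrap_settings(SERVER, {"ta.key": KEY}), wrap_settings(CLIENT)))
```

Run against the configs the running server and the client actually load; an empty list means the wrapping settings agree.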