tls-crypt-v2-verify for Windows

Posted: Wed Jan 19, 2022 4:07 pm
by joks
Good morning. Is the tls-crypt-v2-verify option provided only for Linux?
I use Windows Server with tls-crypt2 and I want my server to use tls-crypt-v2-verify, so I added to my server config:

tls-crypt-v2-verify script
script-security 2

But when a client connects, in the server logs I have:

2022-01-19 16:50:16 us=921000 xxx TLS: Initial packet from [AF_INET]xxx, sid=5dc4852c 54679b43
2022-01-19 16:50:16 us=921000 xxx Control Channel: using tls-crypt-v2 key
2022-01-19 16:50:16 us=921000 xxx Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-19 16:50:16 us=921000 xxx Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-19 16:50:16 us=921000 xxx Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-19 16:50:16 us=921000 xxx Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-19 16:50:16 us=937000 xxx env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
2022-01-19 16:50:16 us=937000 xxx openvpn_execve: CreateProcess script failed: No such file or directory (errno=2)
2022-01-19 16:50:16 us=937000 xxx WARNING: Failed running command (--tls-crypt-v2-verify): external program did not execute -- returned error code -1
2022-01-19 16:50:16 us=937000 xxx TLS CRYPT V2 VERIFY SCRIPT ERROR
Failed running command (--tls-crypt-v2-verify): external program did not execute -- returned error code -1

Re: tls-crypt-v2-verify for Windows

Posted: Wed Jan 19, 2022 5:31 pm
by TinCanTech
You need to read what the manual says.

Re: tls-crypt-v2-verify for Windows

Posted: Wed Jan 19, 2022 6:31 pm
by joks
If I hadn't read the manual, I wouldn't have generated the keys correctly for tls-crypt2.
Thanks as always for no help.

Re: tls-crypt-v2-verify for Windows

Posted: Wed Jan 19, 2022 7:29 pm
by openvpn_inc
joks wrote:
Wed Jan 19, 2022 4:07 pm
Good morning. Is the tls-crypt-v2-verify option provided only for Linux?
No. It works in any OS if it is called correctly.
joks wrote:
Wed Jan 19, 2022 4:07 pm
I use Windows Server with tls-crypt2 and I want my server to use tls-crypt-v2-verify, so I added to my server config:

tls-crypt-v2-verify script
script-security 2
"script" must be a path to a script/batch that Windows can run and can do the verification.
joks wrote:
Wed Jan 19, 2022 4:07 pm
But when a client connects, in the server logs I have:

(snip)
2022-01-19 16:50:16 us=937000 xxx openvpn_execve: CreateProcess script failed: No such file or directory (errno=2)
2022-01-19 16:50:16 us=937000 xxx WARNING: Failed running command (--tls-crypt-v2-verify): external program did not execute -- returned error code -1
2022-01-19 16:50:16 us=937000 xxx TLS CRYPT V2 VERIFY SCRIPT ERROR
Failed running command (--tls-crypt-v2-verify): external program did not execute -- returned error code -1
Windows could not find "script" to run it. "No such file or directory." Search for "--tls-crypt-v2-verify" in the manual.

regards, rob0
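
Added example, not part of the original thread and not OpenVPN project code: a small verify program of the kind the reply above describes. It assumes the `metadata_type` and `metadata_file` environment variables that the OpenVPN manual documents for `--tls-crypt-v2-verify`, and that timestamp metadata is an 8-byte big-endian Unix time; the policy values and the paths in the comment are hypothetical.

```python
# Hypothetical server config line (placeholder paths; give the full path to
# the interpreter and to this file):
#   script-security 2
#   tls-crypt-v2-verify "C:\\Python\\python.exe C:\\OpenVPN\\scripts\\verify_v2.py"
import os
import struct
import sys
import time

MAX_KEY_AGE_DAYS = 365                     # assumed policy: reject older client keys
ALLOWED_USER_METADATA = {b"laptop-alice"}  # constructed sample allowlist


def verify(env, now=None):
    """Return 0 to accept the client key, non-zero to reject it."""
    now = time.time() if now is None else now
    try:
        mtype = int(env["metadata_type"])
        with open(env["metadata_file"], "rb") as fh:
            data = fh.read()
    except (KeyError, ValueError, OSError):
        return 1  # fail closed if OpenVPN's inputs are missing or unreadable

    if mtype == 1:
        # Type 1: key creation time (assumed 64-bit, network byte order).
        if len(data) != 8:
            return 1
        created = struct.unpack(">Q", data)[0]
        age = now - created
        # Reject keys dated in the future as well as expired ones.
        return 0 if 0 <= age <= MAX_KEY_AGE_DAYS * 86400 else 1

    if mtype == 0:
        # Type 0: user-supplied metadata set when the client key was generated.
        return 0 if data in ALLOWED_USER_METADATA else 1

    return 1  # unknown metadata type


if __name__ == "__main__":
    # A non-zero exit status makes OpenVPN reject the connecting client.
    sys.exit(verify(os.environ))
```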

Re: tls-crypt-v2-verify for Windows

Posted: Wed Jan 19, 2022 8:59 pm
by joks
Thank you very much for your help. Is it possible to find ready-made scripts that will verify a tls-crypt-v2 connection?
I also tried adding --tls-crypt-v2-verify cmd to my server, like in the manual, but after that I have a similar error:

2022-01-19 21:55:33 us=609000 xx.xx.xx.x:64771 TLS CRYPT V2 VERIFY SCRIPT ERROR
2022-01-19 21:55:33 us=609000 xx.xx.xx.x:64771 TLS Error: can not extract tls-crypt-v2 client key from [AF_INET]xx.xx.xx.x:64771
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 TLS: Initial packet from [AF_INET]xx.xx.xx.x:64771, sid=3138e390 d54d9151
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 Control Channel: using tls-crypt-v2 key
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 openvpn_execve: CreateProcess cmd failed: No such file or directory (errno=2)
2022-01-19 21:55:37 us=156000 xx.xx.xx.x:64771 WARNING: Failed running command (--tls-crypt-v2-verify): external program did not execute -- returned error code -1

Re: tls-crypt-v2-verify for Windows

Posted: Thu Jan 20, 2022 8:12 am
by Pippin

Re: tls-crypt-v2-verify for Windows

Posted: Thu Jan 20, 2022 11:36 pm
by 300000
On my Windows I have this block in my OpenVPN server config and it works.


<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
snip
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>

Re: tls-crypt-v2-verify for Windows

Posted: Fri Jan 21, 2022 3:08 pm
by openvpn_inc
300000 wrote:
Thu Jan 20, 2022 11:36 pm
On my Windows I have this block in my OpenVPN server config and it works.


<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
snip
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
Hi 3,

You posted a private key to the forum. Please don't do that. I edited the post so it is gone, but some might have seen it. You should change that key.

regards, rob0

Re: tls-crypt-v2-verify for Windows

Posted: Sat Jan 22, 2022 5:11 am
by TinCanTech
Pippin wrote:
Thu Jan 20, 2022 8:12 am
This might help:
https://github.com/TinCanTech/easy-tls
That's just gonna make it a whale lot worse!

However,

Dear reader, please take a look at TLS-Crypt-V2 as above.

I hope that you find Easy-TLS to be a useful tool.