Import *.ovpn ignores <tlscrypt-v2>

Posted: Tue Jul 26, 2022 1:40 pm
by bmeirelles
Can you help me? Commenting out the "tlscrypt-v2" line on the server, the client works normally with this .ovpn profile file. My server is Debian OpenVPN 2.6_git.

Thanks a lot for the help

My log:

[Jul 25, 2022, 19:34:11] OpenVPN core 3.git::d3f8b18b win x86_64 64-bit built on Mar 17 2022 11:42:02
[Jul 25, 2022, 19:34:11] Frame=512/2048/512 mssfix-ctrl=1250
[Jul 25, 2022, 19:34:11] UNUSED OPTIONS
0 [tls-client]
2 [verify-client-cert] [require]
9 [resolv-retry] [infinite]
10 [nobind]
11 [persist-key]
12 [persist-tun]
13 [mute-replay-warnings]
18 [tlscrypt-v2] [-----BEGIN OpenVPN tls-crypt-v2 client key----- JV/lVob7sdGcPOIB...]
20 [auth-nocache]
22 [verb] [3]
23 [mute] [10]
[Jul 25, 2022, 19:34:11] EVENT: RESOLVE
[Jul 25, 2022, 19:34:11] Contacting xxx.xxx.xxx.xxx:1194 via UDP
[Jul 25, 2022, 19:34:11] EVENT: WAIT
[Jul 25, 2022, 19:34:11] WinCommandAgent: transmitting bypass route to xxx.xxx.xxx.xxx
{
"host" : "xxx.xxx.xxx.xxx",
"ipv6" : false
}

[Jul 25, 2022, 19:34:11] Connecting to [lalalalala.com]:1194 (xxx.xxx.xxx.xxx) via UDPv4
[Jul 25, 2022, 19:34:11] EVENT: CONNECTING
[Jul 25, 2022, 19:34:12] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
[Jul 25, 2022, 19:34:12] Creds: UsernameEmpty/PasswordEmpty
[Jul 25, 2022, 19:34:12] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
IV_AUTO_SESS=1
IV_GUI_VER=OCWindows_3.3.6-2752
IV_SSO=webauth,openurl,crtext

[Jul 25, 2022, 19:34:12] SSL Handshake: peer certificate: CN=Server, 384 bit EC, curve:secp384r1, cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD

Re: Import *.ovpn ignores <tlscrypt-v2>

Posted: Tue Jul 26, 2022 1:51 pm
by openvpn_inc
Hello,

The OpenVPN Connect client v3.3 supports tls-crypt-v2 fully. We use it on our OpenVPN Access Server product as well. However you seem to have spelled it as tlscrypt-v2 which I am sure is not correct.

Kind regards,
Johan

Re: Import *.ovpn ignores <tlscrypt-v2>

Posted: Tue Jul 26, 2022 3:30 pm
by bmeirelles
Hi John, thanks for the help.
I wrote it following the instructions in the documentation, at the end of this page:

https://openvpn.net/vpn-server-resource ... ss-server/

In the .ovpn file it is the same as it is on the page:

<tlscrypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
XXXXXXXXXXXXXXXXXX
-----END OpenVPN tls-crypt-v2 client key-----
</tlscrypt-v2>

Key works in version 2.6 externally referenced

Server:
tls-crypt-v2 /etc/openvpn/keys/ta-server.key
Client:
tls-crypt-v2 /etc/openvpn/keys/ta-client.key

Re: Import *.ovpn ignores <tlscrypt-v2>

Posted: Tue Jul 26, 2022 3:40 pm
by Pippin
openvpn_inc wrote:
Tue Jul 26, 2022 1:51 pm
...
... you seem to have spelled it as tlscrypt-v2 which I am sure is not correct.

Re: Import *.ovpn ignores <tlscrypt-v2>

Posted: Tue Jul 26, 2022 4:04 pm
by bmeirelles
I changed it to tls-crypt-v2 and it worked. Thanks a lot for the help.

Re: Import *.ovpn ignores <tlscrypt-v2>

Posted: Tue Jul 26, 2022 6:00 pm
by TinCanTech
I can confirm that the correct spelling of the tag is <tls-crypt-v2>

However, for convenience an alias could include <tlscrypt-v2> and others, e.g. <tlscryptv2>

Re: Import *.ovpn ignores <tlscrypt-v2>

Posted: Tue Jul 26, 2022 6:36 pm
by openvpn_inc
Hi there,

Thanks, we're going to be correcting that example on our site. That wasn't meant to be a guide on how to build a connection profile, but it's still wrong so we'll fix it.

Kind regards,
Johan
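
Added example, not part of the thread and not OpenVPN code: a Python check that reads a client log in the format shown in the first post and flags any UNUSED OPTIONS entry that is a near-miss spelling of a control-channel key directive, so a silently ignored key is caught at import time. The watch list, the function names and the sample log are assumptions constructed for illustration.

```python
import re

# Directives that carry control-channel key material (watch list chosen here).
KEY_DIRECTIVES = ("tls-auth", "tls-crypt", "tls-crypt-v2")
# One entry of the UNUSED OPTIONS block: "<index> [name] [arg] ..."
UNUSED_ENTRY = re.compile(r"^\s*(\d+)\s+\[([^\]]+)\]")

def _squash(name):
    """Lowercase and drop separators so 'tlscrypt-v2' equals 'tls-crypt-v2'."""
    return re.sub(r"[-_]", "", name.lower())

def unused_options(log_text):
    """Return [(profile_index, option_name)] listed under UNUSED OPTIONS."""
    found, in_block = [], False
    for line in log_text.splitlines():
        if "UNUSED OPTIONS" in line:
            in_block = True
            continue
        if in_block:
            m = UNUSED_ENTRY.match(line)
            if not m:
                in_block = False  # block ends at the first non-entry line
                continue
            found.append((int(m.group(1)), m.group(2)))
    return found

def misspelled_key_directives(log_text):
    """Flag unused options that are near-miss spellings of a key directive."""
    by_squash = {_squash(d): d for d in KEY_DIRECTIVES}
    findings = []
    for index, name in unused_options(log_text):
        intended = by_squash.get(_squash(name))
        if intended and name != intended:
            findings.append((index, name, intended))
    return findings

# Constructed sample modelled on the log format in the first post.
SAMPLE_LOG = """\
[Jul 25, 2022, 19:34:11] UNUSED OPTIONS
0 [tls-client]
10 [nobind]
18 [tlscrypt-v2] [-----BEGIN OpenVPN tls-crypt-v2 client key----- PLACEHOLDER...]
20 [auth-nocache]
[Jul 25, 2022, 19:34:11] EVENT: RESOLVE
"""

if __name__ == "__main__":
    for index, name, intended in misspelled_key_directives(SAMPLE_LOG):
        print(f"option {index}: '{name}' ignored; did you mean '{intended}'?")
```

Correctly spelled options that the client simply does not use, such as nobind, are parsed but not flagged; only entries that collapse to a watched key directive are reported.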