
tls-crypt-v2 #983

Open
joksik opened this issue Mar 15, 2022 · 5 comments

Comments

@joksik commented Mar 15, 2022

Hello, I use your script and I love that by default it uses the more secure tls-crypt instead of tls-auth, but what about using tls-crypt-v2?
Can you also add this feature to the script?
For example, add a new choice: 3) tls-crypt-v2
I read that tls-crypt-v2 is more secure than the old tls-crypt, so I think it would be a good step to add this feature.
I don't know how to modify your script to add new options, but from the command line this works:

```sh
# generate the tls-crypt-v2 server key
openvpn --genkey tls-crypt-v2-server tls-crypt-v2.key
# generate a tls-crypt-v2 client key (wrapped with the server key)
openvpn --tls-crypt-v2 tls-crypt-v2.key --genkey tls-crypt-v2-client client-v2.key
```

@Angu0083 commented Jun 8, 2022

Hello @joksik,

I'm also looking for it. If your script works, please share the script with us.

@joksik (Author) commented Sep 22, 2022

OK, sorry for the late response, but I finally figured it out.
So after installing this script with the tls-crypt function (the default choice) you must:

1. Generate the server key for tls-crypt-v2. In my example I will use the file name tls-crypt-v2.key, and create a new directory where I will keep all generated client v2 keys.

```sh
cd /etc/openvpn
openvpn --genkey tls-crypt-v2-server tls-crypt-v2.key
mkdir keys-v2
```

2. Change a few lines in the script. First you must find this function:

```sh
case $TLS_SIG in
1)
    echo "<tls-crypt>"
    cat /etc/openvpn/tls-crypt.key
    echo "</tls-crypt>"
    ;;
```

and change this function to:

```sh
case $TLS_SIG in
1)
    # generate a per-client key wrapped with the server key, named after the client
    openvpn --tls-crypt-v2 /etc/openvpn/tls-crypt-v2.key --genkey tls-crypt-v2-client /etc/openvpn/keys-v2/$CLIENT.key
    echo "<tls-crypt-v2>"
    cat /etc/openvpn/keys-v2/$CLIENT.key
    echo "</tls-crypt-v2>"
    ;;
```

After that, when you run the script and choose to add a new user, a private tls-crypt-v2 key named after the user will be created in the directory /etc/openvpn/keys-v2, and this key will be added to the .ovpn file in the /home directory.

Remember to change /etc/openvpn/server.conf to use the new server tls-crypt-v2.key, so find these lines in server.conf:

```
<tls-crypt>
</tls-crypt>
```

and change them to:

```
<tls-crypt-v2>
paste your /etc/openvpn/tls-crypt-v2.key
</tls-crypt-v2>
```

and restart the OpenVPN service.

Maybe in the future, when I have time, I will send a pull request with the change to add tls-crypt-v2 support selectable during the script installation as the third option.
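As an added example (not the issue author's script and not openvpn-install's own code), the following POSIX sh helpers wrap the procedure from the two comments above: the one-time server key, the per-client key generation that the modified `case` branch runs, and the inline `<tls-crypt-v2>` block written into the client's `.ovpn`. Two things the comments leave implicit are made explicit here: the server key is never overwritten (every client key already issued is wrapped with it and would stop working), and the client name is validated before it is spliced into a file path, since in the modified script `$CLIENT` comes straight from user input. The paths `/etc/openvpn/tls-crypt-v2.key` and `/etc/openvpn/keys-v2/` follow the comment; the `OPENVPN_DIR` override and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the issue or from openvpn-install.
# Assumed layout (matches the comment above):
#   server key:      $OPENVPN_DIR/tls-crypt-v2.key
#   per-client keys: $OPENVPN_DIR/keys-v2/<client>.key
# OPENVPN_DIR defaults to /etc/openvpn and can be overridden for testing.
set -u

OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"
SERVER_KEY="$OPENVPN_DIR/tls-crypt-v2.key"
CLIENT_KEY_DIR="$OPENVPN_DIR/keys-v2"

# The client name becomes part of a path and of the generated .ovpn, so only
# accept plain names: letters, digits, '_', '.', '-', and not starting with '.'.
# This rejects "", "../x", "a b", "a;b" and similar.
valid_client_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# One-time server key. Refuse to overwrite: all issued client keys are wrapped
# with this key, so replacing it silently invalidates every client.
gen_server_key() {
    if [ -e "$SERVER_KEY" ]; then
        echo "server key already exists, not overwriting: $SERVER_KEY" >&2
        return 1
    fi
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077 && openvpn --genkey tls-crypt-v2-server "$SERVER_KEY" )
}

# Per-client key wrapped with the server key; this is the command the comment
# above inserts into the script's "case $TLS_SIG in 1)" branch.
gen_client_key() {
    client="$1"
    valid_client_name "$client" || { echo "rejected client name: $client" >&2; return 1; }
    [ -s "$SERVER_KEY" ] || { echo "missing server key: $SERVER_KEY" >&2; return 1; }
    mkdir -p "$CLIENT_KEY_DIR" && chmod 700 "$CLIENT_KEY_DIR"
    ( umask 077 && openvpn --tls-crypt-v2 "$SERVER_KEY" \
        --genkey tls-crypt-v2-client "$CLIENT_KEY_DIR/$client.key" )
}

# Print the inline block that replaces <tls-crypt>...</tls-crypt> in the
# client's .ovpn. Fails instead of emitting an empty block when the key file
# is missing or empty, so a non-working .ovpn is never produced.
inline_client_block() {
    client="$1"
    valid_client_name "$client" || return 1
    keyfile="$CLIENT_KEY_DIR/$client.key"
    [ -s "$keyfile" ] || { echo "missing client key: $keyfile" >&2; return 1; }
    echo "<tls-crypt-v2>"
    cat "$keyfile"
    echo "</tls-crypt-v2>"
}

# Typical use on the server (requires openvpn >= 2.5):
#   gen_server_key                       # once
#   gen_client_key alice                 # per client
#   inline_client_block alice >> /home/alice.ovpn
```

Because the client key is unique per client, revoking one client means deleting its `keys-v2/<client>.key` and regenerating its `.ovpn`, without touching the server key or any other client, which is the main operational advantage over the single shared `tls-crypt.key` the script uses by default.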

@Angu0083 commented

Hello @joksik,

Thanks for fixing the major bug/vulnerability.

@alinhayati commented

I have added tls-crypt-v2 as option 3 to the implementation in my fork of the repository here.

@johnay0 commented Sep 18, 2023

> I have added tls-crypt-v2 as option 3 to the implementation in my fork of the repository here.

@alinhayati thank you so much. I've been searching for this for nearly 1 month; before that I was using the official OpenVPN Access Server to get tls-crypt-v2, but it's limited to 2 connections only. Now it's not. Good job!
